Bug 406007 (CVE-2012-1257) - net-im/pidgin, x11-plugins/pidgin-otr: libpurple OTR information leakage (CVE-2012-1257)
Status: RESOLVED WONTFIX
Alias: CVE-2012-1257
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://census-labs.com/news/2012/02/2...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-02-27 10:36 UTC by Michael Harrison
Modified: 2016-11-25 05:13 UTC

See Also:
Package list:
Runtime testing required: ---
Description Michael Harrison 2012-02-27 10:36:27 UTC
libpurple is an Instant Messaging (IM) library developed by the Pidgin project. It is used by a number of IM clients including Pidgin and Adium. libpurple-based clients support the OTR (“Off-the-Record”) protocol either natively or via a plugin. The OTR messaging protocol enables users to communicate securely over any IM network.

If libpurple is compiled with DBUS support and there is a DBUS session daemon running on the system, then all messages passing through libpurple are broadcasted over DBUS. The reason behind this is to allow for third party applications, such as desktop widgets to process these messages (e.g. create an animation when a message arrives). However, among the messages transmitted over DBUS one also finds the plaintext form of OTR conversations. This is a security problem, as the private OTR messages may leak to other (unrelated) processes that are executing under the same user as the libpurple-based application.

$URL contains a POC and a python script to verify the vulnerability.

Affected Products: libpurple (versions ≤ 2.10.1), libpurple clients with DBUS support (incl. pidgin versions ≤ 2.10.1), pidgin-otr (versions ≤ 3.2.0)

Solution:
For now there does not appear to be a patch yet, per a comment made 17 hours ago, but one is on the way.
Pidgin bug:
http://developer.pidgin.im/ticket/14830
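A self-check for the behaviour described in this report, added here as an example and not taken from the bug, the census-labs advisory or Pidgin's own code: it audits the output of `dbus-monitor --session` for libpurple message signals and reports whether the message argument on the bus is still OTR ciphertext (begins with the `?OTR` marker) or readable plaintext, without storing or printing any message body. The interface name `im.pidgin.purple.PurpleInterface` and the signal names `ReceivedImMsg`, `SendingImMsg`, `ReceivedChatMsg` and `SendingChatMsg` are recalled from libpurple's D-Bus API and are assumptions, not values from this page; the `SAMPLE` lines are constructed to look like dbus-monitor output and are not a real capture.

```python
"""Audit dbus-monitor output for libpurple message signals that carry plaintext.

Added example, not part of the Gentoo bug or of Pidgin. Interface and signal
names below are assumptions recalled from libpurple's D-Bus API; the sample
lines at the bottom are constructed, not captured from a real session.
"""
import re
from dataclasses import dataclass

# Assumption: libpurple's D-Bus interface and the signals whose last string
# argument is the message body.
PURPLE_IFACE = "im.pidgin.purple.PurpleInterface"
MESSAGE_SIGNALS = {"ReceivedImMsg", "SendingImMsg", "ReceivedChatMsg", "SendingChatMsg"}

# dbus-monitor prints one header line per bus message, then one indented
# line per argument.  Only the header and 'string' argument lines matter here.
HEADER_RE = re.compile(r"^(signal|method call|method return|error) ")
SIGNAL_RE = re.compile(r"^signal .*?interface=(?P<iface>[^;]+); member=(?P<member>\S+)")
STRING_RE = re.compile(r'^\s+string "(?P<val>.*)"$')


@dataclass
class Finding:
    member: str        # which libpurple signal carried the message
    body_len: int      # length of the message argument (the body itself is never kept)
    body_is_otr: bool  # True if the body is still OTR ciphertext ("?OTR..."), False if readable


def audit_dbus_monitor(lines):
    """Return one Finding per libpurple message signal seen in dbus-monitor output."""
    findings = []
    member = None   # message signal currently being read, or None
    strings = []    # string arguments collected for that signal

    def finish():
        # The message body is the last string argument of these signals.
        if member is not None and strings:
            body = strings[-1]
            findings.append(Finding(member, len(body), body.startswith("?OTR")))

    for line in lines:
        if HEADER_RE.match(line):
            finish()
            m = SIGNAL_RE.match(line)
            if m and m.group("iface") == PURPLE_IFACE and m.group("member") in MESSAGE_SIGNALS:
                member, strings = m.group("member"), []
            else:
                member, strings = None, []
            continue
        if member is None:
            continue
        s = STRING_RE.match(line)
        if s:
            strings.append(s.group("val"))
    finish()
    return findings


def leaks_plaintext(findings):
    """True if any libpurple message signal on the bus carried a readable (non-OTR) body."""
    return any(not f.body_is_otr for f in findings)


# Constructed sample in dbus-monitor's format: one still-encrypted body, one
# unrelated signal, one readable body, and a method call from another client.
SAMPLE = """\
signal sender=:1.42 -> dest=(null destination) serial=57 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ReceivedImMsg
   int32 1
   string "alice@example.org"
   string "?OTR:AAMDx3M0ZQ8AAAAB.?"
   int32 3
   uint32 0
signal sender=:1.42 -> dest=(null destination) serial=58 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ConversationUpdated
   int32 3
   int32 4
signal sender=:1.42 -> dest=(null destination) serial=59 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ReceivedImMsg
   int32 1
   string "alice@example.org"
   string "meet at the usual place, this was meant to be off the record"
   int32 3
   uint32 0
method call sender=:1.7 -> dest=org.freedesktop.DBus serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
"""

if __name__ == "__main__":
    results = audit_dbus_monitor(SAMPLE.splitlines())
    for f in results:
        state = "OTR ciphertext" if f.body_is_otr else "PLAINTEXT on session bus"
        print(f"{f.member}: {f.body_len}-byte body, {state}")
    print("leak detected" if leaks_plaintext(results) else "no readable bodies seen")
```

To run it against a live client, pipe `dbus-monitor --session` into a file while the libpurple build under test exchanges a few OTR messages, then call `audit_dbus_monitor` on its lines; a libpurple built without D-Bus support produces no findings at all, which is the outcome the Red Hat comment referenced later in this bug treats as the only real mitigation.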
Comment 1 Michael Palimaka (kensington) gentoo-dev 2012-05-16 12:30:16 UTC
pidgin-otr upstream has released a new version fixing their issue.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2012-05-16 12:34:52 UTC
(In reply to comment #1)
> pidgin-otr upstream has released a new version fixing their issue.

Please ignore my previous comment, this is for a different issue. Sorry for the noise.
Comment 3 Samuel Damashek (RETIRED) gentoo-dev 2013-12-22 05:57:24 UTC
Looks like nothing's being done upstream about this. I suggest changing status to upstream+.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-23 19:36:05 UTC
@ Security: Please consider closing this bug, see https://bugzilla.redhat.com/show_bug.cgi?id=798279#c2
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-11-25 05:13:59 UTC
Per the referenced links this is a security enhancement vice a vulnerability.  Pidgin uses DBus calls to notify the user of all received messages, but if using the OTR plugin the messages are not truly off the record.  However, the messages are only sent and received within the user's DBus session.