Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 608800 (CVE-2017-5604) - <net-im/mcabber-1.0.5: User Impersonation Vulnerability
Summary: <net-im/mcabber-1.0.5: User Impersonation Vulnerability
Status: RESOLVED FIXED
Alias: CVE-2017-5604
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://rt-solutions.de/en/2017/02/CV...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-09 22:18 UTC by Hanno Böck
Modified: 2017-07-11 00:59 UTC (History)
1 user (show)

See Also:
Package list:
=net-im/mcabber-1.0.5
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-02-09 22:18:01 UTC 
Vulnerability in message carbons allows forging sender ids, see:
https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/

Fixed in mcabber 1.0.5.

This affects a lot of clients, but most of them aren't in Gentoo, we should go through them and check all of them.
Comment 1 Wolfram Schlich (RETIRED) gentoo-dev 2017-02-16 16:22:26 UTC 
mcabber 1.0.5 is in portage now: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb5ddb9eeebd7bb2a60f778e6670842ae0de17b7

@arches,
please test and mark stable: =net-im/mcabber-1.0.5

thanks!
Comment 2 Agostino Sarubbo gentoo-dev 2017-02-17 10:15:42 UTC 
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2017-02-17 10:42:42 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-17 10:57:52 UTC 
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop =net-im/mcabber-1.0.4!