Subject: kopete+otr send messages unencrypted without notice
Package: kopete
Version: 4:4.14.1-2
Justification: user security hole
Severity: grave
Tags: security upstream
Dear Maintainer,

Using kopete with the OTR plugin led to messages being sent unencrypted without notice. (I discovered this after sending sensitive credentials while helping some people remotely...)

After checking that OTR encryption was working ("private session started" notice), I was helping people remotely while feeling secure. After a first restart of the other end computer, I saw a notification saying that the OTR session was refreshed (which is normal$

Later on, I detected that, in fact, the people at the other end were getting all my messages unencrypted... despite the notification I got on my end.

First detection was done with the "Opportunistic" policy on both sides. Then I tested again with a full restart at both ends + the "Always" policy for the OTR plugin. Same result: when the other end restarts and I keep my session open, I get the "OTR session refreshed"$

Several accounts' credentials were sent in clear, among which one for a root account.

When I pay attention to the "OTR session refreshed" message, and especially when the "Always" policy is used on both sides, I would expect to be alerted that some internal issue cancelled the encryption, no matter what the reason is. The notifications are not reliable, and we're talking about a secure messaging system here (OTR)...

This forced me to uninstall kopete, since I cannot rely on it for secure messaging.

Remarks:
- Two bugs already mention this in the bug tracking of kopete at https://bugs.kde.org/show_bug.cgi?id=274099 and https://bugs.kde.org/show_bug.cgi?id=362535
- While the kopete team cannot solve this (old) issue, I cannot believe Debian can go on propagating this dangerous thing and the heavy security consequences to the community, among which are key journalists.
- Until it is fixed, the OTR plugin should be disabled for kopete, or the kopete UI should at least alert about its experimental support status in red uppercase.

Thanks a lot in advance for any action, to disable it or fix it!
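The failure described in the report is a send path that trusts the last notification shown to the user instead of the live OTR message state. The following is an added illustration, not kopete's or libotr's code: the state and policy names are modelled on libotr's OTRL_MSGSTATE_* and OTRL_POLICY_* values, but the transitions are a simplified model (the peer-restart transition in particular is an assumption), and the point is the guard in `send()`, which decides from the current state rather than from `last_notice`.

```python
"""Model of an OTR send-path guard (added example, not kopete or libotr code)."""
from enum import Enum


class MsgState(Enum):
    PLAINTEXT = "plaintext"   # no private session established
    ENCRYPTED = "encrypted"   # AKE completed, messages are protected
    FINISHED = "finished"     # peer ended the session; nothing must go out


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # encrypt if the peer supports OTR
    ALWAYS = "always"                # require encryption, never fall back


class Conversation:
    def __init__(self, policy):
        self.policy = policy
        self.state = MsgState.PLAINTEXT
        self.last_notice = None   # what the UI last told the user
        self.wire = []            # (kind, text) as it would leave the client

    def session_established(self):
        self.state = MsgState.ENCRYPTED
        self.last_notice = "private session started"

    def peer_restarted(self):
        # Assumed model: the peer's client lost its OTR context, so our
        # session is gone until a new AKE completes. A UI that only shows
        # "refreshed" here (as in the report) gives the user no warning.
        self.state = MsgState.PLAINTEXT
        self.last_notice = "OTR session refreshed"

    def send(self, text):
        # The decision must come from self.state, never from self.last_notice.
        if self.state is MsgState.ENCRYPTED:
            self.wire.append(("encrypted", text))
            return "sent_encrypted"
        if self.state is MsgState.FINISHED or self.policy is Policy.ALWAYS:
            self.last_notice = "message NOT sent: no private session"
            return "blocked"
        self.wire.append(("plaintext", text))
        self.last_notice = "WARNING: message sent unencrypted"
        return "sent_plaintext"


def scenario(policy):
    """Replay the report: session up, peer restarts, user keeps typing."""
    conv = Conversation(policy)
    conv.session_established()
    conv.send("constructed message 1")
    conv.peer_restarted()
    return conv.send("constructed credential"), conv.wire, conv.last_notice
```

With the "Always" policy the second message is refused and the notice says so; with "Opportunistic" it goes out in clear but the user is told, which is the behaviour the report expected and did not get.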
-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kopete depends on:
ii  kde-runtime             4:4.14.2-2
ii  kdepim-runtime          4:4.14.2-3
ii  libc6                   2.19-18+deb8u4
ii  libexpat1               2.1.0-6+deb8u3
ii  libgadu3                1:1.12.0-5
ii  libgif4                 4.1.6-11+deb8u1
ii  libglib2.0-0            2.42.1-1+b1
ii  libidn11                1.29-1+deb8u1
ii  libjasper1              1.900.1-debian1-2.4+deb8u1
ii  libkabc4                4:4.14.2-2+b1
ii  libkcmutils4            4:4.14.2-5
ii  libkde3support4         4:4.14.2-5
ii  libkdecore5             4:4.14.2-5
ii  libkdeui5               4:4.14.2-5
ii  libkdnssd4              4:4.14.2-5
ii  libkemoticons4          4:4.14.2-5
ii  libkhtml5               4:4.14.2-5
ii  libkio5                 4:4.14.2-5
ii  libkmime4               4:4.14.2-2+b1
ii  libknewstuff2-4         4:4.14.2-5
ii  libknotifyconfig4       4:4.14.2-5
ii  libkopete4              4:4.14.1-2
ii  libkparts4              4:4.14.2-5
ii  libkpimidentities4      4:4.14.2-2+b1
ii  libmeanwhile1           1.0.2-5
ii  libmediastreamer-base3  3.6.1-2.4+b1
ii  libmsn0.3               4.2-2
ii  libortp9                3.6.1-2.4+b1
ii  libotr5                 4.1.0-2+deb8u1
ii  libphonon4              4:4.8.0-4
ii  libqca2                 2.0.3-6
ii  libqimageblitz4         1:0.0.6-4
ii  libqt4-dbus             4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-network          4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-qt3support       4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-sql              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-xml              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtcore4              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtgui4               4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libsolid4               4:4.14.2-5
ii  libsrtp0                1.4.5~20130609~dfsg-1.1+deb8u1
ii  libssl1.0.0             1.0.1t-1+deb8u2
ii  libstdc++6              4.9.2-10
ii  libv4l-0                1.6.0-2
ii  libx11-6                2:1.6.2-3
ii  libxml2                 2.9.1+dfsg1-5+deb8u2
ii  libxslt1.1              1.1.28-2+b2
ii  perl                    5.20.2-3+deb8u5
ii  phonon                  4:4.8.0-4
ii  zlib1g                  1:1.2.8.dfsg-2+b1

Versions of packages kopete recommends:
ii  libqca2-plugin-ossl  2.0.0~beta3-2
ii  libqt4-sql-sqlite    4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1

Versions of packages kopete suggests:
pn  imagemagick           <none>
pn  kdeartwork-emoticons  <none>
pn  khelpcenter4          <none>
pn  texlive-latex-base    <none>

-- no debconf information