I have just released telepathy-gabble version 0.8.15, the latest from the 0.8 old-stable branch, which contains a fix for a security issue in Jingle calls (and a fix for a JID validation bug).
tarball: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.8.15.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.8.15.tar.gz.asc

The issue theoretically allows attackers to trick Gabble into sending streamed media via a relay server selected by the attacker (as opposed to via a relay server selected by the XMPP service, or of course directly to and from the other party). The attacker sends the target a google:jingleinfo stanza containing a STUN server and a media relay of their choosing. Gabble does not check that the stanza was sent by the user's (trusted) server, and so interprets the contents. The malicious STUN server would be crafted to make the streaming implementation believe that it must use a relay (rather than being able to connect directly to the peer), and then the attacker's relay would be used.

We have not constructed an exploit for this vulnerability, but we do have a test case demonstrating the bug in Gabble. All versions of the 0.8 and 0.10 stable branches of Gabble, as well as the unstable 0.11 series, are affected.

Note that we do not give any security guarantees for streamed media calls, in general: audio/video data is not encrypted, so an attacker able to intercept the target's network traffic may always snoop on calls. This flaw exacerbates the situation by allowing attackers outside the network path to compromise the call.

See <https://bugs.freedesktop.org/show_bug.cgi?id=34048> for more details, including individual patches for each affected version of Gabble.

The “From now on, I will live on cigarettes and black coffee.” release.

Fixes:

• fd.o#34048: Malicious contacts can no longer trick Gabble into relaying audio/video data via a server of their choosing. (wjt, sjoerd)
• Messages from JIDs with valid, but non-ASCII, domains are no longer silently dropped.
-- Will
