Bug 20273

Summary: jitsi new security issue CVE-2017-5603
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, geiger.david68210, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/715041/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Source RPM: jitsi-2.6-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2017-02-12 17:25:20 CET 
A security issue in jitsi has been announced on February 9:
http://openwall.com/lists/oss-security/2017/02/09/29

The issue was fixed upstream in 2.10, recently uploaded for Cauldron by David.

The commit that fixed the issue is linked in the message above.

Mageia 5 is affected.
Comment 1 David GEIGER 2017-02-12 18:04:34 CET 
Done for mga5!
Comment 2 David Walser 2017-02-12 18:25:01 CET 
Thanks David!

Advisory:
========================

Updated jitsi package fixes security vulnerability:

An incorrect implementation of XEP-0280: Message Carbons in Jitsi and other
XMPP clients allows a remote attacker to impersonate any user, including
contacts, in the vulnerable application's display. This allows for
various kinds of social engineering attacks (CVE-2017-5603).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5603
http://openwall.com/lists/oss-security/2017/02/09/29
========================

Updated packages in core/updates_testing:
========================
jitsi-2.6-1.1.mga5

from jitsi-2.6-1.1.mga5.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs

Dave Hodgins 2017-02-13 21:01:58 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 Dave Hodgins 2017-02-13 23:10:40 CET 
Just testing that the package is functional, as I'm not clear on exactly how
to use the info provided to recreate the problem.

Tested on both i586 and x86_64.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2017-02-13 23:44:10 CET 
David Geiger,
Just a heads up that it appears that kopete needs a patch to fix this in Cauldron also, according to Arch:
https://lwn.net/Vulnerabilities/714423/
Comment 5 David Walser 2017-02-18 14:31:41 CET 
(In reply to David Walser from comment #4)
> David Geiger,
> Just a heads up that it appears that kopete needs a patch to fix this in
> Cauldron also, according to Arch:
> https://lwn.net/Vulnerabilities/714423/

Upstream fix found by David:
https://cgit.kde.org/kopete.git/commit/?id=6243764c4fd0985320d4a10b48051cc418d584ad
Comment 6 Mageia Robot 2017-02-18 17:29:46 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0049.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-02-21 11:52:46 CET

URL: (none) => https://lwn.net/Vulnerabilities/715041/