Bug 20273 - jitsi new security issue CVE-2017-5603
Summary: jitsi new security issue CVE-2017-5603
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/715041/
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-02-12 17:25 CET by David Walser
Modified: 2017-02-21 11:52 CET

See Also:
Source RPM: jitsi-2.6-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-02-12 17:25:20 CET
A security issue in jitsi has been announced on February 9:
http://openwall.com/lists/oss-security/2017/02/09/29

The issue was fixed upstream in 2.10, recently uploaded for Cauldron by David.

The commit that fixed the issue is linked in the message above.

Mageia 5 is affected.
Comment 1 David GEIGER 2017-02-12 18:04:34 CET
Done for mga5!
Comment 2 David Walser 2017-02-12 18:25:01 CET
Thanks David!

Advisory:
========================

Updated jitsi package fixes security vulnerability:

An incorrect implementation of XEP-0280: Message Carbons in Jitsi and other
XMPP clients allows a remote attacker to impersonate any user, including
contacts, in the vulnerable application's display. This allows for
various kinds of social engineering attacks (CVE-2017-5603).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5603
http://openwall.com/lists/oss-security/2017/02/09/29
========================

Updated packages in core/updates_testing:
========================
jitsi-2.6-1.1.mga5

from jitsi-2.6-1.1.mga5.src.rpm

CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
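As an added illustration of the check the advisory above implies, and not code from the bug report, the Mageia packages or Jitsi itself: XEP-0280 requires a Carbons-enabled client to accept a forwarded copy only when the enclosing message's 'from' is the user's own bare JID, and to ignore every other copy. The stanzas, JIDs and message bodies below are constructed samples; treating an absent outer 'from' as server-originated is an assumption made here.

```python
"""Validate XEP-0280 Message Carbons before trusting the forwarded sender.

Added illustration; not Jitsi's code. All stanzas and JIDs are constructed.
"""
import xml.etree.ElementTree as ET

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid):
    """Strip the resource: alice@example.com/phone -> alice@example.com."""
    return jid.split("/", 1)[0]


def unwrap_carbon(stanza_xml, own_bare_jid):
    """Return (direction, inner_from, body) for a carbon, or None if not a carbon.

    Raises ValueError when the wrapper was not sent by the user's own account.
    XEP-0280: the enclosing message's 'from' must be the user's bare JID.
    An absent outer 'from' is treated as server-originated (assumption).
    """
    msg = ET.fromstring(stanza_xml)
    carbon = None
    for direction in ("received", "sent"):
        carbon = msg.find("{%s}%s" % (NS_CARBONS, direction))
        if carbon is not None:
            break
    if carbon is None:
        return None  # an ordinary message; display its own 'from'
    outer_from = msg.get("from")
    if outer_from is not None and bare_jid(outer_from) != own_bare_jid:
        # This is the check a vulnerable client skips: the inner 'from'
        # is attacker-chosen, so it must never reach the display.
        raise ValueError("carbon wrapper from %r, not own bare JID" % outer_from)
    forwarded = carbon.find("{%s}forwarded" % NS_FORWARD)
    inner = None
    if forwarded is not None:
        inner = forwarded.find("{%s}message" % NS_CLIENT)
    if inner is None:
        raise ValueError("malformed carbon: no forwarded message")
    return direction, inner.get("from"), inner.findtext("{%s}body" % NS_CLIENT)


def verdict(stanza_xml, own_bare_jid):
    """Summarise the decision a client UI would act on."""
    try:
        result = unwrap_carbon(stanza_xml, own_bare_jid)
    except ValueError:
        return "rejected"
    return "not-a-carbon" if result is None else "accepted"


# Constructed sample: a genuine carbon, wrapped by alice's own bare JID.
GENUINE = """<message xmlns='jabber:client' from='alice@example.com' to='alice@example.com/laptop'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='bob@example.com/work' to='alice@example.com/phone' type='chat'>
        <body>Lunch at noon?</body>
      </message>
    </forwarded>
  </received>
</message>"""

# Constructed sample: same inner message, but the wrapper comes from a third party.
SPOOFED = """<message xmlns='jabber:client' from='mallory@evil.example/x' to='alice@example.com/laptop'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='bob@example.com/work' to='alice@example.com/phone' type='chat'>
        <body>Please send me the new password.</body>
      </message>
    </forwarded>
  </received>
</message>"""

if __name__ == "__main__":
    for label, stanza in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, verdict(stanza, "alice@example.com"))
```

A client that unwraps the forwarded message first and only then (or never) looks at the outer 'from' will render the spoofed copy as if Bob had written it; the order of the checks above is the whole point.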

Dave Hodgins 2017-02-13 21:01:58 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 3 Dave Hodgins 2017-02-13 23:10:40 CET
Just testing that the package is functional, as I'm not clear on exactly how
to use the info provided to recreate the problem.

Tested on both i586 and x86_64.

Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 4 David Walser 2017-02-13 23:44:10 CET
David Geiger,
Just a heads up that it appears that kopete needs a patch to fix this in Cauldron also, according to Arch:
https://lwn.net/Vulnerabilities/714423/
Comment 5 David Walser 2017-02-18 14:31:41 CET
(In reply to David Walser from comment #4)
> David Geiger,
> Just a heads up that it appears that kopete needs a patch to fix this in
> Cauldron also, according to Arch:
> https://lwn.net/Vulnerabilities/714423/

Upstream fix found by David:
https://cgit.kde.org/kopete.git/commit/?id=6243764c4fd0985320d4a10b48051cc418d584ad
Comment 6 Mageia Robot 2017-02-18 17:29:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0049.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-02-21 11:52:46 CET

URL: (none) => https://lwn.net/Vulnerabilities/715041/

