Bug 20962 - gajim new security issue CVE-2016-10376
Summary: gajim new security issue CVE-2016-10376
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-05-28 19:31 CEST by David Walser
Modified: 2017-06-10 09:02 CEST (History)
4 users

See Also:
Source RPM: gajim-0.16.7-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2017-05-28 19:31:22 CEST
A CVE has been assigned for a security issue in gajim:
http://openwall.com/lists/oss-security/2017/05/28/1

Mageia 5 is also affected.
David Walser 2017-05-28 19:31:29 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Nicolas Lécureuil 2017-06-01 23:44:33 CEST
fixed in cauldron

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 2 Nicolas Lécureuil 2017-06-01 23:46:41 CEST
pushed in updates_testing

src.rpm:  gajim-0.16.5-1.1.mga5

Assignee: mageia => qa-bugs

Comment 3 David Walser 2017-06-02 03:09:31 CEST
Advisory:
========================

Updated gajim packages fix security vulnerabilities:

Gajim unconditionally implements the "XEP-0146: Remote Controlling Clients"
extension, which may be abused by malicious XMPP servers to, for example,
extract plaintext from OTR encrypted sessions (CVE-2016-10376).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10376
http://openwall.com/lists/oss-security/2017/05/28/1
========================

Updated packages in core/updates_testing:
========================
gajim-0.16.5-1.1.mga5

from gajim-0.16.5-1.1.mga5.src.rpm
Comment 4 Herman Viaene 2017-06-03 13:41:58 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues
gajim launches OK from CLI, but then .....
Tried to use its wizard to create a Jabber account, but got nowhere. Various listed servers were not reachable; on others I got "not acceptable".
Finally used Google to find out: this got me to the jabber.hot.chilli.eu website where I could create an account (using the same username and password! as with the wizard).
Then I could get gajim to connect, but it lacks any facility to search for someone to connect with if you don't know their Jabber name. So that was the end of testing. Searching for previous updates just shows more problems in the past.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-06-09 21:33:53 CEST

Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith

Comment 5 Dave Hodgins 2017-06-10 02:56:35 CEST
x86-64. Created an account at dismail.de. Didn't test any further.

Validating the update.

Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2017-06-10 09:02:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0166.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
