[Telepathy] Announce: telepathy-gabble 0.8.15 (containing a security fix)

Will Thompson will.thompson at collabora.co.uk
Wed Feb 16 09:10:27 PST 2011


I have just released telepathy-gabble version 0.8.15, the latest from
the 0.8 old-stable branch, which contains a fix for a security issue in
Jingle calls (and a fix for a JID validation bug).

tarball: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.8.15.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.8.15.tar.gz.asc

The issue theoretically allows attackers to trick Gabble into sending
streamed media via a relay server selected by the attacker (as opposed
to via a relay server selected by the XMPP service, or of course
directly to and from the other party).

The attacker sends the target a google:jingleinfo stanza containing a
STUN server and a media relay of their choosing. Gabble does not check
that the stanza was sent by the user's (trusted) server, and so
interprets the contents. The malicious STUN server would be crafted to
make the streaming implementation believe that it must use a relay
(rather than being able to connect directly to the peer), and then the
attacker's relay would be used.

We have not constructed an exploit for this vulnerability, but we do
have a test case demonstrating the bug in Gabble. All versions of the
0.8 and 0.10 stable branches of Gabble, as well as the unstable 0.11
series, are affected.

Note that we do not give any security guarantees for streamed media
calls, in general: audio/video data is not encrypted, so an attacker
able to intercept the target's network traffic may always snoop on
calls. This flaw exacerbates the situation by allowing attackers outside
the network path to compromise the call.

See <https://bugs.freedesktop.org/show_bug.cgi?id=34048> for more
details, including individual patches for each affected version of
Gabble.


The “From now on, I will live on cigarettes and black coffee.” release.

Fixes:

• fd.o#34048: Malicious contacts can no longer trick Gabble into relaying
  audio/video data via a server of their choosing. (wjt, sjoerd)

• Messages from JIDs with valid, but non-ASCII, domains are no longer silently
  dropped.

-- 
Will
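
The sender check whose absence the announcement describes, sketched as an added example; it is not Gabble's code and not the patch from fd.o#34048. The struct and function names are hypothetical, and the trust rule (no `from`, the user's own bare JID, or the account's server domain) is an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical types for this sketch; not Gabble's own structures. */
struct relay_config  { const char *stun_server; const char *relay_host; };
struct jingleinfo_iq { const char *from; const char *stun_server;
                       const char *relay_host; };

/* ASCII-only case-insensitive equality. Real code must compare
 * stringprep-normalised JIDs, since domains may be non-ASCII. */
static bool jid_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Assumed policy: accept only a missing 'from', our own bare JID,
 * or our server's domain. A 'from' with a resource is a client. */
bool jingleinfo_sender_trusted(const char *from, const char *own_bare_jid)
{
    const char *at = strchr(own_bare_jid, '@');
    const char *own_domain = at ? at + 1 : own_bare_jid;

    if (from == NULL)
        return true;              /* no 'from': sent by our server */
    if (strchr(from, '/') != NULL)
        return false;             /* full JID, never the server */
    return jid_eq(from, own_bare_jid) || jid_eq(from, own_domain);
}

/* Apply STUN/relay settings only when the sender check passes. */
bool apply_jingleinfo(struct relay_config *cfg,
                      const struct jingleinfo_iq *iq,
                      const char *own_bare_jid)
{
    if (!jingleinfo_sender_trusted(iq->from, own_bare_jid))
        return false;             /* dropped: cfg is left untouched */
    cfg->stun_server = iq->stun_server;
    cfg->relay_host = iq->relay_host;
    return true;
}
```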

