[Telepathy] Announce: telepathy-gabble 0.10.5 (containing a security fix)

Will Thompson will.thompson at collabora.co.uk
Wed Feb 16 09:10:16 PST 2011


I have just released telepathy-gabble version 0.10.5, the latest from
the 0.10 stable branch, which contains a fix for a security issue in
Jingle calls (plus one crash fix, and tweaks to the test suite).

tarball: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.10.5.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.10.5.tar.gz.asc

The issue theoretically allows attackers to trick Gabble into sending
streamed media via a relay server selected by the attacker (as opposed
to via a relay server selected by the XMPP service, or of course
directly to and from the other party).

The attacker sends the target a google:jingleinfo stanza containing a
STUN server and a media relay of their choosing. Gabble does not check
that the stanza was sent by the user's (trusted) server, and so
interprets the contents. The malicious STUN server would be crafted to
make the streaming implementation believe that it must use a relay
(rather than being able to connect directly to the peer), and then the
attacker's relay would be used.

We have not constructed an exploit for this vulnerability, but we do
have a test case demonstrating the bug in Gabble. All versions of the
0.8 and 0.10 stable branches of Gabble, as well as the unstable 0.11
series, are affected.

Note that we do not give any security guarantees for streamed media
calls, in general: audio/video data is not encrypted, so an attacker
able to intercept the target's network traffic may always snoop on
calls. This flaw exacerbates the situation by allowing attackers outside
the network path to compromise the call. 

See <https://bugs.freedesktop.org/show_bug.cgi?id=34048> for more
details, including individual patches for each affected version of
Gabble.


The “Well, what's the architecture of a software in general actually!!!!!!”
release.

Fixes:

• fd.o #31412: fix crashes during disconnection if a PEP alias request is
  in-flight (smcv)

• Loosen an assertion to fix test failure with telepathy-glib >= 0.13.5,
  which releases connections' object paths sooner (smcv)

• fd.o#34048: Malicious contacts can no longer trick Gabble into relaying
  audio/video data via a server of their choosing. (wjt, sjoerd)

-- 
Will


More information about the telepathy mailing list