[Telepathy] Announce: telepathy-gabble 0.11.7 (containing a security fix)

Will Thompson will.thompson at collabora.co.uk
Wed Feb 16 09:10:18 PST 2011


I have just released telepathy-gabble version 0.11.7, the latest from
the current 0.11 development branch, which contains (among other
changes) a fix for a security issue in Jingle calls.

tarball: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.11.7.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.11.7.tar.gz.asc

The issue theoretically allows attackers to trick Gabble into sending
streamed media via a relay server selected by the attacker (as opposed
to via a relay server selected by the XMPP service, or of course
directly to and from the other party).

The attacker sends the target a google:jingleinfo stanza containing a
STUN server and a media relay of their choosing. Gabble does not check
that the stanza was sent by the user's (trusted) server, and so
interprets the contents. The malicious STUN server would be crafted to
make the streaming implementation believe that it must use a relay
(rather than being able to connect directly to the peer), and then the
attacker's relay would be used.
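The missing check described above, in a small added example (not Gabble's own code): a google:jingleinfo result is only honoured when its sender is the user's own account or server, and the STUN/relay servers it names are discarded otherwise. The stanza format follows the google:jingleinfo query structure; the JIDs, hostnames, sample stanzas and the exact acceptance rule are constructed assumptions for the demonstration, not quotations from the fix.

```python
# Added example (not Gabble's own code): accept STUN/relay servers from a
# google:jingleinfo result only when the sender is trusted. The stanzas,
# JIDs and hostnames below are constructed; the acceptance rule ("no 'from',
# or 'from' is our own bare JID or our own server") is an assumption.
import xml.etree.ElementTree as ET

NS = "google:jingleinfo"


def bare_jid(jid):
    """user@host/resource -> user@host"""
    return jid.split("/", 1)[0]


def domain_of(jid):
    """user@host/resource -> host"""
    return bare_jid(jid).rsplit("@", 1)[-1]


def sender_is_trusted(sender, own_jid):
    """A jingleinfo result may only come from our own account or our own
    server. A missing 'from' means the local server, which is trusted."""
    if sender is None:
        return True
    return bare_jid(sender) in (bare_jid(own_jid), domain_of(own_jid))


def _servers(parent):
    """Collect (host, udp_port) pairs from <server/> children of <stun/> or <relay/>."""
    if parent is None:
        return []
    return [(s.get("host"), int(s.get("udp")))
            for s in parent.findall("{%s}server" % NS)
            if s.get("host") and s.get("udp")]


def accept_jingleinfo(stanza_xml, own_jid):
    """Parse an IQ and return {'stun': [...], 'relay': [...]} if it is a
    google:jingleinfo result from a trusted sender, otherwise None (reject)."""
    iq = ET.fromstring(stanza_xml)
    if iq.tag.split("}")[-1] != "iq" or iq.get("type") != "result":
        return None
    query = iq.find("{%s}query" % NS)
    if query is None:
        return None
    if not sender_is_trusted(iq.get("from"), own_jid):
        return None  # untrusted relay/STUN info: never route media through it
    return {
        "stun": _servers(query.find("{%s}stun" % NS)),
        "relay": _servers(query.find("{%s}relay" % NS)),
    }


OWN_JID = "alice@example.com/phone"

# Constructed: what the user's own server would send.
LEGIT = ('<iq xmlns="jabber:client" type="result" id="ji1" from="example.com" to="%s">'
         '<query xmlns="google:jingleinfo">'
         '<stun><server host="stun.example.com" udp="3478"/></stun>'
         '<relay><server host="relay.example.com" udp="3478"/></relay>'
         '</query></iq>' % OWN_JID)

# Constructed: the same stanza shape arriving from an unrelated contact.
FROM_CONTACT = LEGIT.replace('from="example.com"', 'from="mallory@example.org/laptop"')

if __name__ == "__main__":
    print(accept_jingleinfo(LEGIT, OWN_JID))         # servers are accepted
    print(accept_jingleinfo(FROM_CONTACT, OWN_JID))  # None: rejected
```

The check is on the stanza's origin, not on the servers it lists: a relay named by the user's own server is trusted exactly as before, while the same content from any other JID is ignored, which is what prevents a contact from steering the media path.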

We have not constructed an exploit for this vulnerability, but we do
have a test case demonstrating the bug in Gabble. All versions of the
0.8 and 0.10 stable branches of Gabble, as well as the unstable 0.11
series, are affected.

Note that we do not give any security guarantees for streamed media
calls, in general: audio/video data is not encrypted, so an attacker
able to intercept the target's network traffic may always snoop on
calls. This flaw exacerbates the situation by allowing attackers outside
the network path to compromise the call.

See <https://bugs.freedesktop.org/show_bug.cgi?id=34048> for more
details, including individual patches for each affected version of
Gabble.


Dependencies:

• telepathy-glib ≥ 0.13.12 is now required.

Fixes:

• fd.o#32390: Gabble now treats a request for a ContactSearch channel
  with Server set to the empty string as equivalent to not specifying a
  server, and rejects requests where the JID specified for Server is
  invalid. (wjt)

• fd.o#32874: Offline contacts are now assumed to support 1–1 text channels.
  (jonnylamb)

• fd.o#34048: Malicious contacts can no longer trick Gabble into relaying
  audio/video data via a server of their choosing. (wjt, sjoerd)

Enhancements:

• fd.o#32815: fallback-conference-server now defaults to
  conference.telepathy.im. Thus, if the user's server doesn't have a
  conference component configured, upgrading a 1-1 chat into an ad-hoc
  conference still works.

• fd.o#11291: support for xep-0092, Software Version. (Robot101, Michael
  Scherer)

• fd.o#33471: support for the FileTransfer.URI property. (cassidy)

Regards,
-- 
Will