Bug#857546: profanity: Server certificates are not verified

Wolfgang Wiedmeyer
Package: profanity
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

Profanity is not built against libmesode[1]. Libmesode is a fork of
libstrophe that allows validating the certificate chain. Upstream bug
#280 provides more information[2]. Libmesode doesn't seem to be packaged
yet in Debian.

If Profanity does not verify the XMPP server's certificate using
Debian's store of known CA certificates, users' passwords, text messages
and other sensitive information can be intercepted.

Best regards,
Wolfgang


[1]  https://github.com/boothj5/libmesode

[2]  https://github.com/boothj5/profanity/issues/280



-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-grsec-amd64 (SMP w/8 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Tomasz Buchert via nm
On 12/03/17 13:53, Wolfgang Wiedmeyer wrote:

> Package: profanity
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> Profanity is not built against libmesode[1]. Libmesode is a fork of
> libstrophe that allows validating the certificate chain. Upstream bug
> #280 provides more information[2]. Libmesode doesn't seem to be packaged
> yet in Debian.
>
> If Profanity does not verify the XMPP server's certificate using
> Debian's store of known CA certificates, users' passwords, text messages
> and other sensitive information can be intercepted.
>
> Best regards,
> Wolfgang
>
Hi Wolfgang,

It seems unlikely that we will be able to fix this for stretch. This
would require a new package upload and this is already a
no-go. Personally I think that forking libstrophe in the first place
was not a great idea, but I may lack some context.

I don't know what will be the best way to proceed. Maybe we can clearly
specify in the manpage/--help/during-the-first-run that profanity does
not verify cert chains and the user is responsible for providing a safe
channel, via SSH tunnel or similar, for example?

Tomasz

Wolfgang Wiedmeyer
Hi Tomasz,

Tomasz Buchert writes:

> It seems unlikely that we will be able to fix this for stretch. This
> would require a new package upload and this is already a
> no-go. Personally I think that forking libstrophe in the first place
> was not a great idea, but I may lack some context.

OK, is there no policy that allows a new package upload if it fixes a
serious security issue?

> I don't know what will be the best way to proceed. Maybe we can clearly
> specify in the manpage/--help/during-the-first-run that profanity does
> not verify cert chains and the user is responsible for providing a safe
> channel, via SSH tunnel or similar, for example?

Sounds good. Are there plans then to package libmesode? An updated
profanity that is built against libmesode could then be provided in
Stretch Backports.

Best regards,
Wolfgang

--
Website: https://fossencdi.org
OpenPGP: 0F30 D1A0 2F73 F70A 6FEE  048E 5816 A24C 1075 7FC4
Key download: https://wiedmeyer.de/keys/ww.asc
