BugTraq
pidgin OTR information leakage Feb 25 2012 04:31PM
Dimitris Glynos (dimitris census-labs com) (1 replies)
Re: pidgin OTR information leakage Feb 27 2012 05:27PM
Jann Horn (jannhorn googlemail com) (1 replies)
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 07:37PM
Michele Orru (antisnatchor gmail com) (1 replies)
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 08:21PM
Rich Pieri (ratinox MIT EDU) (1 replies)
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
> I think you didn't understood the content of the advisory.
> If there are 10 non-root users in an Ubuntu machine for example,
> if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
> can see what user 1 pidgin conversation.

This is not what the OP or CVE describe:

>> plaintext. This makes it possible for attackers that have gained
>> user-level access on a host, to listen in on private conversations
>> associated with the victim account.

Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue.

I believe that clarification is in order.

--
Rich Pieri <ratinox (at) MIT (dot) EDU [email concealed]>
MIT Laboratory for Nuclear Science

[ reply ]
Re: [Full-disclosure] pidgin OTR information leakage Feb 27 2012 09:27PM
Jeffrey Walton (noloader gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus