[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: kopete+otr send messages unencrypted without notice

On Sat, 11 Jun 2016 17:43:14 +0200 Francois Gerin <francois.gerin@gmail.com> wrote:
> Subject: kopete+otr send messages unencrypted without notice
> Package: kopete
> Version: 4:4.14.1-2
> Justification: user security hole
> Severity: grave
> Tags: security upstream
> 
> Dear Maintainer,
> 
> Using kopete with OTR plugin lead to messages sent unencrypted without notice. (I discovered this 
after sending sensitive credentials while helping some people remotely...)
> 
> After checking that OTR encryption was working ("private session started" notice), I was helping 
people remotely while feeling secure. After a first restart of the other end computer, I saw a 
notification saying that OTR session was refreshed (which is normal$
> Later on, I detected that, in fact, the people at the other end were getting all my messages 
unencrypted... despite of the notification I got on my end.
> First detection was done with "Opportunistic" policy on both sides. Then I tested again with a 
full restart at both ends + "Always" policy for OTR plugin. Same result: when the other end restarts 
and I keep my session opened, I get the "OTR session refreshed"$
> 
> Several accounts credentials were sent in clear, among which for a root account.
> 
> When I pay attention for the "OTR session refreshed" message, and especially when "Always" policy 
is used on both sides, I would expect to be alerted that some internal issue canceled the 
encryption, no matters what's the reason.
> The notifications are not reliable, and we're talking about a secure messaging system here 
(OTR)... This forced me to uninstall kopete, since I cannot rely on it for secure messaging.
> 
> Remarks:
>  - Two bugs already mention this in the bug tracking of kopete at 
https://bugs.kde.org/show_bug.cgi?id=274099 and https://bugs.kde.org/show_bug.cgi?id=362535
>  - While the kopete team cannot solve this (old) issue, I cannot believe debian can go on 
propagating this dangerous thing and the heavy security consequences to the community, among which 
are key journalists.
>  - Until it is fixed, the OTR plugin should be disabled for kopete, or the kopete UI should at 
least alert about its experimental support status in red uppercases.
> 
> Thanks a lot in advance for any action, to disable it or fix it!
> 
> 
> 
> 
> -- System Information:
> Debian Release: 8.5
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages kopete depends on:
> ii  kde-runtime             4:4.14.2-2
> ii  kdepim-runtime          4:4.14.2-3
> ii  libc6                   2.19-18+deb8u4
> ii  libexpat1               2.1.0-6+deb8u3
> ii  libgadu3                1:1.12.0-5
> ii  libgif4                 4.1.6-11+deb8u1
> ii  libglib2.0-0            2.42.1-1+b1
> ii  libidn11                1.29-1+deb8u1
> ii  libjasper1              1.900.1-debian1-2.4+deb8u1
> ii  libkabc4                4:4.14.2-2+b1
> ii  libkcmutils4            4:4.14.2-5
> ii  libkde3support4         4:4.14.2-5
> ii  libkdecore5             4:4.14.2-5
> ii  libkdeui5               4:4.14.2-5
> ii  libkdnssd4              4:4.14.2-5
> ii  libkemoticons4          4:4.14.2-5
> ii  libkhtml5               4:4.14.2-5
> ii  libkio5                 4:4.14.2-5

Hi! This problem is fixed in Kopete 16.12.

Debian KDE team now needs to update Kopete package...

-- 
Pali Rohár
pali.rohar@gmail.com

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: