Bug 52448

Summary: Don't allow others to close random tubes
Product: Telepathy Reporter: Jonny Lamb <jonny.lamb>
Component: gabbleAssignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED MOVED QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: normal    
Priority: medium    
Version: git master   
Hardware: Other   
OS: All   
i915 platform: i915 features:

Description Jonny Lamb 2012-07-24 16:02:46 UTC
(From bug #32612 comment #6):
> +private_tubes_factory_tube_close_cb (
> ...
> + if (!tube_msg_checks (self, msg, node, NULL, &tube_id))
> + return FALSE;
> Er, this function allows Alice to close tubes between us and Bob, if she can
> guess or brute-force the tube ID. Pre-existing bug?
> + DEBUG ("tube ID already in use; do not open the offered tube and close "
> + "the existing tube if it's to the same contact");
> Not a merge blocker and presumably not your fault, but these semantics are
> crazy. We should have a separate tube ID "namespace" per peer, and store tubes
> in the hash table by (handle, id) tuples or something.
Comment 1 GitLab Migration User 2019-12-03 19:57:36 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/telepathy/telepathy-gabble/issues/237.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.