Not giving more details until I've confirmed that this bug is embargoed.
(In reply to comment #0)
> Not giving more details until I've confirmed that this bug is embargoed.

I'm glad I did that before going into details; apparently, emptying the "QA Contact" is not enough, you have to explicitly set it to something else...

The flaw is that if you connect to a legacy Jabber (i.e. not XMPP) server, WockyConnector:tls-required is not respected: we go straight to trying to perform legacy Jabber authentication. A network intermediary could exploit this by making their man-in-the-middle server implement legacy Jabber, rather than XMPP.

The logic we should follow is: if the server is legacy Jabber, check whether we have already authenticated the server using "old SSL" (https-style SSL without STARTTLS, typically on port 5223). If we haven't, and TLS is required, stop.
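To make the decision described in the comment above concrete, here is an added, self-contained model of the connector's post-stream-header step. It is example code written for this page, not Wocky or telepathy-gabble source, and it assumes one simplification: a server is treated as legacy Jabber when its opening `<stream:stream>` header carries no `version` attribute of 1.0 or later (per RFC 6120). The two stream headers are constructed test inputs, and `tls_required` / `old_ssl` stand in for WockyConnector:tls-required and for "we connected over old SSL on port 5223", respectively.

```python
"""Model of the decision a client connector should make once the server's
<stream:stream> header arrives. Constructed example; not Wocky code."""
import re
from dataclasses import dataclass

# RFC 6120: an XMPP 1.0 server announces version='1.0' on its stream header.
# Legacy (pre-1.0) Jabber servers omit the attribute entirely.
_VERSION_RE = re.compile(r"""\bversion\s*=\s*['"]([^'"]+)['"]""")

# Constructed sample headers (not captured from any real server).
XMPP10_HEADER = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.org' id='c1' version='1.0'>"
)
# What a downgrading man-in-the-middle would send: same header, no version.
LEGACY_HEADER = (
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.org' id='c1'>"
)


def is_legacy_jabber(stream_header: str) -> bool:
    """True if the header lacks version >= 1.0, i.e. the peer speaks legacy Jabber."""
    m = _VERSION_RE.search(stream_header)
    if m is None:
        return True
    try:
        major = int(m.group(1).split(".")[0])
    except ValueError:
        return True
    return major < 1


@dataclass
class ConnectorState:
    tls_required: bool   # the tls-required flag the user/config asked for
    old_ssl: bool        # transport was wrapped in TLS before the stream opened


def next_step_vulnerable(state: ConnectorState, header: str) -> str:
    """Pre-fix behaviour: legacy Jabber goes straight to auth, flag ignored."""
    if is_legacy_jabber(header):
        return "legacy-auth"
    return "xmpp-features"   # STARTTLS is negotiated (and tls-required checked) later


def next_step_fixed(state: ConnectorState, header: str) -> str:
    """Fixed behaviour: legacy Jabber can only ever be encrypted via old SSL,
    so if TLS is required and we did not already have it, stop here."""
    if is_legacy_jabber(header):
        if state.tls_required and not state.old_ssl:
            return "abort:tls-required"
        return "legacy-auth"
    return "xmpp-features"


def downgrade_scenario() -> dict:
    """Client configured with tls-required, plaintext port, MITM answers as legacy Jabber."""
    state = ConnectorState(tls_required=True, old_ssl=False)
    return {
        "vulnerable": next_step_vulnerable(state, LEGACY_HEADER),
        "fixed": next_step_fixed(state, LEGACY_HEADER),
    }


if __name__ == "__main__":
    print(downgrade_scenario())
```

The point the model makes is where the check has to live: for XMPP 1.0 the flag can be enforced when STARTTLS is (or is not) offered, but a legacy stream has no such later step, so the only correct place is immediately after classifying the stream header, using what the transport already knows.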
Created attachment 79847
security: respect tls-required flag on legacy Jabber servers

It's checked elsewhere for XMPP 1.0 servers, which can either use "old SSL" or perform STARTTLS. Legacy Jabber can only use "old SSL", which is similar to https - connect to a separate port, typically 5223, and start speaking SSL - so if the connection was ever going to be encrypted, by this point it already would be.
Comment on attachment 79847
security: respect tls-required flag on legacy Jabber servers

Review of attachment 79847:
-----------------------------------------------------------------

Looks good (any chance to get a test for it as well?) :)
Created attachment 79891
NEWS: update and describe configuration changes for fd.o #65036
Created attachment 79892
tests: fix JabberAuthenticator when self.emit_events is False

We don't currently use JabberAuthenticator in this mode, so nobody noticed that it didn't work. I'm about to add a test that does use it.
Created attachment 79893
Add a regression test for fd.o #65036
Created attachment 79894
patch for telepathy-gabble 0.16.x (x < 6) releases

This is the same as Attachment #79847, but with paths adjusted to apply to the Wocky submodule in vulnerable telepathy-gabble 0.16.x releases. Distributors will probably want to use this one; for instance, it's what I intend to apply in Debian.
Credit: thanks to Maksim Otstavnov for discovering this issue and reporting it to Debian.
Created attachment 79953
Add a regression test for fd.o #65036

---

Attachment #79893 was an older version; I had some uncommitted changes. In attachment #79893 the "don't require encryption" case doesn't pass, but we test the legacy Jabber case without requiring encryption elsewhere anyway (tests/twisted/sasl/jabber_auth.py).
Comment on attachment 79953
Add a regression test for fd.o #65036

Review of attachment 79953:
-----------------------------------------------------------------

Looks good to me!
Created attachment 79974
NEWS: update and describe configuration changes for fd.o #65036

---

Attachment #79891 didn't make much sense to review... this is what I meant to attach. Any opinion on this, or on Attachment #79892?
Comment on attachment 79892
tests: fix JabberAuthenticator when self.emit_events is False

Review of attachment 79892:
-----------------------------------------------------------------

Looks fine.
Comment on attachment 79894
patch for telepathy-gabble 0.16.x (x < 6) releases

Review of attachment 79894:
-----------------------------------------------------------------

Also looks fine, obvs.
Comment on attachment 79974
NEWS: update and describe configuration changes for fd.o #65036

Review of attachment 79974:
-----------------------------------------------------------------

Looks good.
telepathy-gabble 0.16.6 is ready for upload. My plan is to release and unembargo it tomorrow.

Note for distributors: the patch you want to apply to telepathy-gabble is Attachment #79894. The rest are not necessary.

I've confirmed that Attachment #79894 applies and fixes this vulnerability on telepathy-gabble 0.9.15, as shipped in Debian 6 (oldstable). I would expect that it will work on anything in between, too.
Ending embargo.
This was fixed in 0.16.6 and 0.17.5. Attachment #79894 should fix it for other versions.