Bug 822586 (CVE-2013-1431) - VUL-0: telepathy-gabble: CVE-2013-1431: TLS bypass via use of legacy Jabber
Summary: VUL-0: telepathy-gabble: CVE-2013-1431: TLS bypass via use of legacy Jabber
Status: RESOLVED FIXED
Alias: CVE-2013-1431
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Hans Petter Jansson
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-05-31 09:08 UTC by Alexander Bergmann
Modified: 2013-08-29 14:33 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2013-05-31 09:08:10 UTC
Public via oss-security.

Date: Thu, 30 May 2013 15:54:26 +0100
From: Simon McVittie
Subject: [oss-security] CVE-2013-1431: telepathy-gabble: TLS bypass via use of legacy Jabber

Maksim Otstavnov reported a vulnerability in the Wocky submodule used by
telepathy-gabble, an XMPP client implementation for the Telepathy
framework. A network intermediary could use this vulnerability to bypass
TLS verification and perform a man-in-the-middle attack. The Debian
security team has allocated CVE-2013-1431 for this vulnerability.

This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All
versions since 0.9.x are believed to be vulnerable. The patch
described below is likely to apply to all affected versions without
modification.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, fixed versions of telepathy-gabble will not connect to that
server until you make one of these configuration changes:

* upgrade the server software to something that supports XMPP 1.0; or
* use an encrypted "old SSL" connection, typically on port 5223
  (old-ssl); or
* turn off "Encryption required (TLS/SSL)" (require-encryption).

Since the vulnerable code is in a git submodule, distributors with
tarball-based builds for telepathy-gabble will need to apply a patch
with suitably adjusted paths. A suitable patch[1] is available from
the Telepathy bug report[2]. Distributors who will patch the Wocky
submodule directly can take the patch from the git commit[3].

In the current development branch, versions 0.17.0 to 0.17.3 are
vulnerable; the upcoming 0.17.4 release will fix this vulnerability.

Regards,
    Simon

[0] http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz
    http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc
[1] https://bugs.freedesktop.org/attachment.cgi?id=79894
[2] https://bugs.freedesktop.org/show_bug.cgi?id=65036
[3] cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
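The advisory above says that fixed versions refuse an unencrypted connection to a "legacy Jabber" (pre-XMPP 1.0) server when encryption is required, and lists old-ssl or disabling require-encryption as the ways to still reach such a server. The following is an added model of that policy change, written for this page; it is not Wocky or telepathy-gabble code. The function names, the `fixed` flag, the sample server openings and the way the intermediary is modelled (rewriting a modern server's stream header so that it looks like a legacy server) are all assumptions made for the illustration; the stream and STARTTLS namespaces are the standard XMPP ones.

```python
"""Model of the legacy-Jabber TLS policy described in CVE-2013-1431.

Added illustration, not project code.  An XMPP 1.0 server opens its stream
with version='1.0' and advertises STARTTLS in <stream:features>; a legacy
(pre-XMPP) server sends no version attribute and can never offer STARTTLS.
"""
import re
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample server openings (not captured traffic).
MODERN_SERVER = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.org' id='s1' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
LEGACY_SERVER = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='example.org' id='s2'>"
)


def parse_server_opening(data):
    """Return (stream version attribute or None, True if STARTTLS is advertised).

    The stream header stays unclosed until the session ends, so it is read with
    a regex; the <stream:features> child, when present, is complete XML.
    """
    m = re.match(r"\s*(?:<\?xml[^>]*\?>)?\s*<stream:stream\b([^>]*)>", data)
    if not m:
        raise ValueError("not an XMPP stream header")
    attrs = dict(re.findall(r"([\w:]+)=['\"]([^'\"]*)['\"]", m.group(1)))
    starttls = False
    fm = re.search(r"<stream:features>.*?</stream:features>", data[m.end():], re.S)
    if fm:
        root = ET.fromstring("<r xmlns:stream='%s'>%s</r>" % (STREAM_NS, fm.group(0)))
        starttls = root.find(".//{%s}starttls" % TLS_NS) is not None
    return attrs.get("version"), starttls


def is_xmpp_1_0(version):
    """Stream versions are 'major.minor'; absent or below 1.0 means legacy Jabber."""
    if version is None:
        return False
    major = version.split(".")[0]
    return major.isdigit() and int(major) >= 1


def choose_transport(opening, require_encryption, old_ssl=False, fixed=True):
    """Decide how the client proceeds (hypothetical policy function).

    'old-ssl'   TLS from the first byte (port 5223); no in-stream negotiation
    'starttls'  XMPP 1.0 STARTTLS, then certificate verification
    'plaintext' unencrypted session
    'refuse'    abort the connection

    fixed=False models the behaviour the advisory calls vulnerable: a legacy
    stream is accepted unencrypted even though encryption is required.
    """
    if old_ssl:
        return "old-ssl"
    version, starttls = parse_server_opening(opening)
    if is_xmpp_1_0(version):
        if starttls:
            return "starttls"
        return "refuse" if require_encryption else "plaintext"
    # Legacy stream: STARTTLS cannot be offered, so no encryption is possible here.
    if require_encryption and fixed:
        return "refuse"
    return "plaintext"


def downgrade(opening):
    """Assumed intermediary behaviour: strip version='1.0' and the feature list
    from a modern server's opening so the client sees a legacy Jabber server."""
    header = re.search(r"<stream:stream\b[^>]*>", opening)
    stripped = re.sub(r"\s+version=['\"][^'\"]*['\"]", "", header.group(0))
    opening = opening[:header.start()] + stripped + opening[header.end():]
    return re.sub(r"<stream:features>.*?</stream:features>", "", opening, flags=re.S)


def outcomes(require_encryption=True):
    """Outcome per scenario under the vulnerable and the fixed policy."""
    scenarios = {
        "modern": MODERN_SERVER,
        "legacy": LEGACY_SERVER,
        "modern-downgraded-by-mitm": downgrade(MODERN_SERVER),
    }
    return {
        name: {
            "vulnerable": choose_transport(o, require_encryption, fixed=False),
            "fixed": choose_transport(o, require_encryption, fixed=True),
        }
        for name, o in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in outcomes().items():
        print("%-26s vulnerable=%-9s fixed=%s" % (name, result["vulnerable"], result["fixed"]))
```

With require-encryption on, the model yields `starttls` for a genuine XMPP 1.0 server under both policies, but for the legacy server and for the modern server as seen through the intermediary the vulnerable policy proceeds in `plaintext` while the fixed policy returns `refuse`; the intermediary's rewrite is indistinguishable from a real legacy server at the stream level, which is why the fix has to refuse rather than fall back. Old-ssl short-circuits the decision because TLS is already established before any stream header is exchanged, and turning require-encryption off restores the plaintext fallback for both policies.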
Comment 1 Scott Reeves 2013-05-31 15:59:20 UTC
HPJ, can you look into this ...
Comment 2 Swamp Workflow Management 2013-05-31 22:00:38 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2013-06-03 13:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (822586) was mentioned in
https://build.opensuse.org/request/show/177297 Maintenance / 
https://build.opensuse.org/request/show/177298 Maintenance /
Comment 4 Swamp Workflow Management 2013-06-14 09:07:52 UTC
openSUSE-SU-2013:1013-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 822586
CVE References: CVE-2013-1431
Sources used:
openSUSE 12.3 (src):    telepathy-gabble-0.17.1-2.8.1
openSUSE 12.2 (src):    telepathy-gabble-0.16.0-3.8.1
Comment 5 Marcus Meissner 2013-08-29 14:33:40 UTC
We have telepathy-gabble-0.7.10 in SLE-11, so let's assume we are not affected.