On Sat, 11 Jun 2016 17:43:14 +0200 Francois Gerin wrote:
> Subject: kopete+otr send messages unencrypted without notice
> Package: kopete
> Version: 4:4.14.1-2
> Justification: user security hole
> Severity: grave
> Tags: security upstream
>
> Dear Maintainer,
>
> Using kopete with the OTR plugin leads to messages being sent unencrypted
> without notice. (I discovered this after sending sensitive credentials while
> helping some people remotely...)
>
> After checking that OTR encryption was working ("private session started"
> notice), I was helping people remotely while feeling secure. After a first
> restart of the other end computer, I saw a notification saying that OTR
> session was refreshed (which is normal
> Later on, I detected that, in fact, the people at the other end were getting
> all my messages unencrypted... despite the notification I got on my end.
> First detection was done with "Opportunistic" policy on both sides. Then I
> tested again with a full restart at both ends + "Always" policy for OTR
> plugin. Same result: when the other end restarts and I keep my session
> opened, I get the "OTR session refreshed"
>
> Several accounts' credentials were sent in clear, among which one for a root
> account.
>
> When I pay attention to the "OTR session refreshed" message, and especially
> when "Always" policy is used on both sides, I would expect to be alerted that
> some internal issue canceled the encryption, no matter what the reason is.
> The notifications are not reliable, and we're talking about a secure
> messaging system here (OTR)... This forced me to uninstall kopete, since I
> cannot rely on it for secure messaging.
>
> Remarks:
> - Two bugs already mention this in the bug tracking of kopete at
>   https://bugs.kde.org/show_bug.cgi?id=274099 and
>   https://bugs.kde.org/show_bug.cgi?id=362535
> - While the kopete team cannot solve this (old) issue, I cannot believe
>   Debian can go on propagating this dangerous thing and the heavy security
>   consequences to the community, among which are key journalists.
> - Until it is fixed, the OTR plugin should be disabled for kopete, or the
>   kopete UI should at least alert about its experimental support status in
>   red uppercase letters.
>
> Thanks a lot in advance for any action, to disable it or fix it!
>
> -- System Information:
> Debian Release: 8.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages kopete depends on:
> ii kde-runtime 4:4.14.2-2
> ii kdepim-runtime 4:4.14.2-3
> ii libc6 2.19-18+deb8u4
> ii libexpat1 2.1.0-6+deb8u3
> ii libgadu3 1:1.12.0-5
> ii libgif4 4.1.6-11+deb8u1
> ii libglib2.0-0 2.42.1-1+b1
> ii libidn11 1.29-1+deb8u1
> ii libjasper1 1.900.1-debian1-2.4+deb8u1
> ii libkabc4 4:4.14.2-2+b1
> ii libkcmutils4 4:4.14.2-5
> ii libkde3support4 4:4.14.2-5
> ii libkdecore5 4:4.14.2-5
> ii libkdeui5 4:4.14.2-5
> ii libkdnssd4 4:4.14.2-5
> ii libkemoticons4 4:4.14.2-5
> ii libkhtml5 4:4.14.2-5
> ii libkio5 4:4.14.2-5
Hi! This problem is fixed in Kopete 16.12.
The Debian KDE team now needs to update the Kopete package...
--
Pali Rohár
pali.ro...@gmail.com