I have just released telepathy-gabble version 0.10.5, the latest from the 0.10 stable branch, which contains a fix for a security issue in Jingle calls (plus one crash fix, and tweaks to the test suite).
tarball: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.10.5.tar.gz
signature: http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.10.5.tar.gz.asc

The issue theoretically allows attackers to trick Gabble into sending streamed media via a relay server selected by the attacker (as opposed to via a relay server selected by the XMPP service, or of course directly to and from the other party). The attacker sends the target a google:jingleinfo stanza containing a STUN server and a media relay of their choosing. Gabble does not check that the stanza was sent by the user's (trusted) server, and so interprets the contents. The malicious STUN server would be crafted to make the streaming implementation believe that it must use a relay (rather than being able to connect directly to the peer), and then the attacker's relay would be used.

We have not constructed an exploit for this vulnerability, but we do have a test case demonstrating the bug in Gabble. All versions of the 0.8 and 0.10 stable branches of Gabble, as well as the unstable 0.11 series, are affected.

Note that we do not give any security guarantees for streamed media calls, in general: audio/video data is not encrypted, so an attacker able to intercept the target's network traffic may always snoop on calls. This flaw exacerbates the situation by allowing attackers outside the network path to compromise the call.

See <https://bugs.freedesktop.org/show_bug.cgi?id=34048> for more details, including individual patches for each affected version of Gabble.

The “Well, what's the architecture of a software in general actually!!!!!!” release.
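To make the missing check concrete, here is an added illustration (not Gabble's own code) of how a client should gate a google:jingleinfo result: act on it only if it answers a request we actually sent and its 'from' is absent or names our own account or server. The own_jid/pending_ids parameters and the sample stanzas are constructed for the example, and the stun/relay/server element layout is assumed from the Google Talk jingleinfo extension.

```python
import xml.etree.ElementTree as ET

NS = "google:jingleinfo"

def from_own_server(stanza_from, own_jid):
    # RFC 6120: a stanza with no 'from' comes from the user's own server;
    # a server may also stamp the user's bare JID or its own domain.
    bare = own_jid.split("/", 1)[0]
    domain = bare.rsplit("@", 1)[-1]
    return stanza_from is None or stanza_from in (bare, domain)

def accept_jingleinfo(xml_text, own_jid, pending_ids):
    """Return the STUN and relay hosts to use, or None if the stanza must
    be ignored. A result is only trusted when it answers one of our own
    requests AND comes from our own server (the check the advisory says
    Gabble lacked)."""
    iq = ET.fromstring(xml_text)
    if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "result":
        return None
    if iq.get("id") not in pending_ids:            # not a reply we asked for
        return None
    if not from_own_server(iq.get("from"), own_jid):  # a contact, not our server
        return None
    query = iq.find(f"{{{NS}}}query")
    if query is None:
        return None
    stun = [s.get("host") for s in query.iterfind(f"{{{NS}}}stun/{{{NS}}}server")]
    relay = [s.get("host") for s in query.iterfind(f"{{{NS}}}relay/{{{NS}}}server")]
    return {"stun": stun, "relay": relay}

# Constructed sample stanzas: one genuine reply from our server (no 'from'),
# one injected by a contact, which the server stamps with the contact's JID.
OWN_JID = "alice@example.com/laptop"
PENDING = {"ji1"}
GOOD = ('<iq type="result" id="ji1">'
        f'<query xmlns="{NS}"><stun><server host="stun.example.com" udp="19302"/></stun>'
        '<relay><server host="relay.example.com" udp="19295"/></relay></query></iq>')
SPOOFED = ('<iq type="result" id="ji1" from="mallory@evil.example/phone">'
           f'<query xmlns="{NS}"><stun><server host="stun.evil.example" udp="3478"/></stun>'
           '<relay><server host="relay.evil.example" udp="3478"/></relay></query></iq>')

if __name__ == "__main__":
    print(accept_jingleinfo(GOOD, OWN_JID, PENDING))     # hosts from our server
    print(accept_jingleinfo(SPOOFED, OWN_JID, PENDING))  # None: ignored
```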
Fixes:

• fd.o #31412: fix crashes during disconnection if a PEP alias request is in-flight (smcv)

• Loosen an assertion to fix test failure with telepathy-glib >= 0.13.5, which releases connections' object paths sooner (smcv)

• fd.o #34048: Malicious contacts can no longer trick Gabble into relaying audio/video data via a server of their choosing. (wjt, sjoerd)

--
Will

_______________________________________________
telepathy mailing list
telepathy@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/telepathy