Bugtraq mailing list archives
Re: [Full-disclosure] pidgin OTR information leakage
From: Rich Pieri <ratinox () MIT EDU>
Date: Mon, 27 Feb 2012 20:21:10 +0000
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:
I think you didn't understood the content of the advisory. If there are 10 non-root users in an Ubuntu machine for example, if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10 can see what user 1 pidgin conversation.
This is not what the OP or CVE describe:
plaintext. This makes it possible for attackers that have gained user-level access on a host, to listen in on private conversations associated with the victim account.
Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue. I believe that clarification is in order. -- Rich Pieri <ratinox () MIT EDU> MIT Laboratory for Nuclear Science
Current thread:
- pidgin OTR information leakage Dimitris Glynos (Feb 27)
- Re: pidgin OTR information leakage Jann Horn (Feb 27)
- Re: [Full-disclosure] pidgin OTR information leakage Michele Orru (Feb 27)
- Re: [Full-disclosure] pidgin OTR information leakage Rich Pieri (Feb 27)
- Re: [Full-disclosure] pidgin OTR information leakage Jeffrey Walton (Feb 28)
- Message not available
- Re: [Full-disclosure] pidgin OTR information leakage Dimitris Glynos (Feb 28)
- Re: [Full-disclosure] pidgin OTR information leakage Dimitris Glynos (Feb 28)
- Re: [Full-disclosure] pidgin OTR information leakage Michele Orru (Feb 27)
- Re: pidgin OTR information leakage Jann Horn (Feb 27)