Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: pidgin OTR information leakage

From: Rich Pieri <ratinox () MIT EDU>
Date: Mon, 27 Feb 2012 20:21:10 +0000
On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:

I think you didn't understood the content of the advisory.
If there are 10 non-root users in an Ubuntu machine for example,
if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
can see what user 1 pidgin conversation.



This is not what the OP or CVE describe:


plaintext. This makes it possible for attackers that have gained 
user-level access on a host, to listen in on private conversations 
associated with the victim account.


Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions.  It says nothing about me 
being able to snoop user2's sessions.  The leading phrase about attackers gaining user-level access implies that 
legitimate users on a system are not a relevant issue.

I believe that clarification is in order.

-- 
Rich Pieri <ratinox () MIT EDU>
MIT Laboratory for Nuclear Science


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: