CVE-2013-1431: telepathy-gabble: TLS bypass via use of legacy Jabber

[Simon McVittie <simon.mcvittie () collabora co uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Maksim Otstavnov reported a vulnerability in the Wocky submodule used by
telepathy-gabble, an XMPP client implementation for the Telepathy
framework. A network intermediary could use this vulnerability to bypass
TLS verification and perform a man-in-the-middle attack. The Debian
security team has allocated CVE-2013-1431 for this vulnerability.

This vulnerability is fixed in telepathy-gabble 0.16.6 [0]. All
versions since 0.9.x are believed to be vulnerable. The patch
described below is likely to apply to all affected versions without
modification.

If you use an unencrypted connection to a "legacy Jabber" (pre-XMPP)
server, fixed versions of telepathy-gabble will not connect to that
server until you make one of these configuration changes:

• upgrade the server software to something that supports XMPP 1.0; or
• use an encrypted "old SSL" connection, typically on port 5223
  (old-ssl); or
• turn off "Encryption required (TLS/SSL)" (require-encryption).

Since the vulnerable code is in a git submodule, distributors with
tarball-based builds for telepathy-gabble will need to apply a patch
with suitably adjusted paths. A suitable patch[1] is available from
the Telepathy bug report[2]. Distributors who will patch the Wocky
submodule directly can take the patch from the git commit[3].

In the current development branch, versions 0.17.0 to 0.17.3 are
vulnerable; the upcoming 0.17.4 release will fix this vulnerability.

Regards,
    Simon

[0]
http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz

http://telepathy.freedesktop.org/releases/telepathy-gabble/telepathy-gabble-0.16.6.tar.gz.asc
[1] https://bugs.freedesktop.org/attachment.cgi?id=79894
[2] https://bugs.freedesktop.org/show_bug.cgi?id=65036
[3]
cgit.freedesktop.org/wocky/commit/?id=ff317a2783058e8e90fac21bd8ba18359c5401f9
-----BEGIN PGP SIGNATURE-----

iQIVAwUBUadoIk3o/ypjx8yQAQjp2g//ahF56sVtw5M0z7SVR8HXgXpvgwkoiV9C
9jAdfp12d4fePF0tmUjglnINRCvz1V0qwq40uYTD5i9KDgQ3sRbLJ0ND/AB3kxDn
6/xZnKdRaQrOC9yGoR5ukQcLdsZn92tBBcprLhy6Xb/fOh53ekGNxrlmUACGRR9s
yD4m1/5Yhxr2cCxBppcJAQp9Ml1Zk8+aO7TG7GK1dU58r0kDkOqCBei0mwSRVL0V
cO1sMyofOw+SOouwXne+XHwxY2/T2LaXq9jqm/hCZGMYwYr2Tg/ttysnkeJ40cNS
E2Bx8AUCjwhfNfS2RWZCea2XlyHyzxNMMQV8NsABbvFp4Ab0BVRr7wEazZAJIv88
IGrpzHLndfD/7zxEdDAnurJiHEaypaY6RzFh1vXeb8JMZJfbTlZFYj5GWpQvsX2G
zVdiOOkaC/82PqYO8+c+xPXQKdfsMmyTDq6Wz+QC6gyFmUJu6VR4xMC5WR74DmK3
bCG1VDy44d50/IbFBD8iNWhBfPbjEimuIIzwnwSYD8vUuNbbBvMuQwpCbYd9CduP
lZSnqkG7xG25Pvx0bbzUtFuZvaT+wxYRo2ggG8WiJ9lRs0x4LvhM/y8WMeBFkt/5
sT9RhAmLzEaUyIreOdK2JgzG0p+FtRAxvBsaVwlDTdSpwBZAK7VCgnPOqmaK+zey
eW5Zap6A7wM=
=YXtV
-----END PGP SIGNATURE-----