Full Disclosure: Re: pidgin OTR information leakage

Re: pidgin OTR information leakage

From: Rich Pieri <ratinox () MIT EDU>
Date: Mon, 27 Feb 2012 20:21:10 +0000

On Feb 27, 2012, at 2:37 PM, Michele Orru wrote:

I think you didn't understood the content of the advisory.
If there are 10 non-root users in an Ubuntu machine for example,
if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10
can see what user 1 pidgin conversation.



This is not what the OP or CVE describe:

plaintext. This makes it possible for attackers that have gained 
user-level access on a host, to listen in on private conversations 
associated with the victim account.


Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions.  It says nothing about me 
being able to snoop user2's sessions.  The leading phrase about attackers gaining user-level access implies that 
legitimate users on a system are not a relevant issue.

I believe that clarification is in order.

-- 
Rich Pieri <ratinox () MIT EDU>
MIT Laboratory for Nuclear Science


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

pidgin OTR information leakage Dimitris Glynos (Feb 27)
- Re: pidgin OTR information leakage Dimitris Glynos (Feb 27)
- Re: pidgin OTR information leakage Jann Horn (Feb 27)
  - Re: pidgin OTR information leakage Michele Orru (Feb 27)
    - Re: pidgin OTR information leakage Rich Pieri (Feb 28)
    - Re: pidgin OTR information leakage Jeffrey Walton (Feb 27)
    - Re: pidgin OTR information leakage Ferenc Kovacs (Feb 27)
    - Message not available
    - Re: pidgin OTR information leakage Dimitris Glynos (Feb 28)
- <Possible follow-ups>
- Re: pidgin OTR information leakage Dimitris Glynos (Feb 28)