Gajim through 0.16.7 unconditionally implements the XEP-0146: Remote Controlling Clients extension. This can be abused by malicious XMPP servers to, for example, extract plaintext from OTR encrypted sessions.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gajim | Gajim | * | 0.16.7 (including) |
| Gajim | Ubuntu | artful | * |
| Gajim | Ubuntu | esm-apps/xenial | * |
| Gajim | Ubuntu | trusty | * |
| Gajim | Ubuntu | upstream | * |
| Gajim | Ubuntu | xenial | * |
| Gajim | Ubuntu | yakkety | * |
| Gajim | Ubuntu | zesty | * |
References
- http://www.debian.org/security/2017/dsa-3943
- https://bugs.debian.org/863445
- https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
- https://dev.gajim.org/gajim/gajim/issues/8378
- https://mail.jabber.org/pipermail/standards/2016-August/031335.html
- https://security.gentoo.org/glsa/201707-14
- http://www.debian.org/security/2017/dsa-3943
- https://bugs.debian.org/863445
- https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
- https://dev.gajim.org/gajim/gajim/issues/8378
- https://mail.jabber.org/pipermail/standards/2016-August/031335.html
- https://security.gentoo.org/glsa/201707-14