[Pidgin] #14830: dbus information leakage

Kevin Stange kstange at pidgin.im
Wed Dec 21 03:51:01 EST 2011


On 12/21/2011 12:56 AM, Mark Doliner wrote:
> My thoughts on this are that it doesn't need to be treated as a
> security problem because it requires local user access.

Also, we never claim to protect the contents of message windows in this
way.  This data can also be read via any plugin, any log files created,
or the actual memory allocation of the application if you have local access.

This is a bit like the plain text passwords argument, I think.  If your
level of paranoia is this high, you should disable logging, compile
without DBUS and other plugins, and protect the memory space of the
application somehow.

> On Tue, Dec 20, 2011 at 4:15 AM, Pidgin <trac at pidgin.im> wrote:
>> #14830: dbus information leakage
>> --------------------------+-------------------------------------------------
>>  Reporter:  dfunc         |     Owner:  rekkanoryo
>>     Type:  defect        |    Status:  new
>> Component:  unclassified  |   Version:  2.10.0
>>  Keywords:                |
>> --------------------------+-------------------------------------------------
>>  Pidgin transmits sensitive information (such as OTR plaintexts) over DBUS.
>>  An attacker that has compromised any application that runs within the same
>>  "X session" can easily snoop on this sensitive information by means of a
>>  dbus session monitor.
>>
>>  Related posts:
>>  http://pidgin.im/pipermail/devel/2011-December/010519.html
>>  http://lists.cypherpunks.ca/pipermail/otr-dev/2011-December/001244.html
>>
>> --
>> Ticket URL: <http://developer.pidgin.im/ticket/14830>
>> Pidgin <http://pidgin.im>
>> Pidgin
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> http://pidgin.im/cgi-bin/mailman/listinfo/security
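As an added illustration of the "disable logging" part of the hardening advice above (example code for this thread, not Pidgin's own), the script below audits a libpurple prefs.xml for the conversation-logging prefs that would leave message contents on disk. The pref paths `/purple/logging/log_ims`, `/purple/logging/log_chats` and `/purple/logging/log_system` are libpurple's logging prefs; the nested `<pref name=... type=... value=...>` layout is assumed from the prefs.xml format, and the sample file is constructed, not taken from a real install.

```python
"""Audit a libpurple prefs.xml for conversation logging being enabled.

Added example for this thread, not Pidgin/libpurple code. Assumes the
nested <pref name=... type=... value=...> layout of ~/.purple/prefs.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a prefs.xml, not captured from a real install.
SAMPLE_PREFS = """<?xml version='1.0' encoding='UTF-8' ?>
<pref version='1' name='/'>
  <pref name='purple'>
    <pref name='logging'>
      <pref name='log_ims' type='bool' value='1'/>
      <pref name='log_chats' type='bool' value='1'/>
      <pref name='log_system' type='bool' value='0'/>
      <pref name='format' type='string' value='html'/>
    </pref>
  </pref>
</pref>
"""

# Prefs that, when true, write conversation or account activity to disk.
LOGGING_PREFS = (
    "/purple/logging/log_ims",
    "/purple/logging/log_chats",
    "/purple/logging/log_system",
)


def flatten_prefs(xml_text):
    """Flatten nested <pref> elements into {'/purple/logging/log_ims': (type, value), ...}."""
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(elem, path):
        for child in elem.findall("pref"):
            child_path = path.rstrip("/") + "/" + child.get("name", "")
            if child.get("value") is not None:
                flat[child_path] = (child.get("type"), child.get("value"))
            walk(child, child_path)

    walk(root, "")
    return flat


def enabled_logging_prefs(xml_text):
    """Return the logging prefs that are boolean and set to true, sorted."""
    flat = flatten_prefs(xml_text)
    findings = []
    for key in LOGGING_PREFS:
        kind, value = flat.get(key, (None, None))
        if kind == "bool" and value == "1":
            findings.append(key)
    return sorted(findings)


if __name__ == "__main__":
    for key in enabled_logging_prefs(SAMPLE_PREFS):
        print("logging enabled:", key)
```

Run it against the contents of `~/.purple/prefs.xml` instead of the sample to see which logging prefs are still on; an empty result is what the "disable logging" advice aims for.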



