[Pidgin] #15295: Pidgin leaks pidgin & libpurple version number & time data.
Pidgin
trac at pidgin.im
Wed Aug 29 16:55:55 EDT 2012
---------------------------------+------------------------------------------
Reporter: malaparte              | Owner: bleeter
Type: defect                     | Status: new
Component: privacy               | Version: 2.10.6
Keywords: security, libpurple    |
---------------------------------+------------------------------------------
I notice that when I query a user over XMPP using the 'get info' command, the
version number of Pidgin and libpurple is leaked, as such:
{{{
Resource: <some-numbers>
Priority: 1
Status: Available
Local Time: 23:09:41 +0300
Client: Pidgin 2.10.3 (libpurple 2.10.3)
}}}
In the Pidgin debugger this looks like this:
{{{
(06:16:40) jabber: Sending (ssl) (alice@jabber.ccc.de/1234567890): <iq type='get' id='purplef0e41a8e' to='bob@jabber.ccc.de'><vCard xmlns='vcard-temp'/></iq>
(06:16:40) jabber: Sending (ssl) (alice@jabber.ccc.de/1234567890): <iq type='get' id='purplef0e41a8f' to='alice@jabber.ccc.de/1234567890'><query xmlns='jabber:iq:last'/></iq>
(06:16:41) jabber: Recv (ssl)(213): <iq from='bob@jabber.ccc.de' to='alice@jabber.ccc.de/1234567890' id='purplef0e41a8e' type='result'><vCard xmlns='vcard-temp' prodid='-//HandGen//NONSGML vGen v1.0//EN' version='2.0'/></iq>
(06:16:42) jabber: Recv (ssl)(199): <iq from='bob@jabber.ccc.de/1234567890' to='alice@jabber.ccc.de/1234567890' type='result' id='purplef0e41a8f'><query xmlns='jabber:iq:last' seconds='0'/></iq>
}}}
I am concerned that leaking a version number makes the job of an attacker
much easier.
--
Ticket URL: <http://developer.pidgin.im/ticket/15295>
Pidgin <http://pidgin.im>
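
An added example, not part of the ticket or of Pidgin's code: a way to audit your own client's debug log for the iq results it sends that describe itself. It assumes the "Client" and "Local Time" fields come from `jabber:iq:version` (XEP-0092) and `urn:xmpp:time` (XEP-0202) results, which the excerpt above does not show; the sample log, JIDs and stanza ids are constructed.

```python
import re
import xml.etree.ElementTree as ET

# iq payload namespaces that describe the answering client itself
# (XEP-0092 software version, XEP-0202 entity time, XEP-0012 last activity).
DISCLOSING = {
    "jabber:iq:version": "client name and version",
    "urn:xmpp:time": "local clock and UTC offset",
    "jabber:iq:last": "idle / last-activity seconds",
}

# Outgoing stanza lines in the debug-window layout quoted in the ticket.
SENT = re.compile(r"^\((\d\d:\d\d:\d\d)\) jabber: Sending \(ssl\) \([^)]*\): (<iq .*)$")

# Constructed sample log (example.org JIDs and stanza ids are made up).
SAMPLE_LOG = """\
(23:09:40) jabber: Recv (ssl)(132): <iq type='get' id='q1' from='alice@example.org/r1' to='bob@example.org/r2'><query xmlns='jabber:iq:version'/></iq>
(23:09:40) jabber: Sending (ssl) (bob@example.org/r2): <iq type='result' id='q1' to='alice@example.org/r1'><query xmlns='jabber:iq:version'><name>Pidgin</name><version>2.10.3 (libpurple 2.10.3)</version></query></iq>
(23:09:41) jabber: Sending (ssl) (bob@example.org/r2): <iq type='result' id='q2' to='alice@example.org/r1'><time xmlns='urn:xmpp:time'><tzo>+03:00</tzo><utc>2012-08-29T20:09:41Z</utc></time></iq>
(23:09:42) jabber: Sending (ssl) (bob@example.org/r2): <iq type='get' id='q3' to='alice@example.org'><vCard xmlns='vcard-temp'/></iq>
(23:09:43) jabber: Sending (ssl) (bob@example.org/r2): <iq type='result' id='q4' to='alice@example.org/r1'><query xmlns='jabber:iq:last' seconds='0'/></iq>
"""

def audit_sent_disclosures(log_text):
    """List (time, recipient, namespace, fields) for every iq result this
    client sent that reveals metadata about itself."""
    findings = []
    for line in log_text.splitlines():
        m = SENT.match(line.strip())
        if not m or "<!" in m.group(2):   # XMPP forbids DTDs/entities; never parse them
            continue
        try:
            iq = ET.fromstring(m.group(2))
        except ET.ParseError:
            continue                      # wrapped or truncated line: skip, do not guess
        if iq.get("type") != "result":
            continue
        for payload in iq:
            ns = payload.tag[1:].split("}")[0] if payload.tag.startswith("{") else ""
            if ns in DISCLOSING:
                fields = {c.tag.split("}")[-1]: c.text or "" for c in payload}
                fields.update(payload.attrib)
                findings.append((m.group(1), iq.get("to"), ns, fields))
    return findings

if __name__ == "__main__":
    for when, to, ns, fields in audit_sent_disclosures(SAMPLE_LOG):
        print(f"{when} -> {to}: {DISCLOSING[ns]} {fields}")
```

Each stanza must sit on one log line; entries wrapped by a mail client or copy-paste fail to parse and are skipped.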