#14830: dbus information leakage
-----------------------------+----------------------------------------------
Reporter: dfunc | Owner: bleeter
Type: enhancement | Status: new
Milestone: Patches welcome | Component: libpurple
Version: 2.10.0 | Resolution:
Keywords: privacy |
-----------------------------+----------------------------------------------
Changes (by bleeter):
* owner: rekkanoryo => bleeter
Comment:
@dfunc: Whether Ultramancool is a developer/patch writer for Pidgin or not
is irrelevant. They raise some points that I feel should at least be
discussed as this ticket is listed on your report.
If one's running OTR on a libpurple system where all 'bells and whistles'
are compiled in, you've increased the surface area of attack by default.
One shouldn't be surprised if Pidgin starts behaving in 'unusual' ways
under such circumstances. For example, there's this
https://www.guifications.org/issues/694#change-1962 with the LastSeen
plugin which I'm still to deal with, however I can't help but feel it's
somehow related.
It's my opinion at the moment that OTR should at least perform a series of
checks to see if the environment it's running in is protected against
known issues (eg, see above with LastSeen - at the moment, I believe OTR
shouldn't activate if LastSeen is enabled). Given there's no real 'trust'
model for libpurple/pidgin/finch et al plugins, if I were an OTR dev I'd
insist on not loading if ANY other plugins are enabled. I'd also not
permit OTR to operate if DBUS were enabled. Something further that I've
just thought of (but not investigated nor do I have inclination to), if
the UI libpurple is connected to is performing spell checking, might it be
possible for an attacker to glean information similarly to this attack? I
use spell checking as an example, however I wish to emphasize this is more
about exposing information to external support libraries.
And this is where I arrive at Ultramancool's comment #9.
There is something really odd about OTR's approach of implicitly trusting
anything that Pidgin is capable of doing instead of, as I would try, to
ensure the user has a very limited exposure. Still, fixing this properly
will not be easy. Sure, we could suggest people disable DBUS, however
that'll then disable NetworkManager support. Further, I could suggest OTR
shouldn't be run in environments that permit plugins - however that
obviously leads to the problem where OTR itself wouldn't be able to load.
As I've stuck my hand up for working in some regard on
libpurple/pidgin/finch privacy, I've reassigned this ticket to me for now.
I'm also in two minds as to whether this is a defect or an enhancement, or
even in fact a Third Party issue (ok, three minds... nobody expects the
Spanish Inquisition)
[this was written before #11 and independently from it, would seem to be
some agreement yay!]
--
Ticket URL: <http://developer.pidgin.im/ticket/14830#comment:13>
Pidgin <http://pidgin.im>
Pidgin