| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7E7D37FB-D656-4819-BBB9-7F3DBFDE280E@MIT.EDU> Date: Mon, 27 Feb 2012 20:21:10 +0000 From: Rich Pieri <ratinox@....EDU> To: Michele Orru <antisnatchor@...il.com> Cc: "<bugtraq@...urityfocus.com>" <bugtraq@...urityfocus.com>, "<full-disclosure@...ts.grok.org.uk>" <full-disclosure@...ts.grok.org.uk>, Jann Horn <jannhorn@...glemail.com> Subject: Re: pidgin OTR information leakage On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: > I think you didn't understood the content of the advisory. > If there are 10 non-root users in an Ubuntu machine for example, > if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10 > can see what user 1 pidgin conversation. This is not what the OP or CVE describe: >> plaintext. This makes it possible for attackers that have gained >> user-level access on a host, to listen in on private conversations >> associated with the victim account. Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue. I believe that clarification is in order. -- Rich Pieri <ratinox@....EDU> MIT Laboratory for Nuclear Science _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists