Gajim: Information disclosure — GLSA 201707-14

A vulnerability in Gajim might allow remote attackers to intercept encrypted communications.

Affected packages

Package: net-im/gajim (all architectures)
Affected versions: < 0.16.6-r1
Unaffected versions: >= 0.16.6-r1

Background

Gajim is a Jabber/XMPP client which uses GTK+.

Description

Gajim unconditionally implements the “XEP-0146: Remote Controlling Clients” extension, so remote-control commands delivered over the XMPP connection are accepted without the user opting in.

Impact

Remote attackers, by enticing a user to connect to a malicious XMPP server, could extract plaintext from Off The Record (OTR) encrypted sessions.

Workaround

There is no known workaround at this time.

Resolution

All Gajim users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-im/gajim-0.16.6-r1"
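To check whether an installed package still falls in the affected range, here is an added Python example (not Gentoo's or Gajim's own code) that implements a simplified subset of the Gentoo version-ordering rules and compares installed net-im/gajim versions against the first fixed version named in this advisory. It assumes the standard Gentoo VDB path /var/db/pkg and approximates the rarer ordering rules (leading-zero components, mixed suffix counts).

```python
import glob
import os
import re

# Added example (not Gentoo or Gajim code): a simplified subset of the Gentoo
# version-ordering rules, enough to place releases such as 0.16.6-r1 relative
# to each other. Assumption: rarer rules (leading-zero components, mixed
# suffix counts) are approximated, so this is not a full PMS comparator.
FIXED_VERSION = "0.16.6-r1"  # first unaffected version per GLSA 201707-14

_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_VER_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)


def parse_version(ver):
    """Turn '0.16.6_rc1-r2' into a tuple that sorts the way Gentoo orders versions."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unparseable Gentoo version: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ) or ((_SUFFIX_RANK[""], 0),)  # no suffix sorts above _rc and below _p
    return (nums, m.group("letter"), suffixes, int(m.group("rev") or 0))


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed net-im/gajim version is older than the fix."""
    return parse_version(installed) < parse_version(fixed)


def installed_gajim_versions(vdb="/var/db/pkg"):
    """Installed versions from the Gentoo VDB (/var/db/pkg/<cat>/<pkg>-<ver>)."""
    prefix = "gajim-"
    return [
        os.path.basename(p)[len(prefix):]
        for p in glob.glob(os.path.join(vdb, "net-im", prefix + "*"))
    ]


if __name__ == "__main__":
    for ver in installed_gajim_versions():
        state = "AFFECTED" if is_affected(ver) else "ok"
        print(f"net-im/gajim-{ver}: {state}")
```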
 

Release date
July 10, 2017

Latest revision
July 10, 2017 (revision 1)

Severity
normal

Exploitable
remote