
Bug#827048: kopete+otr send messages unencrypted without notice



Subject: kopete+otr send messages unencrypted without notice
Package: kopete
Version: 4:4.14.1-2
Justification: user security hole
Severity: grave
Tags: security upstream

Dear Maintainer,

Using kopete with the OTR plugin leads to messages being sent unencrypted without notice. (I discovered this after sending sensitive credentials while helping some people remotely...)

After checking that OTR encryption was working ("private session started" notice), I was helping people remotely while feeling secure. After a first restart of the other end's computer, I saw a notification saying that the OTR session was refreshed (which is normal$
Later on, I detected that, in fact, the people at the other end were getting all my messages unencrypted... despite the notification I got on my end.
First detection was done with the "Opportunistic" policy on both sides. Then I tested again with a full restart at both ends + the "Always" policy for the OTR plugin. Same result: when the other end restarts and I keep my session open, I get the "OTR session refreshed"$

Several accounts' credentials were sent in the clear, among them those of a root account.

When I pay attention to the "OTR session refreshed" message, and especially when the "Always" policy is used on both sides, I would expect to be alerted that some internal issue cancelled the encryption, no matter what the reason is.
The notifications are not reliable, and we're talking about a secure messaging system here (OTR)... This forced me to uninstall kopete, since I cannot rely on it for secure messaging.

Remarks:
 - Two bugs already report this in kopete's bug tracker at https://bugs.kde.org/show_bug.cgi?id=274099 and https://bugs.kde.org/show_bug.cgi?id=362535
 - While the kopete team cannot solve this (old) issue, I cannot believe Debian can go on propagating this dangerous thing and its heavy security consequences to the community, among which are key journalists.
 - Until it is fixed, the OTR plugin should be disabled for kopete, or the kopete UI should at least alert about its experimental support status in red uppercase letters.

Thanks a lot in advance for any action, to disable it or fix it!




-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kopete depends on:
ii  kde-runtime             4:4.14.2-2
ii  kdepim-runtime          4:4.14.2-3
ii  libc6                   2.19-18+deb8u4
ii  libexpat1               2.1.0-6+deb8u3
ii  libgadu3                1:1.12.0-5
ii  libgif4                 4.1.6-11+deb8u1
ii  libglib2.0-0            2.42.1-1+b1
ii  libidn11                1.29-1+deb8u1
ii  libjasper1              1.900.1-debian1-2.4+deb8u1
ii  libkabc4                4:4.14.2-2+b1
ii  libkcmutils4            4:4.14.2-5
ii  libkde3support4         4:4.14.2-5
ii  libkdecore5             4:4.14.2-5
ii  libkdeui5               4:4.14.2-5
ii  libkdnssd4              4:4.14.2-5
ii  libkemoticons4          4:4.14.2-5
ii  libkhtml5               4:4.14.2-5
ii  libkio5                 4:4.14.2-5
ii  libkmime4               4:4.14.2-2+b1
ii  libknewstuff2-4         4:4.14.2-5
ii  libknotifyconfig4       4:4.14.2-5
ii  libkopete4              4:4.14.1-2
ii  libkparts4              4:4.14.2-5
ii  libkpimidentities4      4:4.14.2-2+b1
ii  libmeanwhile1           1.0.2-5
ii  libmediastreamer-base3  3.6.1-2.4+b1
ii  libmsn0.3               4.2-2
ii  libortp9                3.6.1-2.4+b1
ii  libotr5                 4.1.0-2+deb8u1
ii  libphonon4              4:4.8.0-4
ii  libqca2                 2.0.3-6
ii  libqimageblitz4         1:0.0.6-4
ii  libqt4-dbus             4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-network          4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-qt3support       4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-sql              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-xml              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtcore4              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtgui4               4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libsolid4               4:4.14.2-5
ii  libsrtp0                1.4.5~20130609~dfsg-1.1+deb8u1
ii  libssl1.0.0             1.0.1t-1+deb8u2
ii  libstdc++6              4.9.2-10
ii  libv4l-0                1.6.0-2
ii  libx11-6                2:1.6.2-3
ii  libxml2                 2.9.1+dfsg1-5+deb8u2
ii  libxslt1.1              1.1.28-2+b2
ii  perl                    5.20.2-3+deb8u5
ii  phonon                  4:4.8.0-4
ii  zlib1g                  1:1.2.8.dfsg-2+b1

Versions of packages kopete recommends:
ii  libqca2-plugin-ossl  2.0.0~beta3-2
ii  libqt4-sql-sqlite    4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1

Versions of packages kopete suggests:
pn  imagemagick           <none>
pn  kdeartwork-emoticons  <none>
pn  khelpcenter4          <none>
pn  texlive-latex-base    <none>

-- no debconf information
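The failure described in this report (the peer restarts, the local client shows a "session refreshed" notice, and subsequent messages leave in plaintext) is a fail-open send path. The following is an added example, not kopete or libotr code and not part of the bug report: a constructed toy model of the fail-closed send gate a client with an "Always" policy should enforce. The state names, policy names, and the `Session` class are assumptions made for illustration; the scenario function replays the reporter's sequence of events.

```python
"""Fail-closed send gate for an OTR-style messaging client.

Constructed example: a toy model, not kopete or libotr code. It shows the
check the reporter expects: a message must never leave in plaintext just
because the peer's session state went away, and the UI notice must reflect
the real state of the session rather than a stale "refreshed" message.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class MsgState(Enum):
    PLAINTEXT = auto()   # no OTR session with this peer
    ENCRYPTED = auto()   # live OTR session, keys agreed
    FINISHED = auto()    # peer ended the session; plaintext must not be sent silently


class Policy(Enum):
    NEVER = auto()
    OPPORTUNISTIC = auto()   # encrypt if possible, otherwise warn and send plaintext
    ALWAYS = auto()          # never send plaintext (hypothetical name, not kopete's)


class RefusedPlaintext(Exception):
    """Raised instead of sending when the gate refuses a plaintext message."""


@dataclass
class Session:
    policy: Policy
    state: MsgState = MsgState.PLAINTEXT
    notices: list = field(default_factory=list)   # what the user would be shown
    wire: list = field(default_factory=list)      # what actually went to the network

    def peer_restarted(self):
        """The remote client restarted and lost its session keys.

        A correct client drops to PLAINTEXT here and says so; it must not keep
        reporting an encrypted (or merely "refreshed") session.
        """
        self.state = MsgState.PLAINTEXT
        self.notices.append("OTR session lost: peer no longer has the session keys")

    def send(self, text):
        if self.state is MsgState.ENCRYPTED:
            # Placeholder for real OTR encryption; only the length is echoed.
            self.wire.append(("otr", f"?OTR:<ciphertext, {len(text)} bytes>"))
            return "encrypted"
        # No live session. Decide on policy and real state, never on stale notices.
        if self.policy is Policy.ALWAYS:
            self.notices.append("Message NOT sent: encryption required but no session")
            raise RefusedPlaintext(text)
        if self.state is MsgState.FINISHED:
            self.notices.append("Message NOT sent: peer ended the session; restart OTR first")
            raise RefusedPlaintext(text)
        self.notices.append("WARNING: no OTR session, sending in plaintext")
        self.wire.append(("plain", text))
        return "plaintext"


def reported_scenario(policy):
    """Replay the sequence from the bug report under a given policy.

    Returns the outcome of the second send and the kinds of frames that
    actually reached the wire.
    """
    s = Session(policy)
    s.state = MsgState.ENCRYPTED                 # "private session started"
    first = s.send("hello")
    assert first == "encrypted"
    s.peer_restarted()                           # other end restarts its client
    try:
        outcome = s.send("credential: <redacted>")
    except RefusedPlaintext:
        outcome = "refused"
    return outcome, [kind for kind, _ in s.wire], s.notices


if __name__ == "__main__":
    for pol in (Policy.ALWAYS, Policy.OPPORTUNISTIC):
        outcome, frames, notices = reported_scenario(pol)
        print(pol.name, outcome, frames)
        for n in notices:
            print("  notice:", n)
```

Under the "Always" policy the second send is refused and only the encrypted frame ever reaches the wire; under "Opportunistic" the plaintext frame goes out, but the user is told so in the same place a "session refreshed" notice would appear, which is the point the report makes about notifications needing to match what is actually sent.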