Your message dated Fri, 13 Jan 2017 15:06:28 +0000
with message-id <e1cs3qy-0009tt...@fasolo.debian.org>
and subject line Bug#827048: fixed in kopete 4:16.08.1-3
has caused the Debian Bug report #827048,
regarding kopete+otr send messages unencrypted without notice
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
827048: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=827048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: kopete+otr send messages unencrypted without notice
Package: kopete
Version: 4:4.14.1-2
Justification: user security hole
Severity: grave
Tags: security upstream

Dear Maintainer,

Using kopete with the OTR plugin leads to messages being sent unencrypted without
notice. (I discovered this after sending sensitive credentials while helping some
people remotely...)

After checking that OTR encryption was working ("private session started" 
notice), I was helping people remotely while feeling secure. After a first 
restart of the other end computer, I saw a notification saying that OTR session 
was refreshed (which is normal$
Later on, I detected that, in fact, the people at the other end were getting 
all my messages unencrypted... despite the notification I got on my end.
First detection was done with "Opportunistic" policy on both sides. Then I 
tested again with a full restart at both ends + "Always" policy for OTR plugin. 
Same result: when the other end restarts and I keep my session opened, I get 
the "OTR session refreshed"$

Several accounts' credentials were sent in the clear, among them those for a root account.

When I pay attention to the "OTR session refreshed" message, and especially 
when the "Always" policy is used on both sides, I would expect to be alerted that 
some internal issue canceled the encryption, no matter what the reason is.
The notifications are not reliable, and we're talking about a secure messaging 
system here (OTR)... This forced me to uninstall kopete, since I cannot rely on 
it for secure messaging.

Remarks:
 - Two bugs already mention this in the bug tracking of kopete at 
https://bugs.kde.org/show_bug.cgi?id=274099 and 
https://bugs.kde.org/show_bug.cgi?id=362535
 - While the kopete team cannot solve this (old) issue, I cannot believe Debian 
can go on propagating this dangerous thing and the heavy security consequences 
to the community, among which are key journalists.
 - Until it is fixed, the OTR plugin should be disabled for kopete, or the 
kopete UI should at least alert about its experimental support status in red 
uppercase.

Thanks a lot in advance for any action, to disable it or fix it!




-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages kopete depends on:
ii  kde-runtime             4:4.14.2-2
ii  kdepim-runtime          4:4.14.2-3
ii  libc6                   2.19-18+deb8u4
ii  libexpat1               2.1.0-6+deb8u3
ii  libgadu3                1:1.12.0-5
ii  libgif4                 4.1.6-11+deb8u1
ii  libglib2.0-0            2.42.1-1+b1
ii  libidn11                1.29-1+deb8u1
ii  libjasper1              1.900.1-debian1-2.4+deb8u1
ii  libkabc4                4:4.14.2-2+b1
ii  libkcmutils4            4:4.14.2-5
ii  libkde3support4         4:4.14.2-5
ii  libkdecore5             4:4.14.2-5
ii  libkdeui5               4:4.14.2-5
ii  libkdnssd4              4:4.14.2-5
ii  libkemoticons4          4:4.14.2-5
ii  libkhtml5               4:4.14.2-5
ii  libkio5                 4:4.14.2-5
ii  libkmime4               4:4.14.2-2+b1
ii  libknewstuff2-4         4:4.14.2-5
ii  libknotifyconfig4       4:4.14.2-5
ii  libkopete4              4:4.14.1-2
ii  libkparts4              4:4.14.2-5
ii  libkpimidentities4      4:4.14.2-2+b1
ii  libmeanwhile1           1.0.2-5
ii  libmediastreamer-base3  3.6.1-2.4+b1
ii  libmsn0.3               4.2-2
ii  libortp9                3.6.1-2.4+b1
ii  libotr5                 4.1.0-2+deb8u1
ii  libphonon4              4:4.8.0-4
ii  libqca2                 2.0.3-6
ii  libqimageblitz4         1:0.0.6-4
ii  libqt4-dbus             4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-network          4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-qt3support       4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-sql              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqt4-xml              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtcore4              4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libqtgui4               4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1
ii  libsolid4               4:4.14.2-5
ii  libsrtp0                1.4.5~20130609~dfsg-1.1+deb8u1
ii  libssl1.0.0             1.0.1t-1+deb8u2
ii  libstdc++6              4.9.2-10
ii  libv4l-0                1.6.0-2
ii  libx11-6                2:1.6.2-3
ii  libxml2                 2.9.1+dfsg1-5+deb8u2
ii  libxslt1.1              1.1.28-2+b2
ii  perl                    5.20.2-3+deb8u5
ii  phonon                  4:4.8.0-4
ii  zlib1g                  1:1.2.8.dfsg-2+b1

Versions of packages kopete recommends:
ii  libqca2-plugin-ossl  2.0.0~beta3-2
ii  libqt4-sql-sqlite    4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1

Versions of packages kopete suggests:
pn  imagemagick           <none>
pn  kdeartwork-emoticons  <none>
pn  khelpcenter4          <none>
pn  texlive-latex-base    <none>

-- no debconf information

--- End Message ---
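
The behaviour the report asks for under the "Always" policy amounts to a fail-closed send gate: the decision to transmit is taken from the session state at send time, and a message that cannot be encrypted is held and announced rather than sent. The model below is an added example, not code from Kopete, libotr or fix_otr.patch; the state names, the `Session` type and the `replayReport` helper are assumptions made for illustration.

```cpp
// Added illustration: a model of a fail-closed send gate (not Kopete/libotr code).
#include <string>
#include <vector>

enum class Policy { Opportunistic, Always };           // policy names from the report
enum class State  { Plaintext, Encrypted, Finished };  // assumed states for this model
enum class Action { SendEncrypted, SendPlaintext, HoldAndAlert };

struct Session {
    Policy policy;
    State state = State::Plaintext;
    std::vector<std::string> alerts;  // every notice shown to the user
    std::vector<std::string> held;    // messages kept back until re-keyed
    explicit Session(Policy p) : policy(p) {}

    // The established session is no longer usable (e.g. the peer restarted).
    void sessionLost() {
        if (state == State::Encrypted) {
            state = State::Finished;
            alerts.push_back("private session ended; conversation is not encrypted");
        }
    }
    // Only a completed key exchange may put the session back into Encrypted.
    void keyExchangeDone() {
        state = State::Encrypted;
        alerts.push_back("private session started");
    }
    // Decide from the current state, never from an earlier notification.
    Action send(const std::string& msg) {
        if (state == State::Encrypted) return Action::SendEncrypted;
        if (policy == Policy::Always || state == State::Finished) {
            held.push_back(msg);  // fail closed: nothing leaves in plaintext
            alerts.push_back("message NOT sent: no private session");
            return Action::HoldAndAlert;
        }
        alerts.push_back("warning: message sent unencrypted");
        return Action::SendPlaintext;  // opportunistic, no session ever existed
    }
};

// Replays the report's sequence: session up, session lost, user keeps typing.
Action replayReport(Policy p) {
    Session s(p);
    s.keyExchangeDone();
    s.sessionLost();
    return s.send("constructed sample message");
}
```
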
--- Begin Message ---
Source: kopete
Source-Version: 4:16.08.1-3

We believe that the bug you reported is fixed in the latest version of
kopete, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 827...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Scott Kitterman <sc...@kitterman.com> (supplier of updated kopete package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Fri, 13 Jan 2017 09:00:46 -0500
Source: kopete
Binary: libkopete4 kopete libkopete-dev
Architecture: source amd64
Version: 4:16.08.1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Scott Kitterman <sc...@kitterman.com>
Description:
 kopete     - instant messaging and chat application
 libkopete-dev - development files for the Kopete instant messaging and chat appli
 libkopete4 - main Kopete library
Closes: 827048
Changes:
 kopete (4:16.08.1-3) unstable; urgency=medium
 .
   * Team upload.
   * Add debian/patches/fix_otr.patch from upstream to resolve issue with
     unencrypted messages being sent without notice (Closes: #827048)

--- End Message ---
