Kopete: CVE 2017-5593 (User Impersonation Vulnerability)

Pali Rohár pali.rohar at gmail.com
Tue Feb 14 08:21:12 UTC 2017


On Tuesday 14 February 2017 00:07:46 Albert Astals Cid wrote:
> This shows we should not be embedding libiris, is this something that can be 
> worked on?

libiris has been embedded in Kopete since the beginning and is being
periodically updated... Yes, dynamic linking against a system library will
prevent such situations, but there are problems:

1) Upstream libiris does not support building a dynamic shared library
2) Upstream libiris does not have a stable API/ABI
3) In the past Kopete had its own libiris patches
4) From time to time Kopete needs to patch libiris for its own use (e.g.
   to fix libiris bugs which affect only Kopete)

Problem 3) is fixed now, all Kopete patches were upstreamed.

Psi is the main "user" of libiris and it has the libiris library embedded
too (via git submodule). So I do not know if 1) and 2) can be easily
fixed -- which needs to be done upstream.

-- 
Pali Rohár
pali.rohar at gmail.com

