0x7D4 October 0x8:


If you are using Yeemp 0.9.9 or earlier, upgrading is recommended.

A security hole has been discovered in the Yeemp instant messaging client. Yeemp uses public keys both for message encryption and to provide a degree of round-trip authentication for messages - each contact is given a unique public key. Unencrypted messages are considered to be probably spoofed in most circumstances; messages which are decryptable are checked to determine if the key used to decrypt them corresponds with the public key supplied to the claimed originator of the message. The initial public key request, however, cannot be encrypted, and is implemented as a file transfer request. The client was not checking the encryption on inbound files. As a result, anyone could send a Yeemp client a file purporting to be from any sender.

While this by itself cannot be exlpoited to execute arbitrary code, Yeemp accepts and attempts to display several media files with standardized filenames by default; in conjunction with security holes in external libraries or utilities, this could lead to the execution of arbitrary code. Yeemp uses several external utilities, including netpbm and ogg123, to handle certain media files.

Yeemp 0.9.10 fixes the spoofing vulnerability. In addition, if you have Yeemp set to use subterfugue shoggoth sandboxes, 0.9.10 will use them around netpbm and ogg123 calls, which should significantly mitigate the impact of any unpatched or as-yet-undiscovered vulnerabilities in ogg123 and netpbm.

To the best of my knowledge, Yeemp 0.9.9 and all prior versions are vulnerable. This vulnerability has been verified specifically on 0.7.2, 0.9, 0.9.4, 0.9.7, 0.9.8, and 0.9.9.

Nota Bene: 0.9.10 breaks the sendyeemp and weemp utilities. I'll fix them soon. (Sendyeemp especially, as it's important.)

Update your Yeemps.


{ Add Comment }