Dangerous bug - Gajim abuse - possibly interoperability with conf.room participant with old Psi or Psi+ 0.13-dev-rev2 (abuser said: 0.12 or 0.13)
Bug description
Dangerous bug - possibly interoperability with conf.room participant logged in with old Psi 0.12 or 0.13 or unknown client or library.
Hackers can easily use this to abuse Gajim users.
See a lot of stack traces and logs and a screenshot.
```
Traceback (most recent call last):
  File "/usr/share/gajim/src/chat_control.py", line 560, in _on_message_textview_mykeypress_event
    event_keymod)
  File "/usr/share/gajim/src/groupchat_control.py", line 2029, in handle_message_textview_mykey_press
    list_nick.remove(self.nick) # Skip self
ValueError: list.remove(x): x not in list
```
```
Traceback (most recent call last):
  File "/usr/share/gajim/src/groupchat_control.py", line 2253, in on_list_treeview_button_press_event
    self.mk_menu(event, iter)
  File "/usr/share/gajim/src/groupchat_control.py", line 2101, in mk_menu
    self.room_jid, user_nick).affiliation
AttributeError: 'NoneType' object has no attribute 'affiliation'
```
If you need XML console logs, please contact me via e-mail; I will send the log for your internal use. No problems with this.
Parts of xml console log follow:
```xml
<message from='christian@conference.jabber.ru/abusernick' to='egpnick@jabber.ru/Resource' xml:lang='ru-RU' type='groupchat' id='abbea'>
  <body>скора буду библию читать. вот тогда можно будет и пообщацо ;-) </body>
  <nick xmlns='http://jabber.org/protocol/nick'>Ы</nick>
</message>
<iq to="jabber.ru" type="get" id="4220">
  <ping xmlns="urn:xmpp:ping" />
</iq>
<iq from='jabber.ru' to='egpnick@jabber.ru/Resource' type='error' xml:lang='en' id='4220'>
  <ping xmlns='urn:xmpp:ping'/>
  <error code='501' type='cancel'>
    <feature-not-implemented xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/>
  </error>
</iq>
<presence from='christian@conference.jabber.ru/abusernick' to='egpnick@jabber.ru/Resource' type='unavailable'>
  <x xmlns='http://jabber.org/protocol/muc#user'>
    <item jid='abuserid@jabber.ru/Psi+' affiliation='none' role='participant' nick='Павлег'/>
    <status code='303'/>
  </x>
</presence>
<presence from='christian@conference.jabber.ru/Павлег' to='egpnick@jabber.ru/Resource' xml:lang='ru-RU'>
  <priority>55</priority>
  <c xmlns='http://jabber.org/protocol/caps' node='http://psi-im.org/caps' ver='0.13-dev-rev2' ext='cs ep-notify html'/>
  <x xmlns='http://jabber.org/protocol/muc#user'>
    <item jid='abuserid@jabber.ru/Psi+' affiliation='none' role='participant'/>
  </x>
</presence>
<iq to="abuserid@jabber.ru/Psi+" type="get" id="4229">
  <vCard xmlns="vcard-temp" />
</iq>
<iq to="abuserid@jabber.ru/Psi+" type="get" id="4230">
  <vCard xmlns="vcard-temp" />
</iq>
<iq from='abuserid@jabber.ru/Psi+' to='egpid@jabber.ru/Resource' id='4229' type='result'>
  <vCard xmlns='vcard-temp' version='2.0' prodid='-//HandGen//NONSGML vGen v1.0//EN'>
    <NICKNAME>Ы</NICKNAME>
  </vCard>
</iq>
<iq from='abusernick@jabber.ru/Psi+' to='egpnick@jabber.ru/Resource' id='4230' type='result'>
  <vCard xmlns='vcard-temp' version='2.0' prodid='-//HandGen//NONSGML vGen v1.0//EN'>
    <NICKNAME>Ы</NICKNAME>
  </vCard>
</iq>
```
If you need a screenshot containing A LOT of these stack trace boxes, contact me. He was not a hacker, he says.
I assign my ids to this: "chaotic-nick-bug1" "chaotic-bug1". You may wish to set tags/keywords...
Steps to reproduce
Login with incorrect profile and client into the conference room as "abuser".
From Gajim, press several letters, then TAB, in the message input line. Stack trace pops up.
From Gajim, right mouse click on "abuser" entry in participant list. Stack trace pops up.
This happens every time TAB is pressed or the mouse is right-clicked on the "abuser" entry in the participant list.
Software versions
OS version: Ubuntu 9.04
uname -a
Linux desktop1 2.6.28-17-generic #58-Ubuntu SMP Tue Dec 1 18:57:07 UTC 2009 i686 GNU/Linux
GTK+ Version: 2.16.1
PyGTK Version: 2.14.1
P.S.
I am updating Gajim to newest stable version.
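
The two exceptions in the tracebacks above come from an unguarded `list.remove()` and from an attribute access on a lookup that returned `None`. The following is an added example, not part of the original report and not Gajim's code: it models both call sites with a hypothetical `Roster` class and constructed nicks, next to guarded variants that tolerate an occupant list that is out of sync with what the user interface shows.

```python
# Added example: Roster, GCContact and all function names are hypothetical.

class GCContact:
    def __init__(self, nick, affiliation="none"):
        self.nick = nick
        self.affiliation = affiliation


class Roster:
    """Room occupants keyed by nick, as built from received MUC presence."""
    def __init__(self, contacts):
        self._by_nick = {c.nick: c for c in contacts}

    def nicks(self):
        return list(self._by_nick)

    def get(self, nick):
        return self._by_nick.get(nick)  # None when the nick is unknown


def completion_candidates_unguarded(roster, own_nick, prefix):
    nicks = roster.nicks()
    nicks.remove(own_nick)  # ValueError when own_nick is not in the list
    return sorted(n for n in nicks if n.lower().startswith(prefix.lower()))


def completion_candidates(roster, own_nick, prefix):
    # Filter instead of remove(): a missing own nick is not an error.
    prefix = prefix.lower()
    return sorted(n for n in roster.nicks()
                  if n != own_nick and n.lower().startswith(prefix))


def menu_affiliation_unguarded(roster, clicked_nick):
    return roster.get(clicked_nick).affiliation  # AttributeError on None


def menu_affiliation(roster, clicked_nick):
    contact = roster.get(clicked_nick)
    if contact is None:
        return None  # stale row in the list view: caller shows no menu
    return contact.affiliation


def build_inconsistent_roster():
    # Constructed state: the view still shows "oldnick" and our own nick "me",
    # but neither is present in the roster the handlers consult.
    return Roster([GCContact("alice"), GCContact("albert", "member")])
```
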