Empathy/telepathy-gabble opens unneeded s2s connections [Update 5]

This post will be about how I discovered a (security) bug in an open source project and how it has been handled. I’ll try to update this post or add new ones if the situation changes. However, I think it’s good to have something public, as not everyone reads all those bug trackers out there.

First a few things:

  • Openfire is a Jabber/XMPP server by Jive Software and the Igniterealtime Community. It’s open source and free, and alongside ejabberd one of the top Jabber/XMPP servers out there. It has a neat web interface, etc.
  • Empathy. Ubuntu (GNOME??) introduced a new standard messenger, Empathy. It has a Jabber module called “telepathy-gabble” which handles connections and stuff. Basically every user new to Ubuntu will use this messenger rather than Gajim or PSI (which I would prefer).

I maintain an Openfire server for my family and some friends. It’s not locked down, so it allows outside connections to other Jabber/XMPP users out there, e.g. Google Mail, GMX, web.de, JabJab. As only a few users are online at the same time, it’s easy to see which outside connections are currently open. (If you don’t know what Jabber is, read about it on Wikipedia – in short: it’s a decentralized instant messaging protocol.)

So recently I discovered my server having more server-to-server connections open than I’d expect. A few of the additional ones are:

  • proxy.fsinf.at
  • proxy.jabber.minus273.org
  • proxy.jabber.planetteamspeak.com
  • proxy.jabber.tf-network.de
  • proxy.jabjab.de
  • proxy.jabster.pl
  • proxy.schokokeks.org
  • proxy.ubuntu-jabber.net
  • proxy.verdammung.org
  • proxy.911910.cn
  • proxy.vke.ru

Especially the last two can be fun for a server admin. Server-to-server connections to unknown servers in Russia and China. Yay! Fun!

Ok, so what now? Where to start?

I remembered two of my users started using Empathy as their new default messenger. I only noticed those connections when they were online at the same time. So I tried myself. A few seconds after connecting with Empathy, those s2s connections popped up. Ugh.

So I went through all settings of Empathy and couldn’t find anything related. To be honest: Empathy is a pretty weak client when it comes to settings. Hardly anything can be configured. That may be easier to use for starters, but you can see what kind of trouble this can cause.

The next thing I did was search for the source code. I found out that Empathy wasn’t even handling the Jabber/XMPP stuff itself; that is done by a package called telepathy-gabble. It wasn’t hard to find its source. I grep’ed through it and found the servers hard-coded:

/* List of public SOCKS5 proxies:
 * http://coccinella.im/servers/servers_by_proxy_bytestreams.html */
#define GABBLE_PARAMS_DEFAULT_SOCKS5_PROXIES \
  { "proxy.jabber.org", "proxy.jabberfr.org",\
    "proxy65.rooyee.biz", "proxy.jabbim.cz",\
    "proxy.911910.cn",\
    "proxy.downtempo.de",\
    "proxy.im.flosoft.biz",\
    "proxy.jabber.bluendo.com", "proxy.jabber.dk",\
    "proxy.jabber.freenet.de",\
    "proxy.fsinf.at", "proxy.jabber.minus273.org",\
    "proxy.jabber.planetteamspeak.com", "proxy.jabber.tf-network.de",\
    "proxy.jabjab.de", "proxy.jabster.pl",\
    "proxy.schokokeks.org",\
    "proxy.ubuntu-jabber.de", "proxy.ubuntu-jabber.net",\
    "proxy65.unstable.nl", "proxy.verdammung.org", "proxy.vke.ru",\
    "proxy.vodka-pomme.net", "proxy.jabbernet.eu",\
    NULL }

/* These proxies appeared to be the same as proxy.jabbernet.eu
    "proxy.jabberchat.eu", "proxy.shady.nl", "proxy.nedbsd.be",\
    "proxy.nedbsd.eu", "proxy.nedbsd.nl", "proxy.4business.nl"\
 */

This extract can be found in telepathy-gabble’s “Connection.h”.

As I wasn’t the only server admin having this problem (post on igniterealtime.org), I thought it would be good to tell them about this. I’d call it a bug, maybe even a security-related bug. Even if they wanted to have connections to those servers (otherwise they wouldn’t have been hard-coded), there is absolutely no need to contact them if the client doesn’t need a proxy/SOCKS5 connection at all.
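The matching I did by hand above (comparing the unexpected s2s peers against the hard-coded list), written up as an added Python example that is not part of this post or of telepathy-gabble: it pulls the host list out of the quoted Connection.h macro, skips the hosts the gabble authors had already commented out, and reports which observed s2s peers are explained by gabble probing its default proxies. The Connection.h excerpt is the one quoted above; gmail.com and web.de are constructed stand-ins for ordinary federation peers.

```python
import re

# Excerpt of telepathy-gabble's Connection.h as quoted in the post, embedded
# so the example runs offline. The trailing C comment holds hosts the gabble
# authors had already commented out; a correct parser must not count them.
CONNECTION_H_EXCERPT = r'''
/* List of public SOCKS5 proxies: http://coccinella.im/servers/servers_by_proxy_bytestreams.html */
#define GABBLE_PARAMS_DEFAULT_SOCKS5_PROXIES \
{ "proxy.jabber.org", "proxy.jabberfr.org", "proxy65.rooyee.biz",\
  "proxy.jabbim.cz", "proxy.911910.cn", "proxy.downtempo.de",\
  "proxy.im.flosoft.biz", "proxy.jabber.bluendo.com", "proxy.jabber.dk",\
  "proxy.jabber.freenet.de", "proxy.fsinf.at", "proxy.jabber.minus273.org",\
  "proxy.jabber.planetteamspeak.com", "proxy.jabber.tf-network.de",\
  "proxy.jabjab.de", "proxy.jabster.pl", "proxy.schokokeks.org",\
  "proxy.ubuntu-jabber.de", "proxy.ubuntu-jabber.net", "proxy65.unstable.nl",\
  "proxy.verdammung.org", "proxy.vke.ru", "proxy.vodka-pomme.net",\
  "proxy.jabbernet.eu", NULL }
/* These proxies appeared to be the same as proxy.jabbernet.eu
  "proxy.jabberchat.eu", "proxy.shady.nl", "proxy.nedbsd.be", "proxy.nedbsd.eu", "proxy.nedbsd.nl", "proxy.4business.nl" */
'''

# The unexpected s2s peers listed in the post, plus two constructed peers
# (gmail.com, web.de) standing in for ordinary federation traffic.
OBSERVED_S2S_PEERS = [
    "proxy.fsinf.at", "proxy.jabber.minus273.org",
    "proxy.jabber.planetteamspeak.com", "proxy.jabber.tf-network.de",
    "proxy.jabjab.de", "proxy.jabster.pl", "proxy.schokokeks.org",
    "proxy.ubuntu-jabber.net", "proxy.verdammung.org", "proxy.911910.cn",
    "proxy.vke.ru", "gmail.com", "web.de",
]


def parse_default_proxies(c_source):
    """Return the hosts in GABBLE_PARAMS_DEFAULT_SOCKS5_PROXIES, ignoring
    anything inside C comments (such as the commented-out duplicates)."""
    no_comments = re.sub(r"/\*.*?\*/", "", c_source, flags=re.DOTALL)
    macro = re.search(
        r"#define\s+GABBLE_PARAMS_DEFAULT_SOCKS5_PROXIES\s*\\?\s*\{(.*?)\}",
        no_comments, re.DOTALL)
    if macro is None:
        raise ValueError("default proxy macro not found")
    return re.findall(r'"([^"]+)"', macro.group(1))


def attribute_s2s_peers(observed_peers, default_proxies):
    """Split observed s2s peer domains into those explained by gabble probing
    its default proxies on sign-in and those needing another explanation."""
    proxies = {p.lower() for p in default_proxies}
    explained = sorted(p for p in observed_peers if p.lower() in proxies)
    unexplained = sorted(p for p in observed_peers if p.lower() not in proxies)
    return explained, unexplained
```

Running `attribute_s2s_peers(OBSERVED_S2S_PEERS, parse_default_proxies(CONNECTION_H_EXCERPT))` attributes all eleven proxy.* peers to the gabble list and leaves only the two constructed federation peers unexplained.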

I went on and filed a bug report at Ubuntu’s Launchpad:
Bug #487313

They marked the importance as “Medium” (!!) and told me it was best to tell the developers of the package itself.

Ok, no problem:
Bug #25179

Read their answer yourself. Just little traffic, they know it, will be fixed, maybe, somewhen, no one knows. Cool!

The funny thing is, they had known about this since April 2009:
Bug #21151

When you read through the answers on that bug report, they don’t even care about it. It’s classified as “improvement”/“enhancement”. Wow! Great!

I know, I’m a programmer and a developer. I could just take the source code myself, read through it, write a patch, send it in, hope for them to accept it, and all is good. They do free work as well, so don’t moan. Well, this is too simple. Ubuntu is one of the best and most popular Linux distributions out there. If they maintain the default messenger for it, they should do better.

My bet is that no fix will be published this year. Even if they fix it, it won’t make it into the next Ubuntu release in April 2010 (one year after the bug was reported). That’s extremely sad. As I know one of the server admins whose server has been hard-coded, I will contact him about it and ask what he thinks about being the default proxy-connector for Ubuntu users… Hey, it’s only a connection… from several million users…

Update 1:
The admin of schokokeks.org confirmed that they never authorized their server being used as an open proxy for telepathy-gabble. They have never been contacted by the telepathy authors. It’s not even an open jabber server.

Update 2:
The admin of fsinf.at told me they didn’t know about this either. He showed me a link to their stats (it’s also public on their website): http://jabber.fsinf.at/stats/fsinf.at/jabber.fsinf.at-ejabberd_connections.html
You can see in the lower right corner that s2s connections jumped after the release of Ubuntu 9.10.

Update 3 [Nov 26, 2009 21:30 CET]:
The admins of Jabjab and ubuntu-Jabber.de/ubuntu-Jabber.net/verdammung.org didn’t know of this either. Yep, ubuntu-Jabber.de/ubuntu-Jabber.net/verdammung.org point to the same server, which even blocks unauthorized proxy-requests, so it’s pretty useless in this list. During the day the developers started fixing the bug and it’s marked resolved now. We’ll see how long it takes until it’s available as an Ubuntu update.

Update 4 [Nov 27, 2009 08:45 CET]:
Ubuntu’s Launchpad shows the bug as “Fix Released”. We’ll see how long it takes to show up in the Update Manager – if at all.

Update 5 [Dec 21, 2009 20:00 CET]:
The updated package should be available for update in the Ubuntu repositories now.

14 Responses to Empathy/telepathy-gabble opens unneeded s2s connections [Update 5]

  1. The admin of schokokeks.org just contacted the Telepathy team regarding this issue, and referred to this post.

    We’ll be fixing Gabble to only probe proxies when they’re actually needed (rather than when we sign in) ASAP. We believe there may also be a bug where the fallback proxies are probed even if your own XMPP server provides a proxy, which we’ll investigate. Additionally, we’re looking into providing a public proxy to use as the fallback for Telepathy users, rather than imposing on others, and replacing the fallback list (obtained from http://coccinella.im/servers/servers_by_proxy_bytestreams.html) with that one. We’ve contacted the Ubuntu packager, and he’s happy to release a Gabble update containing the necessary patches as soon as they’re ready; we’ll be contacting other distributions’ packagers to the same effect.

    Thanks for bringing this to our attention, and apologies for any inconvenience caused.

  2. Hendrik says:

    @Will Thompson
    Thanks, Will. It’s much appreciated.

  3. “if at all” – why would you have reason to believe the Ubuntu maintainers are trying to deceive you in any way? If you already mistrust them so much, perhaps you should consider a different distribution?

  4. Hendrik says:

    @Robert McQueen
    I don’t use Ubuntu regularly anyways. That part of the sentence was no sign of mistrust. I just don’t know if the Ubuntu maintainers will classify it as a security fix or something that needs to be addressed with an update or can wait until the new release in April.

  5. It’s not a *security* issue, but it is undoubtedly a serious bug that should (and will) be addressed in an update.

  6. Hendrik says:

    @Will Thompson
    Ok, cool. Thank you. :-)

  7. The package is in karmic-proposed, awaiting positive feedback from testers before being shipped to all users. See https://bugs.edge.launchpad.net/ubuntu/+source/telepathy-gabble/+bug/488709/comments/6 for more information.