Support reading messages with 12-byte IVs

Bug #1866115 reported by Julian Andres Klode on 2020-03-04
This bug affects 2 people
Affects: dino-im (Ubuntu)
Assigned to: Julian Andres Klode

Bug Description

Most clients switched to 12-byte IVs for OMEMO encrypted messages, but dino only accepts 16-byte IVs.

[Test case]

Send an OMEMO message from a client which uses 12-byte IVs, and make sure it can be read.

Note that other clients might still not be able to read our messages (dino should though), this requires and will be fixed later. This change is solely to unblock dino to switch to sending 12-byte IVs.

[Regression potential]

Meh. I'm not sure what could regress here by not rejecting 12-byte IVs any longer, it's a simple if () on the IV size that we extend from == 16 to == 16 || == 12.
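
The IV length check described in this report, sketched as an added Go example (it is not Dino's code, which this page does not show). It assumes the payload is AES-128-GCM with no associated data; `newGCM`, `EncryptPayload`, `DecryptPayload` and the key, IVs and plaintext are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ErrIVSize is returned for any IV length other than the two accepted ones.
var ErrIVSize = errors.New("unsupported IV size")

// newGCM applies the size check (== 16 || == 12) before building the AEAD.
// Go's default GCM only takes 12-byte nonces, so the length is passed explicitly.
func newGCM(key []byte, ivLen int) (cipher.AEAD, error) {
	if ivLen != 16 && ivLen != 12 {
		return nil, ErrIVSize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, ivLen)
}

// EncryptPayload returns ciphertext with the 16-byte GCM tag appended.
func EncryptPayload(key, iv, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key, len(iv))
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, iv, plaintext, nil), nil
}

// DecryptPayload rejects bad IV sizes first, then verifies the tag and decrypts.
func DecryptPayload(key, iv, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key, len(iv))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, iv, sealed, nil)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte key
	for _, n := range []int{12, 16, 8} {
		iv := make([]byte, n) // constructed all-zero IV; a sender uses a fresh random IV per message
		sealed, err := EncryptPayload(key, iv, []byte("hello"))
		fmt.Printf("iv=%d bytes: sealed=%x err=%v\n", n, sealed, err)
	}
}
```

The receiver has to use the IV length the sender used: the same key and ciphertext will not authenticate under an IV of a different length, which is why accepting 12-byte IVs on receive is a separate step from sending them.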

Changed in dino-im (Ubuntu):
status: New → Fix Released
Changed in dino-im (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Julian Andres Klode (juliank)
description: updated
Julian Andres Klode (juliank) wrote :

I have installed dino-im from the security-proposed PPA and confirmed I could receive 12-byte IV messages sent by Conversations.

tags: added: verification-done-bionic
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dino-im - 0.0.git20180130-1ubuntu0.1

dino-im (0.0.git20180130-1ubuntu0.1) bionic-security; urgency=high

  * Cherry pick upstream security fixes (LP: #1866113)
    - SECURITY UPDATE: Fix check of source of a carbons message (CVE-2019-16235)
    - SECURITY UPDATE: Check roster push authorization (CVE-2019-16236)
    - SECURITY UPDATE: Fix check of source of MAM message (CVE-2019-16237)
  * Accept IV sizes of 12 in addition to 16 to enable reading messages
    sent from clients using 12-byte IVs again (LP: #1866115)

 -- Julian Andres Klode <email address hidden> Wed, 04 Mar 2020 15:20:07 +0100

Changed in dino-im (Ubuntu Bionic):
status: In Progress → Fix Released