On Feb 27, 2012, at 2:37 PM, Michele Orru wrote: > I think you didn't understood the content of the advisory. > If there are 10 non-root users in an Ubuntu machine for example, > if user 1 is using pidgin with OTR compiled with DBUS, then user 2 to 10 > can see what user 1 pidgin conversation. This is not what the OP or CVE describe: >> plaintext. This makes it possible for attackers that have gained >> user-level access on a host, to listen in on private conversations >> associated with the victim account. Which I read as: if I compromise user1's account then I can snoop user1's DBUS sessions. It says nothing about me being able to snoop user2's sessions. The leading phrase about attackers gaining user-level access implies that legitimate users on a system are not a relevant issue. I believe that clarification is in order. -- Rich Pieri <ratinox@xxxxxxx> MIT Laboratory for Nuclear Science
