Sven Lankes | 1 Nov 19:24 2011

Certificate Spoofing issue in PSI

Hello Psi-Maintainers,

it has been brought to my attention (as the maintainer of the fedora-psi
package) that the currently released psi version is vulnerable to the
issues listed in the security advisory below. Mainly:

    When displaying a security dialog with a certificate, KSSL does not
    properly force its QLabels to use QLabel::PlainText. As a result, if
    given a certificate containing rich text in its fields, it will
    render the rich text.

http://archives.neohapsis.com/archives/fulldisclosure/2011-10/att-0353/NDSA20111003.txt.asc
http://www.kde.org/info/security/advisory-20111003-1.txt

I've looked at parts of the source long and hard and did come to the
conclusion that it would be way too dangerous for me to touch that part
of the code myself introducing more breakage than I would be fixing.

Is there maybe a chance to get a 0.14.1 release with (those) security
issues fixed? Or even a 0.15?

-- 
sven === jabber/xmpp: sven@...

Norka Lucena | 2 Nov 17:22 2011

Psi handling of priorities of user presence

Dear Psi developers,

I have noticed that Psi handles priorities of user presence in a not
very intuitive way, which significantly differs from the handling of the
same scenario done by XMPP servers such as OpenFire. Consequently, Psi 
displays the wrong presence while the server shows the correct one.

Observed Situation:
If priorities of two or more resources are the same, Psi uses the last 
update from any of those resources as the current user status (which is 
not necessarily the correct one).

Scenario:
For example, given a user connected from two resources,
a@b.com/resource1 and a@b.com/resource2, both are priority 5, both being
initially available. If a@b.com/resource1 goes offline, the user a@b.com
is shown by Psi as offline. This is clearly incorrect because
a@b.com/resource2 is still online (as correctly shown by the XMPP server).

Interestingly, this only happens if an observer (another user) is
present in the system. If the observer connects to the system after
a@b.com/resource1 went offline, the user a@b.com is shown correctly as
online (because a@b.com/resource2 is online).

What exactly was your original, intended design for such scenario? Is 
this a problem you plan to solve in upcoming versions? Any other comment 
on the subject?

Thanks in advance for your feedback,


Norka Lucena | 2 Nov 18:09 2011

Bug Report: Psi crashes when sending a message to an offline user

The crash occurs when sending a message to one of your contacts and that 
contact goes offline at the exact moment you are sending the message.
Although observation of the crash was accidental, you can reproduce it 
as follows:

Sender's side:
	1. Right click on any online contact.
	2. Select the option 'Send Message To'.
	3. Select a specific resource, but do not click.

Receiver's side:
	4. Go offline in the specific resource.

Sender's side:
	5. Click to send meeting invitation.

The crash occurs because of an invalid reference access in the function 
ContactProfile::doContextMenu in contactview.cpp, line 1546.

1544	//if(res > 0) {
1545		const UserResource &r = rl[res];
1546		rname = r.name();
1547	//}

Notice that removing the comment will not really solve the problem. The 
problem is caused by rl (resource list) becoming empty before the rname 
(resource name) assignment. r is invalid.

Do you plan to fix this problem any time soon?
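
The failure mode in this report, as an added stand-alone C++ example (not Psi's code and not the fix that was committed): it contrasts the commented-out `res > 0` guard with a check made against the list as it is at click time. `UserResource` here is a minimal stand-in, and `reportedGuard`, `indexIsValid` and `resolveResource` are hypothetical names.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Stand-in for Psi's UserResource (assumption): only the name matters here.
struct UserResource {
    std::string name;
};

// The commented-out guard from the report. It passes for any positive
// index, even after the resource list has become empty.
bool reportedGuard(int res) { return res > 0; }

// Bounds check against the list as it is at click time.
bool indexIsValid(const std::vector<UserResource>& rl, int res) {
    return res >= 0 && static_cast<std::size_t>(res) < rl.size();
}

// Resolve the clicked menu entry. The index is only a hint captured when the
// menu was built; the resource name is the identity that gets re-checked.
// Returns false when that resource is no longer in the list.
bool resolveResource(const std::vector<UserResource>& rl, int res,
                     const std::string& nameAtMenuBuild, std::string* rname) {
    if (indexIsValid(rl, res) &&
        rl[static_cast<std::size_t>(res)].name == nameAtMenuBuild) {
        *rname = nameAtMenuBuild;
        return true;
    }
    // The list changed under the open menu: search by name instead.
    for (const UserResource& r : rl) {
        if (r.name == nameAtMenuBuild) {
            *rname = r.name;
            return true;
        }
    }
    return false;  // caller should abort the action instead of dereferencing
}

int main() {
    // Constructed scenario following the reproduction steps in the report.
    std::vector<UserResource> rl = {{"resource1"}, {"resource2"}};
    int res = 1;                                            // sender hovers over resource2
    std::string picked = rl[static_cast<std::size_t>(res)].name;  // kept while menu is open
    rl.clear();                                             // receiver goes offline
    std::string rname;
    return resolveResource(rl, res, picked, &rname) ? 1 : 0;  // 0: nothing sent
}
```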


Rion | 3 Nov 05:11 2011

Re: Bug Report: Psi crashes when sending a message to an offline user

It was fixed a year or more ago, but not released yet.

2011/11/2 Norka Lucena <norka.lucena@...>:
> The crash occurs when sending a message to one of your contacts and that
> contact goes offline at the exact moment you are sending the message.
> Although observation of the crash was accidental, you can reproduce it as
> follows:
>
> Sender's side:
>        1. Right click on any online contact.
>        2. Select the option 'Send Message To'.
>        3. Select a specific resource, but do not click.
>
> Receiver's side:
>        4. Go offline in the specific resource.
>
> Sender's side:
>        5. Click to send meeting invitation.
>
>
> The crash occurs because of an invalid reference access in the function
> ContactProfile::doContextMenu in contactview.cpp, line 1546.
>
> 1544    //if(res > 0) {
> 1545            const UserResource &r = rl[res];
> 1546            rname = r.name();
> 1547    //}
>
> Notice that removing the comment will not really solve the problem. The
> problem is caused by rl (resource list) becoming empty before the rname

Justin Karneges | 21 Nov 21:05 2011

Code moving to github

Hi folks,

I've taken the initial steps to make github the official home for our code.

https://github.com/psi-im

The psi, iris, and libpsi modules were already in there, being synced from our 
origin repos (iris was even being specially synced from svn).  I have disabled 
the syncing mechanisms for these repos now, so new commits should be targeted
against github.  I did not perform any kind of clean reimport into github.  I 
believe there wouldn't be a difference in the final result, unless someone can 
correct me.

This means iris now uses git instead of svn.  Additionally I've moved psimedia 
into github, so it no longer uses svn either.  Also, the placement of these 
projects into an organization dubbed "psi-im" is significant.  It marks the 
start of their transition away from being under the Delta umbrella to the Psi 
umbrella.  I'll write more about this in a future email.

There are still plenty of URLs and references all over the place that point to 
the old repo locations.  I'll work to fix these soon.

Justin

P.S.: I know I'm behind on email.  I'll get to it all eventually.

Justin Karneges | 22 Nov 03:05 2011

Re: Code moving to github

On Monday, November 21, 2011 12:05:35 PM Justin Karneges wrote:
> I've taken the initial steps to make github the official home for our code.

In addition to the familiar modules, Psi has a bunch of old modules that in 
the last few years managed to fall off the face of the earth.  Probably it was 
for good reason since these modules are no longer in use, but I'm bothered 
that their removal was not a conscious decision.  I speak of course of the Psi 
CVS!  Formerly a private repo that was graciously mirrored to the public by 
Anywise in Psi's early days, both the private repo and the mirror have been 
gone now for some time.  I recovered the old CVS modules and put them in 
github.

So you'll now find cutestuff, neatstuff, media, and ambrosia within the psi-im 
organization on github.  They are likely only of historic interest, but there 
they are.  If we choose to get rid of them someday it will be a conscious 
decision instead of accidental abandonment.

Psi/Delta has now been reduced from four repos to three:

  Delta SVN - contains qconf
  KDE SVN - contains qca
  Psi Git - contains everything else

I've corrected all the bad Psi CVS and Psi Darcs (!) links on the Psi and 
Delta websites to point to github where applicable.

Justin

Dmitry Nezhevenko | 22 Nov 19:50 2011

Re: Code moving to github

On Mon, Nov 21, 2011 at 12:05:35PM -0800, Justin Karneges wrote:
> Hi folks,
> 
> I've taken the initial steps to make github the official home for our code.
> 
> https://github.com/psi-im
> 
> The psi, iris, and libpsi modules were already in there, being synced from our 
> origin repos (iris was even being specially synced from svn).  I have disabled 
> the syncing mechanisms for these repos now, so new commits should be targeted
> against github.  I did not perform any kind of clean reimport into github.  I 
> believe there wouldn't be a difference in the final result, unless someone can 
> correct me.

How is it supposed to be cloned to build current psi? I've tried to clone
the psi repo and the usual git submodule init/update and got the following:

% git submodule update
fatal: destination path 'iris' already exists and is not an empty
directory.
Clone of 'git@...:psi-im/iris.git' into submodule path 'iris'
failed

Probably you need to drop everything from psi's iris directory
-- 
WBR, Dmitry

Justin Karneges | 23 Nov 01:18 2011

Re: Code moving to github

On Tuesday, November 22, 2011 10:50:22 AM Dmitry Nezhevenko wrote:
> How is it supposed to be cloned to build current psi? I've tried to clone
> the psi repo and the usual git submodule init/update and got the following:
> 
> % git submodule update
> fatal: destination path 'iris' already exists and is not an empty
> directory.
> Clone of 'git@...:psi-im/iris.git' into submodule path 'iris'
> failed
> 
> Probably you need to drop everything from psi's iris directory

Here are the instructions that are on the website:

git clone git://github.com/psi-im/psi.git
cd psi
git submodule init
git submodule update

I tried again just now with a fresh checkout to be sure, and it worked fine.

Justin

Justin Karneges | 23 Nov 02:37 2011

Continuing in the cloud-y tradition, or Bug tracker and Forum

Hi folks,

As discussed earlier, we need a bug tracker.  For this purpose, we'll be using 
the GitHub issue tracker found here:
  https://github.com/psi-im/psi/issues

It looks like people had even been putting stuff in it already.  Well now it's 
official.

We also need a replacement for the web forum.  Without something like it, 
regular users don't have an obvious path to get help.  Instead of setting up a 
standard web forum again we will try a Google Group:
  http://groups.google.com/group/psi-users

The web interface to Google Groups is not the most beautiful thing, but users 
should be able to navigate it as well as any web forum I think.  It also has 
the advantage of offering a mailing list interface, which I know people here 
will like.

There will be no migration of past data into these new systems.  The Redmine 
data was lost, in fact.  As for the forum data, it may be interesting to 
restore it someday for historical purposes, but in any case it wouldn't go 
into the Google Group.

I still need to correct the links on the website that refer to these services.  
In the meantime, I've made redmine.psi-im.org and forum.psi-im.org redirect to 
the new locations.

Justin

Justin Karneges | 26 Nov 03:23 2011

Wiki restored

The wiki is alive again: http://psi-im.org/wiki/

New account registration is disabled to prevent spam.  This may change in the 
future, but first we need to come up with a good long term plan for the 
wiki/docs.

Justin
