
Yeemp

Yeemp is a multiprotocol instant messaging program. It currently runs on Linux and FreeBSD. The Yeemp client supports the Yeemp, ICQ, and AIM protocols.

Features & such | Major changes | Screenshots | Theming tutorial | Future development plans.

Downloads

Current version: 0.9.14 (2005 August 20)

Yeemp source.

Yeemp Linux/i386 binary

.deb packages:
Yeemp base & console client (Linux/i386)
Yeemp server
X client.

Got comments, questions, flames, cult membership applications?
You can send 'em to Deekoo here.


Yeemp is written in Perl. You'll need to have the Perl Net::SSLeay, IPC::Open3, Fcntl, POSIX, and IO::Select modules. You'll also need GnuPG and OpenSSL installed.

Credits:

This product includes software developed by Sampo Kellomaki (sampo@iki.fi)

Warning for users of Yeemp versions below 0.9.10

A security hole has been discovered in the Yeemp instant messaging client. Yeemp uses public keys both for message encryption and to provide a degree of round-trip authentication for messages - each contact is given a unique public key. Unencrypted messages are considered to be probably spoofed in most circumstances; messages which are decryptable are checked to determine if the key used to decrypt them corresponds with the public key supplied to the claimed originator of the message. The initial public key request, however, cannot be encrypted, and is implemented as a file transfer request. The client was not checking the encryption on inbound files. As a result, anyone could send a Yeemp client a file purporting to be from any sender.

While this by itself cannot be exploited to execute arbitrary code, Yeemp accepts and attempts to display several media files with standardized filenames by default; in conjunction with security holes in external libraries or utilities, this could lead to the execution of arbitrary code. Yeemp uses several external utilities, including netpbm and ogg123, to handle certain media files.

Yeemp 0.9.10 fixes the spoofing vulnerability. In addition, if you have Yeemp set to use subterfugue shoggoth sandboxes, 0.9.10 will use them around netpbm and ogg123 calls, which should significantly mitigate the impact of any unpatched or as-yet-undiscovered vulnerabilities in ogg123 and netpbm.
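To make the missing check concrete, here is an added model of the inbound-file path described above (illustrative code written for this page, not Yeemp's Perl source). Per-contact "encryption" is modelled with an HMAC under a constructed per-contact key, and the media filenames and key-request name are constructed placeholders, since the page does not give the real ones.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed per-contact secrets standing in for the unique public key Yeemp
# gives each contact (real Yeemp uses GnuPG; this is only a model).
CONTACT_KEYS = {"alice": b"key-for-alice", "bob": b"key-for-bob"}

# Constructed stand-ins for the "standardized filenames" auto-displayed via
# external utilities; the real names are not given on the page.
MEDIA_HANDLERS = {"avatar.ppm": "netpbm", "alert.ogg": "ogg123"}
KEY_REQUEST_NAME = "pubkey.request"  # hypothetical name for the initial key request

@dataclass
class InboundFile:
    claimed_sender: str
    filename: str
    payload: bytes
    tag: Optional[bytes]  # None models an unencrypted transfer

def _tag(key: bytes, filename: str, payload: bytes) -> bytes:
    return hmac.new(key, filename.encode() + b"\0" + payload, hashlib.sha256).digest()

def key_used(msg: InboundFile) -> Optional[str]:
    """Contact whose key 'decrypts' (here: authenticates) the file, or None."""
    if msg.tag is None:
        return None
    for name, key in CONTACT_KEYS.items():
        if hmac.compare_digest(_tag(key, msg.filename, msg.payload), msg.tag):
            return name
    return None

def handle_vulnerable(msg: InboundFile):
    """Pre-0.9.10 behaviour as the page describes it: no encryption check at all."""
    handler = MEDIA_HANDLERS.get(msg.filename)
    return ("display", handler) if handler else ("store", None)

def handle_fixed(msg: InboundFile):
    """Only the key request may be unencrypted, and it never reaches a media tool."""
    if msg.tag is None:
        return ("key_request", None) if msg.filename == KEY_REQUEST_NAME else ("reject", "unencrypted")
    if key_used(msg) != msg.claimed_sender:
        return ("reject", "spoofed")
    handler = MEDIA_HANDLERS.get(msg.filename)
    return ("display", handler) if handler else ("store", None)

def sent_by(sender: str, filename: str, payload: bytes) -> InboundFile:
    """Constructed helper: a file genuinely produced under `sender`'s key."""
    return InboundFile(sender, filename, payload, _tag(CONTACT_KEYS[sender], filename, payload))
```

The spoofed case is an unencrypted file claiming to be from a known contact with a media filename: the old path hands it straight to netpbm, the fixed path rejects it before any external utility runs.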

To the best of my knowledge, Yeemp 0.9.9 and all prior versions are vulnerable. This vulnerability has been verified specifically on 0.7.2, 0.9, 0.9.4, 0.9.7, 0.9.8, and 0.9.9.

Nota Bene: 0.9.10 breaks the sendyeemp and weemp utilities. I'll fix them soon. (Sendyeemp especially, as it's important.)
