CVE-2023-3433 & CVE-2023-3434 - Jami Local Denial Of Service and Passing Strings to QRC URL Vulnerabilities
Public Disclosure of 2 Vulnerabilities found within GNU Jami (Multiple Versions)
Savoir-faire Linux’s Jami is a free, open source, peer-to-peer and end-to-end encrypted instant messaging application. Black Lantern Security (BLS) researchers found two vulnerabilities in the Windows client that allow a local Denial of Service (DoS) and the passing of attacker-controlled strings into QRC URLs on Windows.
CVE-2023-3433 - Local Denial of Service through Forced Deadlock
BLS researchers determined that the “nickname” field within the user profile management section of the application was not fully sanitizing input. By inserting <foo> into the nickname field, the application was forced to try to resolve the special characters but had no path forward, resulting in a deadlock. This deadlock effectively amounted to a local DoS for the application: as long as these special characters remained in the “nickname” field, the user could neither send nor receive messages.
Patch: https://review.jami.net/c/jami-daemon/+/23575
CVE-2023-3434 - Passing Strings to QRC URLs
BLS researchers identified that when a user sends a message containing a custom HTML anchor tag, the string inside the anchor is passed to Windows to handle as a QRC URL. A specially crafted message can therefore be delivered to an unsuspecting recipient who believes they have received an ordinary hyperlink, when in reality the attacker has supplied a string value that Windows will treat as an unexpected QRC URL and execute.
Sending the following message:
<a href="maliciousQRCcomponent" id="fuzzelement1">test</a>
This renders as a standard hyperlink message. However, when the link is clicked, Windows attempts to open:
qrc:/components/maliciousQRCcomponent
Patch: https://review.jami.net/c/jami-client-qt/+/23569
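The following is a defensive illustration of both fixes, added here as an example and not taken from the Jami patches linked above. It escapes nicknames before they can reach a rich-text renderer (so markup such as <foo> is shown as text rather than interpreted), and it rebuilds message HTML keeping only anchors whose href is an absolute URL with an allow-listed scheme, so a scheme-less value such as the maliciousQRCcomponent string above is dropped instead of being resolved against the renderer's own qrc:/components/ base. The allow-list, the function names and the sample inputs are assumptions made for this example.

```python
"""Defensive sanitizer for chat rich text.  Illustrative example written for
this advisory; it is not code from the Jami client.  It addresses the two
input classes the advisory describes: profile nicknames embedded in rendered
text, and anchor hrefs inside messages."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list of schemes a chat link may open.  Anything else, and in
# particular a scheme-less relative value (which a renderer resolves against
# its own base URL, e.g. qrc:/components/), is rejected.
ALLOWED_LINK_SCHEMES = {"http", "https", "mailto"}


def safe_display_name(nickname: str) -> str:
    """Escape a nickname so '<foo>' becomes '&lt;foo&gt;' and is never
    parsed as a tag by the renderer."""
    return escape(nickname, quote=True)


def is_allowed_href(href: str) -> bool:
    """Accept only absolute URLs whose scheme is on the allow-list.
    http(s) links must also carry a host; mailto has none by design."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_LINK_SCHEMES:
        return False
    if scheme != "mailto" and not parts.netloc:
        return False
    return True


class AnchorSanitizer(HTMLParser):
    """Re-emit a message keeping only <a href="..."> with an allowed href.
    Every other tag and attribute (e.g. the id attribute) is dropped and
    all text is re-escaped.  Rejected hrefs are recorded so a client could
    log them for detection purposes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.rejected = []
        self._open_a = False

    def handle_starttag(self, tag, attrs):
        if tag != "a" or self._open_a:  # ignore nested/other tags
            return
        href = dict(attrs).get("href") or ""
        if is_allowed_href(href):
            self.out.append(f'<a href="{escape(href, quote=True)}">')
            self._open_a = True
        else:
            self.rejected.append(href)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_a:
            self.out.append("</a>")
            self._open_a = False

    def handle_data(self, data):
        # convert_charrefs=True hands us decoded text; escape it again
        self.out.append(escape(data))


def sanitize_message(html: str):
    """Return (safe_html, rejected_hrefs) for an untrusted message body."""
    parser = AnchorSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.rejected


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload and a benign link.
    print(safe_display_name("<foo>"))
    print(sanitize_message('<a href="maliciousQRCcomponent" id="fuzzelement1">test</a>'))
    print(sanitize_message('<a href="https://example.com/x">ok</a>'))
```

Rejecting rather than rewriting a bad href keeps the link text visible to the recipient while removing the only part the sender could use to steer the renderer; the list of rejected hrefs gives the client something concrete to log when a message is stripped.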
Both of these vulnerabilities are patched in the latest Windows Beta and live client.