MacVim Sparkle update vulnerable to MitM?

MacVim Sparkle update vulnerable to MitM?

Ivan Wang
Hi all,

A quick check shows MacVim's autoupdate is done with the Sparkle framework at 1.13.0.

Given the recent turmoil over the Sparkle MitM proof of concept (see: https://sparkle-project.org/documentation/security/), is MacVim vulnerable?
MacVim up until Snapshot 96 is using a vulnerable version of Sparkle, but I'm not sure about http or https.

Thanks
Ivan.

--
--
You received this message from the "vim_mac" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_mac" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: MacVim Sparkle update vulnerable to MitM?

Kazuki Sakamoto-2
Hey Ivan,

Both URLs are https.

https://github.com/macvim-dev/macvim/blob/7a04d45bec06ce4fd52a7fa127993d98ed023583/src/MacVim/Info.plist#L1308-L1309

enclosure url
https://raw.githubusercontent.com/macvim-dev/macvim/gh-pages/appcast/latest.xml

Kazuki

On Wed, Feb 10, 2016 at 5:27 PM, Ivan Wang <[hidden email]> wrote:

> Hi all,
>
> A quick check shows MacVim's autoupdate is done with the Sparkle framework at 1.13.0.
>
> Given the recent turmoil over the Sparkle MitM proof of concept (see: https://sparkle-project.org/documentation/security/), is MacVim vulnerable?
> MacVim up until Snapshot 96 is using a vulnerable version of Sparkle, but I'm not sure about http or https.
>
> Thanks
> Ivan.


Re: MacVim Sparkle update vulnerable to MitM?

Ivan Wang
On Thursday, February 11, 2016 at 11:47:51 AM UTC+8, sakamoto wrote:

Hi Kazuki san,

Really appreciate your quick and precise response.

Thanks a lot!
Ivan.
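
The check discussed in this thread (is the Sparkle feed URL in Info.plist, and the enclosure URL in the appcast, served over https?) can be scripted. The following is an added example, not part of the original messages and not MacVim or Sparkle code. It goes slightly beyond the two URLs named in the reply by also checking the appcast's `sparkle:releaseNotesLink`. The sample plist, the sample appcast and the `updates.example.org` host are constructed for illustration.

```python
import plistlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample inputs (hypothetical host, not MacVim's real files).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>SUFeedURL</key>
  <string>https://updates.example.org/appcast/latest.xml</string>
</dict></plist>"""

SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
 <channel><item>
  <title>Constructed snapshot</title>
  <sparkle:releaseNotesLink>http://updates.example.org/notes.html</sparkle:releaseNotesLink>
  <enclosure url="https://updates.example.org/dl/App.tbz" type="application/octet-stream"/>
 </item></channel>
</rss>"""


def sparkle_urls(plist_bytes, appcast_xml):
    """Yield (source, url) for each URL the updater would fetch."""
    info = plistlib.loads(plist_bytes)
    if "SUFeedURL" in info:
        yield "Info.plist SUFeedURL", info["SUFeedURL"].strip()
    for item in ET.fromstring(appcast_xml).iter("item"):
        for enc in item.iter("enclosure"):
            if enc.get("url"):
                yield "appcast enclosure url", enc.get("url").strip()
        for link in item.iter(f"{{{SPARKLE_NS}}}releaseNotesLink"):
            if link.text:
                yield "appcast releaseNotesLink", link.text.strip()


def insecure_urls(plist_bytes, appcast_xml):
    """Return the (source, url) pairs whose scheme is not https."""
    return [(src, url) for src, url in sparkle_urls(plist_bytes, appcast_xml)
            if urlparse(url).scheme.lower() != "https"]


if __name__ == "__main__":
    for src, url in insecure_urls(SAMPLE_PLIST, SAMPLE_APPCAST):
        print(f"NOT HTTPS: {src}: {url}")
```

On the constructed sample only the release notes link is reported, since the feed URL and the enclosure URL are both https.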
