telepathy-gabble: CVE-2013-1769 remotely-triggerable DoS (crash) via weird data forms in caps

Related Vulnerabilities: CVE-2013-1769

Debian Bug report logs - #702252


Reported by: Simon McVittie <smcv@debian.org>

Date: Mon, 4 Mar 2013 14:48:01 UTC

Severity: important

Tags: fixed-upstream

Found in versions telepathy-gabble/0.16.1-2, telepathy-gabble/0.9.15-1+squeeze1

Fixed in versions telepathy-gabble/0.16.5-1, telepathy-gabble/0.17.3-1

Done: Laurent Bigonville <bigon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>:
Bug#702252; Package telepathy-gabble. (Mon, 04 Mar 2013 14:48:04 GMT) (full text, mbox, link).


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>. (Mon, 04 Mar 2013 14:48:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: telepathy-gabble: CVE-2013-1769 remotely-triggerable DoS (crash) via weird data forms in caps
Date: Mon, 4 Mar 2013 14:44:24 +0000
Package: telepathy-gabble
Version: 0.9.15-1+squeeze1
Severity: important
Tags: fixed-upstream pending

telepathy-gabble is vulnerable to CVE-2013-1769, a remotely-triggerable DoS:
other XMPP users can cause Gabble to crash with a NULL pointer dereference
by sending malformed capabilities ("caps") data.

In squeeze, telepathy-gabble itself is believed to be vulnerable.

In wheezy, sid and experimental, the vulnerable code has moved into the
Wocky submodule (which is shipped as part of the telepathy-gabble tarball -
Wocky is not yet ABI-stable) so different patches are needed.

An upload to sid will follow soon.

Security team (in x-debbugs-cc), please let me know whether you want this
to be a DSA or a stable update. I would suggest a stable update since it's
only a DoS.

    S



Marked as found in versions telepathy-gabble/0.16.1-2. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Mon, 04 Mar 2013 16:06:04 GMT) (full text, mbox, link).


Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 04 Mar 2013 16:06:17 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 04 Mar 2013 16:06:17 GMT) (full text, mbox, link).


Message #12 received at 702252-close@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: 702252-close@bugs.debian.org
Subject: Bug#702252: fixed in telepathy-gabble 0.16.5-1
Date: Mon, 04 Mar 2013 16:03:47 +0000
Source: telepathy-gabble
Source-Version: 0.16.5-1

We believe that the bug you reported is fixed in the latest version of
telepathy-gabble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702252@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated telepathy-gabble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 04 Mar 2013 15:10:21 +0000
Source: telepathy-gabble
Binary: telepathy-gabble telepathy-gabble-dbg
Architecture: source amd64
Version: 0.16.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description: 
 telepathy-gabble - Jabber/XMPP connection manager
 telepathy-gabble-dbg - Jabber/XMPP connection manager (debug symbols)
Closes: 702252
Changes: 
 telepathy-gabble (0.16.5-1) unstable; urgency=medium
 .
   * New upstream stable release
     - drop all patches, applied upstream
     - fixes a remotely-triggerable DoS (CVE-2013-1769, Closes: #702252)
Checksums-Sha1: 
 bd3a8c37b7a56c213cc1b70cbc3b633089aeebd7 2479 telepathy-gabble_0.16.5-1.dsc
 6553fe69ccaa9926458d282893ad3d94ac9180e0 2635272 telepathy-gabble_0.16.5.orig.tar.gz
 7e80bbb812c1d76434a80b57be7b5b44cc98c582 12664 telepathy-gabble_0.16.5-1.debian.tar.gz
 654be34169d9445c07b3a5166b422f120678d3f7 818104 telepathy-gabble_0.16.5-1_amd64.deb
 7e97c2a1f7a8e639279ceb06139e3322f0584251 2128260 telepathy-gabble-dbg_0.16.5-1_amd64.deb
Checksums-Sha256: 
 dfeebd3eae40da25933d2ae54b1e0f71a974621dec74bf90b0df1365899074db 2479 telepathy-gabble_0.16.5-1.dsc
 fdadd2b61f2ed912af20df9766adb6ddafb156f174840c7a305e9f19efa16d33 2635272 telepathy-gabble_0.16.5.orig.tar.gz
 5fb72135171c1a215ada8ae928a0a29ffa7ef09f54aef17028dbb0d512b223da 12664 telepathy-gabble_0.16.5-1.debian.tar.gz
 594acc5757e9569beb543791210b185c5d24449385a8f63b0df28f944dc6b6c7 818104 telepathy-gabble_0.16.5-1_amd64.deb
 ba1d1a2e37a8fc1f6b846c40c0d3b198a7395ae95fc2712b5af001c6ddaa1264 2128260 telepathy-gabble-dbg_0.16.5-1_amd64.deb
Files: 
 02340d4b582aecb03c0e9c351c14ef9e 2479 net optional telepathy-gabble_0.16.5-1.dsc
 06eab928c1d147029ee33be53a03710c 2635272 net optional telepathy-gabble_0.16.5.orig.tar.gz
 44c3ba4cee02aca78b69fd0d4959e2f3 12664 net optional telepathy-gabble_0.16.5-1.debian.tar.gz
 f165b27e56216e7ec93f59dc6a564e05 818104 net optional telepathy-gabble_0.16.5-1_amd64.deb
 8f014e4d2d902df2b768165ef1b46da9 2128260 debug extra telepathy-gabble-dbg_0.16.5-1_amd64.deb





Reply sent to Laurent Bigonville <bigon@debian.org>:
You have taken responsibility. (Sun, 10 Mar 2013 12:36:04 GMT) (full text, mbox, link).


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Sun, 10 Mar 2013 12:36:04 GMT) (full text, mbox, link).


Message #17 received at 702252-close@bugs.debian.org (full text, mbox, reply):

From: Laurent Bigonville <bigon@debian.org>
To: 702252-close@bugs.debian.org
Subject: Bug#702252: fixed in telepathy-gabble 0.17.3-1
Date: Sun, 10 Mar 2013 12:32:53 +0000
Source: telepathy-gabble
Source-Version: 0.17.3-1

We believe that the bug you reported is fixed in the latest version of
telepathy-gabble, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 702252@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laurent Bigonville <bigon@debian.org> (supplier of updated telepathy-gabble package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 10 Mar 2013 13:10:28 +0100
Source: telepathy-gabble
Binary: telepathy-gabble telepathy-gabble-dbg telepathy-gabble-tests
Architecture: source amd64
Version: 0.17.3-1
Distribution: experimental
Urgency: low
Maintainer: Debian Telepathy maintainers <pkg-telepathy-maintainers@lists.alioth.debian.org>
Changed-By: Laurent Bigonville <bigon@debian.org>
Description: 
 telepathy-gabble - Jabber/XMPP connection manager
 telepathy-gabble-dbg - Jabber/XMPP connection manager (debug symbols)
 telepathy-gabble-tests - Jabber/XMPP connection manager (automated tests)
Closes: 702252
Changes: 
 telepathy-gabble (0.17.3-1) experimental; urgency=low
 .
   * New upstream release
     - drop all patches, applied upstream
     - fixes a remotely-triggerable DoS (CVE-2013-1769, Closes: #702252)
     - debian/shlibs.local: Bump version
   * debian/control: Fix duplicate package description
Checksums-Sha1: 
 5aab5dfaa235bd1af74a6cb3c7cd18682852af4d 2240 telepathy-gabble_0.17.3-1.dsc
 d912c77465b64b249ac51c92c1ce67988b6976ca 2710882 telepathy-gabble_0.17.3.orig.tar.gz
 9980171b81e6a620af1718d6666510945a30e3c4 13163 telepathy-gabble_0.17.3-1.debian.tar.gz
 0a299f3d76c088c9fdc21358a4f0b8c666abfb44 835208 telepathy-gabble_0.17.3-1_amd64.deb
 7b5a1e8f91047b36b3e4a671ced2be6ad60e9935 9589248 telepathy-gabble-dbg_0.17.3-1_amd64.deb
 adf4e5f25f6b2b52cf20739ed3826895eb2b012b 2787388 telepathy-gabble-tests_0.17.3-1_amd64.deb
Checksums-Sha256: 
 561b44e18d05802d03482753038c3ddfc8783dc600f0ca871651863d0b6c8ed1 2240 telepathy-gabble_0.17.3-1.dsc
 b75f28d3645f2bd8046ad1a4754e3bc164fd44f62cf3b1cbe34c71d4542b94c9 2710882 telepathy-gabble_0.17.3.orig.tar.gz
 f5f42a9155de016ef12fd20c4d7f6c687b1b57ac41743ee3bd7c105d89f93406 13163 telepathy-gabble_0.17.3-1.debian.tar.gz
 0fa54be24b5b9127f438840fae3e6d1f926f6df2a8170733b638af5bbbea9089 835208 telepathy-gabble_0.17.3-1_amd64.deb
 d711828c6d9aa1657068b633cd98dd87cf6292dee24d43d6c7531a9db777c01d 9589248 telepathy-gabble-dbg_0.17.3-1_amd64.deb
 0c89ab0b1d779a40dd62a13276ac70331acd7fcff25fe01246f7dd9a40846c0a 2787388 telepathy-gabble-tests_0.17.3-1_amd64.deb
Files: 
 51061c97e382d8c3ec26bc93f8b8c6a0 2240 net optional telepathy-gabble_0.17.3-1.dsc
 f190ac6244440601f616dd61846689ba 2710882 net optional telepathy-gabble_0.17.3.orig.tar.gz
 81d5ba131d2c0b86d85b0b76b5119a58 13163 net optional telepathy-gabble_0.17.3-1.debian.tar.gz
 7c1338cee51fc70dd91d5ff76fdc7ee8 835208 net optional telepathy-gabble_0.17.3-1_amd64.deb
 f839bf08e19f47a876e4dee9ef4fded4 9589248 debug extra telepathy-gabble-dbg_0.17.3-1_amd64.deb
 f1e70ad2a7872d3ae01b41a95984b82e 2787388 debug extra telepathy-gabble-tests_0.17.3-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJRPHmTAAoJEB/FiR66sEPVmygIAJh6Ga1IV1aBnTjRVP5hgbxO
BLJ4Wf8VzFUGpWDOBNbe6PdoeSgK1Rjb6EFCYj36HYL55ZD1MSda5MkplB+KLjy7
1gmbiltIKHeNWUHIInyug1n6eNrPSsxx4anCMjzjok9KINqQoq8qkodoAbPpX7oq
YYKrZDLYgAVN7LR1jegHwy+97nl4B5AFT6nyM3FDW1ccRcRV7d5p9ZJJVz/dRmPK
/Y+SoVCkBRlG4wRDIMCoAGr8CMTTbFyZ13MCcuQaYelxE9LMWvuW5Ru/YHdDzoPZ
1krS5YTaW5JwGw3wNeurSEB10BLgCo1oC9PSPs8PZZKbQ6b4VT0+vTPqpDVxnRU=
=xE5r
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 08 Apr 2013 07:26:49 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:21:46 2019; Machine Name: buxtehude