qutecom: multiple vulnerabilities

Related Vulnerabilities: CVE-2010-0423, CVE-2010-0420, CVE-2010-0277, CVE-2010-0013

Debian Bug report logs - #572946


Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Sun, 7 Mar 2010 19:45:01 UTC

Severity: important

Tags: confirmed, security

Found in version qutecom/2.2~rc3.hg396~dfsg1-5

Fixed in version qutecom/2.2~rc3.hg396~dfsg1-6

Done: Ludovico Cavedon <cavedon@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://trac.qutecom.org/ticket/195



Report forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#572946; Package qutecom. (Sun, 07 Mar 2010 19:45:04 GMT)


Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Sun, 07 Mar 2010 19:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: submit@bugs.debian.org
Subject: qutecom: multiple vulnerabilities
Date: Sun, 7 Mar 2010 14:43:13 -0500
Package: qutecom
Version: 2.2~rc3.hg396~dfsg1-5+b1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for pidgin.  Since qutecom embeds libpurple, it may also be
affected.  I have not checked this myself, so please do so, and close
the bug if you find the package to be not affected.

CVE-2010-0423[0]:
| gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a
| denial of service (CPU consumption and application hang) by sending
| many smileys in a (1) IM or (2) chat.

CVE-2010-0420[1]:
| libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user
| chat (MUC) room is used, does not properly parse nicknames containing
| &lt;br&gt; sequences, which allows remote attackers to cause a denial of
| service (application crash) via a crafted nickname.

CVE-2010-0277[2]:
| slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6,
| including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a
| denial of service (memory corruption and application crash) or
| possibly have unspecified other impact via a malformed MSNSLP INVITE
| request in an SLP message, a different issue than CVE-2010-0013.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
    http://security-tracker.debian.org/tracker/CVE-2010-0423
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
    http://security-tracker.debian.org/tracker/CVE-2010-0420
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
    http://security-tracker.debian.org/tracker/CVE-2010-0277




Information forwarded to debian-bugs-dist@lists.debian.org, Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>:
Bug#572946; Package qutecom. (Mon, 08 Mar 2010 15:18:11 GMT)


Acknowledgement sent to Ludovico Cavedon <cavedon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>. (Mon, 08 Mar 2010 15:18:11 GMT)


Message #10 received at 572946@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 572946@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#572946: qutecom: multiple vulnerabilities
Date: Mon, 08 Mar 2010 16:15:34 +0100
package qutecom
tags 572946 + confirmed
forwarded 572946 http://trac.qutecom.org/ticket/195
thanks

Michael Gilbert wrote:
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for pidgin.  Since qutecom embeds libpurple, it may also be
> affected.  I have not checked this myself, so please do so, and close
> the bug if you find the package to be not affected.

Yes, these CVEs affect qutecom, thanks for reporting them.
I will try and see if I get a stable version of qutecom (except segfault
at exit) working with the external libpurple.

Thanks,
Ludovico




Added tag(s) confirmed. Request was from Ludovico Cavedon <cavedon@debian.org> to control@bugs.debian.org. (Mon, 08 Mar 2010 15:18:13 GMT)


Set Bug forwarded-to-address to 'http://trac.qutecom.org/ticket/195'. Request was from Ludovico Cavedon <cavedon@debian.org> to control@bugs.debian.org. (Mon, 08 Mar 2010 15:18:14 GMT)


Reply sent to Ludovico Cavedon <cavedon@debian.org>:
You have taken responsibility. (Tue, 09 Mar 2010 22:06:20 GMT)


Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Tue, 09 Mar 2010 22:06:20 GMT)


Message #19 received at 572946-close@bugs.debian.org:

From: Ludovico Cavedon <cavedon@debian.org>
To: 572946-close@bugs.debian.org
Subject: Bug#572946: fixed in qutecom 2.2~rc3.hg396~dfsg1-6
Date: Tue, 09 Mar 2010 22:01:19 +0000
Source: qutecom
Source-Version: 2.2~rc3.hg396~dfsg1-6

We believe that the bug you reported is fixed in the latest version of
qutecom, which is due to be installed in the Debian FTP archive:

qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
  to main/q/qutecom/qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
  to main/q/qutecom/qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
qutecom_2.2~rc3.hg396~dfsg1-6.dsc
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.dsc
qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
  to main/q/qutecom/wengophone_2.2~rc3.hg396~dfsg1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 572946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <cavedon@debian.org> (supplier of updated qutecom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 09 Mar 2010 20:35:47 +0100
Source: qutecom
Binary: qutecom qutecom-data qutecom-dbg wengophone
Architecture: source all amd64
Version: 2.2~rc3.hg396~dfsg1-6
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <pkg-voip-maintainers@lists.alioth.debian.org>
Changed-By: Ludovico Cavedon <cavedon@debian.org>
Description: 
 qutecom    - SIP-based software telephone with video and chat features
 qutecom-data - SIP-based software telephone with video and chat features (data f
 qutecom-dbg - SIP-based software telephone with video and chat features (debug
 wengophone - SIP-based software telephone with video and chat (transitional pa
Closes: 556311 559785 572946
Changes: 
 qutecom (2.2~rc3.hg396~dfsg1-6) unstable; urgency=low
 .
   * Add fix-binutils-gold.patch for building with binutils-gold.
     Closes: #556311.
   * Add libpurple-glib.patch and purple-wait-init.patch for fixing crash with
     external libpurple.
   * Compile against external libpurple (CVE-2010-0423, CVE-2010-0420,
     CVE-2010-0277). Closes: #559785, #572946.
   * Update Standards-Version to 3.8.4.
Checksums-Sha1: 
 9237b8854b92ea5ec911eb07d43b12cfaf90bd2d 2028 qutecom_2.2~rc3.hg396~dfsg1-6.dsc
 ee86486341c76ef7e11e1130ae9519f64e977a76 35968 qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
 662d0c201d887dea5a77a07936ced9ef199d9c94 6401092 qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
 5396d590fc7728c6ff73021e436b0d1fbaee7ca1 20182 wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
 54fe8fdcc27abeb6868aca2cccbd7df9864a1b8c 2850174 qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
 f5241b630e2cb457e4813b4310a402a8bb10277f 31185354 qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
Checksums-Sha256: 
 f6b97c9c5a12ab516c716dd9d6317f02908cb203c46ca959b8eec3aeeae6c598 2028 qutecom_2.2~rc3.hg396~dfsg1-6.dsc
 1751701be1910f2ae23d44bd9c57da2f3fa5de2265a2976b31da8fe288359752 35968 qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
 7464674429e0d40bf56d0970db3f25413e3fcab067f41fe5389441ebfa62803b 6401092 qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
 02b32336225301ef799e912ca7352331b6a40f4cbdded860dfe7bf90aad25069 20182 wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
 96ae2dc0ba53d19577e560f0788a0255922aa341b3fb654af663fb3d3cc50cd0 2850174 qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
 25bb1e5d985409dde589c2f850bc4b3ce38deba4ddd02a2fdb509fbb95b92df6 31185354 qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
Files: 
 7290d07a7169639bad5aa96a7465993f 2028 net optional qutecom_2.2~rc3.hg396~dfsg1-6.dsc
 8fa618b5f50e544de608c9965c2fecf7 35968 net optional qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
 f1ac0ae50531ca29eb4ea74471085198 6401092 net optional qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
 5397b77bb6f93a505fa549c4239fad14 20182 net optional wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
 e971bca280f3360e5595d72f68928bfb 2850174 net optional qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
 48845e7657b356b71dfdc92f888ea4d2 31185354 debug extra qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuWuY8ACgkQCidatrS8pdfDpQCdEk5jNlBEhnie5bLK/vkcvNhf
IB4An2mu2RNQ4t4LxlXSgn9iHjeNskKe
=DZr3
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 24 Jun 2010 07:38:13 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:26 2019; Machine Name: buxtehude
