Debian Bug report logs - #518468
CVE-2008-6393: possible DoS
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Fri, 6 Mar 2009 11:54:02 UTC
Severity: important
Tags: security
Fixed in versions psi/0.12.1-1, psi/0.11-9
Done: Jan Niehusmann <jan@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>: Bug#518468; Package psi. (Fri, 06 Mar 2009 11:54:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 11:54:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: psi
Severity: important
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for psi.
CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file transfer request with a negative value in a SOCKS5 option, which
| bypasses a signed integer check and triggers an integer overflow and a
| heap-based buffer overflow.
The blogpost[1] has some more information. At the moment, I guess the
security impact is fairly low and only results in a client DoS. Maybe
you could check this further, just to be sure?
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393
http://security-tracker.debian.net/tracker/CVE-2008-6393
[1] http://jolmos.blogspot.com/2008/12/psi-remote-integer-overflow.html
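The signed-check bypass named in the CVE text above, as an added C example that is not code from Psi or from this report: `signed_checks` shows the bounds checks with the count byte read as a signed char, and `parse_greeting` shows the same parse with the count read unsigned. The function names, the `struct greeting` type and the sample bytes are constructed for illustration; the message layout (version byte, method count, method list) is the SOCKS5 greeting from RFC 1928.

```c
#include <stddef.h>
#include <string.h>

#define MAX_METHODS 16  /* same limit as the "num > 16" check in Psi */

struct greeting {
    unsigned char version;
    size_t nmethods;
    unsigned char methods[MAX_METHODS];
};

/* Signed read, checks only (nothing is copied). The cast reproduces a plain
 * char read on platforms where char is signed.
 * Returns 1 if both checks pass, 0 for "need more data", -1 for "reject". */
int signed_checks(const unsigned char *buf, size_t len, int *num_out)
{
    if (len < 2) return 0;
    int num = (signed char)buf[1];          /* 0x80..0xFF become -128..-1 */
    if (num > MAX_METHODS) return -1;       /* a negative count is not > 16 */
    if ((int)len < 2 + num) return 0;       /* and 2 + num is below len */
    *num_out = num;                         /* a caller would size a copy with this */
    return 1;
}

/* Hardened parse: the count is an unsigned byte before any check runs. */
int parse_greeting(const unsigned char *buf, size_t len, struct greeting *g)
{
    if (len < 2) return 0;
    if (buf[0] != 0x05) return -1;          /* SOCKS version 5 */
    size_t num = buf[1];                    /* always 0..255 */
    if (num > MAX_METHODS) return -1;
    if (len < 2 + num) return 0;
    g->version = buf[0];
    g->nmethods = num;
    memcpy(g->methods, buf + 2, num);
    return 1;
}

int main(void)
{
    const unsigned char crafted[] = { 0x05, 0xFF };  /* constructed sample */
    struct greeting g;
    int num = 0;
    int old = signed_checks(crafted, sizeof crafted, &num);
    int fixed = parse_greeting(crafted, sizeof crafted, &g);
    return (old == 1 && num == -1 && fixed == -1) ? 0 : 1;
}
```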
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>: Bug#518468; Package psi. (Fri, 06 Mar 2009 12:24:02 GMT)
Acknowledgement sent to Jan Niehusmann <jan@gondor.com>: Extra info received and forwarded to list. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 12:24:02 GMT)
Message #10 received at 518468@bugs.debian.org:
On Fri, Mar 06, 2009 at 10:52:17PM +1100, Steffen Joeris wrote:
> Package: psi
> Severity: important
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for psi.
>
> CVE-2008-6393[0]:
> | PSI Jabber client before 0.12.1 allows remote attackers to cause a
> | denial of service (crash) and possibly execute arbitrary code via a
> | file transfer request with a negative value in a SOCKS5 option, which
> | bypasses a signed integer check and triggers an integer overflow and a
> | heap-based buffer overflow.
>
> The blogpost[1] has some more information. At the moment, I guess the
> security impact is fairly low and only results in a client DoS. Maybe
> you could check this further, just to be sure?
>
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
Thanks for the report.
You can work around the published exploit by disabling the file transfer
port (set it to zero). But I'm not sure if that's sufficient: The
vulnerable code could also get triggered on outgoing connections. I
didn't follow all possible code paths to check that.
Jan
Information forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>: Bug#518468; Package psi. (Fri, 06 Mar 2009 13:12:02 GMT)
Acknowledgement sent to Jan Niehusmann <jan@gondor.com>: Extra info received and forwarded to list. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 13:12:02 GMT)
Message #15 received at 518468@bugs.debian.org:
Here is the fix for this DoS, from upstream git:
Author: Kevin Smith <kismith@aegeus.local>
Date: Wed Dec 17 17:38:39 2008 +0000
Justin's fix for DOS vulnerability in file transfer code
diff --git a/cutestuff/network/socks.cpp b/cutestuff/network/socks.cpp
index 31d728d..91e7e19 100644
--- a/cutestuff/network/socks.cpp
+++ b/cutestuff/network/socks.cpp
@@ -261,7 +261,8 @@ static int spc_get_version(QByteArray *from, SPCS_VERSION *s)
return -1;
if(from->size() < 2)
return 0;
- int num = from->at(1);
+ unsigned char mlen = from->at(1);
+ int num = mlen;
if(num > 16) // who the heck has over 16 auth methods??
return -1;
if(from->size() < 2 + num)
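Review bot: The conversion that carries the fix, `unsigned char mlen = from->at(1);`, is implicit and has no comment, so a later cleanup could fold it back into `int num = from->at(1);` and bring the bug back. Where char is signed, a count byte of 0x80 or above becomes negative and passes both `if(num > 16)` and `if(from->size() < 2 + num)`. Consider one explicit line such as `int num = (unsigned char)from->at(1);` with a comment saying the method count is an unsigned byte, and check whether any other length byte in this file is read through `from->at()` into an int in the same way.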
Reply sent to Jan Niehusmann <jan@debian.org>: You have taken responsibility. (Mon, 09 Mar 2009 22:06:25 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Mon, 09 Mar 2009 22:06:26 GMT)
Message #20 received at 518468-close@bugs.debian.org:
Source: psi
Source-Version: 0.12.1-1
We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:
psi_0.12.1-1.diff.gz
to pool/main/p/psi/psi_0.12.1-1.diff.gz
psi_0.12.1-1.dsc
to pool/main/p/psi/psi_0.12.1-1.dsc
psi_0.12.1-1_i386.deb
to pool/main/p/psi/psi_0.12.1-1_i386.deb
psi_0.12.1.orig.tar.gz
to pool/main/p/psi/psi_0.12.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 09 Mar 2009 18:31:53 +0100
Source: psi
Binary: psi
Architecture: source i386
Version: 0.12.1-1
Distribution: unstable
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description:
psi - Jabber client using Qt
Closes: 504644 518468
Changes:
psi (0.12.1-1) unstable; urgency=high
.
* New Upstream Version
This fixes remote DoS vulnerability CVE-2008-6393 found and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
The original advisory is available at:
http://www.securityfocus.com/archive/1/499563
(Closes: Bug#518468)
* Depend on qt << 4.5.0 as psi needs some patches to work with qt 4.5
* Psi currently doesn't handle missing ssl plugin gracefully. Therefore,
depend on libqca2-plugin-ossl instead of only recommending it.
(Closes: Bug#504644)
Reply sent to Jan Niehusmann <jan@debian.org>: You have taken responsibility. (Tue, 24 Mar 2009 20:12:19 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Tue, 24 Mar 2009 20:12:19 GMT)
Message #25 received at 518468-close@bugs.debian.org:
Source: psi
Source-Version: 0.11-9
We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:
psi_0.11-9.diff.gz
to pool/main/p/psi/psi_0.11-9.diff.gz
psi_0.11-9.dsc
to pool/main/p/psi/psi_0.11-9.dsc
psi_0.11-9_amd64.deb
to pool/main/p/psi/psi_0.11-9_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 09 Mar 2009 15:28:11 +0100
Source: psi
Binary: psi
Architecture: source amd64
Version: 0.11-9
Distribution: stable-security
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description:
psi - Jabber client using Qt
Closes: 518468
Changes:
psi (0.11-9) stable-security; urgency=high
.
* Fix for CVE-2008-6393, taken from upstream git repository.
This fixes a remote DoS vulnerability found and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
The original advisory is available at:
http://www.securityfocus.com/archive/1/499563
(Closes: Bug#518468)
Reply sent to Jan Niehusmann <jan@debian.org>: You have taken responsibility. (Sat, 11 Apr 2009 17:21:15 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Sat, 11 Apr 2009 17:21:15 GMT)
Message #30 received at 518468-close@bugs.debian.org:
Source: psi
Source-Version: 0.11-9
We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:
psi_0.11-9.diff.gz
to pool/main/p/psi/psi_0.11-9.diff.gz
psi_0.11-9.dsc
to pool/main/p/psi/psi_0.11-9.dsc
psi_0.11-9_amd64.deb
to pool/main/p/psi/psi_0.11-9_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Mon, 09 Mar 2009 15:28:11 +0100
Source: psi
Binary: psi
Architecture: source amd64
Version: 0.11-9
Distribution: stable-security
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description:
psi - Jabber client using Qt
Closes: 518468
Changes:
psi (0.11-9) stable-security; urgency=high
.
* Fix for CVE-2008-6393, taken from upstream git repository.
This fixes a remote DoS vulnerability found and reported
by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
The original advisory is available at:
http://www.securityfocus.com/archive/1/499563
(Closes: Bug#518468)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:33:58 GMT)
Last modified: Wed Jun 19 14:12:28 2019