Debian Bug report logs - #557754
amsn: CVE-2006-0138 denial-of-services
Report forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>: Bug#557754; Package amsn. (Tue, 24 Nov 2009 05:36:04 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 24 Nov 2009 05:36:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: amsn
Version: 0.98.1-1
Severity: important
Tags: security
Hi,
The following CVE (Common Vulnerabilities & Exposures) ids were
published quite a while ago for amsn. Please check whether these
issues still exist. If so, you may want to issue proposed-updates for
the stable releases.
CVE-2006-0138[0]:
| aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
| denial of service (client hang and termination of client's
| instant-messaging session) by repeatedly sending crafted data to the
| default file-transfer port (TCP 6891).
CVE-2007-2195[1]:
| aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
| to cause a denial of service (application crash) by sending invalid
| data to TCP port 31337.
If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
http://security-tracker.debian.org/tracker/CVE-2006-0138
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
http://security-tracker.debian.org/tracker/CVE-2007-2195
Severity set to 'grave' from 'important'. Request was from Moritz Muehlenhoff <jmm@debian.org> to control@bugs.debian.org. (Sat, 26 Dec 2009 16:18:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#557754; Package amsn. (Tue, 05 Jan 2010 13:36:10 GMT)
Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>: Extra info received and forwarded to list. (Tue, 05 Jan 2010 13:36:10 GMT)
Message #16 received at 557754@bugs.debian.org:
Hi Michael,
On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
<michael.s.gilbert@gmail.com> wrote:
> Package: amsn
> Version: 0.98.1-1
> Severity: important
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published quite a while ago for amsn. Please check whether these
> issues still exist. If so, you may want to issue proposed-updates for
> the stable releases.
>
> CVE-2006-0138[0]:
> | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> | denial of service (client hang and termination of client's
> | instant-messaging session) by repeatedly sending crafted data to the
> | default file-transfer port (TCP 6891).
>
I have confirmed this one. And a screenshot can be found attached to this mail.
> CVE-2007-2195[1]:
> | aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
> | to cause a denial of service (application crash) by sending invalid
> | data to TCP port 31337.
>
This second one seems to not be valid. When I execute the exploit,
which was written in Python, I get this:
    muammar@obey:~/src/main/programs/amsn/amsn-0.98.1$ python 23583.py
    Traceback (most recent call last):
      File "23583.py", line 8, in <module>
        s.connect((HOST, PORT))
      File "<string>", line 1, in connect
    socket.error: (111, 'Connection refused')
It seems that aMSN is not opening that port at any time. I probed with
other ports which were open but nothing happened. Anyways, I am trying
to see if this can be reproduced. At least I can say for sure that the
first one still exists.
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
> http://security-tracker.debian.org/tracker/CVE-2006-0138
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
> http://security-tracker.debian.org/tracker/CVE-2007-2195
I have forwarded this bug upstream. Thanks for reporting.
Regards
--
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
[cve-2006-0138.png (image/png, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>: Bug#557754; Package amsn. (Sun, 24 Jan 2010 08:27:02 GMT)
Acknowledgement sent to Kees Cook <kees@debian.org>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Sun, 24 Jan 2010 08:27:02 GMT)
Message #21 received at 557754@bugs.debian.org:
severity 557754 important
thanks
Both of these issues are denials of service, so I'm reducing severity
to "important". Additionally, upstream seems to indicate in their bug
report that CVE-2007-2195 does not exist any more.
--
Kees Cook @debian.org
Severity set to 'important' from 'grave'. Request was from Kees Cook <kees@debian.org> to control@bugs.debian.org. (Sun, 24 Jan 2010 08:27:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>: Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:06:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:06:07 GMT)
Message #28 received at 557754@bugs.debian.org:
On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
> Hi Michael,
>
> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
> <michael.s.gilbert@gmail.com> wrote:
> > Package: amsn
> > Version: 0.98.1-1
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) ids were
> > published quite a while ago for amsn. Please check whether these
> > issues still exist. If so, you may want to issue proposed-updates for
> > the stable releases.
> >
> > CVE-2006-0138[0]:
> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> > | denial of service (client hang and termination of client's
> > | instant-messaging session) by repeatedly sending crafted data to the
> > | default file-transfer port (TCP 6891).
> >
>
> I have confirmed this one. And a screenshot can be found attached to this mail.
What's the status?
Has this been fixed in the last approx. two years?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>: Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:15:06 GMT)
Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:15:06 GMT)
Message #33 received at 557754@bugs.debian.org:
On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
>> Hi Michael,
>>
>> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
>> <michael.s.gilbert@gmail.com> wrote:
>> > Package: amsn
>> > Version: 0.98.1-1
>> > Severity: important
>> > Tags: security
>> >
>> > Hi,
>> >
>> > The following CVE (Common Vulnerabilities & Exposures) ids were
>> > published quite a while ago for amsn. Please check whether these
>> > issues still exist. If so, you may want to issue proposed-updates for
>> > the stable releases.
>> >
>> > CVE-2006-0138[0]:
>> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
>> > | denial of service (client hang and termination of client's
>> > | instant-messaging session) by repeatedly sending crafted data to the
>> > | default file-transfer port (TCP 6891).
>> >
>>
>> I have confirmed this one. And a screenshot can be found attached to this mail.
>
> What's the status?
>
Upstream seems to not care about it.
> Has this been fixed in the last approx. two years?
>
No, it has not... I am not sure I'd be able to fix this by myself, btw.
--
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>: Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:27:03 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:27:03 GMT)
Message #38 received at 557754@bugs.debian.org:
Hi,
* Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
[...]
> >> I have confirmed this one. And a screenshot can be found attached to this mail.
> >
> > What's the status?
> >
>
> Upstream seems to not care about it.
>
> > Has this been fixed in the last approx. two years?
> >
>
> No, it has not... I am not sure I'd be able to fix this by myself, btw.
Given the number of instant messaging clients in the archive, what about
removing amsn? I doubt it would stand a serious audit anyway and given that it
is written in tcl, I also doubt it can be properly maintained by anyone who is
not the upstream.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>: Bug#557754; Package amsn. (Tue, 13 Dec 2011 17:33:03 GMT)
Acknowledgement sent to Muammar El Khatib <muammarelkhatib@gmail.com>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Tue, 13 Dec 2011 17:33:03 GMT)
Message #43 received at 557754@bugs.debian.org:
On Tue, Dec 13, 2011 at 18:21, Nico Golde <nion@debian.org> wrote:
> Hi,
> * Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
>> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> [...]
>> >> I have confirmed this one. And a screenshot can be found attached to this mail.
>> >
>> > What's the status?
>> >
>>
>> Upstream seems to not care about it.
>>
>> > Has this been fixed in the last approx. two years?
>> >
>>
>> No, it has not... I am not sure I'd be able to fix this by myself, btw.
>
> Given the number of instant messaging clients in the archive, what about
> removing amsn? I doubt it would stand a serious audit anyway and given that it
> is written in tcl, I also doubt it can be properly maintained by anyone who is
> not the upstream.
That's right. There are many IM clients out there. I don't have a strong
opinion on removing aMSN. What I don't know is if it will not
like/will affect the users of it (given the statistics in popcon).
On the other hand, I have read on the webpage of aMSN that they plan
to release (some day) a version based on Python. I have already tested
such a version, and it is not in that good shape still.
Finally, I am inclined to accept whichever is better for Debian,
whether that is removing aMSN or not.
Regards,
--
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammar@debian.org>: Bug#557754; Package amsn. (Thu, 15 Dec 2011 23:21:03 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammar@debian.org>. (Thu, 15 Dec 2011 23:21:03 GMT)
Message #48 received at 557754@bugs.debian.org:
> That's right. There are many IM clients out there. I don't have a strong
> opinion on removing aMSN. What I don't know is if it will not
> like/will affect the users of it (given the statistics in popcon).
>
> On the other hand, I have read on the webpage of aMSN that they plan
> to release (some day) a version based on Python. I have already tested
> such a version, and it is not in that good shape still.
>
> Finally, I am inclined to accept whichever is better for Debian,
> whether that is removing aMSN or not.
Please submit a bug against pseudo package ftp.debian.org requesting
removal of your package.
Thanks,
Mike
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>: Bug#557754; Package amsn. (Tue, 05 Jun 2012 15:42:03 GMT)
Acknowledgement sent to "Armin K." <krejzi@email.com>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 05 Jun 2012 15:42:03 GMT)
Message #53 received at 557754@bugs.debian.org:
On my system the CVE-2006-0138 is not present. I've tried using default
STARTING file transfer port (6891) and it said that connection was
refused. Then I found out that my amsn is listening on another port. I
tried that port too, data were sent, but amsn didn't crash nor disconnect.
    tcp 0 0 0.0.0.0:61152 0.0.0.0:* LISTEN 10969/wish
I used this script when I tested this issue
http://www.securiteam.com/exploits/5JP090KHFQ.html
Also, my aMSN is 0.98.9 05/23/2012 so I guess it was fixed within 0.98.4
- 0.98.9 ... Can aMSN be put back into book? It is as far the best MSN
only client available for Linux. (Emesene 1.63 was good too, but it does
not work anymore for me)
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>: Bug#557754; Package amsn. (Tue, 10 Jul 2012 14:36:04 GMT)
Acknowledgement sent to Gianfranco Costamagna <costamagnagianfranco@yahoo.it>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 10 Jul 2012 14:36:04 GMT)
Message #58 received at 557754@bugs.debian.org:
Hi everybody, please look at [1]: the new amsn 0.98.9 fixes those vulnerabilities, so can you please consider adding amsn back?
thanks
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=CAO3MEfCKyEDFo%2BFuwkFepb2akUgMKVdvmNU9UsF%2B6kUdV0zxnw%40mail.gmail.com&forum_name=amsn-devel
Information forwarded to debian-bugs-dist@lists.debian.org, Muammar El Khatib <muammarelkhatib@gmail.com>: Bug#557754; Package amsn. (Tue, 10 Jul 2012 15:36:04 GMT)
Acknowledgement sent to Steven Chamberlain <steven@pyro.eu.org>: Extra info received and forwarded to list. Copy sent to Muammar El Khatib <muammarelkhatib@gmail.com>. (Tue, 10 Jul 2012 15:36:04 GMT)
Message #63 received at 557754@bugs.debian.org:
Hi,
Someone already tried, but there were packaging issues which means it
wasn't accepted yet. In fact (quoting from the reviewer's reasons for
rejection):
> This package is
> not suitable for inclusion in the archive, not until it has been
> pretty much redone from scratch.
>
> Especially so, because this is a reintroduction attempt of something
> that has been removed on request of QA.
Even if all this can be done, it would be too late to be included in the
Wheezy release unfortunately.
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
Marked as fixed in versions amsn/0.98.9-1. Request was from Steven Chamberlain <steven@pyro.eu.org> to control@bugs.debian.org. (Wed, 07 Nov 2012 22:00:07 GMT)
Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>: You have taken responsibility. (Thu, 29 Oct 2015 16:00:06 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Thu, 29 Oct 2015 16:00:06 GMT)
Message #70 received at 557754-done@bugs.debian.org:
Version: 0.98.9-1+rm
Dear submitter,
as the package amsn has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/803288
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Nov 2015 07:30:54 GMT)
Last modified: Wed Jun 19 18:27:48 2019; Machine Name: buxtehude