amsn: CVE-2006-0138 denial-of-services

Debian Bug report logs - #557754
amsn: CVE-2006-0138 denial-of-services

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: submit@bugs.debian.org

Subject: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 24 Nov 2009 00:33:59 -0500

Package: amsn
Version: 0.98.1-1
Severity: important
Tags: security

Hi,

The following CVE (Common Vulnerabilities & Exposures) ids were
published quite a while ago for amsn.  Please check whether these
issues still exist.  If so, you may want to issue proposed-updates for
the stable releases.

CVE-2006-0138[0]:
| aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
| denial of service (client hang and termination of client's
| instant-messaging session) by repeatedly sending crafted data to the
| default file-transfer port (TCP 6891).

CVE-2007-2195[1]:
| aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
| to cause a denial of service (application crash) by sending invalid
| data to TCP port 31337.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
    http://security-tracker.debian.org/tracker/CVE-2006-0138
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
    http://security-tracker.debian.org/tracker/CVE-2007-2195

Message #16 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Muammar El Khatib <muammarelkhatib@gmail.com>

To: 557754@bugs.debian.org

Cc: Michael Gilbert <michael.s.gilbert@gmail.com>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 5 Jan 2010 09:04:30 -0430

[Message part 1 (text/plain, inline)]

Hi Michael,

On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
<michael.s.gilbert@gmail.com> wrote:
> Package: amsn
> Version: 0.98.1-1
> Severity: important
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published quite a while ago for amsn.  Please check whether these
> issues still exist.  If so, you may want to issue proposed-updates for
> the stable releases.
>
> CVE-2006-0138[0]:
> | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> | denial of service (client hang and termination of client's
> | instant-messaging session) by repeatedly sending crafted data to the
> | default file-transfer port (TCP 6891).
>

I have confirmed this one. And a screenshot can be found attached to this mail.

> CVE-2007-2195[1]:
> | aMSN (aka Alvaro's Messenger) 0.96 and earlier allows remote attackers
> | to cause a denial of service (application crash) by sending invalid
> | data to TCP port 31337.
>

This second one seems to not be valid. When I execute the exploit,
which was written in Python, I get this:
muammar@obey:~/src/main/programs/amsn/amsn-0.98.1$ python 23583.py

Traceback (most recent call last):
  File "23583.py", line 8, in <module>
    s.connect((HOST, PORT))
  File "<string>", line 1, in connect
socket.error: (111, 'Connection refused')

It seems that aMSN is not opening that port at any time. I probed with
other ports which were open but nothing happened. Anyways, I am trying
to see if this can be reproduced. At least I can say for sure that the
first one still exists.

> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
>
> For further information see:
>
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0138
>    http://security-tracker.debian.org/tracker/CVE-2006-0138
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2195
>    http://security-tracker.debian.org/tracker/CVE-2007-2195

I have forwarded this bug upstream. Thanks for reporting.

Regards
-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-

[cve-2006-0138.png (image/png, attachment)]

Message #21 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Kees Cook <kees@debian.org>

To: 557754@bugs.debian.org

Subject: updates

Date: Sun, 24 Jan 2010 00:22:19 -0800

severity 557754 important
thanks

Both of these issues are denials of service, so I'm reducing severity
to "important".  Additionally, upstream seems to indicate in their bug
report that CVE-2007-2195 does not exist any more.

-- 
Kees Cook                                            @debian.org

Message #28 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Muammar El Khatib <muammarelkhatib@gmail.com>

Cc: 557754@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 13 Dec 2011 18:01:58 +0100

On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
> Hi Michael,
> 
> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
> <michael.s.gilbert@gmail.com> wrote:
> > Package: amsn
> > Version: 0.98.1-1
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following CVE (Common Vulnerabilities & Exposures) ids were
> > published quite a while ago for amsn.  Please check whether these
> > issues still exist.  If so, you may want to issue proposed-updates for
> > the stable releases.
> >
> > CVE-2006-0138[0]:
> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
> > | denial of service (client hang and termination of client's
> > | instant-messaging session) by repeatedly sending crafted data to the
> > | default file-transfer port (TCP 6891).
> >
> 
> I have confirmed this one. And a screenshot can be found attached to this mail.

What's the status?

Has this been fixed in the last approx. two years?

Cheers,
        Moritz
       

Message #33 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Muammar El Khatib <muammarelkhatib@gmail.com>

To: Moritz Muehlenhoff <jmm@inutil.org>

Cc: 557754@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 13 Dec 2011 18:11:23 +0100

On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Tue, Jan 05, 2010 at 09:04:30AM -0430, Muammar El Khatib wrote:
>> Hi Michael,
>>
>> On Tue, Nov 24, 2009 at 1:03 AM, Michael Gilbert
>> <michael.s.gilbert@gmail.com> wrote:
>> > Package: amsn
>> > Version: 0.98.1-1
>> > Severity: important
>> > Tags: security
>> >
>> > Hi,
>> >
>> > The following CVE (Common Vulnerabilities & Exposures) ids were
>> > published quite a while ago for amsn.  Please check whether these
>> > issues still exist.  If so, you may want to issue proposed-updates for
>> > the stable releases.
>> >
>> > CVE-2006-0138[0]:
>> > | aMSN (aka Alvaro's Messenger) allows remote attackers to cause a
>> > | denial of service (client hang and termination of client's
>> > | instant-messaging session) by repeatedly sending crafted data to the
>> > | default file-transfer port (TCP 6891).
>> >
>>
>> I have confirmed this one. And a screenshot can be found attached to this mail.
>
> What's the status?
>

Upstream seems to not care about it.

> Has this been fixed in the last approx. two years?
>

No, it has not... I am not sure I'd be able to fix this by myself, btw.


-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-

Message #38 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: Muammar El Khatib <muammarelkhatib@gmail.com>, 557754@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <michael.s.gilbert@gmail.com>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 13 Dec 2011 18:21:39 +0100

[Message part 1 (text/plain, inline)]

Hi,
* Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
[...] 
> >> I have confirmed this one. And a screenshot can be found attached to this mail.
> >
> > What's the status?
> >
> 
> Upstream seems to not care about it.
> 
> > Has this been fixed in the last approx. two years?
> >
> 
> No, it has not... I am not sure I'd be able to fix this by myself, btw.

Given the number of instant messaging clients in the archive, what about 
removing amsn? I doubt it would stand a serious audit anyway and given that it 
is written in tcl, I also doubt it can be properly maintained by anyone who is 
not the upstream.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #43 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Muammar El Khatib <muammarelkhatib@gmail.com>

To: Nico Golde <nion@debian.org>

Cc: 557754@bugs.debian.org, Moritz Muehlenhoff <jmm@inutil.org>, Michael Gilbert <michael.s.gilbert@gmail.com>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 13 Dec 2011 18:29:11 +0100

On Tue, Dec 13, 2011 at 18:21, Nico Golde <nion@debian.org> wrote:
> Hi,
> * Muammar El Khatib <muammarelkhatib@gmail.com> [2011-12-13 18:16]:
>> On Tue, Dec 13, 2011 at 18:01, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> [...]
>> >> I have confirmed this one. And a screenshot can be found attached to this mail.
>> >
>> > What's the status?
>> >
>>
>> Upstream seems to not care about it.
>>
>> > Has this been fixed in the last approx. two years?
>> >
>>
>> No, it has not... I am not sure I'd be able to fix this by myself, btw.
>
> Given the number of instant messaging clients in the archive, what about
> removing amsn? I doubt it would stand a serious audit anyway and given that it
> is written in tcl, I also doubt it can be properly maintained by anyone who is
> not the upstream.

That's right. There many IM clients out there. I don't have a strong
opinion on removing aMSN. What I don't know is if it will not
like/will affect to the users of it (given the statistics in popcon).

On the other hand, I have read on the webpage of aMSN that they plan
to release (some day) a version based on Python. I have already tested
such a version, and it is not in that good shape still.

Finally, I am inclined to accept that which be better for Debian
either being removing aMSN or not.

Regards,

-- 
Muammar El Khatib.
Linux user: 403107.
GPG Key = 127029F1
http://muammar.me | http://proyectociencia.org
  ,''`.
 : :' :
 `. `'
   `-

Message #48 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Michael Gilbert <michael.s.gilbert@gmail.com>

To: 557754@bugs.debian.org

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Thu, 15 Dec 2011 18:19:27 -0500

> That's right. There many IM clients out there. I don't have a strong
> opinion on removing aMSN. What I don't know is if it will not
> like/will affect to the users of it (given the statistics in popcon).
>
> On the other hand, I have read on the webpage of aMSN that they plan
> to release (some day) a version based on Python. I have already tested
> such a version, and it is not in that good shape still.
>
> Finally, I am inclined to accept that which be better for Debian
> either being removing aMSN or not.

Please submit a bug against psuedo package ftp.debian.org requesting
removal of your package.

Thanks,
Mike

Message #53 received at 557754@bugs.debian.org (full text, mbox, reply):

From: "Armin K." <krejzi@email.com>

To: 557754@bugs.debian.org

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 05 Jun 2012 17:32:56 +0200

On my system the CVE-2006-0138 is not present. I've tried using default 
STARTING file transfer port (6891) and it said that connection was 
refused. Then I found out that my amsn is listening on another port. I 
tried that port too, data were sent, but amsn didn't crash nor disconnect.

tcp        0      0 0.0.0.0:61152           0.0.0.0:* 
LISTEN      10969/wish

I used this script when I tested this issue 
http://www.securiteam.com/exploits/5JP090KHFQ.html

Also, my aMSN is 0.98.9 05/23/2012 so I guess it was fixed within 0.98.4 
- 0.98.9 ... Can aMSN be put back into book? It is as far the best MSN 
only client available for Linux. (Emesene 1.63 was good too, but it does 
not work anymore for me)

Message #58 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>

To: "557754@bugs.debian.org" <557754@bugs.debian.org>

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 10 Jul 2012 15:33:44 +0100 (BST)

[Message part 1 (text/plain, inline)]

 Hi everybody, please look at [1] the new amsn 0.98.9 fixes those vulnerabilities, so can please you consider adding amsn back?


thanks
[1] http://sourceforge.net/mailarchive/forum.php?thread_name=CAO3MEfCKyEDFo%2BFuwkFepb2akUgMKVdvmNU9UsF%2B6kUdV0zxnw%40mail.gmail.com&forum_name=amsn-devel

[Message part 2 (text/html, inline)]

Message #63 received at 557754@bugs.debian.org (full text, mbox, reply):

From: Steven Chamberlain <steven@pyro.eu.org>

To: Gianfranco Costamagna <costamagnagianfranco@yahoo.it>, 557754@bugs.debian.org

Subject: Re: Bug#557754: amsn: CVE-2006-0138 denial-of-services

Date: Tue, 10 Jul 2012 16:32:54 +0100

Hi,

Someone already tried, but there were packaging issues which means it
wasn't accepted yet.  In fact (quoting from the reviewer's reasons for
rejection) :

> This package is
> not suitable for inclusion in the archive, not until it has been
> pretty much redone from scratch.
> 
> Especially so, because this is a reintroduction attempt of something
> that has been removed on request of QA.

Even if all this can be done, it would be too late to be included in the
Wheezy release unfortunately.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

Message #70 received at 557754-done@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 557754-done@bugs.debian.org,689243-done@bugs.debian.org,802830-done@bugs.debian.org,

Cc: amsn@packages.debian.org, amsn@packages.qa.debian.org

Subject: Bug#803288: Removed package(s) from unstable

Date: Thu, 29 Oct 2015 15:58:21 +0000

Version: 0.98.9-1+rm

Dear submitter,

as the package amsn has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/803288

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

Send a report that this bug log contains spam.