Debian Bug report logs -
#875829
prosody: CVE-2017-18265: crashed on error handling for stream errors
Reported by: Albert Dengg <albert@fsfe.org>
Date: Thu, 14 Sep 2017 21:15:02 UTC
Severity: important
Tags: patch, security, stretch
Found in version prosody/0.9.12-2
Fixed in versions prosody/0.10.0-1, prosody/0.9.12-2+deb9u1
Done: Sergei Golovan <sgolovan@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://prosody.im/issues/issue/987
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, albert@fsfe.org, Matthew James Wild <mwild1@gmail.com>:
Bug#875829; Package prosody.
(Thu, 14 Sep 2017 21:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Albert Dengg <albert@fsfe.org>:
New Bug report received and forwarded. Copy sent to albert@fsfe.org, Matthew James Wild <mwild1@gmail.com>.
(Thu, 14 Sep 2017 21:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: prosody
Version: 0.9.12-2
Severity: important
Tags: patch
hi,
with the lua-socket version from debian stretch, prosody as shipped in the debian
package crashes when handling (at least some) stream errors,
see also upstream bug [0].
as mentioned in the upstream bug, the patches in [1] and [2] fix this
crash as it seems (i'm testing it further, but sofar everything looks
good)
could these 2 patches please be applied for the debian package?
thx,
regards
albert
[0] <https://prosody.im/issues/issue/987>
[1] <https://hg.prosody.im/0.9/rev/176b7f4e4ac9>
[2] <https://hg.prosody.im/0.9/rev/adfffc5b4e2a>
-- System Information:
Debian Release: 9.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages prosody depends on:
ii adduser 3.115
ii libc6 2.24-11+deb9u1
ii libidn11 1.33-1
ii libssl1.1 1.1.0f-3
ii lsb-base 9.20161125
ii lua-expat [lua5.1-expat] 1.3.0-4
ii lua-filesystem [lua5.1-filesystem] 1.6.3-1
ii lua-sec [lua5.1-sec] 0.6-3
ii lua-socket [lua5.1-socket] 3.0~rc1+git+ac3201d-3
ii lua5.1 5.1.5-8.1+b2
ii ssl-cert 1.0.39
Versions of packages prosody recommends:
ii lua-event [lua5.1-event] 0.4.3-2
Versions of packages prosody suggests:
pn lua-dbi-mysql <none>
pn lua-dbi-postgresql <none>
pn lua-dbi-sqlite3 <none>
ii lua-zlib 0.2+git+1+9622739-2+b2
-- Configuration Files:
/etc/prosody/prosody.cfg.lua changed [not included]
-- no debconf information
Information forwarded
to debian-bugs-dist@lists.debian.org, Matthew James Wild <mwild1@gmail.com>:
Bug#875829; Package prosody.
(Wed, 25 Apr 2018 13:39:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Sergei Golovan <sgolovan@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthew James Wild <mwild1@gmail.com>.
(Wed, 25 Apr 2018 13:39:05 GMT) (full text, mbox, link).
Message #10 received at 875829@bugs.debian.org (full text, mbox, reply):
Hi Albert,
Sorry for a delay.
On Fri, Sep 15, 2017 at 12:05 AM, Albert Dengg <albert@fsfe.org> wrote:
>
> hi,
>
> with the lua-socket version from debian stretch, prosody as shipped in the debian
> package crashes when handling (at least some) stream errors,
> see also upstream bug [0].
>
> as mentioned in the upstream bug, the patches in [1] and [2] fix this
> crash as it seems (i'm testing it further, but sofar everything looks
> good)
>
> could these 2 patches please be applied for the debian package?
It seems to me like it's a fairly important bug, which justifies
fixing it in stable.
I'll prepare a fixed version shortly.
Cheers!
--
Sergei Golovan
Added tag(s) stretch.
Request was from Sergei Golovan <sgolovan@debian.org>
to control@bugs.debian.org.
(Wed, 25 Apr 2018 15:09:17 GMT) (full text, mbox, link).
Marked as fixed in versions prosody/0.10.0-1.
Request was from Sergei Golovan <sgolovan@debian.org>
to control@bugs.debian.org.
(Wed, 25 Apr 2018 16:54:04 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Sergei Golovan <sgolovan@debian.org>
to control@bugs.debian.org.
(Fri, 27 Apr 2018 06:00:05 GMT) (full text, mbox, link).
Added tag(s) security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 07 May 2018 11:45:04 GMT) (full text, mbox, link).
Changed Bug title to 'prosody: CVE-2017-18265: crashed on error handling for stream errors' from 'prosody crashed on error handling for stream errors'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 09 May 2018 17:18:04 GMT) (full text, mbox, link).
Reply sent
to Sergei Golovan <sgolovan@debian.org>:
You have taken responsibility.
(Sun, 13 May 2018 20:54:04 GMT) (full text, mbox, link).
Notification sent
to Albert Dengg <albert@fsfe.org>:
Bug acknowledged by developer.
(Sun, 13 May 2018 20:54:04 GMT) (full text, mbox, link).
Message #27 received at 875829-close@bugs.debian.org (full text, mbox, reply):
Source: prosody
Source-Version: 0.9.12-2+deb9u1
We believe that the bug you reported is fixed in the latest version of
prosody, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 875829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sergei Golovan <sgolovan@debian.org> (supplier of updated prosody package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 07 May 2018 14:41:26 +0300
Source: prosody
Binary: prosody
Architecture: source amd64
Version: 0.9.12-2+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Matthew James Wild <mwild1@gmail.com>
Changed-By: Sergei Golovan <sgolovan@debian.org>
Description:
prosody - Lightweight Jabber/XMPP server
Closes: 875829
Changes:
prosody (0.9.12-2+deb9u1) stretch-security; urgency=medium
.
* Add a patch by upstream which fixes prosody crashes in the c2s, s2s and
component modules (closes: #875829).
Checksums-Sha1:
2db17b36379461635b29a7985ac25d7146f0d524 2066 prosody_0.9.12-2+deb9u1.dsc
4fb248c5bb470d9940e38538bbd0ea61ac68ea3f 268895 prosody_0.9.12.orig.tar.gz
406c733e412f4ac2af7d90e454b56cafe9b21a3b 12956 prosody_0.9.12-2+deb9u1.debian.tar.xz
325cb22d1de4b1d2aeda83b43665e1d776fe9d2c 35888 prosody-dbgsym_0.9.12-2+deb9u1_amd64.deb
139ad8f81c5a00af5baf1b60b55925c6f815d5ec 6387 prosody_0.9.12-2+deb9u1_amd64.buildinfo
1c16040ef59b5e1f9a601fe138dcbc73ca1fa772 204972 prosody_0.9.12-2+deb9u1_amd64.deb
Checksums-Sha256:
d994dc57fe6a7378c310a9583a7b3e69fe40171d35419042e84017f3352f1862 2066 prosody_0.9.12-2+deb9u1.dsc
2c4c60c6e1a4bdc91219a5d34cda687ff87b5ee1752b20b5e232f79782f2d4a9 268895 prosody_0.9.12.orig.tar.gz
4bad36fcd4b1bc8242351496959cd3011f1be352a3157cf81e43222ef647af70 12956 prosody_0.9.12-2+deb9u1.debian.tar.xz
15b0faa233c587ed6f02892bf6414d5881dfa9023e94d4a71134bfe1bed1f161 35888 prosody-dbgsym_0.9.12-2+deb9u1_amd64.deb
0e0b791a775ac7af2fd9dfda7de5e5cf20ddd940fef9e4db7569b2eccfdaf320 6387 prosody_0.9.12-2+deb9u1_amd64.buildinfo
2bd3a869bc8b658cf313c387c91a536add0ee82e053bbd08fde7adf303034920 204972 prosody_0.9.12-2+deb9u1_amd64.deb
Files:
924bd12a365bf2743bd4430b72fdf0a5 2066 net extra prosody_0.9.12-2+deb9u1.dsc
d8bc8efb3cd5591bb8d12f1009afe5b3 268895 net extra prosody_0.9.12.orig.tar.gz
56fdffb6fc6dee8c492b17bba96d2fca 12956 net extra prosody_0.9.12-2+deb9u1.debian.tar.xz
3d4da590989a1ec0e3614fe80e4b1036 35888 debug extra prosody-dbgsym_0.9.12-2+deb9u1_amd64.deb
dd3d8d9ba1678a218774aeac366e8d15 6387 net extra prosody_0.9.12-2+deb9u1_amd64.buildinfo
24dcd7958d84a5f74cebce76095ef124 204972 net extra prosody_0.9.12-2+deb9u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE/SYPsyDB+ShSnvc4Tyrk60tj54cFAlrwPK0ACgkQTyrk60tj
54f3dw/7BnZZAePWYe7uCBAgTer0sL2iclNcVmJTq9AKCmdsQ1podOS+yLqTMG8B
W9DsQixXIafL1BNxQdVyF+YL1TgKApHulvh5mwYkg6B2bsOfCnLuSoyB17VugQoo
aQ/ZIrL/83v3gxLIJ7RQVq/iG3ia5tfPq8wZuz6liae03cfbsZCKeffN4Mop9IqA
v+R42UIboDMEWXENRZcG4VD1LNsfKhjcinXsk6hsU2txSileoy+nQ+tFNBaB15ZW
2EOYpeZE4Yjb8mSmNxv/l8XbSQpsatCgrgrZaVBbllV6bIRqBiRN+wF5oq0UJ2DE
NJKLotSK7iS8ktNUpkuZun6vRw/apUodfK6+drkuZ3Ab6BxWSDVaUx4eUYbhlQUg
qCa+z926rq/NlyFmlUDs8OHMIJScYf7GdXxk0PLOVcrxsAD2Yhz43Fixf787SFgu
aY5rNmMgMVL2MVCX8ks5spMXe4C3EPZgHQ0pDurjIsIdsAc04xi2e6MPbfHKu8Ub
xs8TdAAjYLTij4HTQJJgWVoI4pRo9WZaPOsM9a1JcmCc7g1jx4lTYHppedD5N+4P
nKs2eWDxrI2+4Afd0cFp7h6+oRNISLf0x7EuK5O0B2naPIsJUnms4zFddsBgXPT5
LbaYUqz3vIvTOkBEdsyImTd4MbHt2bgNJbyOVV7o/jzMzwyl7YE=
=xS+F
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 12 Aug 2018 07:28:46 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:58:23 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon