CVE-2008-4776: remote DoS

Related Vulnerabilities: CVE-2008-4776  

Debian Bug report logs - #503916

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Wed, 29 Oct 2008 10:15:01 UTC

Severity: important

Tags: patch, security

Found in version libgadu/1:1.8.0+r592-2

Fixed in version 1:1.8.0+r592-3

Done: Marcin Owsiany <porridge@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>:
Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:15:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Marcin Owsiany <porridge@debian.org>. (Wed, 29 Oct 2008 10:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-4776: remote DoS
Date: Wed, 29 Oct 2008 21:14:30 +1100
Package: libgadu3
Version: 1:1.8.0+r592-2
Severity: important
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgadu3.

CVE-2008-4776:
libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.

The Red Hat bug report[1] has more information and the upstream patch[2].

Since it seems that the issue can only be used to perform a DoS and libgadu
is used by messenger clients, it shouldn't need a DSA/DTSA.

However, it would be nice to get the issue fixed in lenny via migration
through unstable.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
    http://security-tracker.debian.net/tracker/CVE-2008-4776
[1] https://bugzilla.redhat.com/show_bug.cgi?id=468830
[2] https://bugzilla.redhat.com/attachment.cgi?id=321690




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:48:06 GMT)


Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list. (Wed, 29 Oct 2008 10:48:06 GMT)


Message #10 received at 503916@bugs.debian.org:

From: Marcin Owsiany <porridge@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 503916@bugs.debian.org
Subject: Re: Bug#503916: CVE-2008-4776: remote DoS
Date: Wed, 29 Oct 2008 10:43:07 +0000
On Wed, Oct 29, 2008 at 09:14:30PM +1100, Steffen Joeris wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libgadu3.

Finally :-) I have the packages ready from the day upstream patched
this.. just waiting for the ID to build and upload.

Please note that the tracker entry is incomplete. See my initial email
to security team (attached) for more details.

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216




Tags added: pending Request was from Marcin Owsiany <porridge@debian.org> to control@bugs.debian.org. (Wed, 29 Oct 2008 10:48:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:51:07 GMT)


Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list. (Wed, 29 Oct 2008 10:51:07 GMT)


Message #17 received at 503916@bugs.debian.org:

From: Marcin Owsiany <porridge@debian.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 503916@bugs.debian.org
Subject: Re: Bug#503916: CVE-2008-4776: remote DoS
Date: Wed, 29 Oct 2008 10:49:24 +0000
[Message part 1 (text/plain, inline)]
On Wed, Oct 29, 2008 at 10:43:07AM +0000, Marcin Owsiany wrote:
> to security team (attached) for more details.

*sigh*

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
[Message part 2 (message/rfc822, inline)]
From: Marcin Owsiany <porridge@debian.org>
To: security@debian.org
Subject: Security vulnerability in libgadu3 << 1.8.2
Date: Fri, 24 Oct 2008 12:14:32 +0100
[Message part 3 (text/plain, inline)]
Hi,

There is a medium-to-low severity vulnerability in libgadu.
Please allocate a CVE ID. Description below. I will start preparing
packages.

Upstream announcement (Polish only):
http://toxygen.net/libgadu/releases/1.8.2.html
http://toxygen.net/websvn/listing.php?repname=libgadu&path=%2F&rev=638&sc=1

Rough translation: a crafted packet sent by a rogue Gadu-Gadu server (or
MiTM attacker) may cause a segmentation violation in the libgadu library
due to an error in the function for parsing contact description packets.
Most likely this can only cause reading of uninitialized memory (DoS),
although authors do not rule out overwriting of memory (potentially
leading to arbitrary code execution). This vulnerability was found by
Jakub Zawadzki.

Upstream has released libgadu version 1.8.2. The (2 line) fix for this
is the only difference from 1.8.1.
The vulnerable code dates back at least to September 2003, possibly even
earlier, which means all Debian-distributed libgadu versions are
vulnerable, back to oldstable. (ekg source package until and including
etch, and libgadu source package since lenny).

Since there is a minimal patch, I will probably create minimal minor
version updates. The versions will be:

sarge           ekg       1:1.5+20050411-9
sarge-volatile  ekg       1:1.5+20050411-10
etch            ekg       1:1.7~rc2-1etch4
sid+lenny       libgadu   1:1.8~rc1-2

I will submit final interdiffs when I get the CVE ID.

(I hope I can upload to sid and ask for an exception to have it
propagate to lenny? Or is it better to prepare a special version for
lenny?)

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
[signature.asc (application/pgp-signature, inline)]
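
The bug class described in the message above (a peer-declared description length used without checking it against the bytes actually received), as an added example that is not libgadu's code or the upstream patch. The packet layout, function names and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout, NOT libgadu's wire format:
 * [u32 little-endian declared length][description bytes] */
#define HDR_LEN 4u

/* Constructed samples: one honest packet, one declaring 65535 bytes. */
static const uint8_t SAMPLE_OK[]  = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_BAD[] = {0xff, 0xff, 0, 0, 'h', 'i'};
static char OUT[64];

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Over-read pattern: the peer's declared length is trusted. */
int desc_unchecked(const uint8_t *pkt, size_t pkt_len, char *out, size_t cap) {
    uint32_t n = rd_le32(pkt);
    (void)pkt_len;                        /* never consulted: the bug */
    if (n >= cap) n = (uint32_t)cap - 1;  /* protects out, not pkt */
    memcpy(out, pkt + HDR_LEN, n);        /* can read past the packet */
    out[n] = '\0';
    return (int)n;
}

/* Hardened: the declared length must fit in the bytes received. */
int desc_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t cap) {
    if (!pkt || !out || cap == 0 || pkt_len < HDR_LEN)
        return -1;
    uint32_t n = rd_le32(pkt);
    if (n > pkt_len - HDR_LEN)            /* subtraction cannot wrap here */
        return -1;
    if (n >= cap)                         /* leave room for the NUL */
        return -1;
    memcpy(out, pkt + HDR_LEN, n);
    out[n] = '\0';
    return (int)n;
}

int main(void) {
    int ok = desc_checked(SAMPLE_OK, sizeof SAMPLE_OK, OUT, sizeof OUT);
    int bad = desc_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, OUT, sizeof OUT);
    printf("honest=%d oversized=%d\n", ok, bad);
    return 0;
}
```

Clamping the length to the destination size, as `desc_unchecked` does, only protects the output buffer; the source read still runs past the received packet, which is why the checked version compares against `pkt_len` first.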

Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>:
Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:57:04 GMT)


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Wed, 29 Oct 2008 10:57:04 GMT)


Message #22 received at 503916@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Marcin Owsiany <porridge@debian.org>
Cc: 503916@bugs.debian.org
Subject: Re: Bug#503916: CVE-2008-4776: remote DoS
Date: Wed, 29 Oct 2008 21:58:55 +1100
[Message part 1 (text/plain, inline)]
On Wed, 29 Oct 2008 09:43:07 pm Marcin Owsiany wrote:
> On Wed, Oct 29, 2008 at 09:14:30PM +1100, Steffen Joeris wrote:
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for libgadu3.
>
> Finally :-) I have the packages ready from the day upstream patched
> this.. just waiting for the ID to build and upload.
>
> Please note that the tracker entry is incomplete. See my initial email
> to security team (attached) for more details.
Bah, you are right. I was too fast there and didn't look into my team@s.d.o. 
inbox. You already got a go from Moritz for stable, so feel free to go ahead. 
I have modified the tracker entry now.
For testing I still think it can be fixed via migration from unstable. Please 
use "urgency=high" in your uploads and mail debian-release@l.d.o. (with cc to 
secure-testing-team@lists.alioth.debian.org) for an unblock.
Thanks for your work and sorry for the confusion.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Reply sent to Marcin Owsiany <porridge@debian.org>:
You have taken responsibility. (Thu, 30 Oct 2008 08:51:09 GMT)


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Thu, 30 Oct 2008 08:51:10 GMT)


Message #27 received at 503916-done@bugs.debian.org:

From: Marcin Owsiany <porridge@debian.org>
To: 503916-done@bugs.debian.org
Subject: Re: Bug#503916: CVE-2008-4776: remote DoS
Date: Thu, 30 Oct 2008 08:49:09 +0000
Source-Version: 1:1.8.0+r592-3

Fixed package uploaded.

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216




Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>:
Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 20:27:03 GMT)


Acknowledgement sent to Jarek Kamiński <jarek@vilo.eu.org>:
Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Mon, 03 Nov 2008 20:27:03 GMT)


Message #32 received at 503916@bugs.debian.org:

From: Jarek Kamiński <jarek@vilo.eu.org>
To: secure-testing-team@lists.alioth.debian.org, 503916@bugs.debian.org
Subject: Re: Security update for Debian Testing - 2008-11-03
Date: Mon, 3 Nov 2008 21:22:29 +0100
On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> This automatic mail gives an overview over security issues that were recently 
> fixed in Debian Testing. The majority of fixed packages migrate to testing 
> from unstable. If this would take too long, fixed packages are uploaded to the 
> testing-security repository instead. It can also happen that vulnerable 
> packages are removed from Debian testing.
> 
> Migrated from unstable:
> =======================
> libgadu 1:1.8.0+r592-3:
> CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
>                http://bugs.debian.org/503916

At first glance it looks like kadu may also be affected. It isn't
linked to libgadu from the libgadu3 package and comes with its own copy of
libgadu sources (not patched). Can someone confirm that?

I won't have time to fully verify it before Friday, so excuse me, if
it's just a false alarm.

Jarek.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 20:48:08 GMT)


Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list. (Mon, 03 Nov 2008 20:48:08 GMT)


Message #37 received at 503916@bugs.debian.org:

From: Marcin Owsiany <porridge@debian.org>
To: Patryk Cisek <patryk@prezu.one.pl>, Jarek Kamiński <jarek@vilo.eu.org>, 503916@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#503916: Security update for Debian Testing - 2008-11-03
Date: Mon, 3 Nov 2008 20:44:33 +0000
On Mon, Nov 03, 2008 at 09:22:29PM +0100, Jarek Kamiński wrote:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently 
> > fixed in Debian Testing. The majority of fixed packages migrate to testing 
> > from unstable. If this would take too long, fixed packages are uploaded to the 
> > testing-security repository instead. It can also happen that vulnerable 
> > packages are removed from Debian testing.
> > 
> > Migrated from unstable:
> > =======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> >                http://bugs.debian.org/503916
> 
> At first glance it looks like kadu may also be affected. It isn't
> linked to libgadu from the libgadu3 package and comes with its own copy of
> libgadu sources (not patched). Can someone confirm that?

I guess the maintainer is the right person to ask.

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216




Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>:
Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 21:21:02 GMT)


Acknowledgement sent to Nico Golde <debian-secure-testing+ml@ngolde.de>:
Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Mon, 03 Nov 2008 21:21:04 GMT)


Message #42 received at 503916@bugs.debian.org:

From: Nico Golde <debian-secure-testing+ml@ngolde.de>
To: Jarek Kamiński <jarek@vilo.eu.org>, 503916@bugs.debian.org
Cc: secure-testing-team@lists.alioth.debian.org
Subject: Re: Bug#503916: Security update for Debian Testing - 2008-11-03
Date: Mon, 3 Nov 2008 22:17:18 +0100
[Message part 1 (text/plain, inline)]
Hi,
* Jarek Kamiński <jarek@vilo.eu.org> [2008-11-03 22:07]:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently 
> > fixed in Debian Testing. The majority of fixed packages migrate to testing 
> > from unstable. If this would take too long, fixed packages are uploaded to the 
> > testing-security repository instead. It can also happen that vulnerable 
> > packages are removed from Debian testing.
> > 
> > Migrated from unstable:
> > =======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> >                http://bugs.debian.org/503916
> 
> At first glance it looks like kadu may also be affected. It isn't
> linked to libgadu from the libgadu3 package and comes with its own copy of
> libgadu sources (not patched). Can someone confirm that?

Yes confirmed, kadu is embedding libgadu completely and 
linking against this version. It has the same problem, a bug 
has been filed.

Thanks for the notice!

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Dec 2008 07:27:10 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:31:30 2019; Machine Name: beach
