Debian Bug report logs - #503916: CVE-2008-4776: remote DoS
Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>
Date: Wed, 29 Oct 2008 10:15:01 UTC
Severity: important
Tags: patch, security
Found in version libgadu/1:1.8.0+r592-2
Fixed in version 1:1.8.0+r592-3
Done: Marcin Owsiany <porridge@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>: Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:15:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: New Bug report received and forwarded. Copy sent to Marcin Owsiany <porridge@debian.org>. (Wed, 29 Oct 2008 10:15:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libgadu3
Version: 1:1.8.0+r592-2
Severity: important
Tags: security, patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for libgadu3.
CVE-2008-4776:
libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.
The Red Hat bug report[1] has more information and the upstream patch[2].
Since it seems that the issue can only be used to perform a DoS and libgadu
is used by messenger clients, it shouldn't need a DSA/DTSA.
However, it would be nice to get the issue fixed in lenny via migration
through unstable.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
http://security-tracker.debian.net/tracker/CVE-2008-4776
[1] https://bugzilla.redhat.com/show_bug.cgi?id=468830
[2] https://bugzilla.redhat.com/attachment.cgi?id=321690
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:48:06 GMT)
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>: Extra info received and forwarded to list. (Wed, 29 Oct 2008 10:48:06 GMT)
Message #10 received at 503916@bugs.debian.org:
On Wed, Oct 29, 2008 at 09:14:30PM +1100, Steffen Joeris wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for libgadu3.
Finally :-) I have the packages ready from the day upstream patched
this; just waiting for the ID to build and upload.
Please note that the tracker entry is incomplete. See my initial email
to security team (attached) for more details.
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Tags added: pending. Request was from Marcin Owsiany <porridge@debian.org> to control@bugs.debian.org. (Wed, 29 Oct 2008 10:48:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:51:07 GMT)
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>: Extra info received and forwarded to list. (Wed, 29 Oct 2008 10:51:07 GMT)
Message #17 received at 503916@bugs.debian.org:
On Wed, Oct 29, 2008 at 10:43:07AM +0000, Marcin Owsiany wrote:
> to security team (attached) for more details.
*sigh*
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
[Attached message: initial email to the security team]
Hi,
There is a medium-to-low severity vulnerability in libgadu.
Please allocate a CVE ID. Description below. I will start preparing
packages.
Upstream announcement (Polish only):
http://toxygen.net/libgadu/releases/1.8.2.html
http://toxygen.net/websvn/listing.php?repname=libgadu&path=%2F&rev=638&sc=1
Rough translation: a crafted packet sent by a rogue Gadu-Gadu server (or
MITM attacker) may cause a segmentation violation in the libgadu library
due to an error in the function for parsing contact description packets.
Most likely this can only cause reading of uninitialized memory (DoS),
although authors do not rule out overwriting of memory (potentially
leading to arbitrary code execution). This vulnerability was found by
Jakub Zawadzki.
Upstream has released libgadu version 1.8.2. The (2 line) fix for this
is the only difference from 1.8.1.
The vulnerable code dates back at least to September 2003, possibly even
earlier, which means all Debian-distributed libgadu versions are
vulnerable, back to oldstable. (ekg source package until and including
etch, and libgadu source package since lenny).
Since there is a minimal patch, I will probably create minimal minor-version
updates. The versions will be:
sarge ekg 1:1.5+20050411-9
sarge-volatile ekg 1:1.5+20050411-10
etch ekg 1:1.7~rc2-1etch4
sid+lenny libgadu 1:1.8~rc1-2
I will submit final interdiffs when I get the CVE ID.
(I hope I can upload to sid and ask for an exception to have it
propagate to lenny? Or is it better to prepare a special version for
lenny?)
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
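The failure mode described in the two messages above is the classic length-field over-read: the parser of a contact description packet takes the length supplied by the peer (here, the server or a man-in-the-middle) and reads that many bytes without checking that they were actually received. The following is an added example, not libgadu's code and not the upstream two-line fix. It assumes a made-up layout (a 4-byte little-endian length followed by the description bytes) and constructed sample packets; it contrasts a parse that trusts the length with one that rejects a length larger than the bytes remaining in the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed, illustrative layout only: a 4-byte little-endian length followed
 * by that many description bytes. This is NOT libgadu's real packet format. */

struct desc_view {
    const uint8_t *data;   /* points into the received buffer */
    size_t len;            /* validated description length */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked parse: trusts the peer-supplied length. Returns how many bytes a
 * naive copy would consume from `buf`; that value can exceed `buflen`, which
 * is exactly the over-read. Nothing is dereferenced here, so the function is
 * safe to call; it only exposes the missing comparison. */
size_t desc_bytes_unchecked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 4)
        return 0;
    uint32_t claimed = rd_le32(buf);
    return 4 + (size_t)claimed;          /* no comparison against buflen */
}

/* Checked parse: the claimed length must fit in the bytes actually received.
 * Returns 0 and fills `out` on success, -1 on a truncated or oversized claim. */
int parse_desc_checked(const uint8_t *buf, size_t buflen, struct desc_view *out)
{
    if (buf == NULL || out == NULL || buflen < 4)
        return -1;
    uint32_t claimed = rd_le32(buf);
    if (claimed > buflen - 4)            /* length exceeds remaining bytes */
        return -1;
    out->data = buf + 4;
    out->len = claimed;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t good_pkt[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t evil_pkt[] = { 0xff, 0xff, 0x00, 0x00, 'x' };  /* claims 65535 bytes, carries 1 */

/* Runs both parsers over both packets; returns 1 if the checked parser
 * accepted the good packet and rejected the evil one. */
int demo(void)
{
    struct desc_view v = { 0 };
    int ok = parse_desc_checked(good_pkt, sizeof good_pkt, &v);
    size_t good_len = v.len;
    int bad = parse_desc_checked(evil_pkt, sizeof evil_pkt, &v);
    printf("good packet: rc=%d, %zu description bytes\n", ok, good_len);
    printf("evil packet: rc=%d; naive parse would read %zu of %zu received bytes\n",
           bad, desc_bytes_unchecked(evil_pkt, sizeof evil_pkt), sizeof evil_pkt);
    return ok == 0 && good_len == 5 && bad == -1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The comparison is written as `claimed > buflen - 4` rather than `claimed + 4 > buflen` so that a 32-bit length near the maximum cannot wrap the addition and slip past the check; the `buflen < 4` guard above it keeps the subtraction from underflowing.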
Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>: Bug#503916; Package libgadu3. (Wed, 29 Oct 2008 10:57:04 GMT)
Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Wed, 29 Oct 2008 10:57:04 GMT)
Message #22 received at 503916@bugs.debian.org:
On Wed, 29 Oct 2008 09:43:07 pm Marcin Owsiany wrote:
> On Wed, Oct 29, 2008 at 09:14:30PM +1100, Steffen Joeris wrote:
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for libgadu3.
>
> Finally :-) I have the packages ready from the day upstream patched
> this.. just waiting for the ID to build and upload.
>
> Please note that the tracker entry is incomplete. See my initial email
> to security team (attached) for more details.
Bah, you are right. I was too fast there and didn't look into my team@s.d.o.
inbox. You already got a go from Moritz for stable, so feel free to go ahead.
I have modified the tracker entry now.
For testing I still think it can be fixed via migration from unstable. Please
use "urgency=high" in your uploads and mail debian-release@l.d.o. (with cc to
secure-testing-team@lists.alioth.debian.org) for an unblock.
Thanks for your work and sorry for the confusion.
Cheers
Steffen
Reply sent to Marcin Owsiany <porridge@debian.org>: You have taken responsibility. (Thu, 30 Oct 2008 08:51:09 GMT)
Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>: Bug acknowledged by developer. (Thu, 30 Oct 2008 08:51:10 GMT)
Message #27 received at 503916-done@bugs.debian.org:
Source-Version: 1:1.8.0+r592-3
Fixed package uploaded.
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>: Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 20:27:03 GMT)
Acknowledgement sent to Jarek Kamiński <jarek@vilo.eu.org>: Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Mon, 03 Nov 2008 20:27:03 GMT)
Message #32 received at 503916@bugs.debian.org:
On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> This automatic mail gives an overview over security issues that were recently
> fixed in Debian Testing. The majority of fixed packages migrate to testing
> from unstable. If this would take too long, fixed packages are uploaded to the
> testing-security repository instead. It can also happen that vulnerable
> packages are removed from Debian testing.
>
> Migrated from unstable:
> =======================
> libgadu 1:1.8.0+r592-3:
> CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> http://bugs.debian.org/503916
At first glance it looks like kadu may also be affected. It isn't
linked to libgadu from the libgadu3 package and comes with its own copy of
the libgadu sources (not patched). Can someone confirm that?
I won't have time to fully verify it before Friday, so excuse me, if
it's just a false alarm.
Jarek.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 20:48:08 GMT)
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>: Extra info received and forwarded to list. (Mon, 03 Nov 2008 20:48:08 GMT)
Message #37 received at 503916@bugs.debian.org:
On Mon, Nov 03, 2008 at 09:22:29PM +0100, Jarek Kamiński wrote:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently
> > fixed in Debian Testing. The majority of fixed packages migrate to testing
> > from unstable. If this would take too long, fixed packages are uploaded to the
> > testing-security repository instead. It can also happen that vulnerable
> > packages are removed from Debian testing.
> >
> > Migrated from unstable:
> > =======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> > http://bugs.debian.org/503916
>
> At first glance it looks like kadu may also be affected. It isn't
> linked to libgadu from the libgadu3 package and comes with its own copy of
> the libgadu sources (not patched). Can someone confirm that?
I guess the maintainer is the right person to ask.
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Information forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>: Bug#503916; Package libgadu3. (Mon, 03 Nov 2008 21:21:02 GMT)
Acknowledgement sent to Nico Golde <debian-secure-testing+ml@ngolde.de>: Extra info received and forwarded to list. Copy sent to Marcin Owsiany <porridge@debian.org>. (Mon, 03 Nov 2008 21:21:04 GMT)
Message #42 received at 503916@bugs.debian.org:
Hi,
* Jarek Kamiński <jarek@vilo.eu.org> [2008-11-03 22:07]:
> On Mon, Nov 03, 2008 at 02:04:55AM +0100, secure-testing-team@lists.alioth.debian.org wrote:
> > This automatic mail gives an overview over security issues that were recently
> > fixed in Debian Testing. The majority of fixed packages migrate to testing
> > from unstable. If this would take too long, fixed packages are uploaded to the
> > testing-security repository instead. It can also happen that vulnerable
> > packages are removed from Debian testing.
> >
> > Migrated from unstable:
> > =======================
> > libgadu 1:1.8.0+r592-3:
> > CVE-2008-4776: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
> > http://bugs.debian.org/503916
>
> At first glance it looks like kadu may also be affected. It isn't
> linked to libgadu from the libgadu3 package and comes with its own copy of
> the libgadu sources (not patched). Can someone confirm that?
Yes confirmed, kadu is embedding libgadu completely and
linking against this version. It has the same problem, a bug
has been filed.
Thanks for the notice!
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 02 Dec 2008 07:27:10 GMT)
Last modified: Wed Jun 19 14:31:30 2019