kopete bundles libgadu

+++ This bug was initially created as a clone of Bug #244888 +++

CVE-2008-4776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776): libgadu before 1.8.2 allows remote servers to cause a denial of service (crash) via a contact description with a large length, which triggers a buffer over-read.
I just committed an updated ebuild which forcibly disables gadu. Unfortunately kopete won't support the system gadu.
(In reply to comment #1)
> I just committed an updated ebuild which forcibly disables gadu. Unfortunately
> kopete won't support the system gadu.

Great. Now kopete doesn't support gadu at all. Can you patch bundled libgadu instead of just disabling it?
(In reply to comment #2)
> (In reply to comment #1)
> > I just committed an updated ebuild which forcibly disables gadu. Unfortunately
> > kopete won't support the system gadu.
>
> Great. Now kopete doesn't support gadu at all. Can you patch bundled libgadu
> instead of just disabling it?

Kopete bundled libgadu is a fork from the 1.5 release. If you can get a working patch, we'll apply it, otherwise we'll focus on getting KDE4 marked stable.
Created attachment 192434 [details, diff]
kopete-libgadu-CVE-2008-4776.patch

It seems this patch is sufficient to fix the security bug. I could not verify functionality against a gadu server. Mieszko, if you can apply and test the patch, that would be very helpful.
Created attachment 192575 [details]
Proposed ebuild

Proposed patch works, and I've made an ebuild using it, which also works ;)
*** Bug 264611 has been marked as a duplicate of this bug. ***
Fixed in kopete-3.5.10-r4, which is soon-to-be-stabilized. This can be closed.
(In reply to comment #7)
> fixed in kopete-3.5.10-r4, which is soon-to-be-stabilized. This can be closed

Thanks for the effort and fast fix. But please let the security team decide how to handle security bugs and when to close them.

Okay, so kopete-3.5.10-r4 is fixed. Our usual process would now suggest stabilization. Are there any regressions or is it ready to be stabilized?
kopete-3.5.10-r4 can't go for stabilization on its own; it will go along with the other kde-3.5.10 packages. I'll reply here when I do this (which I plan to do really soon). Just for the record, bug 245954 is the tracker for kde3.
Please update us when you have a timeline for stabilization.
I have opened a stabilization bug for kde 3.5.10, adding it to the depend buglist.
kde 3.5.10 stabling seems to progress rather slowly. Do you have any input from arches, or is it feasible to stable a patched kopete 3.5.9 in the meantime?
(In reply to comment #12)
> kde 3.5.10 stabling seems to progress rather slow. do you have any input from
> arches or is it feasible to stable a patched kopete 3.5.9 in the meantime?

Robert,

looking at the tree, seems like alpha and sparc are the last 2 stable arches missing 3.5.10. IIRC, alpha should be having issues with the latest Xorg and sparc has issues with qt-qwebkit.
Created attachment 197466 [details] Testing kopete-3.5.9-r3 ebuild
I've added the CVE patch to the above ebuild. It builds here, but I don't have gadu access. Can anyone test it with gadu? @alpha / @sparc: If you still can't do 3.5.10, would you be willing to test and stable the above instead?
(In reply to comment #13)
> Robert,
>
> looking at the tree, seems like alpha and sparc are the last 2 stable arches
> missing 3.5.10. IIRC, alpha should be having issues with the latest Xorg and
> sparc has issues with qt-qwebkit.

Please ignore the above comment as it's related to KDE-4 and not KDE-3.5. In the meanwhile Raúl has stabled 3.5.10 in both alpha and sparc.
KDE 3 is not in tree any more. CC us again if you need anything. Thanks.
GLSA Vote: no.
(In reply to comment #19)
> GLSA Vote: no.

Thanks; closing noglsa.