Bug 370201 (CVE-2011-1753) - <net-im/ejabberd-2.1.8: Denial of Service (CVE-2011-1753)
Summary: <net-im/ejabberd-2.1.8: Denial of Service (CVE-2011-1753)
Status: RESOLVED FIXED
Alias: CVE-2011-1753
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-05 22:18 UTC by Federico Cuello
Modified: 2012-06-21 18:20 UTC

Description Federico Cuello 2011-06-05 22:18:22 UTC
From http://www.ejabberd.im/ejabberd-2.1.7:

ejabberd 2.1.7, and ejabberd 3.0.0-alpha-3, and exmpp 0.9.7 have been released, after a few months of development. They contain a lot of bugfixes, improvements and some new features.

If you have ejabberd running in a public server, please update it immediately: those releases contain a security fix that disables entity expansion completely to prevent billion laughs DoS attack (CVE-2011-1753).

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-06-07 14:46:51 UTC
Looks like ejabberd-2.1.8 was released also.

http://www.ejabberd.im/ejabberd-2.1.8

The ejabberd 2.1.7 released yesterday contains a bug that breaks PubSub.

If you use ejabberd 2.1.7 and PubSub, you can find the patch and the fixed mod_pubsub.beam in the page EJAB-1457.
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-06-14 11:43:07 UTC
Thank you for the report, Federico. The new version is in the tree. Arch teams, please stabilize.
Comment 3 Andreas Schürch gentoo-dev 2011-06-15 05:23:15 UTC
USE=mod_statsdx seems a bit broken as the upstream filename has changed...
Besides that, it looks good here on x86.

                ewarn "mod_statsdx is not a part of upstream tarball but is a third-party module"
                ewarn "taken from here: http://www.ejabberd.im/mod_stats2file"
-                epatch "${WORKDIR}/2.1.1-mod_statsdx.patch"
+                epatch "${WORKDIR}/ejabberd-mod_statsdx-1080.patch"
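Review bot: the `+` epatch line still hardcodes the patch filename (`ejabberd-mod_statsdx-1080.patch`), exactly as the removed line hardcoded `2.1.1-mod_statsdx.patch`, so the call breaks again the next time the file is renamed. Define the filename once in a variable and use that variable here and wherever the file is fetched, so the two cannot drift apart. The ewarn URL on the context line ends in `mod_stats2file` while the message names `mod_statsdx`; it is worth confirming that the URL is the intended one.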
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2011-06-15 15:52:46 UTC
(In reply to comment #3)
> USE=mod_statsdx seems a bit broken as the upstream filename has changed...

This is an intentional change. I guess the file was removed before I committed the ebuild, and now I have put it on the mirrors again.
Comment 5 Ian Delaney (RETIRED) gentoo-dev 2011-06-15 17:24:26 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > USE=mod_statsdx seems a bit broken as the upstream filename has changed...
> 
> This is an intentional change. I guess the file was removed before I committed
> the ebuild, and now I have put it on the mirrors again.

amd64:

ditto x86.  emerges fine but for the mod_statsdx.
Is the ebuild up for a final adjustment?
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2011-06-16 04:18:39 UTC
(In reply to comment #5)
> ditto x86.  emerges fine but for the mod_statsdx.

Guys, could you at least show the error message or something?
Comment 7 Andreas Schürch gentoo-dev 2011-06-16 04:36:49 UTC
(In reply to comment #6)
> Guys, could you at least show the error message or something?


>>> Unpacking source...                                                                                                                                                           
>>> Unpacking ejabberd-2.1.8.tar.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work                                                                                                
>>> Unpacking ejabberd-mod_statsdx-1080.patch.gz to /var/tmp/portage/net-im/ejabberd-2.1.8/work                                                                                   
>>> Source unpacked in /var/tmp/portage/net-im/ejabberd-2.1.8/work                                                                                                                
>>> Preparing source in /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-2.1.8/src ...                                                                                        
 * mod_statsdx is not a part of upstream tarball but is a third-party module                                                                                                      
 * taken from here: http://www.ejabberd.im/mod_stats2file                                                                                                                         

 * Cannot find $EPATCH_SOURCE!  Value for $EPATCH_SOURCE is:
 *                                                          
 *   /var/tmp/portage/net-im/ejabberd-2.1.8/work/2.1.1-mod_statsdx.patch
 *   ( 2.1.1-mod_statsdx.patch )

# ls -l /var/tmp/portage/net-im/ejabberd-2.1.8/work/*.patch
-rw-r--r-- 1 root root 69688 Jun 16 06:12 /var/tmp/portage/net-im/ejabberd-2.1.8/work/ejabberd-mod_statsdx-1080.patch
Comment 8 Peter Volkov (RETIRED) gentoo-dev 2011-06-16 05:01:40 UTC
Thank you, Andreas. I forgot to push all changes from the overlay... Now everything should be in place.
Comment 9 Markos Chandras (RETIRED) gentoo-dev 2011-06-18 08:09:54 UTC
amd64 done
Comment 10 Markus Meier gentoo-dev 2011-06-19 13:44:11 UTC
x86 stable, thanks Andreas. all arches done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-06-20 03:37:13 UTC
Thanks, folks. GLSA Vote: yes.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 00:09:56 UTC
CVE-2011-1753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1753):
  expat_erl.c in ejabberd before 2.1.7 and 3.x before 3.0.0-alpha-3, and exmpp
  before 0.9.7, does not properly detect recursion during entity expansion,
  which allows remote attackers to cause a denial of service (memory and CPU
  consumption) via a crafted XML document containing a large number of nested
  entity references, a similar issue to CVE-2003-1564.
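
The mitigation named in the description ("disables entity expansion completely") can be illustrated with an expat parser that refuses any entity declaration. This is an added example, not code from this bug report or from ejabberd's expat_erl.c: it uses Python's binding to expat, and the function names and both sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat

# Constructed sample: two levels of nesting, four references per level.
NESTED = (b'<!DOCTYPE m [<!ENTITY a "x">'
          b'<!ENTITY b "&a;&a;&a;&a;">'
          b'<!ENTITY c "&b;&b;&b;&b;">]>'
          b'<m>&c;</m>')
# Constructed sample: an ordinary stanza that uses only a predefined entity.
PLAIN = b'<message><body>fish &amp; chips</body></message>'


class EntityDeclRejected(ValueError):
    """Raised when the input declares an entity of its own."""


def parse_text(data, allow_entity_decls):
    """Return the document's character data as one string.

    With allow_entity_decls=False, parsing aborts at the first
    <!ENTITY ...> declaration, before any reference can be expanded.
    """
    chunks = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def on_entity_decl(name, is_param, value, base,
                       system_id, public_id, notation):
        # An exception raised in a handler stops expat and leaves Parse().
        raise EntityDeclRejected("entity declaration refused: %s" % name)

    if not allow_entity_decls:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return "".join(chunks)


def is_rejected(data):
    """True if the hardened parser refuses the document."""
    try:
        parse_text(data, allow_entity_decls=False)
    except EntityDeclRejected:
        return True
    return False
```

The permissive call shows the growth per nesting level (one `&c;` reference becomes 16 characters here), while the hardened call never reaches expansion and still accepts predefined entities such as `&amp;`.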
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:37:52 UTC
Vote: YES. Added to pending GLSA request.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 18:20:28 UTC
This issue was resolved and addressed in
 GLSA 201206-10 at http://security.gentoo.org/glsa/glsa-201206-10.xml
by GLSA coordinator Stefan Behte (craig).