First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 99754
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
kdenetwork-3.3.2-r2.ebuild kdenetwork-3.3.2-r2.ebuild text/plain Carsten Lohrke 2005-07-21 01:44 0000 1.46 KB Details
kdenetwork-3.4.1-r1.ebuild kdenetwork-3.4.1-r1.ebuild text/plain Carsten Lohrke 2005-07-21 01:45 0000 1.58 KB Details
kopete-3.4.1-r1.ebuild kopete-3.4.1-r1.ebuild text/plain Carsten Lohrke 2005-07-21 01:46 0000 559 bytes Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 99754 depends on: Show dependency tree
Bug 99754 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2005-07-20 22:33 0000 
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
KDE Security Advisory: libgadu vulnerabilities  
Original Release Date: 2005-07-21  
URL: http://www.kde.org/info/security/advisory-20050721-1.txt  
  
0. References  
        CVE CAN-2005-1852  
  
  
1. Systems affected:  
  
        All versions of Kopete as included in KDE 3.2.3 up to including  
        KDE 3.4.1. KDE 3.2.2 and older are not affected.  
  
        Kopete 0.9.x releases starting with 0.9.4 and Kopete 0.10.3  
        or newer are unaffected.  
  
  
2. Overview:  
  
	Kopete contains a copy of libgadu that is used if  
        no compatible version is installed in the system. Several  
        input validation errors have been reported in libgadu  
        that can lead to integer overflows and remote DoS or  
        arbitrary code execution.  
  
  
3. Impact:  
  
	If the Gadu-Gadu protocol handler in Kopete is used,  
        remote users can DoS the Kopete client or possibly even  
        execute arbitrary code.  
  
  
4. Solution:  
  
        Source code patches have been made available that update  
        the included copy of libgadu to 1.6rc3 which fix these  
        vulnerabilities. Contact your OS vendor / binary package provider  
        for information about how to obtain updated binary packages.  
  
  
5. Patch:  
  
        A patch for KDE 3.4.1 is available from  
        ftp://ftp.kde.org/pub/kde/security_patches :  
  
        675008c8bc9d7edf4d0034a398d15cf0  post-3.4.1-kdenetwork-libgadu.patch  
  
        A patch for KDE 3.3.2 is available from  
        ftp://ftp.kde.org/pub/kde/security_patches :  
  
        73ebcef42173bf567d473414693898b0  post-3.3.2-kdenetwork-libgadu.patch  
  
        A patch for KDE 3.2.3 is available from  
        ftp://ftp.kde.org/pub/kde/security_patches :  
  
        69e3379085aeaeecf034468d18a900f6  post-3.2.3-kdenetwork-libgadu.patch  
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.0 (GNU/Linux)  
  
iD8DBQFC3w5pvsXr+iuy1UoRAuAyAKC5MQPmvhpYiOtypx50dk7fkLCxWACgg0Lv  
XiS2yq32alcX2bEhEArot+Y=  
=FoUx  
-----END PGP SIGNATURE-----

------- Comment #1 From Sune Kloppenborg Jeppesen 2005-07-20 22:35:03 0000 ------- 
KDE please provide an updated ebuild.

------- Comment #2 From Carsten Lohrke 2005-07-21 01:44:50 0000 ------- 
Created an attachment (id=63954) [edit]
kdenetwork-3.3.2-r2.ebuild

I don't have time. If someone would test the ebuilds, please?!	What bothers me
is that the dependency is not listed as an optional one, since the shared
libgadu can be used, too. Also Portage doesn't seem to treat SRC_URI
culmulative as it seems.

------- Comment #3 From Carsten Lohrke 2005-07-21 01:45:31 0000 ------- 
Created an attachment (id=63955) [edit]
kdenetwork-3.4.1-r1.ebuild

------- Comment #4 From Carsten Lohrke 2005-07-21 01:46:07 0000 ------- 
Created an attachment (id=63956) [edit]
kopete-3.4.1-r1.ebuild

------- Comment #5 From Carsten Lohrke 2005-07-21 01:53:48 0000 ------- 
arch herds: The patches apply and I don't see why there should be a problem,
testers are welcome.

------- Comment #6 From Sune Kloppenborg Jeppesen 2005-07-21 02:06:54 0000 ------- 
Thx Carlo.

------- Comment #7 From Jason Wever (RETIRED) 2005-07-21 04:51:44 0000 ------- 
So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and
3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no
longer supported?

------- Comment #8 From Sune Kloppenborg Jeppesen 2005-07-21 05:26:40 0000 ------- 
Afair GLSA 200412-17 was the first one to not include a fix for 3.2.x. I'm sure 
there are several others after that.

------- Comment #9 From Gregorio Guidi (RETIRED) 2005-07-21 07:16:30 0000 ------- 
I tested the ebuilds and committed: 
 
kdenetwork-3.4.1-r1.ebuild 
kdenetwork-3.3.2-r2.ebuild 
kopete-3.4.1-r1.ebuild

------- Comment #10 From René Nussbaumer 2005-07-21 11:51:40 0000 ------- 
Stable on hppa

------- Comment #11 From Markus Rothe 2005-07-21 12:16:44 0000 ------- 
stable on ppc64

------- Comment #12 From Chris Gianelloni (RETIRED) 2005-07-21 13:58:41 0000 ------- 
Is it OK to mark these bad boys as blocker during release time when we're under
crunch time if it is holding us up?

Heh...

Well... this is blocking the release at the moment... thanks all

------- Comment #13 From Stefan Cornelius (RETIRED) 2005-07-21 14:16:39 0000 ------- 
Upgrading severity to blocker as requested by wolf31o2.

------- Comment #14 From Carsten Lohrke 2005-07-21 16:11:58 0000 ------- 
(In reply to comment #7)
> So based on what I'm seeing in this bug, I'm assuming that only the 3.3.x and
> 3.4.x series of kdenetwork/kopete are being patched by us and that 3.2.x is no
> longer supported?

Supporting two stable releases should suffice. While adding the fixes for KDE
3.2 as well, wouldn't be a big issue in this case, but the KDE team is small,
some arch teams are, too and not everyone is as sparctastic fast & resposive as
you. ;)

(In reply to comment #8)
> Afair GLSA 200412-17
> 	 was the first one to not include a fix for 3.2.x. I'm sure 
> there are several others after that. 

No. KDE 3.2 wasn't affected in this case. Bug 98735 and this one are the first two.


In case anyone raised an eyebrowe: No portage bug, a kde eclass speciality as I
found out.

------- Comment #15 From Joe Jezak 2005-07-21 19:06:52 0000 ------- 
Marked ppc stable.

------- Comment #16 From Hardave Riar (RETIRED) 2005-07-22 08:42:15 0000 ------- 
kdenetwork-3.3.2-r2 stable on mips, 3.4 hasn't gone stable on mips yet.

------- Comment #17 From Danny van Dyk (RETIRED) 2005-07-22 10:57:59 0000 ------- 
stable on amd64.

------- Comment #18 From Bryan Østergaard (RETIRED) 2005-07-22 11:53:11 0000 ------- 
Stable on alpha.

------- Comment #19 From Bryan Østergaard (RETIRED) 2005-07-22 15:00:54 0000 ------- 
Stable on ia64.

------- Comment #20 From Gustavo Zacarias (RETIRED) 2005-07-23 06:36:06 0000 ------- 
sparc stable.

------- Comment #21 From Sune Kloppenborg Jeppesen 2005-07-24 22:52:17 0000 ------- 
x86 already stable. This one is ready for GLSA.

------- Comment #22 From Sune Kloppenborg Jeppesen 2005-07-24 22:53:39 0000 ------- 
Still needing alpha keyword, back to stable.

------- Comment #23 From Bryan Østergaard (RETIRED) 2005-07-25 05:03:54 0000 ------- 
Alpha doesn't have any stable 3.4.x version and I already stabled
kdenetwork-3.3.2-r2. I don't think we're missing any keywords but feel free to
correct me if I'm wrong :)

------- Comment #24 From Sune Kloppenborg Jeppesen 2005-07-25 10:39:35 0000 ------- 
Kloeri sorry for the noise. This one is ready for GLSA.

------- Comment #25 From Sune Kloppenborg Jeppesen 2005-07-25 12:03:06 0000 ------- 
Rerating as B (Gadu-gadu is hardly default configuration). 
 
GLSA 200507-23
First Last Prev Next    No search results available      Search page      Enter new bug