| Summary: | <net-im/gg-transport-2.2.4: uses embedded libgadu instead of net-libs/libgadu | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | skolima |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | bug, nelchael, net-im, skolima |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 404175 | | |
| Bug Blocks: | | | |
| Attachments: | (listed in the description below) | | |
Description

skolima, 2010-01-13 21:06:15 UTC

Created attachment 216448 [details, diff]: adding epatch and autotools to ebuild

Created attachment 216450 [details, diff]: unbundling libgadu and updating build system

Created attachment 216478 [details]: libgadu-1.9.0rc2 ebuild for test
I am currently testing above gg-transport ebuild patches and running gg-transport using libgadu-1.9.0-rc2. So far so good.
Reassigning since this issue has security impact.

NEWS file has this:

> * Libgadu is now included in the sources. External libgadu is not required any more and won't be used even if available. Most available builds of libgadu didn't work well with the transport and changes in libgadu often break jggtrans. Probably all issues were resolved.

And just found another security issue gg-transport: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/114327

Created attachment 216584 [details, diff]: gg-transport configuration patch, adding current server list

The configuration file shipped with jggtrans claims that a reasonable server list is included in the source code - this is not true, there is only a single, no longer used server hardcoded. In cases where the hub does not work, the transport would not be able to connect. The attached patch contains a current list of working servers to try if the hub fails.
Just for the record, libgadu-1.9.0rc is handled in bug 289719.

I've just committed 2.2.4, which uses the system libgadu. Security: can this bug be closed?

Searching the NVD for libgadu I see one DoS that may impact the previous versions: http://web.nvd.nist.gov/view/vuln/search-results?query=libgadu&search_type=all&cves=on

Using Google Translate on the upstream homepage I see two issues that may be relevant:

- DoS in <1.8.2: https://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&twu=1&u=http://toxygen.net/libgadu/releases/1.8.2.html&usg=ALkJrhj2xoPp4I50IZdlXfTNFeq5gPwgvg
- "memory overwrite" in <1.7.1: https://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&twu=1&u=http://toxygen.net/libgadu/releases/1.7.1.html&usg=ALkJrhjJ0ZduJGC6J-ZHZSSRUYRIRp58AA

Rating this B2; GLSA request filed for gg-transport.

This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).