
Bug 300903

Summary: <net-im/gg-transport-2.2.4: uses embedded libgadu instead of net-libs/libgadu
Product: Gentoo Security Reporter: skolima
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: bug, nelchael, net-im, skolima
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 404175    
Bug Blocks:    
Attachments:
Description | Flags
adding epatch and autotools to ebuild | none
unbundling libgadu and updating build system | none
libgadu-1.9.0rc2 ebuild for test | none
gg-transport configuration patch, adding current server list | none

Description skolima 2010-01-13 21:06:15 UTC
net-im/gg-transport uses its own copy of deprecated libgadu (1.6-rc3) instead of system libgadu (1.8.2 as of now, containing security fixes)

Reproducible: Always



Expected Results:  
gg-transport should build with system-wide libgadu
Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-01-14 04:41:44 UTC
Created attachment 216448 [details, diff]
adding epatch and autotools to ebuild
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-01-14 04:42:37 UTC
Created attachment 216450 [details, diff]
unbundling libgadu and updating build system
Comment 3 skolima 2010-01-14 10:36:56 UTC
Created attachment 216478 [details]
libgadu-1.9.0rc2 ebuild for test

I am currently testing above gg-transport ebuild patches and running gg-transport using libgadu-1.9.0-rc2. So far so good.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-01-14 21:45:23 UTC
Reassigning since this issue has security impact.

NEWS file has this:

* Libgadu is now included in the sources. External libgadu is not
  required any more and won't be used even if available. Most available
  builds of libgadu didn't work well with the transport and changes in
  libgadu often break jggtrans.

Probably all issues were resolved.
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2010-01-14 21:46:21 UTC
And just found another security issue in gg-transport:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/114327
Comment 6 skolima 2010-01-15 10:19:41 UTC
Created attachment 216584 [details, diff]
gg-transport configuration patch, adding current server list

The configuration file shipped with jggtrans claims that a reasonable server list is included in the source code - this is not true, there is only a single, no longer used server hardcoded. In cases where the hub does not work, transport would not be able to connect. Attached patch contains a current list of working servers to try if the hub fails.
Comment 7 Maciej Mrozowski gentoo-dev 2010-02-02 14:49:39 UTC
Just for the record, libgadu-1.9.0rc is handled in bug 289719
Comment 8 Krzysztof Pawlik (RETIRED) gentoo-dev 2010-04-17 23:16:35 UTC
I've just committed 2.2.4 which uses system's libgadu.

Security: can this bug be closed?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:39:56 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).