Bug#: 212362
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>

Description:   Opened: 2008-03-05 09:58 0000
Secunia:

A vulnerability has been reported in SILC (Secure Internet Live Conferencing)
Toolkit, which potentially can be exploited by malicious people to compromise
an application using the toolkit.

The vulnerability is caused due to a boundary error within the function
"silc_fingerprint()" in lib/silcutil/silcutil.c, which can be exploited to
cause a stack-based buffer overflow if overly long data is passed to the
function.

The vulnerability is reported in versions prior to 1.1.6.

------- Comment #1 From Robert Buchholz 2008-03-05 10:02:03 0000 -------
I'm not sure how an attacker can generate input to that function, maybe you
guys from net-irc can help here.

Also, is 1.1.6 good to go stable? 

------- Comment #2 From Robert Buchholz 2008-03-08 17:03:51 0000 -------
net-irc, please advise.

------- Comment #3 From Raúl Porcel 2008-03-10 14:23:02 0000 -------
It's safe to go to stable, but I have no idea about that thing :)

------- Comment #4 From Robert Buchholz 2008-03-10 15:37:55 0000 -------
Arches, please test and mark stable:
=net-im/silc-toolkit-1.1.6
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sparc x86"

------- Comment #5 From Markus Rothe 2008-03-10 19:25:26 0000 -------
ppc64 stable

------- Comment #6 From Raúl Porcel 2008-03-11 18:13:51 0000 -------
alpha/ia64/sparc/x86 stable

------- Comment #7 From Jeroen Roovers 2008-03-11 18:18:52 0000 -------
Stable for HPPA.

------- Comment #8 From Santiago M. Mola 2008-03-11 21:55:24 0000 -------
amd64 stable

------- Comment #9 From Tobias Scherbaum 2008-03-14 08:22:56 0000 -------
ppc stable

------- Comment #10 From Peter Volkov 2008-03-14 17:52:19 0000 -------
Fixed in release snapshot.

------- Comment #11 From Robert Buchholz 2008-03-21 02:19:55 0000 -------
request filed

------- Comment #12 From Ryan Hill 2008-03-21 18:48:09 0000 -------
no mips stable.

------- Comment #13 From Tobias Heinlein 2008-04-24 16:34:04 0000 -------
GLSA 200804-27.
