Bug#: 236160
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>


Description:   Opened: 2008-08-30 02:16 0000
Version 1.2.2 (released 2008-08-26) hilights:
    * Fixed a security issue where it was possible to recreate/hijack already
      existing accounts.


Patch:
http://code.bitlbee.org/hgweb/release?cmd=revision;revid=wilmer%40gaast.net-20080825204848-bzp7ye1i07bpnole

------- Comment #1 From Cédric Krier 2008-08-30 09:05:36 0000 -------
Version bump to 1.2.2

------- Comment #2 From Pierre-Yves Rofes 2008-08-30 10:58:46 0000 -------
Arches, please test and mark stable net-im/bitlbee-1.2.2.
Target keywords "alpha amd64 ia64 ppc sparc x86 ~x86-fbsd"

------- Comment #3 From Markus Meier 2008-08-30 15:10:05 0000 -------
test suite fails (regression) on amd64/x86:
net-im/bitlbee-1.2.2 [1.2] USE="ipv6 jabber oscar ssl* test yahoo -debug
-gnutls* -msn* -nss* -xinetd"

* Linking check
./check 
Warning: Unable to read configuration file `(null)'.
Running suite(s): Util
 Nick
 MD5
 ArcFour
 IRC
 Help
 User
 Crypting
 Set
 jabber/sasl
 jabber/util
97%: Checks: 46, Failures: 1, Errors: 0
check_set.c:102:F:Core:test_setstr_implicit:0: Assertion 'set_find(&s, "name")
!= NULL' failed
make[1]: *** [all] Error 1
make[1]: Leaving directory
`/var/tmp/portage/net-im/bitlbee-1.2.2/work/bitlbee-1.2.2/tests'
make: *** [check] Error 2
 * 
 * ERROR: net-im/bitlbee-1.2.2 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2468:  Called die
 * The specific snippet of code:
 *               hasq test $FEATURES && die "Make check failed. See above for
details.";
 *  The die message:
 *   Make check failed. See above for details.


Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0,
2.6.26.3 i686)
=================================================================
System uname: 2.6.26.3 i686 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Sat, 30 Aug 2008 14:06:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env
/usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind
/var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/
/etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/
/etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild
/etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox
sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles
--exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli
cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo
examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6
isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mp3 mpeg mudflap
ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd
python qt3 qt3support qt4 quicktime readline reflection sdl session source
spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode
usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp
atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul
mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions
alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file
authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user
autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires
ext_filter file_cache filter headers include info log_config logio mem_cache
mime mime_magic negotiation rewrite setenvif speling status unique_id userdir
usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001
mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga
neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG,
LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

------- Comment #4 From Cédric Krier 2008-08-30 16:01:00 0000 -------
(In reply to comment #3)

Test suite fixed in cvs

------- Comment #5 From Tobias Heinlein 2008-08-30 19:33:23 0000 -------
amd64 stable

------- Comment #6 From Markus Meier 2008-08-31 12:35:41 0000 -------
thanks for fixing, x86 stable.

------- Comment #7 From Ferris McCormick 2008-08-31 15:01:36 0000 -------
Sparc stable.

------- Comment #8 From Raúl Porcel 2008-08-31 15:49:58 0000 -------
alpha/ia64 stable

------- Comment #9 From Tobias Scherbaum 2008-08-31 15:54:08 0000 -------
ppc stable

------- Comment #10 From Tobias Heinlein 2008-09-02 16:59:32 0000 -------
Ready for vote, I vote YES.

------- Comment #11 From Cédric Krier 2008-09-04 20:54:58 0000 -------
I vote also YES

------- Comment #12 From Pierre-Yves Rofes 2008-09-05 20:45:05 0000 -------
(In reply to comment #11)
> I vote also YES
> 

Well, theoretically only security team members are voting, but having
maintainer point of view is always interesting. Anyway, voting YES too and GLSA
request filed.

------- Comment #13 From Robert Buchholz 2008-09-10 10:53:51 0000 -------
Back to [ebuild], quoting Tomas Hoger of RedHat:

This issue fixed in 1.2.2 was assigned CVE id CVE-2008-3920:

  Unspecified vulnerability in BitlBee before 1.2.2 allows remote
  attackers to "recreate" and "hijack" existing accounts via unspecified
  vectors.

However, upstream released 1.2.3 in the meantime, fixing the incomplete
fix in 1.2.2.  Quoting news page:

  Unfortunately 1.2.2 did not fix all possible account hijacking
  loopholes. Another very similar flaw was found by Tero Marttila. In
  the migration to the user configuration storage abstraction layer, a
  few safeguards that prevent overwriting existing accounts disappeared.
  Over the week I went over all the related code to make sure that
  everything's done in a sane, safe and consistent way.

  http://www.bitlbee.org/main.php/news.r.html

And changelog:

  Version 1.2.3 (released 2008-09-07) hilights:
    * Fixed a security issue similar to the previous account overwrite/hijack
      bug.

  http://www.bitlbee.org/main.php/changelog.html

------- Comment #14 From Cédric Krier 2008-09-10 11:15:13 0000 -------
(In reply to comment #13)
Version bump to 1.2.3 in cvs

------- Comment #15 From Robert Buchholz 2008-09-10 11:23:50 0000 -------
Arches, please test and mark stable:
=net-im/bitlbee-1.2.3
Target keywords : "alpha amd64 ia64 ppc sparc x86"

------- Comment #16 From Ferris McCormick 2008-09-10 13:40:00 0000 -------
Sparc stable, everything looks good.

------- Comment #17 From Raúl Porcel 2008-09-11 10:05:24 0000 -------
alpha/ia64/x86 stable

------- Comment #18 From Tobias Heinlein 2008-09-11 17:25:43 0000 -------
amd64 stable

------- Comment #19 From Robert Buchholz 2008-09-12 14:14:49 0000 -------
CVE-2008-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3969):
  Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
  remote attackers to "overwrite" and "hijack" existing accounts via
  unknown vectors.  NOTE: this issue exists because of an incomplete
  fix for CVE-2008-3920.

------- Comment #20 From Tobias Scherbaum 2008-09-19 19:05:28 0000 -------
ppc stable

------- Comment #21 From Pierre-Yves Rofes 2008-09-23 21:37:36 0000 -------
GLSA 200809-14
