Gentoo Bug 99890 - net-im/centericq: Denial of Service or remote code execution (CAN-2005-1852)

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bug#:	99890
Alias:
Product:
Component:
Status:	RESOLVED
Resolution:	FIXED
Assigned To:	Gentoo Security <security@gentoo.org>

Hardware:
OS:
Version:
Priority:
Severity:

Reporter:	Stefan Cornelius (RETIRED) <dercorny@gentoo.org>
Add CC:
CC:	Remove selected CCs

URL:
Summary:
Status Whiteboard:
Keywords:

Flags:			Requestee:
	Pending
	Approved
	Assigned_To		()

Filename	Description	Type	Creator	Created	Size	Actions
external-libgadu.patch	external-libgadu.patch	patch	Marcin Kryczek (RETIRED)	2005-07-22 09:57 0000	397 bytes	Details \| Diff
Create a New Attachment (proposed patch, testcase, etc.)						View All

Bug 99890 depends on:			Show dependency tree
Bug 99890 blocks:			Show dependency tree

Additional Comments: (this is where you put emerge --info)

Add to CC list

Not eligible to see or edit group visibility for this bug.

Leave as RESOLVED FIXED
Reopen bug
Mark bug as VERIFIED
Mark bug as CLOSED

View Bug Activity | Format For Printing | XML | Clone This Bug

Description:

Opened: 2005-07-22 03:21 0000

Karol Pasternak found two bugs in libgadu,
They can provide attacker to execute remote code or crash gg client.

------- Comment #1 From Stefan Cornelius (RETIRED) 2005-07-22 03:22:26 0000 -------

net-im already working on ebuilds.

------- Comment #2 From Karol Wojtaszek (RETIRED) 2005-07-22 06:17:51 0000 -------

centericq-4.20.0-r3 in portage. It forces centericq to use external gadu-gadu
library.

------- Comment #3 From Stefan Cornelius (RETIRED) 2005-07-22 06:25:59 0000 -------

Arches, plz test and mark centericq-4.20.0-r3 (and the external lib it needs)
stable. Thanks.

------- Comment #4 From Wolfram Schlich 2005-07-22 08:13:49 0000 -------

eek! please change the libgadu $DEPEND entry from

>=net-libs/libgadu-20050719

to

gg? ( >=net-libs/libgadu-20050719 )

if the gg USE flag is off, the user doesn't want it
to be built with gadu-gadu support.

------- Comment #5 From Wolfram Schlich 2005-07-22 08:17:46 0000 -------

applying the patch for using the external libgadu is also
unnecessary when USE="-gg" is used btw...

------- Comment #6 From Stefan Cornelius (RETIRED) 2005-07-22 08:26:44 0000 -------

Back to ebuild status

------- Comment #7 From Stefan Cornelius (RETIRED) 2005-07-22 08:27:38 0000 -------

blah, i seem to fail removing CC'ed arches today :(

------- Comment #8 From Marcin Kryczek (RETIRED) 2005-07-22 09:55:57 0000 -------

kopete checking for external libgadu is also broken. look at the code (from 
kopete/protocols/configure.in.in):
    int main()
    {
#if defined __GG_LIBGADU_HAVE_PTHREAD && defined GG_LOGIN60
        int maj, min, date;
        sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date );
        if ( maj != 1 ) {
            return 1;
        }
        if ( ( min == 4 || min == 5 ) && date < 20040520 ) {
            return 1;
        }

        if ( min == 5 ){
            return 0;
        }

#endif
        return 1;
    }

currently gg_libgadu_version() returns only date of release, not minor and major 
version:
#include <libgadu.h>
#include <stdio.h>
#include <string.h>

int main() {
                int maj, min, date;
                sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date );
                printf("%u   %u   %u", maj, min, date);
}
after executing this program we've got:
20050719   0   3086475252

so the condition 'if ( maj !=1 ) from configure is always true and thus 
kopete'll *never* link against external libgadu

------- Comment #9 From Marcin Kryczek (RETIRED) 2005-07-22 09:57:18 0000 -------

Created an attachment (id=64068) [details]
external-libgadu.patch

just a workaround until upstream won't fix that

------- Comment #10 From Stefan Cornelius (RETIRED) 2005-07-23 07:25:47 0000 -------

net-im, any comments to the patch by Marcin 'aye' Kryczek and the useflag
issue?
Are you working on a new ebuild?

------- Comment #11 From Karol Wojtaszek (RETIRED) 2005-07-24 01:37:00 0000 -------

Fixed optional gg depenency in centericq ebuild. Kopete has his own patch
provided by upstream.

------- Comment #12 From Stefan Cornelius (RETIRED) 2005-07-24 03:19:34 0000 -------

Arches, please test and mark 4.20.0-r3 stable.

------- Comment #13 From Tobias Scherbaum 2005-07-24 10:10:11 0000 -------

ppc stable

------- Comment #14 From Karol Wojtaszek (RETIRED) 2005-07-25 05:23:50 0000 -------

x86 done

------- Comment #15 From Gustavo Zacarias (RETIRED) 2005-07-25 10:31:42 0000 -------

sparc stable.
note that gadu-gadu support doesn't seem to be working right (at least on sparc,
seems the same on x86 according to sekretarz) so he just removed it for now,
that being the reason i didn't stable libgadu yet.

------- Comment #16 From Stefan Cornelius (RETIRED) 2005-07-26 13:01:35 0000 -------

ready for glsa

------- Comment #17 From Sune Kloppenborg Jeppesen 2005-07-27 01:08:23 0000 -------

GLSA 200507-26

Bug List: (This bug is not in your last search results) Show last search results Search page Enter new bug

Bugzilla Bug 99890

net-im/centericq: Denial of Service or remote code execution (CAN-2005-1852)

Last modified: 2005-07-27 01:08:23 0000