Comment 1 Cédric Krier 2008-08-30 09:05:36 UTC

Version bump to 1.2.2

Comment 2 Pierre-Yves Rofes (RETIRED) 2008-08-30 10:58:46 UTC

Arches, please test and mark stable net-im/bitlbee-1.2.2.
Target keywords "alpha amd64 ia64 ppc sparc x86 ~x86-fbsd"

Comment 3 Markus Meier 2008-08-30 15:10:05 UTC

test suite fails (regression) on amd64/x86:
net-im/bitlbee-1.2.2 [1.2] USE="ipv6 jabber oscar ssl* test yahoo -debug -gnutls* -msn* -nss* -xinetd"

* Linking check
./check 
Warning: Unable to read configuration file `(null)'.
Running suite(s): Util
 Nick
 MD5
 ArcFour
 IRC
 Help
 User
 Crypting
 Set
 jabber/sasl
 jabber/util
97%: Checks: 46, Failures: 1, Errors: 0
check_set.c:102:F:Core:test_setstr_implicit:0: Assertion 'set_find(&s, "name") != NULL' failed
make[1]: *** [all] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-im/bitlbee-1.2.2/work/bitlbee-1.2.2/tests'
make: *** [check] Error 2
 * 
 * ERROR: net-im/bitlbee-1.2.2 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2468:  Called die
 * The specific snippet of code:
 *               hasq test $FEATURES && die "Make check failed. See above for details.";
 *  The die message:
 *   Make check failed. See above for details.


Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26.3 i686)
=================================================================
System uname: 2.6.26.3 i686 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Sat, 30 Aug 2008 14:06:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 4 Cédric Krier 2008-08-30 16:01:00 UTC

(In reply to comment #3)

Tests suite fixed in cvs

Comment 5 Tobias Heinlein (RETIRED) 2008-08-30 19:33:23 UTC

amd64 stable

Comment 6 Markus Meier 2008-08-31 12:35:41 UTC

thanks for fixing, x86 stable.

Comment 7 Ferris McCormick (RETIRED) 2008-08-31 15:01:36 UTC

Sparc stable.

Comment 8 Raúl Porcel (RETIRED) 2008-08-31 15:49:58 UTC

alpha/ia64 stable

Comment 9 Tobias Scherbaum (RETIRED) 2008-08-31 15:54:08 UTC

ppc stable

Comment 10 Tobias Heinlein (RETIRED) 2008-09-02 16:59:32 UTC

Ready for vote, I vote YES.

Comment 11 Cédric Krier 2008-09-04 20:54:58 UTC

I vote also YES

Comment 12 Pierre-Yves Rofes (RETIRED) 2008-09-05 20:45:05 UTC

(In reply to comment #11)
> I vote also YES
> 

Well, theoretically only security team members are voting, but having maintainer point of view is always interesting. Anyway, voting YES too and GLSA request filed.

Comment 13 Robert Buchholz (RETIRED) 2008-09-10 10:53:51 UTC

Back to [ebuild], quoting Tomas Hoger of RedHat:

This issue fixed in 1.2.2 was assigned CVE id CVE-2008-3920:

  Unspecified vulnerability in BitlBee before 1.2.2 allows remote
  attackers to "recreate" and "hijack" existing accounts via unspecified
  vectors.

However, upstream released 1.2.3 in the meantime, fixing the incomplete
fix in 1.2.2.  Quoting news page:

  Unfortunately 1.2.2 did not fix all possible account hijacking
  loopholes. Another very similar flaw was found by Tero Marttila. In
  the migration to the user configuration storage abstraction layer, a
  few safeguards that prevent overwriting existing accounts disappeared.
  Over the week I went over all the related code to make sure that
  everything's done in a sane, safe and consistent way.

  http://www.bitlbee.org/main.php/news.r.html

And changelog:

  Version 1.2.3 (released 2008-09-07) hilights:
    * Fixed a security issue similar to the previous account overwrite/hijack bug.

  http://www.bitlbee.org/main.php/changelog.html

Comment 14 Cédric Krier 2008-09-10 11:15:13 UTC

(In reply to comment #13)
Version bump to 1.2.3 in cvs

Comment 15 Robert Buchholz (RETIRED) 2008-09-10 11:23:50 UTC

Arches, please test and mark stable:
=net-im/bitlbee-1.2.3
Target keywords : "alpha amd64 ia64 ppc sparc x86"

Comment 16 Ferris McCormick (RETIRED) 2008-09-10 13:40:00 UTC

Sparc stable, everything looks good.

Comment 17 Raúl Porcel (RETIRED) 2008-09-11 10:05:24 UTC

alpha/ia64/x86 stable

Comment 18 Tobias Heinlein (RETIRED) 2008-09-11 17:25:43 UTC

amd64 stable

Comment 19 Robert Buchholz (RETIRED) 2008-09-12 14:14:49 UTC

CVE-2008-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3969):
  Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
  remote attackers to "overwrite" and "hijack" existing accounts via
  unknown vectors.  NOTE: this issue exists because of an incomplete
  fix for CVE-2008-3920.

Comment 20 Tobias Scherbaum (RETIRED) 2008-09-19 19:05:28 UTC

ppc stable

Comment 21 Pierre-Yves Rofes (RETIRED) 2008-09-23 21:37:36 UTC

GLSA 200809-14