Bug 236160 (CVE-2008-3920) - net-im/bitlbee <1.2.3 NULL dereference leading to account hijacking (CVE-2008-3920,CVE-2008-3969)
Summary: net-im/bitlbee <1.2.3 NULL dereference leading to account hijacking (CVE-2008...
Status: RESOLVED FIXED
Alias: CVE-2008-3920
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://bitlbee.org/main.php/changelog...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-30 02:16 UTC by Robert Buchholz (RETIRED)
Modified: 2008-09-23 21:37 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2008-08-30 02:16:34 UTC
Version 1.2.2 (released 2008-08-26) highlights:
    * Fixed a security issue where it was possible to recreate/hijack already
      existing accounts.


Patch:
http://code.bitlbee.org/hgweb/release?cmd=revision;revid=wilmer%40gaast.net-20080825204848-bzp7ye1i07bpnole
Comment 1 Cédric Krier gentoo-dev 2008-08-30 09:05:36 UTC
Version bump to 1.2.2
Comment 2 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-30 10:58:46 UTC
Arches, please test and mark stable net-im/bitlbee-1.2.2.
Target keywords "alpha amd64 ia64 ppc sparc x86 ~x86-fbsd"
Comment 3 Markus Meier gentoo-dev 2008-08-30 15:10:05 UTC
test suite fails (regression) on amd64/x86:
net-im/bitlbee-1.2.2 [1.2] USE="ipv6 jabber oscar ssl* test yahoo -debug -gnutls* -msn* -nss* -xinetd"

* Linking check
./check 
Warning: Unable to read configuration file `(null)'.
Running suite(s): Util
 Nick
 MD5
 ArcFour
 IRC
 Help
 User
 Crypting
 Set
 jabber/sasl
 jabber/util
97%: Checks: 46, Failures: 1, Errors: 0
check_set.c:102:F:Core:test_setstr_implicit:0: Assertion 'set_find(&s, "name") != NULL' failed
make[1]: *** [all] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-im/bitlbee-1.2.2/work/bitlbee-1.2.2/tests'
make: *** [check] Error 2
 * 
 * ERROR: net-im/bitlbee-1.2.2 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_test
 *             environment, line 2468:  Called die
 * The specific snippet of code:
 *               hasq test $FEATURES && die "Make check failed. See above for details.";
 *  The die message:
 *   Make check failed. See above for details.


Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.6.1-r0, 2.6.26.3 i686)
=================================================================
System uname: 2.6.26.3 i686 Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz
Timestamp of tree: Sat, 30 Aug 2008 14:06:01 +0000
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openfire/resources/security/ /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/bind /var/lib/hsqldb /var/spool/torque"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
PKGDIR="/mnt/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus doc dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde kerberos ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 4 Cédric Krier gentoo-dev 2008-08-30 16:01:00 UTC
(In reply to comment #3)

Test suite fixed in cvs
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2008-08-30 19:33:23 UTC
amd64 stable
Comment 6 Markus Meier gentoo-dev 2008-08-31 12:35:41 UTC
thanks for fixing, x86 stable.
Comment 7 Ferris McCormick (RETIRED) gentoo-dev 2008-08-31 15:01:36 UTC
Sparc stable.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-08-31 15:49:58 UTC
alpha/ia64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-08-31 15:54:08 UTC
ppc stable
Comment 10 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-02 16:59:32 UTC
Ready for vote, I vote YES.
Comment 11 Cédric Krier gentoo-dev 2008-09-04 20:54:58 UTC
I vote also YES
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-05 20:45:05 UTC
(In reply to comment #11)
> I vote also YES
> 

Well, theoretically only security team members are voting, but having maintainer point of view is always interesting. Anyway, voting YES too and GLSA request filed.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 10:53:51 UTC
Back to [ebuild], quoting Tomas Hoger of RedHat:

This issue fixed in 1.2.2 was assigned CVE id CVE-2008-3920:

  Unspecified vulnerability in BitlBee before 1.2.2 allows remote
  attackers to "recreate" and "hijack" existing accounts via unspecified
  vectors.

However, upstream released 1.2.3 in the meantime, fixing the incomplete
fix in 1.2.2.  Quoting news page:

  Unfortunately 1.2.2 did not fix all possible account hijacking
  loopholes. Another very similar flaw was found by Tero Marttila. In
  the migration to the user configuration storage abstraction layer, a
  few safeguards that prevent overwriting existing accounts disappeared.
  Over the week I went over all the related code to make sure that
  everything's done in a sane, safe and consistent way.

  http://www.bitlbee.org/main.php/news.r.html

And changelog:

  Version 1.2.3 (released 2008-09-07) highlights:
    * Fixed a security issue similar to the previous account overwrite/hijack bug.

  http://www.bitlbee.org/main.php/changelog.html
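The upstream note above describes the root cause as account-overwrite safeguards that went missing when the code moved behind a storage abstraction layer. The following is an added illustration, not BitlBee's code and not derived from its patch: a minimal account store in C whose register and save paths keep the two checks such a layer needs (refuse to create a nick that already exists, and only let the authenticated owner update a record), with a lookup that returns NULL for unknown nicks and callers that always test for it. All type and function names (account_store_t, store_register, store_save, store_check_secret) and the sample data are hypothetical.

```c
/* Added example (not BitlBee's code): an account store whose save path
 * keeps the "never overwrite an existing account" safeguard. All names
 * and sample data here are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_ACCOUNTS 8
#define NICK_LEN 32
#define SECRET_LEN 64

typedef struct {
    char nick[NICK_LEN];
    char secret[SECRET_LEN];   /* stands in for a password hash */
} account_t;

typedef struct {
    account_t slots[MAX_ACCOUNTS];
    int count;
} account_store_t;

typedef enum {
    STORE_OK = 0,
    STORE_EXISTS = 1,       /* refused: nick already registered */
    STORE_NOT_FOUND = 2,    /* save for an unknown nick is not an implicit create */
    STORE_NOT_OWNER = 3,    /* refused: caller is not the account's owner */
    STORE_FULL = 4,
    STORE_BAD_ARG = 5
} store_result_t;

/* Lookup returns NULL when the nick is unknown; every caller must check it
 * rather than dereference the result. */
static account_t *store_find(account_store_t *st, const char *nick)
{
    if (st == NULL || nick == NULL) return NULL;
    for (int i = 0; i < st->count; i++)
        if (strcmp(st->slots[i].nick, nick) == 0)
            return &st->slots[i];
    return NULL;
}

/* Registration: the safeguard is the explicit existence check. Creating an
 * account must never silently replace a record with the same nick. */
store_result_t store_register(account_store_t *st, const char *nick, const char *secret)
{
    if (st == NULL || nick == NULL || secret == NULL || nick[0] == '\0')
        return STORE_BAD_ARG;
    if (strlen(nick) >= NICK_LEN || strlen(secret) >= SECRET_LEN)
        return STORE_BAD_ARG;
    if (store_find(st, nick) != NULL)
        return STORE_EXISTS;
    if (st->count >= MAX_ACCOUNTS)
        return STORE_FULL;
    account_t *a = &st->slots[st->count++];
    strcpy(a->nick, nick);
    strcpy(a->secret, secret);
    return STORE_OK;
}

/* Save: only the session authenticated as the owner of `nick` may update
 * it, and a save for a nick that does not exist is an error. */
store_result_t store_save(account_store_t *st, const char *authenticated_as,
                          const char *nick, const char *new_secret)
{
    if (st == NULL || authenticated_as == NULL || nick == NULL || new_secret == NULL)
        return STORE_BAD_ARG;
    if (strlen(new_secret) >= SECRET_LEN) return STORE_BAD_ARG;
    account_t *a = store_find(st, nick);
    if (a == NULL) return STORE_NOT_FOUND;                  /* NULL handled, not dereferenced */
    if (strcmp(authenticated_as, a->nick) != 0) return STORE_NOT_OWNER;
    strcpy(a->secret, new_secret);
    return STORE_OK;
}

/* Login check: 1 when the stored secret matches, 0 otherwise (including unknown nick). */
int store_check_secret(account_store_t *st, const char *nick, const char *secret)
{
    account_t *a = store_find(st, nick);
    if (a == NULL || secret == NULL) return 0;
    return strcmp(a->secret, secret) == 0;
}

int main(void)
{
    account_store_t st = { .count = 0 };   /* constructed sample store */
    printf("register alice: %d\n", store_register(&st, "alice", "s3cret-hash"));
    printf("re-register alice: %d (refused, STORE_EXISTS)\n",
           store_register(&st, "alice", "other-hash"));
    printf("bob saves alice: %d (refused, STORE_NOT_OWNER)\n",
           store_save(&st, "bob", "alice", "x"));
    printf("alice login still works: %d\n", store_check_secret(&st, "alice", "s3cret-hash"));
    return 0;
}
```

The two refusals in main are the behaviours the 1.2.3 note says had been lost: a second registration of an existing nick is rejected instead of replacing the record, and a save issued by a session that is not the account's owner is rejected. Keeping both checks inside the storage layer, rather than in each caller, is what stops a refactor from dropping them again.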
Comment 14 Cédric Krier gentoo-dev 2008-09-10 11:15:13 UTC
(In reply to comment #13)
Version bump to 1.2.3 in cvs
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-09-10 11:23:50 UTC
Arches, please test and mark stable:
=net-im/bitlbee-1.2.3
Target keywords: "alpha amd64 ia64 ppc sparc x86"
Comment 16 Ferris McCormick (RETIRED) gentoo-dev 2008-09-10 13:40:00 UTC
Sparc stable, everything looks good.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2008-09-11 10:05:24 UTC
alpha/ia64/x86 stable
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2008-09-11 17:25:43 UTC
amd64 stable
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2008-09-12 14:14:49 UTC
CVE-2008-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3969):
  Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
  remote attackers to "overwrite" and "hijack" existing accounts via
  unknown vectors.  NOTE: this issue exists because of an incomplete
  fix for CVE-2008-3920.
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2008-09-19 19:05:28 UTC
ppc stable
Comment 21 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-09-23 21:37:36 UTC
GLSA 200809-14