Bug 251492 - media-sound/teamspeak2-{client,server}-bin bundles copies of vuln. system libraries
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2? [glsa]
Depends on: 297577
Blocks: bundled-libs
Reported: 2008-12-18 15:50 UTC by Diego Elio Pettenò (RETIRED)
Modified: 2014-12-12 00:55 UTC
Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-18 15:50:16 UTC
Plus I don't know how much more stuff can be found in there; I've seen a libspeex at least.

yamato ~ # ./test-zlib /opt/teamspeak2-client/libborqt-6.9-qt2.3.so
zlib version in /opt/teamspeak2-client/libborqt-6.9-qt2.3.so: 1.1.3
yamato ~ # ./test-libpng /opt/teamspeak2-client/libborqt-6.9-qt2.3.so
libpng version in /opt/teamspeak2-client/libborqt-6.9-qt2.3.so: 1.0.9

[yes I know this cannot be fixed by us, but it's still a bug to track]
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2009-07-21 12:55:12 UTC
# Samuli Suominen <ssuominen@gentoo.org> (21 Jul 2009)
# Security problems. Internal copies of vulnerable libraries,
# such as libpng. See, http://bugs.gentoo.org/show_bug.cgi?id=251492
# Masked for removal.
media-sound/teamspeak2-server-bin
media-sound/teamspeak2-client-bin

Security, any chance of getting a list of CVEs for libpng? Has to be dozens.
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2009-07-21 13:07:33 UTC
Also speex is affected by GLSA 200804-17.
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2009-07-21 14:01:31 UTC
strings also hints to me that server_linux in teamspeak2-server-bin ships a copy of an ancient openssl, which has a long history of vulnerabilities.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2009-07-21 14:02:22 UTC
and an old version of sqlite-2; don't know the status of that one
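The checks in the description and in comment 3 amount to looking for the version banners that statically linked libraries leave in a binary. The sketch below is an added example, not the test-zlib/test-libpng tools used in the report (the page does not show them); the banner patterns are this example's assumptions about what to search for, and the sample bytes are constructed.

```python
import re
import sys

# Banner strings these libraries compile into their objects. The patterns are
# this example's assumption about what to look for, not the reporter's tools.
SIGNATURES = {
    "zlib": re.compile(rb"(?:deflate|inflate) (\d+\.\d+(?:\.\d+){0,2}) Copyright 1995-"),
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+[0-9A-Za-z.]*) - "),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}"),
}


def bundled_versions(data: bytes) -> dict:
    """Return {library: sorted list of distinct version strings} found in data."""
    found = {}
    for lib, pattern in SIGNATURES.items():
        versions = {m.group(1).decode("ascii") for m in pattern.finditer(data)}
        if versions:
            found[lib] = sorted(versions)
    return found


def scan_file(path: str) -> dict:
    # Read raw bytes: the banners are plain read-only data, so no ELF parsing
    # is needed and stripped binaries are still covered.
    with open(path, "rb") as fh:
        return bundled_versions(fh.read())


# Constructed sample: fake binary bytes carrying the banners that static copies
# of zlib 1.1.3 and libpng 1.0.9 (the versions named in the report) leave behind.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b" deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly \x00"
    + b" inflate 1.1.3 Copyright 1995-1998 Mark Adler \x00"
    + b"\x90\x90\n libpng version 1.0.9 - January 31, 2001\n\x00"
    + b"unrelated text: version 9.9.9\x00"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("sample:", bundled_versions(SAMPLE))
    for path in targets:
        print(path, scan_file(path))
```

A banner match shows which library version was linked in; it does not show whether the vulnerable code paths are reachable, which is the question raised later in the thread.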
Comment 5 Christian Parpart (RETIRED) gentoo-dev 2009-07-21 15:32:52 UTC
Is there any chance of contacting the teamspeak developers so that they bump their binaries with up-to-date builtin dependencies?

IMHO, the development of teamspeak seems pretty dead {just an assumption}, but it's still a very widely used tool in lots of game-related communities.
Comment 6 Patrick 2009-07-22 02:35:25 UTC
(In reply to comment #5)
> Is there any chance of contacting the teamspeak developers so that they
> bump their binaries with up-to-date builtin dependencies?

I explained the situation to one of the developers (by e-mail) and provided a link to this page. Let's hope he reacts.

> IMHO, the development of teamspeak seems pretty dead {just an assumption}, but
> it's still a very widely used tool in lots of game-related communities.

It seems they are working on a re-write ("TeamSpeak 3"), which seems to be in alpha stage.
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2009-07-22 09:30:31 UTC
Oh, I almost missed it. The zlib appears to be vulnerable as well. ;-)

  11 Mar 2002; Bruce A. Locke <blocke@shivan.org> zlib-1.1.4.ebuild :

  - upstream security update (possible exploitable buffer overflow)
  - website moved
  - src_install is now version independent
Comment 8 Patrick 2009-07-23 08:43:46 UTC
This is the answer I got from Peter Kirk, a TeamSpeak developer. I translated it from German to English:

"The problem is, that the TS2 Linux port had been made with Borland Kylix, which never really had been maintained by Borland, and which has been abandoned a long time ago... that's why it always was an adventure to get the TS2 client compiled for Linux at all. Even if we tried, it would probably be impossible to change most of the libraries (which are a part of the Qt-2 "copy" that comes with Kylix), and since Kylix isn't being maintained anymore, there won't be any updates...
In short: With TeamSpeak 3 at the horizon (C/C++ instead of Delphi!), it's unlikely that the TS2 Linux client can be changed. There is also the question, if TS2 is actually using the stated libraries in a manner that they [the vulnerabilities] are exploitable (at least I have never heard of any successful exploit), and that's why I just hope that the TS2 users can live with the TS2 Linux version for those few remaining months until TS3 will be released."
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-23 10:09:22 UTC
(In reply to comment #8)
> In short: With TeamSpeak 3 at the horizon (C/C++ instead of Delphi!), it's
> unlikely that the TS2 Linux client can be changed. There is also the question,
> if TS2 is actually using the stated libraries in a manner that they [the
> vulnerabilities] are exploitable (at least I have never heard of any successful
> exploit)

The non-existence of an exploit should not be taken to assume it is not exploitable. It's rather exhausting to audit the binaries they provide to see whether exploitable code paths through the libraries exist. Since there has been no update since 2004 I fully support the removal. Who knows when TS3 is out.

Comment 10 Jarry 2009-07-23 18:07:56 UTC
Does it mean only TS-client is affected? I could live with it, but I do not like the idea of having TS-server vulnerable. Now, when the Pandora's box has been opened, it is just a question of time when some exploit shows up. A few months, that's plenty of time for that. Moreover, I doubt TS3 is just a few months away from being released...
Comment 11 Martin von Gagern 2009-07-30 19:05:03 UTC
Have you considered keeping the stuff in portage but masked until TS3 comes along? As teamspeak is often used in trusted nets only, I assume there might be a lot of people who are willing to run it despite these issues. By keeping it in portage, people could use it by simply unmasking it.
Comment 12 Samuli Suominen (RETIRED) gentoo-dev 2009-07-30 19:44:53 UTC
(In reply to comment #11)
> Have you considered keeping the stuff in portage but masked until TS3 comes
> along? As teamspeak is often used in trusted nets only, I assume there might be
> a lot of people who are willing to run it despite these issues. By keeping it
> in portage, people could use it by simply unmasking it.
> 

I've been bouncing back and forth on that idea. Uninterested in maintaining binary apps, but on the other hand this seems to be widely used.
Comment 13 Lee Simpson 2009-07-30 22:27:17 UTC
Might be nice to also suggest an alternative open source gaming voip solution like Mumble? http://mumble.sourceforge.net/
Comment 14 Samuli Suominen (RETIRED) gentoo-dev 2009-07-31 06:04:27 UTC
Leaving masked; but not maintaining this -> maintainer-needed
Comment 15 DavidH 2009-08-04 00:11:27 UTC
Just wanted to chime in here as a gentoo sysadmin and a longtime TS2 (server) user, I would much prefer to see it just masked, at least for the immediate future.  There is significant inertia for TS2 in various communities (I shepherd one myself), and it will take a concerted effort to migrate them to something like mumble.  I consider ventrilo a non-option, due to licensing issues.

Cheers -- and thanks for all the hard (and unheralded) gentoo work.
Comment 16 Sascha Jüngling 2009-12-19 17:03:38 UTC
The bug can be finally fixed, ts3 is out ;)

http://www.teamspeak.com/
Comment 17 Samuli Suominen (RETIRED) gentoo-dev 2010-01-07 11:53:57 UTC
(In reply to comment #16)
> The bug can be finally fixed, ts3 is out ;)
> 
> http://www.teamspeak.com/
> 

Indeed, closing.
Comment 18 Stefan Behte (RETIRED) gentoo-dev Security 2010-01-07 18:54:29 UTC
This might need a glsa.
Comment 19 Benjamin Börngen-Schmidt 2010-11-19 16:10:26 UTC
Since Teamspeak2 is not anymore available through portage this bug should be closed.
Comment 20 Pacho Ramos gentoo-dev 2012-02-27 19:49:31 UTC
(In reply to comment #19)
> Since Teamspeak2 is not anymore available through portage this bug should be
> closed.

@security team, ping! :)
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2012-03-01 01:14:35 UTC
(In reply to comment #20)
> (In reply to comment #19)
> > Since Teamspeak2 is not anymore available through portage this bug should be
> > closed.
> 
> @security team, ping! :)

Hi, we need to keep the bug open until a GLSA is published for these issues.
Comment 22 Pacho Ramos gentoo-dev 2012-03-01 06:46:59 UTC
OK, fine
Comment 23 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:55:44 UTC
Given that this package was replaced > 4 years ago, it will not receive a GLSA. 

Closing as resolved.