Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 432756 (CVE-2012-3534) - <net-voip/gnugk-3.2.2: Status port DoS (CVE-2012-3534)
Summary: <net-voip/gnugk-3.2.2: Status port DoS (CVE-2012-3534)
Status: RESOLVED FIXED
Alias: CVE-2012-3534
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/50343/
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-08-25 18:33 UTC by Agostino Sarubbo
Modified: 2013-12-30 08:11 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-08-25 18:33:36 UTC 
Description
A vulnerability with an unknown impact has been reported in GNU Gatekeeper.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in versions prior to 3.1.


Solution
Update to version 3.1.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-08-25 19:33:51 UTC 
http://www.openwall.com/lists/oss-security/2012/08/25/4:

"Could you please shed some light on the security issue? is it related to the 
status port connection limit feature that was recently added in [2] and 
similar?"

"But you are right, the possibility to create an unlimited number of
connections each with its own thread handling it is the issue that
creates an easy possibility for a DOS attack."
Comment 2 Agostino Sarubbo gentoo-dev 2012-08-25 19:40:31 UTC 
(In reply to comment #1)
> http://www.openwall.com/lists/oss-security/2012/08/25/4:
> 
> "Could you please shed some light on the security issue? is it related to
> the 
> status port connection limit feature that was recently added in [2] and 
> similar?"
> 
> "But you are right, the possibility to create an unlimited number of
> connections each with its own thread handling it is the issue that
> creates an easy possibility for a DOS attack."

I didn't look at oss-security

~3 since the package is only ~arch
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-08 15:44:01 UTC 
CVE-2012-3534 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3534):
  GNU Gatekeeper before 3.1 does not limit the number of connections to the
  status port, which allows remote attackers to cause a denial of service
  (connection and thread consumption) via a large number of connections.
Comment 4 Chí-Thanh Christopher Nguyễn gentoo-dev 2013-03-06 02:12:01 UTC 
gnugk-3.2.2 is now in CVS.
Older versions cannot be dropped yet, because pwlib->ptlib (bug 290062) / openh323->h323plus (bug 290063) migration is not complete.
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-07 00:48:40 UTC 
This is the second security bug in less than 24 hours that you have closed improperly. Stop.
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-07 17:04:33 UTC 
(In reply to comment #5)
> This is the second security bug in less than 24 hours that you have closed
> improperly. Stop.

What you did in bug 430718? Seems your criteria is random.

Also, I don't see interest to punt vulnerable version for packages evaluated as "A" and now, you are reopening this bug for a ~arch package only? :D
Comment 7 Dion Moult (RETIRED) gentoo-dev 2013-12-15 13:49:26 UTC 
(In reply to Chí-Thanh Christopher Nguyễn from comment #4)
> gnugk-3.2.2 is now in CVS.
> Older versions cannot be dropped yet, because pwlib->ptlib (bug 290062) /
> openh323->h323plus (bug 290063) migration is not complete.

The old packges (masked since 11 July 2013) have been treecleaned.

dev-libs/pwlib
net-libs/openh323
<=net-libs/opal-2.2.11
<=net-voip/ekiga-2.0.12
<=net-voip/gnugk-2.2.8
<=net-voip/openmcu-2.2.1
<=net-voip/yate-2.0.0

Perhaps that means this bug can be closed?
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2013-12-30 08:11:18 UTC 
Dion, 

Thank you for cleanup.

No stable version ~ no glsa needed.