Bug 99890 - net-im/centericq: Denial of Service or remote code execution (CAN-2005-1852)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: B1 [glsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-22 03:21 UTC by Stefan Cornelius (RETIRED)
Modified: 2005-07-27 01:08 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
external-libgadu.patch (external-libgadu.patch,397 bytes, patch)
2005-07-22 09:57 UTC, Marcin Kryczek (RETIRED)

Description Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 03:21:34 UTC
Karol Pasternak found two bugs in libgadu.
They can allow an attacker to execute remote code or crash the gg client.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 03:22:26 UTC
net-im already working on ebuilds.
Comment 2 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-22 06:17:51 UTC
centericq-4.20.0-r3 in portage. It forces centericq to use external gadu-gadu
library.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 06:25:59 UTC
Arches, plz test and mark centericq-4.20.0-r3 (and the external lib it needs)
stable. Thanks.
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2005-07-22 08:13:49 UTC
eek! please change the libgadu $DEPEND entry from

>=net-libs/libgadu-20050719

to

gg? ( >=net-libs/libgadu-20050719 )

if the gg USE flag is off, the user doesn't want it
to be built with gadu-gadu support.
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2005-07-22 08:17:46 UTC
applying the patch for using the external libgadu is also
unnecessary when USE="-gg" is used btw...
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 08:26:44 UTC
Back to ebuild status
Comment 7 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 08:27:38 UTC
blah, i seem to fail removing CC'ed arches today :(
Comment 8 Marcin Kryczek (RETIRED) gentoo-dev 2005-07-22 09:55:57 UTC
kopete checking for external libgadu is also broken. look at the code (from 
kopete/protocols/configure.in.in):
    int main()
    {
#if defined __GG_LIBGADU_HAVE_PTHREAD && defined GG_LOGIN60
        int maj, min, date;
        sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date );
        if ( maj != 1 ) {
            return 1;
        }
        if ( ( min == 4 || min == 5 ) && date < 20040520 ) {
            return 1;
        }

        if ( min == 5 ){
            return 0;
        }

#endif
        return 1;
    }

currently gg_libgadu_version() returns only date of release, not minor and major 
version:
    #include <libgadu.h>
    #include <stdio.h>
    #include <string.h>

    int main() {
        int maj, min, date;
        sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date );
        printf("%u   %u   %u", maj, min, date);
    }
after executing this program we've got:
20050719   0   3086475252

so the condition 'if ( maj != 1 )' from configure is always true and thus
kopete'll *never* link against external libgadu
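
An added example, not code from this bug, kopete or libgadu: a version check in C that verifies how many fields `sscanf` actually converted, so a date-only string such as the `20050719` shown above is handled explicitly instead of leaving `min` and `date` unset. The helper name `check_libgadu_version`, the result constants and the policy of judging a date-only string by the same 20040520 cutoff are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define MIN_DATE 20040520u   /* cutoff from the configure check quoted above */

enum { VER_UNPARSEABLE = -1, VER_REJECT = 0, VER_OK = 1 };

/* Hypothetical helper, not part of libgadu or kopete. Takes the string that
 * gg_libgadu_version() would return, so it runs without libgadu installed. */
static int check_libgadu_version(const char *s)
{
    unsigned maj = 0, min = 0, date = 0;
    char extra;
    int n;

    /* Only digits and dots: rules out signs, whitespace and suffixes,
     * which %u would otherwise skip or silently wrap. */
    if (s == NULL || *s == '\0' || strspn(s, "0123456789.") != strlen(s))
        return VER_UNPARSEABLE;

    /* %9u cannot overflow a 32-bit unsigned; %c detects leftover input. */
    n = sscanf(s, "%9u.%9u.%9u%c", &maj, &min, &date, &extra);
    if (n == 3)   /* dotted form: same acceptance rule as the quoted check */
        return (maj == 1 && min == 5 && date >= MIN_DATE) ? VER_OK : VER_REJECT;

    /* Date-only form, e.g. "20050719". Assumption of this example: judge it
     * by the same date cutoff. Exactly one field must convert. */
    if (sscanf(s, "%9u%c", &date, &extra) == 1)
        return date >= MIN_DATE ? VER_OK : VER_REJECT;

    return VER_UNPARSEABLE;   /* e.g. "1.5": never read unset variables */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "20050719", "1.5.20040520", "1.4.20040601", "1.5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], check_libgadu_version(samples[i]));
    return 0;
}
```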
Comment 9 Marcin Kryczek (RETIRED) gentoo-dev 2005-07-22 09:57:18 UTC
Created attachment 64068 [details, diff]
external-libgadu.patch

just a workaround until upstream fixes that
Comment 10 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-23 07:25:47 UTC
net-im, any comments to the patch by Marcin 'aye' Kryczek and the useflag issue?
Are you working on a new ebuild?
Comment 11 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-24 01:37:00 UTC
Fixed optional gg dependency in centericq ebuild. Kopete has its own patch
provided by upstream.
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-24 03:19:34 UTC
Arches, please test and mark 4.20.0-r3 stable.
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-24 10:10:11 UTC
ppc stable
Comment 14 Karol Wojtaszek (RETIRED) gentoo-dev 2005-07-25 05:23:50 UTC
x86 done
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-25 10:31:42 UTC
sparc stable.
note that gadu-gadu support doesn't seem to be working right (at least on sparc,
seems the same on x86 according to sekretarz) so he just removed it for now,
that being the reason i didn't stable libgadu yet.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-26 13:01:35 UTC
ready for glsa
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-07-27 01:08:23 UTC
GLSA 200507-26