| Summary: | net-im/centericq: 4.20.0-r3 remote crash (CVE-2005-3694) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Wernfried Haas (RETIRED) <amne> | ||||
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | minor | CC: | wschlich | ||||
| Priority: | High | ||||||
| Version: | unspecified | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=334089 | ||||||
| Whiteboard: | B3 [glsa] jaervosz | ||||||
| Package list: | Runtime testing required: | --- | |||||
| Bug Depends on: | 114038 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Wernfried Haas (RETIRED)
2005-07-27 14:42:32 UTC
DerCorny just found out the option "Enable peer-to-peer communications" needs to be set to yes for the listening port to appear. It seems to be set to no by default. We've been able to verify the Segfault on his box. Created attachment 64566 [details]
centericq PoC "exploit"
well yeah, check my dirty attachment. sends nothing but 0x01 to centericq and crashes it. i had not enough time to find out where exactly it crashes, but i guess during Client::ParseCh2 in Client.cpp of the icq2000-lib, but i'm not sure. This has been around for a month now, any activity on this? If not, what about just reporting it upstream so they can fix it? Auditors you want to check on this or should we CC upstream? Rob confirms this, moving into vulnerabilities. Someone volunteers to push it upstream ? Mail sent to upstream. No news, Wolfram, could you check with your upstream friends what they are up to ? the only reaction from thekonst so far: "I am on business trip in California now" "actually, I don't even know what crash it is about" I know it's not our job, but can someone here produce a patch that we can send him? I fear otherwise nothing will happen soon... :-( Tigger/Taviso/Vapier/Solar will you patch or recommend a mask? centericq probably misses several sanity checks on that connection, so it's more a rewrite than a patch. If upstream fails to see the need, we should probably mask it (but that implies going public). If it's just a crash I don't think it's worth masking... Maybe documenting the option as unsafe ? Auditors: any chance this can be used to execute code ? If nobody complains, I'll open this tomorrow Thursday at 1400 UTC, since it's not a big deal anyway. Opening. wolfram/wernfried could you put a warning somewhere in the documentation? Changing component until someone shows that RCE is possible. Feel free to change it back if you disagree. wschlich please provide an updated ebuild with the Debian patch. Let's put it back in "Vulnerabilities" scope Sorry for the delay, I'm working on it... Committed =net-im/centericq-4.21.0-r1 archmasked, so the arches can check and mark it stable. Arches are: amd64 hppa ppc ppc64 sparc x86 Thanks Wolfram. Arches please test and mark stable... gnah, if i knew that there is an open security bug where 4.21.1 is affected too i wouldn't have marked it stable yesterday. -r1 stable on amd64 sparc stable. x86 stable. Marked ppc stable. Ready for GLSA vote, I tend to vote yes. A weak YES from me. Full yes and glsa-ed Hm. Maybe we should wait for bug 113683 to be resolved ? Both are ready now. GLSA 200512-11 |