Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 212362

Summary: net-im/silc-toolkit <1.1.6 silc_fingerprint() Buffer Overflow (CVE-2008-1227)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: net-irc
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://silcnet.org/docs/changelog/SILC%20Toolkit%201.1.6
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 09:58:32 UTC 
Secunia:

A vulnerability has been reported in SILC (Secure Internet Live Conferencing) Toolkit, which potentially can be exploited by malicious people to compromise an application using the toolkit.

The vulnerability is caused due to a boundary error within the function "silc_fingerprint()" in lib/silcutil/silcutil.c, which can be exploited to cause a stack-based buffer overflow if overly long data is passed to the function.

The vulnerability is reported in versions prior to 1.1.6.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:02:03 UTC 
I'm not sure how an attacker can generate input to that function, maybe you guys from net-irc can help here.

Also, is 1.1.6 good to go stable?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 17:03:51 UTC 
net-irc, please advise.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-03-10 14:23:02 UTC 
Its safe to go to stable, but i have no idea about that thing :)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-10 15:37:55 UTC 
Arches, please test and mark stable:
=net-im/silc-toolkit-1.1.6
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sparc x86"
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-03-10 19:25:26 UTC 
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-03-11 18:13:51 UTC 
alpha/ia64/sparc/x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-11 18:18:52 UTC 
Stable for HPPA.
Comment 8 Santiago M. Mola (RETIRED) gentoo-dev 2008-03-11 21:55:24 UTC 
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-14 08:22:56 UTC 
ppc stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-03-14 17:52:19 UTC 
Fixed in release snapshot.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:19:55 UTC 
request filed
Comment 12 Ryan Hill (RETIRED) gentoo-dev 2008-03-21 18:48:09 UTC 
no mips stable.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-24 16:34:04 UTC 
GLSA 200804-27.