Summary: | net-im/psi <0.12.1 Remote DoS (CVE-2008-6393) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | fmccor, net-im, pva, welp |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/Advisories/33311/ | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 248038 | ||
Bug Blocks: |
Description
Alex Legler (RETIRED)
2008-12-28 17:25:35 UTC
The exploit on http://milw0rm.com/exploits/7555 crashed 0.1.2 here on ~amd64. New ebuild, psi-0.12.1 was added to the tree, which includes fix for this problem. Arch teams, please, stabilize. Security, please, note that there exist exploit for this issue. Sparc stable. It seems to work and because it's a security bug. amd64 stable. Stable for HPPA. ppc64 done x86 stable ppc look done: 25 Feb 2009; Tobias Scherbaum <dertobi123@gentoo.org> psi-0.12.1.ebuild: ppc stable, bug #252830 I requested a CVE for this on oss-sec. Please vote for a GLSA. Sure. it's more-or-less a client DoS but i would hardly agree with that bug because it concerns a server-like service (embedded file transfer service). Still, the impact remains very low. So i vote noglsa. NO as well, closing. CVE-2008-6393 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6393): PSI Jabber client before 0.12.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a file transfer request with a negative value in a SOCKS5 option, which bypasses a signed integer check and triggers an integer overflow and a heap-based buffer overflow. |