
Bug 505558 (CVE-2013-6487)

Summary: <net-libs/libgadu-1.11.4: Integer overflow (CVE-2013-6487)
Product: Gentoo Security
Reporter: Piotr Szymaniak <bugzie>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: net-im, reavertm
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Piotr Szymaniak 2014-03-24 16:20:29 UTC
"Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow."

Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2014-03-25 09:37:15 UTC
Thanks for the report.
Comment 2 Piotr Szymaniak 2014-05-06 20:16:15 UTC
I know this isn't some high-priority, widely used package, but the fix is something like:
mv libgadu-1.11.{2,3}.ebuild
and it's been over a month… ;)
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2014-05-06 21:41:24 UTC
*libgadu-1.11.3 (06 May 2014)

  06 May 2014; Manuel Rüger <mrueg@gentoo.org> +libgadu-1.11.3.ebuild,
  -libgadu-1.11.2.ebuild:
  Version bump. See bug #505558


Ebuild in tree. Package has stable keywords. Stabilization required, before removing vulnerable versions.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-05-09 23:51:13 UTC
Please advise when ready to proceed with stabilization.
Comment 5 Maciej Mrozowski gentoo-dev 2014-08-13 02:35:53 UTC
=net-libs/libgadu-1.11.4 is ready to be stabilized.

libgadu-1.11.4 instead of 1.11.3, because of bug 510714.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-08-17 04:37:02 UTC
Arches, please test and mark stable:

=net-libs/libgadu-1.11.4

Target Keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2014-08-17 09:17:43 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2014-08-19 06:43:23 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-08-19 06:44:10 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-08-19 07:36:35 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-08-19 08:48:51 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-08-21 09:49:41 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-08-24 09:02:58 UTC
alpha stable
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-08-25 04:51:18 UTC
CVE-2013-6487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6487):
  Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg)
  parser in Pidgin before 2.10.8 allows remote attackers to have an
  unspecified impact via a large Content-Length value, which triggers a buffer
  overflow.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2014-08-25 11:53:12 UTC
sparc stable
Comment 16 Nikoli 2014-08-26 08:41:04 UTC
New stable has regression: bug #520946
Comment 17 Agostino Sarubbo gentoo-dev 2014-09-10 13:06:08 UTC
missing arm..
Comment 18 Markus Meier gentoo-dev 2014-09-21 20:08:48 UTC
arm stable, all arches done.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2014-09-22 04:02:49 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 20 Maciej Mrozowski gentoo-dev 2014-09-23 00:56:07 UTC
Affected versions dropped.
Comment 21 Sean Amoss (RETIRED) gentoo-dev Security 2014-09-26 21:05:54 UTC
Thanks, Maciej!
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-08-15 13:00:09 UTC
This issue was resolved and addressed in
 GLSA 201508-02 at https://security.gentoo.org/glsa/201508-02
by GLSA coordinator Yury German (BlueKnight).