Bug 607764 (CVE-2016-10188, CVE-2016-10189, CVE-2017-5668)

Summary: <net-im/bitlbee-3.5.1: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Francis Booth <boothf>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: radhermit
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugs.bitlbee.org/ticket/1281
Whiteboard: B3 [noglsa cve]
Package list:
=net-im/bitlbee-3.5.1
Runtime testing required: No

Description Francis Booth 2017-01-31 02:49:52 UTC
From URL:

Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.

Impact

This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.


This bug only affects Gentoo systems built with the USE=purple flag.

~ eleix (Security Padawan)

Reproducible: Didn't try
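
The lifetime problem described above (an expiry timer that outlives the account it points to), shown as an added example that is not BitlBee's code or the upstream patch. It is a constructed model in which every type and function name is hypothetical; it shows one way to rule out the stale pointer by cancelling pending timers before the account is freed.

```c
#include <stdlib.h>

#define TRANSFER_TIMEOUT 120  /* seconds, the expiry stated in the report */
#define MAX_TIMERS 8          /* constructed size for this model */

struct account  { int expired; };          /* hypothetical account state */
struct transfer { struct account *acc; };  /* borrowed pointer to its owner */

/* Stand-in for event-loop one-shot timers; a slot is armed when ft != NULL. */
static struct { int deadline; struct transfer *ft; } timers[MAX_TIMERS];
static void disarm(int i) { free(timers[i].ft); timers[i].ft = NULL; }

/* Queue a pending request and arm its expiry timer. */
struct transfer *transfer_request(struct account *acc, int now) {
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (timers[i].ft) continue;
        struct transfer *ft = malloc(sizeof *ft);
        if (!ft) return NULL;
        ft->acc = acc;
        timers[i].ft = ft;
        timers[i].deadline = now + TRANSFER_TIMEOUT;
        return ft;
    }
    return NULL;  /* timer table full */
}

/* Expiry path: the callback dereferences ft->acc, so acc must still be live. */
int run_timers(int now) {
    int fired = 0;
    for (int i = 0; i < MAX_TIMERS; i++) {
        if (!timers[i].ft || timers[i].deadline > now) continue;
        timers[i].ft->acc->expired++;
        disarm(i);
        fired++;
    }
    return fired;
}

/* Disconnect: cancel every timer still pointing at acc BEFORE freeing it.
 * Without this loop the timers keep a dangling acc (the use after free). */
int account_disconnect(struct account *acc) {
    int cancelled = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].ft && timers[i].ft->acc == acc) { disarm(i); cancelled++; }
    free(acc);
    return cancelled;
}
```

Building a model like this with `-fsanitize=address` and deleting the cancellation loop makes the expiry path report the stale access.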
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-01-31 10:00:22 UTC
Upstream mentions this is theoretical and there is no PoC.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-02-01 01:30:23 UTC
Issue 1:

https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2

Use CVE-2016-10188.

 
Issue 2:

https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.


Issue 3:

https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441

Use CVE-2017-5668.

CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Comment 3 Tim Harder gentoo-dev 2017-02-01 22:39:13 UTC
Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-02-02 07:39:40 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-04 15:23:16 UTC
amd64 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-02-08 02:05:36 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-12 15:46:36 UTC
x86 stable.

Maintainer(s), please clean up.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:09:55 UTC
GLSA Vote: No


@ Maintainer(s): Please clean up and drop <net-im/bitlbee-3.5.1!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-07-09 23:44:41 UTC
tree is clean.