Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 64741

Summary: net-im/jabberd DoS vulnerability in 1.4.3
Product: Gentoo Security Reporter: Justin <justin-gentoo>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: humpback
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: B3 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Justin 2004-09-20 04:46:55 UTC
http://http://www.jabber.org/pipermail/jadmin/2004-September/018046.html

That post to the jadmin list pretty much sums it up. Pasted here:

jabberd up to and including version 1.4.3 and jadc2s up to and including
version 0.9.0 are vulnerable against a DoS attack reported by Jose
Antonio Calvo yesterday on the jabberd mailing list.
(http://jabberstudio.org/pipermail/jabberd/2004-September/002004.html)

An attacker can crash a running jabberd14 server, if it has access to
one of the following types of network sockets:
- Socket accepting client connections
- Socket accepting connections from other servers
- Socket connecting to an other Jabber server
- Socket accepting connections from server components
- Socket connecting to server components
(All connections on which XML is parsed by jabberd14.)

An attacker can crash a running jadc2s component, if it has access to on
of the following types of network sockets:
- Socket accepting client connections
- Socket connecting to the main Jabber server
(All connections on which XML is parsed by jadc2s.)

The attack can be tested by sending the byte sequence 0xEF, 0xBB, 0xBF
to any of the above sockets.

The bug has been fixed in the CVS versions of both projects already some
time ago as the affected code already had been removed from both
projects. Therefore you are not affected if you are running CVS
snapshots that are newer than 2004-05-22 (jabberd14) or 2004-09-07
(jadc2s).

A patch for jabberd 1.4.3 is available at the URI
http://devel.amessage.info/jabberd14/, a patch for jadc2s has not yet
been published but will be available on
http://devel.amessage.info/jadc2s/ shortly.

Related software:
- jabberd2 version 2.0s3 is not affected by this bug.
- Other projects, that incorporate jabberd14 code might be affected by
  this bug as well. This might include the Jabber module of CenterICQ
  (only vulnerable by a Jabber server CenterICQ connects to), but I have
  not tested this yet.

Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 05:41:08 UTC
Gustavo: please apply fix and bump ebuild :)
Comment 2 Gustavo Felisberto (RETIRED) gentoo-dev 2004-09-20 15:26:50 UTC
Fixed.. Thanks for the info
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-20 22:19:37 UTC
Reopening for GLSA decision.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-09-21 04:27:42 UTC
I would say a GLSA is needed. Remote DoS on public Internet service is bad.
Comment 5 Gustavo Felisberto (RETIRED) gentoo-dev 2004-09-21 10:45:32 UTC
Well that is work for the sec team. The bug is fixed and the new package marked stable on the stable arches (altough this bug probably is a bit more obscure because the exploit would not work on my server that is x86 )
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-21 12:47:46 UTC
Gustavo, maybe the new revision should depend on dev-libs/expat, since it does not ship it anymore after the patch according to http://jabberstudio.org/pipermail/jabberd/2004-September/002010.html
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-22 08:37:02 UTC
Back to ebuild status until dependency question gets resolved.
Comment 8 Gustavo Felisberto (RETIRED) gentoo-dev 2004-09-22 10:13:01 UTC
I did not add here but i added the expat dep, i did not notice it because my system already had expat.
Comment 9 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-22 10:23:50 UTC
Should be ready for GLSA now, only minor changes to the ebuild.
Thx, Gustavo.
Comment 10 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-23 03:03:47 UTC
Thx humpback.

GLSA 200409-31