Bug 99816

Summary:	net-im/gnugadu: Denial of Service or remote code execution (CAN-2005-1852)
Product:	Gentoo Security	Reporter:	Stefan Cornelius (RETIRED) <dercorny>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	sekretarz
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.securityfocus.com/archive/1/406026/30/0/threaded
Whiteboard:	B1 [glsa] DerCorny
Package list:		Runtime testing required:	---

Description Stefan Cornelius (RETIRED) gentoo-dev

2005-07-21 10:26:26 UTC

Karol Pasternak found two bugs in libgadu,
They can provide attacker to execute remote code or crash gg client

Reproducible: Always
Steps to Reproduce:
1. aplly patch for libgady from:
http://cvs.toxygen.net/ekg/lib/libgadu.c.diff?r1=1.147&r2=1.148&f=u
http://cvs.toxygen.net/ekg/lib/events.c.diff?r1=1.95&r2=1.96&f=u

Comment 1 Stefan Cornelius (RETIRED) gentoo-dev

2005-07-21 10:28:06 UTC

Probably doesn't need to be secret, but I don't want to be the one who leaked
it. CC'ed sekretarz because he is the maintainer and working on ebuilds.

Comment 2 Karol Wojtaszek (RETIRED) gentoo-dev

2005-07-21 12:11:39 UTC

Bumped to gnugadu-2.2.6-r1. This ebuild forces gnugadu to use external libgadu.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-07-21 21:38:41 UTC

Karol is upstream aware of this and could you test and mark stable on x86?

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-07-21 22:27:52 UTC

Opening. x86/sekretarz please test and mark stable.

Comment 5 Karol Wojtaszek (RETIRED) gentoo-dev

2005-07-22 01:35:00 UTC

Marked stable on x86

Comment 6 Stefan Cornelius (RETIRED) gentoo-dev

2005-07-22 01:39:53 UTC

Thanks for bumping and marking stable, ready for GLSA.

Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-07-27 01:08:18 UTC

GLSA 200507-26