CenterICQ contains support for LiveJournal (http://www.livejournal.com/), such as posting to your own blog, reading other blogs' RSS feeds, and other community-related functions, such as showing whether a user has added or removed your own users to/from the friend list, all via a unified HTTP interface provided by LiveJournal. The latter functionality is vulnerable to a buffer overflow and possible remote code execution. Reproducible: Didn't try
We are at centericq-4.21.0-r2, are we still vulnerable?
Well, it seems like our source looks like the affected source in the advisory, so I guess we failed to dodge the bullet here and are vulnerable (i havent checked the actual exploitability, but seems reasonable enough)
"Executioner", I see you CCd me on this bug, but I don't know why. Could you explain please? :)
oh, thats what i get for not checking the maintainer! wschlich, pls have a look, thx
I am not the maintainer anymore :) See bug #81422, bug #88640, bug #116962, bug #131426, bug #138154, bug #138740 and net-im/centericq ChangeLog entry from 14 Jul 2006. Sorry.
-dev mailed. Unless someone is willing to take over this package I propose a mask.
seems like centericq is unmaintained upstream...
I masked it (for net-im).
*** Bug 117358 has been marked as a duplicate of this bug. ***
If C2 rating is correct this one needs a mask GLSA.
(In reply to comment #10) > If C2 rating is correct this one needs a mask GLSA. > it seems so. GLSA request filled.
Not sure if the point is moot with this being masked for removal but here's a mailing list posting with links to a patch from Debian for the buffer overflow and an additional bug fix. http://article.gmane.org/gmane.network.centericq/4252
Created attachment 107457 [details, diff] Live journal buffer overflow patch
Created attachment 107458 [details, diff] jabber segmentation fault fix
(In reply to comment #12) > Not sure if the point is moot with this being masked for removal but here's a > mailing list posting with links to a patch from Debian for the buffer overflow > and an additional bug fix. > > http://article.gmane.org/gmane.network.centericq/4252 > but there was no maintainer having answered to the gentoo-dev@ call :( Olivier, want to have a look?
(In reply to Comment #12: You know, we have lots of patches attached to the bugs quoted above, but with completely unresponsive upstream they are basically useless. Noone's willing to become upstream for this thing and waste more time on this.
mask GLSA 200701-20
Is there any other text-based ICQ client ?
there is gaim-text and naim at least
(In reply to comment #16) > Noone's willing to become upstream for this thing Digging around a little I found some people are trying to keep centericq alive. http://thread.gmane.org/gmane.network.centericq/4294 The repository of the fork is online here: http://repo.or.cz/w/centerim.git So maybe its possible to keep center(icq/im) in portage somehow
(In reply to comment #20) > Digging around a little I found some people are trying to keep centericq > alive. > > http://thread.gmane.org/gmane.network.centericq/4294 > > [...] > > So maybe its possible to keep center(icq/im) in portage somehow Dear CenterICQ-users, the future of CenterICQ has begone and is named CenterIM! :) Please look at the Forums under http://forums.gentoo.org/viewtopic-t-548358.html and in the Bugtracker at https://bugs.gentoo.org/show_bug.cgi?id=171682 for further informations. please look at the "new" CenterICQ-fork: CenterIM. The first CenterIM-ebuild (4.22.0) is available
Whats up? Centericq is masked, full of void* to int cast errors (fixed them), still lacks of jabber support for amd64. And now I'm reading about centerim, which isn't in the portage tree. Can someone tell me whats up?
CenterICQ will at some point in the near future be remove from the tree. And there is no gentoo developer who has decided to add centerim to the tree for now. maybe I'll do it at some point
(In reply to comment #23) > CenterICQ will at some point in the near future be remove from the tree. And > there is no gentoo developer who has decided to add centerim to the tree for > now. maybe I'll do it at some point centerim is in the tree, so please remove centericq.
Its now out of the tree. You may want to amend the GLSA to reflect that and also suggest users to use finch (from the pidgin package with the ncurses use flag) or centerim.
Gone from the tree since September. Thanks!