Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 212362 - net-im/silc-toolkit <1.1.6 silc_fingerprint() Buffer Overflow (CVE-2008-1227)
Summary: net-im/silc-toolkit <1.1.6 silc_fingerprint() Buffer Overflow (CVE-2008-1227)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://silcnet.org/docs/changelog/SIL...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-05 09:58 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-06 21:01 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 09:58:32 UTC
Secunia:

A vulnerability has been reported in SILC (Secure Internet Live Conferencing) Toolkit, which potentially can be exploited by malicious people to compromise an application using the toolkit.

The vulnerability is caused due to a boundary error within the function "silc_fingerprint()" in lib/silcutil/silcutil.c, which can be exploited to cause a stack-based buffer overflow if overly long data is passed to the function.

The vulnerability is reported in versions prior to 1.1.6.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:02:03 UTC
I'm not sure how an attacker can generate input to that function, maybe you guys from net-irc can help here.

Also, is 1.1.6 good to go stable? 
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-03-08 17:03:51 UTC
net-irc, please advise.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-03-10 14:23:02 UTC
Its safe to go to stable, but i have no idea about that thing :)
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-10 15:37:55 UTC
Arches, please test and mark stable:
=net-im/silc-toolkit-1.1.6
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sparc x86"
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-03-10 19:25:26 UTC
ppc64 stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-03-11 18:13:51 UTC
alpha/ia64/sparc/x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2008-03-11 18:18:52 UTC
Stable for HPPA.
Comment 8 Santiago M. Mola (RETIRED) gentoo-dev 2008-03-11 21:55:24 UTC
amd64 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-14 08:22:56 UTC
ppc stable
Comment 10 Peter Volkov (RETIRED) gentoo-dev 2008-03-14 17:52:19 UTC
Fixed in release snapshot.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-03-21 02:19:55 UTC
request filed
Comment 12 Ryan Hill (RETIRED) gentoo-dev 2008-03-21 18:48:09 UTC
no mips stable.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2008-04-24 16:34:04 UTC
GLSA 200804-27.