Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 510714 (CVE-2014-3775) - <net-libs/libgadu-1.11.4: memory corruption (CVE-2014-3775)
Summary: <net-libs/libgadu-1.11.4: memory corruption (CVE-2014-3775)
Alias: CVE-2014-3775
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Depends on:
Reported: 2014-05-19 07:38 UTC by Agostino Sarubbo
Modified: 2015-08-15 13:00 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-19 07:38:23 UTC
From ${URL} :

A crafted message from the file relay server may cause memory to
beoverwritten. The memory is not overwritten with data sent directly by the
server, but security implications cannot be ruled out.

The bug is public:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Maciej Mrozowski gentoo-dev 2014-08-13 02:34:18 UTC
libgadu-1.11.4 and 1.12.0 are in tree.

=net-libs/libgadu-1.11.4 should be stabilized also because of bug 505558.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2014-08-17 04:40:47 UTC
Being stabilized as part of bug #505558
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2014-08-17 04:43:09 UTC
CVE-2014-3775 (
  libgadu before 1.11.4 and 1.12.0 before 1.12.0-rc3, as used in Pidgin and
  other products, allows remote Gadu-Gadu file relay servers to cause a denial
  of service (memory overwrite) or possibly execute arbitrary code via a
  crafted message.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-09-22 04:03:14 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

Added to existing GLSA Request
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2015-08-15 13:00:17 UTC
This issue was resolved and addressed in
 GLSA 201508-02 at
by GLSA coordinator Yury German (BlueKnight).