Bug 219708 (CVE-2008-1996) - net-im/licq < 1.3.6 DoS via large number of connections (CVE-2008-1996)
Status: RESOLVED FIXED
Alias: CVE-2008-1996
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Duplicates: 233654
Reported: 2008-04-29 11:38 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-08-02 10:53 UTC
Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 11:38:37 UTC
CVE-2008-1996 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1996):
  licq before 1.3.6 allows remote attackers to cause a denial of service
  (file-descriptor exhaustion and application crash) via a large number of
  connections.
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-29 11:46:30 UTC
net-im, please provide an updated ebuild
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-06-17 12:03:39 UTC
hmpf...

any news here?
upstream ticket can be found here: http://www.licq.org/ticket/1623
Comment 3 Markus 2008-07-04 13:23:00 UTC
Saving the patch from the ticket to net-im/licq/files/1.3.5-connectionlimit.patch and adding:
epatch "${FILESDIR}/1.3.5-connectionlimit.patch"
to the ebuild of 1.3.5 will work.
Comment 4 Santiago M. Mola (RETIRED) gentoo-dev 2008-07-04 15:19:43 UTC
+*licq-1.3.5-r1 (04 Jul 2008)
+
+  04 Jul 2008; Santiago M. Mola <coldwind@gentoo.org>
+  +files/licq-1.3.5-gcc43.patch, +files/licq-1.3.5-logonfix.patch,
+  +files/licq-1.3.5-prevent-dos.patch, +licq-1.3.5-r1.ebuild:
+  Fix security bug #219708, gcc-4.3 and glibc-4.8 fixes (bugs #218814 and
+  #228373) and ICQ protocol upgrade (bug #230387).
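Review bot: "glibc-4.8" in the description line does not match glibc's 2.x version numbering and reads like a slip carried over from "gcc-4.3" next to it; check the version against bug #228373 and correct it in the entry. The security fix is also identified only as bug #219708, so naming CVE-2008-1996 beside it would let anyone searching the ChangeLog by CVE find the revision that ships files/licq-1.3.5-prevent-dos.patch. Since the same -r1 also carries the compiler fixes and the ICQ protocol upgrade, arch testers are stabilising all four changes together; a line saying which of the added patches addresses the DoS would make that easier to audit.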
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-04 15:26:41 UTC
Arches, please test and mark stable:
=net-im/licq-1.3.5-r1
Target keywords : "alpha amd64 ia64 ppc release sparc x86"
Comment 6 Matthias Geerdsen (RETIRED) gentoo-dev 2008-07-04 15:28:17 UTC
thanks Markus and Santiago
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-07-04 18:39:32 UTC
x86 stable
Comment 8 Markus 2008-07-04 23:54:05 UTC
using 1.3.5 since the beginning of this year... and now 1.3.5-r1 is stable on amd64 ;)
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-07-05 10:28:54 UTC
ppc stable
Comment 10 Markus Meier gentoo-dev 2008-07-05 15:55:16 UTC
amd64 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-07-05 16:48:05 UTC
alpha/ia64/sparc stable
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-06 18:12:58 UTC
time for vote here... AFAICT, it's a client DoS, so voting no.
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2008-07-06 21:28:28 UTC
NO, closing.
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-08-02 10:53:41 UTC
*** Bug 233654 has been marked as a duplicate of this bug. ***