Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 244888 (CVE-2008-4776) - net-libs/libgadu<1.8.2 contact description DOS (CVE-2008-4776)
Summary: net-libs/libgadu<1.8.2 contact description DOS (CVE-2008-4776)
Status: RESOLVED FIXED
Alias: CVE-2008-4776
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 244424
Blocks: 264607 264613
  Show dependency tree
 
Reported: 2008-10-29 14:05 UTC by Stefan Behte (RETIRED)
Modified: 2009-02-12 19:44 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2008-10-29 14:05:21 UTC
CVE-2008-4776 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776):
  libgadu before 1.8.2 allows remote servers to cause a denial of
  service (crash) via a contact description with a large length, which
  triggers a buffer over-read.
Comment 1 stupendoussteve 2008-11-10 20:10:00 UTC
Any word on an updated ebuild? The goal for a B4 fix is 20 days.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-05 22:55:01 UTC
*PING* as timeline for B4 is 40 days
Comment 4 Piotr Szymaniak 2009-02-04 15:22:57 UTC
This bug should be merged with version bump request in bug #244424 maybe?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-02-04 17:27:29 UTC
*libgadu-1.8.2 (04 Feb 2009)

  04 Feb 2009; Robert Buchholz <rbu@gentoo.org>
  -libgadu-1.7.0_pre20050719.ebuild, -libgadu-1.7.0.ebuild,
  -libgadu-1.8.0.ebuild, +libgadu-1.8.2.ebuild:
  Version bump (bug #244424), fixing a buffer overread vulnerability (bug
  #244888)

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-02-07 14:42:09 UTC
Arches, please test and mark stable:
=net-libs/libgadu-1.8.2
Target keywords : "alpha amd64 hppa ia64 ppc sparc x86"
Comment 7 Tobias Klausmann gentoo-dev 2009-02-07 15:17:39 UTC
Stable on alpha.
Comment 8 Jeroen Roovers gentoo-dev 2009-02-07 18:16:11 UTC
Stable for HPPA.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-02-07 20:08:06 UTC
For anyone who missed that, bug 245572 has kadu waiting for your stable markings as well.
Comment 10 Markus Meier gentoo-dev 2009-02-08 14:06:11 UTC
amd64/x86 stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-02-10 17:04:09 UTC
ia64/sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2009-02-11 17:01:15 UTC
ppc stable
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2009-02-12 19:16:41 UTC
vote: NO, as this is a client library.
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-12 19:44:03 UTC
"Successful exploitation would require a man-in-the-middle attack or hacking the Gadu-Gadu servers. No known exploits."

That's why voting no, too. Closing noglsa.