539534 – (CVE-2015-2058) <net-im/jabberd2-2.3.3-r2: Information disclosure

Bug 539534 (CVE-2015-2058) - <net-im/jabberd2-2.3.3-r2: Information disclosure

Summary: <net-im/jabberd2-2.3.3-r2: Information disclosure

Status:	RESOLVED FIXED

Alias:	CVE-2015-2058

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	http://seclists.org/oss-sec/2015/q1/487
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-02-09 22:32 UTC by Kristian Fiskerstrand (RETIRED)
Modified:	2016-11-19 16:52 UTC (History)
CC List:	2 users (show)

See Also:	https://github.com/jabberd2/jabberd2/issues/85 CVE-2015-2059
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2015-02-09 22:32:29 UTC

From ${URL}:
Hello,

A buffer overflow was found in the XMPP server jabberd2 when normalizing
strings that can lead to remote information disclosure [1]. When parsing a
JID, jabberd2 version 2.3.2 and below truncate the data but do not verify
whether the result is valid UTF8 before passing it to libidn. If the data ends
with an unterminated multi-byte UTF8 sequence then libidn may copy data past
the buffer into the result. This can be exploited by remote clients or remote
servers.

Could you please assign a CVE for this issue?

[1] = https://github.com/jabberd2/jabberd2/issues/85

Best regards,
Thijs Alkemade

Comment 1 Julian Ospald 2015-08-16 13:47:26 UTC

bumped https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6745a49a8922fa8847fb9aea39d7da7b987e768c

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2016-06-30 13:40:42 UTC

@arches, please stabilize:

=net-im/jabberd2-2.3.4-r1

Comment 3 Agostino Sarubbo gentoo-dev

2016-07-01 08:29:54 UTC

amd64 stable

Comment 4 Agostino Sarubbo gentoo-dev

2016-07-01 08:31:33 UTC

x86 stable

Comment 5 Agostino Sarubbo gentoo-dev

2016-07-08 07:55:12 UTC

ppc stable

Comment 6 Agostino Sarubbo gentoo-dev

2016-07-08 10:03:54 UTC

sparc stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 7 Aaron Bauman (RETIRED) gentoo-dev

2016-10-14 13:43:45 UTC

@maintainer(s), please clean the vulnerable versions from the tree.

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-19 16:47:30 UTC

The package has no maintainer anymore so I dropped the vulnerable versions by myself: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=574c5385652099a0587e8607c3e46ed8d2965a54


@ Security: Please vote!

Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev

2016-11-19 16:52:10 UTC

GLSA Vote: No