Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 607764 (CVE-2016-10188, CVE-2016-10189, CVE-2017-5668) - <net-im/bitlbee-3.5.1: Multiple vulnerabilities
Summary: <net-im/bitlbee-3.5.1: Multiple vulnerabilities
Alias: CVE-2016-10188, CVE-2016-10189, CVE-2017-5668
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Reported: 2017-01-31 02:49 UTC by Francis Booth
Modified: 2017-07-09 23:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: No
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Francis Booth 2017-01-31 02:49:52 UTC
From URL:

Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.


This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.

This bug only effects Gentoo systems built with the USE=purple flag.

~ eleix (Security Padawan)

Reproducible: Didn't try
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-01-31 10:00:22 UTC
Upstream mentions this is theoretical and there is no PoC.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-02-01 01:30:23 UTC
Issue 1:

Use CVE-2016-10188.

Issue 2:

Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.

Issue 3:

Use CVE-2017-5668.

CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Comment 3 Tim Harder gentoo-dev 2017-02-01 22:39:13 UTC
Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-02-02 07:39:40 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-04 15:23:16 UTC
amd64 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-02-08 02:05:36 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-12 15:46:36 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:09:55 UTC
GLSA Vote: No

@ Maintainer(s): Please cleanup and drop <net-im/bitlbee-3.5.1!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-07-09 23:44:41 UTC
tree is clean.