Pending file transfer requests expire after 120 seconds, which may result in a use-after-free if the corresponding account is disconnected. A malicious remote server could force this disconnection.
This results in denial of service (remote crash of the BitlBee instance) or remote code execution (theoretically).
For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.
This bug only affects Gentoo systems built with the USE=purple flag.
~ eleix (Security Padawan)
Reproducible: Didn't try
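The bug class described in the report (a pending request whose expiry timer outlives the account it points at) is easiest to see next to its fix. The following C program is an added illustration, not BitlBee code: the account, request and timer-queue structures, the 120-second window, the `account_disconnect_unsafe` / `account_disconnect_safe` functions and the `scenario` driver are all constructed here. The unsafe teardown frees the account but leaves its requests queued, exactly the shape of the reported defect; the safe teardown cancels every pending request first. The expiry routine deliberately checks an integer id registry instead of following the dangling pointer, so it reports how many expiries would have touched freed memory without ever dereferencing it.

```c
#include <stdio.h>
#include <stdlib.h>

#define FT_EXPIRY_SECONDS 120   /* expiry window quoted in the report */
#define MAX_ACCOUNTS 8          /* constructed limit for the id registry */

struct account;

/* A pending file-transfer request: owned by an account and also queued on the
 * event loop's timer list so it can be expired later. */
struct ft_request {
    struct account *acc;          /* back-pointer a real expiry callback would use */
    int acc_id;                   /* plain integer copy, safe to inspect after free */
    long expires_at;              /* time at which the expiry timer fires */
    struct ft_request *next_in_acc;
    struct ft_request *next_timer;
};

struct account {
    int id;                       /* assumed to be in [0, MAX_ACCOUNTS) */
    struct ft_request *pending;   /* requests still waiting for an answer */
};

static struct ft_request *timer_queue;    /* stand-in for the event loop's timers */
static int live_accounts[MAX_ACCOUNTS];   /* registry: which ids are still allocated */

static int account_is_live(int id) {
    return id >= 0 && id < MAX_ACCOUNTS && live_accounts[id];
}

struct account *account_new(int id) {
    struct account *acc = calloc(1, sizeof *acc);
    acc->id = id;
    live_accounts[id] = 1;
    return acc;
}

/* Create a request that expires FT_EXPIRY_SECONDS from `now` and queue its timer. */
struct ft_request *ft_request_new(struct account *acc, long now) {
    struct ft_request *r = calloc(1, sizeof *r);
    r->acc = acc;
    r->acc_id = acc->id;
    r->expires_at = now + FT_EXPIRY_SECONDS;
    r->next_in_acc = acc->pending;
    acc->pending = r;
    r->next_timer = timer_queue;
    timer_queue = r;
    return r;
}

/* Unlink one request from the timer queue (no-op if it is not queued). */
static void timer_remove(struct ft_request *r) {
    struct ft_request **pp = &timer_queue;
    while (*pp && *pp != r) pp = &(*pp)->next_timer;
    if (*pp) *pp = r->next_timer;
}

/* Vulnerable teardown, constructed to mirror the reported bug class: the account
 * is freed while its requests stay queued, so each expiry callback would
 * dereference freed memory up to FT_EXPIRY_SECONDS later. */
void account_disconnect_unsafe(struct account *acc) {
    live_accounts[acc->id] = 0;
    free(acc);
}

/* Fixed teardown: cancel and free every pending request, removing it from the
 * timer queue, before the account itself is released. No timer can then
 * outlive its account, whoever triggered the disconnect. */
void account_disconnect_safe(struct account *acc) {
    struct ft_request *r = acc->pending;
    while (r) {
        struct ft_request *next = r->next_in_acc;
        timer_remove(r);
        free(r);
        r = next;
    }
    acc->pending = NULL;
    live_accounts[acc->id] = 0;
    free(acc);
}

/* Event-loop tick: expire every due request. Returns how many expiries belong
 * to an account that is no longer live; a real callback has no such check and
 * would follow r->acc into freed memory. */
int timers_run(long now) {
    int dangling = 0;
    struct ft_request **pp = &timer_queue;
    while (*pp) {
        struct ft_request *r = *pp;
        if (r->expires_at > now) { pp = &r->next_timer; continue; }
        if (!account_is_live(r->acc_id)) dangling++;   /* would be a use-after-free */
        *pp = r->next_timer;
        free(r);
    }
    return dangling;
}

/* Constructed scenario: two requests are pending, the remote side forces a
 * disconnect inside the 120 s window, and the expiry timers fire afterwards. */
int scenario(int use_safe_teardown) {
    timer_queue = NULL;
    struct account *acc = account_new(1);
    ft_request_new(acc, 0);
    ft_request_new(acc, 10);
    if (use_safe_teardown) account_disconnect_safe(acc);
    else account_disconnect_unsafe(acc);
    return timers_run(200);   /* both deadlines (120 and 130) have passed */
}

int main(void) {
    printf("unsafe teardown: %d dangling expiries\n", scenario(0));
    printf("safe teardown:   %d dangling expiries\n", scenario(1));
    return 0;
}
```

The detection-side takeaway is the same one the report gives: the window between disconnect and expiry is bounded (120 s here), so a crash that consistently lands about that long after a server-initiated disconnect is the signature of this class of bug, and the fix is always to tear down timers and pending requests in the same place the owning object is freed.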
Upstream mentions this is theoretical and there is no PoC.
Use CVE-2016-10189 for the issue with Jabber file transfers that was fixed by this commit.
CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.
@arches, please stabilize.
Maintainer(s), please cleanup.
GLSA Vote: No
@ Maintainer(s): Please cleanup and drop <net-im/bitlbee-3.5.1!
Tree is clean.