Bug 607764 (CVE-2016-10188, CVE-2016-10189, CVE-2017-5668) - <net-im/bitlbee-3.5.1: Multiple vulnerabilities
Summary: <net-im/bitlbee-3.5.1: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2016-10188, CVE-2016-10189, CVE-2017-5668
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugs.bitlbee.org/ticket/1281
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-31 02:49 UTC by Francis Booth
Modified: 2017-07-09 23:44 UTC

See Also:
Package list:
=net-im/bitlbee-3.5.1
Runtime testing required: No
stable-bot: sanity-check+


Description Francis Booth 2017-01-31 02:49:52 UTC
From URL:

Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.

Impact

This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.


This bug only affects Gentoo systems built with the USE=purple flag.

~ eleix (Security Padawan)

Reproducible: Didn't try
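
The lifetime problem described in the report above, reduced to a self-contained C sketch. This is an added example, not BitlBee or libpurple code; the struct and function names are hypothetical, and upstream's actual fix may differ. A pending request's expiry timer holds a pointer to its account, and the returned count shows how many timers would later fire on freed memory unless the disconnect path cancels them first.

```c
/* Added illustration; not BitlBee/libpurple code. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_TIMERS 8
#define FT_TIMEOUT 120              /* seconds, the expiry the report mentions */
struct account { int id; };
struct timer {                      /* expiry timer for one pending request */
    int active;
    long deadline;
    struct account *owner;          /* borrowed: not tied to the owner's lifetime */
};
static struct timer timers[MAX_TIMERS];

/* Arm the expiry timer for a pending request; returns the slot or -1. */
static int ft_request_add(struct account *acc, long now)
{
    for (int i = 0; i < MAX_TIMERS; i++)
        if (!timers[i].active) {
            timers[i] = (struct timer){ 1, now + FT_TIMEOUT, acc };
            return i;
        }
    return -1;
}

/* Free an account. cancel_pending == 0 leaves its timers armed (the flawed
 * pattern); 1 cancels them first. Returns timers left with a dangling owner. */
static int account_disconnect(struct account *acc, int cancel_pending)
{
    int dangling = 0;
    for (int i = 0; i < MAX_TIMERS; i++)
        if (timers[i].active && timers[i].owner == acc) {
            timers[i].active = !cancel_pending;   /* cancelled, or left armed */
            dangling += !cancel_pending;
        }
    free(acc);                      /* acc must not be dereferenced after this */
    return dangling;
}

/* One account, one pending request, then a disconnect before expiry. */
static int run_scenario(int cancel_pending)
{
    for (int i = 0; i < MAX_TIMERS; i++) timers[i].active = 0;
    struct account *acc = calloc(1, sizeof *acc);
    if (!acc || ft_request_add(acc, 0) < 0) { free(acc); return -1; }
    return account_disconnect(acc, cancel_pending);
}

int main(void)
{
    printf("armed: %d dangling, cancelled: %d dangling\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The sketch never lets a timer fire on the freed account; it only counts the timers that would, so it is safe to run under a sanitizer.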
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-01-31 10:00:22 UTC
Upstream mentions this is theoretical and there is no PoC.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2017-02-01 01:30:23 UTC
Issue 1:

https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2

Use CVE-2016-10188.

 
Issue 2:

https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.


Issue 3:

https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441

Use CVE-2017-5668.

CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Comment 3 Tim Harder gentoo-dev 2017-02-01 22:39:13 UTC
Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-02-02 07:39:40 UTC
@arches, please stabilize.
Comment 5 Agostino Sarubbo gentoo-dev 2017-02-04 15:23:16 UTC
amd64 stable
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-02-08 02:05:36 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-02-12 15:46:36 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-13 02:09:55 UTC
GLSA Vote: No


@ Maintainer(s): Please cleanup and drop <net-im/bitlbee-3.5.1!
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2017-07-09 23:44:41 UTC
tree is clean.