From URL: Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.

Impact: This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically). For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.

This bug only affects Gentoo systems built with the USE=purple flag.

~ eleix (Security Padawan)

Reproducible: Didn't try
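As an added illustration of the bug class the report describes (expiry timer holding a pointer to an account that is freed on disconnect), here is a small C model with the defensive pattern of cancelling every pending request for an account before its memory is released. This is not BitlBee's code and not the upstream fix; the type names, the list layout and the cancel-on-disconnect design are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model, not BitlBee's structures: a pending file-transfer
 * request keeps a back-pointer to its account and is expired by a timer.
 * If the account is freed on disconnect without the request being
 * cancelled, the expiry callback later touches freed memory. */

#define FT_TIMEOUT_SECONDS 120   /* value quoted in the report */

typedef struct account {
    char name[32];
} account_t;

typedef struct ft_request {
    account_t *acc;              /* would dangle after disconnect */
    int expires_at;
    struct ft_request *next;
} ft_request_t;

/* Global list of pending requests, as a simple event loop would keep. */
static ft_request_t *pending = NULL;

ft_request_t *ft_request_add(account_t *acc, int now)
{
    ft_request_t *req = calloc(1, sizeof *req);
    req->acc = acc;
    req->expires_at = now + FT_TIMEOUT_SECONDS;
    req->next = pending;
    pending = req;
    return req;
}

/* Defensive step: drop every pending request that points at this account
 * before its memory is released, so no later timer tick can revisit it.
 * Returns the number of requests cancelled. */
int ft_requests_cancel_for(account_t *acc)
{
    int cancelled = 0;
    ft_request_t **pp = &pending;
    while (*pp) {
        ft_request_t *req = *pp;
        if (req->acc == acc) {
            *pp = req->next;
            free(req);
            cancelled++;
        } else {
            pp = &req->next;
        }
    }
    return cancelled;
}

void account_disconnect(account_t *acc)
{
    ft_requests_cancel_for(acc);   /* the step whose absence causes the UAF */
    free(acc);
}

/* Timer tick: expire requests whose deadline has passed. Every entry it
 * sees still has a live account because disconnect removed the others.
 * Returns the number of requests expired. */
int ft_requests_expire(int now)
{
    int expired = 0;
    ft_request_t **pp = &pending;
    while (*pp) {
        ft_request_t *req = *pp;
        if (now >= req->expires_at) {
            printf("expiring transfer for %s\n", req->acc->name);
            *pp = req->next;
            free(req);
            expired++;
        } else {
            pp = &req->next;
        }
    }
    return expired;
}

int pending_count(void)
{
    int n = 0;
    for (ft_request_t *r = pending; r; r = r->next)
        n++;
    return n;
}

/* Constructed scenario: two accounts each queue a request; one disconnects
 * before the 120-second expiry. Returns how many requests the timer tick
 * expired (expected 1: only the surviving account's request remains). */
int run_scenario(void)
{
    account_t *a = calloc(1, sizeof *a);
    account_t *b = calloc(1, sizeof *b);
    strcpy(a->name, "alice@example.org");   /* constructed sample names */
    strcpy(b->name, "bob@example.org");
    ft_request_add(a, 0);
    ft_request_add(b, 10);
    account_disconnect(a);                  /* remote side forced this */
    int expired = ft_requests_expire(200);  /* past both deadlines */
    account_disconnect(b);
    return expired;
}

int main(void)
{
    printf("expired: %d, still pending: %d\n", run_scenario(), pending_count());
    return 0;
}
```

The point of the model is the ordering in `account_disconnect`: whatever owns the timer must unlink the requests that reference the account before the account is freed, otherwise the expiry path dereferences stale memory exactly as the report describes. Running under AddressSanitizer with the cancel call removed is a quick way to see the defect class reported.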
Upstream mentions this is theoretical and there is no PoC.
Issue 1: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2 Use CVE-2016-10188.

Issue 2: https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f Use CVE-2016-10189 for the issue with Jabber file transfers that was fixed by this commit.

Issue 3: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 Use CVE-2017-5668. CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.
@arches, please stabilize.
amd64 stable
ppc stable
x86 stable. Maintainer(s), please cleanup.
GLSA Vote: No @ Maintainer(s): Please cleanup and drop <net-im/bitlbee-3.5.1!
tree is clean.