607764 – (CVE-2016-10188, CVE-2016-10189, CVE-2017-5668) <net-im/bitlbee-3.5.1: Multiple vulnerabilities

Bug 607764 (CVE-2016-10188, CVE-2016-10189, CVE-2017-5668) - <net-im/bitlbee-3.5.1: Multiple vulnerabilities

Summary: <net-im/bitlbee-3.5.1: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2016-10188, CVE-2016-10189, CVE-2017-5668

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugs.bitlbee.org/ticket/1281
Whiteboard:	B3 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2017-01-31 02:49 UTC by Francis Booth
Modified:	2017-07-09 23:44 UTC (History)
CC List:	1 user (show)

See Also:
Package list:	=net-im/bitlbee-3.5.1
Runtime testing required:	No

Flags:	stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Francis Booth 2017-01-31 02:49:52 UTC

From URL:

Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection.

Impact

This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect.


This bug only effects Gentoo systems built with the USE=purple flag.

~ eleix (Security Padawan)

Reproducible: Didn't try

Comment 1 Aaron Bauman (RETIRED) gentoo-dev

2017-01-31 10:00:22 UTC

Upstream mentions this is theoretical and there is no PoC.

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2017-02-01 01:30:23 UTC

Issue 1:

https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2

Use CVE-2016-10188.

 
Issue 2:

https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.


Issue 3:

https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441

Use CVE-2017-5668.

CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.

Comment 3 Tim Harder gentoo-dev

2017-02-01 22:39:13 UTC

Fixes in 3.5.1 now in the tree. Feel free to start the stabilization process if wanted.

Comment 4 Aaron Bauman (RETIRED) gentoo-dev

2017-02-02 07:39:40 UTC

@arches, please stabilize.

Comment 5 Agostino Sarubbo gentoo-dev

2017-02-04 15:23:16 UTC

amd64 stable

Comment 6 Michael Weber (RETIRED) gentoo-dev

2017-02-08 02:05:36 UTC

ppc stable

Comment 7 Agostino Sarubbo gentoo-dev

2017-02-12 15:46:36 UTC

x86 stable.

Maintainer(s), please cleanup.

Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev

2017-02-13 02:09:55 UTC

GLSA Vote: No


@ Maintainer(s): Please cleanup and drop <net-im/bitlbee-3.5.1!

Comment 9 Aaron Bauman (RETIRED) gentoo-dev

2017-07-09 23:44:41 UTC

tree is clean.