Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 817791 (CVE-2021-41055) - <net-im/gajim-1.3.3: DoS via crafted XMPP message (CVE-2021-41055)
Summary: <net-im/gajim-1.3.3: DoS via crafted XMPP message (CVE-2021-41055)
Status: RESOLVED FIXED
Alias: CVE-2021-41055
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://dev.gajim.org/gajim/gajim/-/i...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 818799 823614
Blocks:
  Show dependency tree
 
Reported: 2021-10-11 14:04 UTC by John Helmert III
Modified: 2022-03-05 17:05 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-11 14:04:20 UTC
CVE-2021-41055 (https://dev.gajim.org/gajim/gajim/-/tags/gajim-1.3.3):

Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a denial of service (crash) via a crafted XMPP Last Message Correction (XEP-0308) message in multi-user chat, where the message ID equals the correction ID.

Please bump.
Comment 1 Larry the Git Cow gentoo-dev 2021-10-19 14:36:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0323090c3c3607e8f6c419f211d05c68f0a1190

commit d0323090c3c3607e8f6c419f211d05c68f0a1190
Author:     Hanno Böck <hanno@gentoo.org>
AuthorDate: 2021-10-19 14:36:20 +0000
Commit:     Hanno Böck <hanno@gentoo.org>
CommitDate: 2021-10-19 14:36:20 +0000

    net-im/gajim: Version bump
    
    Fixes CVE-2021-41055 (DoS via crafted message).
    Fix DISTUTILS_USE_SETUPTOOLS warning.
    Remove historymanager patch, merged upstream.
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=817791
    Closes: https://bugs.gentoo.org/show_bug.cgi?id=809050
    Closes: https://bugs.gentoo.org/show_bug.cgi?id=818799
    Signed-off-by: Hanno Böck <hanno@gentoo.org>
    Package-Manager: Portage-3.0.28, Repoman-3.0.3

 net-im/gajim/Manifest           |  1 +
 net-im/gajim/gajim-1.3.3.ebuild | 93 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-19 14:39:21 UTC
Thanks! Please file a stable request and block this bug when ready
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-11-13 22:07:42 UTC
Please cleanup
Comment 4 Larry the Git Cow gentoo-dev 2022-03-05 11:05:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cf577c73fc89c64cd405687fcd482fba1ddcebc

commit 4cf577c73fc89c64cd405687fcd482fba1ddcebc
Author:     Hanno Böck <hanno@gentoo.org>
AuthorDate: 2022-03-05 11:04:57 +0000
Commit:     Hanno Böck <hanno@gentoo.org>
CommitDate: 2022-03-05 11:04:57 +0000

    net-im/gajim: Cleanup old versions
    
    Bug: https://bugs.gentoo.org/817791
    Signed-off-by: Hanno Böck <hanno@gentoo.org>
    Package-Manager: Portage-3.0.30, Repoman-3.0.3

 net-im/gajim/Manifest                              |  2 -
 .../files/gajim-1.3.2-fix-historymanager.diff      | 44 ----------
 net-im/gajim/gajim-1.3.1_p2.ebuild                 | 88 --------------------
 net-im/gajim/gajim-1.3.2.ebuild                    | 97 ----------------------
 4 files changed, 231 deletions(-)
Comment 5 Hanno Böck gentoo-dev 2022-03-05 11:06:46 UTC
Sorry, took a bit longer as 1.3.3 originally had an issue with the plugin installer (resolved in 1.3.3_p2 which is now also stable).

IMHO we don't necessarily need a GLSA for this one, as it's "just" a crash.
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 17:05:30 UTC
(In reply to Hanno Böck from comment #5)
> Sorry, took a bit longer as 1.3.3 originally had an issue with the plugin
> installer (resolved in 1.3.3_p2 which is now also stable).
> 
> IMHO we don't necessarily need a GLSA for this one, as it's "just" a crash.

Fine by me, thank you!