Debian Bug report logs - #334089
remotely segfaultable, DOS


Package: centericq; Maintainer for centericq is (unknown);

Reported by: nion@debian.org

Date: Sat, 15 Oct 2005 13:18:01 UTC

Severity: grave

Tags: patch, security

Found in version centericq/4.21.0-3

Fixed in version centericq/4.21.0-4

Done: Julien Lemoine <speedblue@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>:
Bug#334089; Package centericq.

Acknowledgement sent to Nico Golde <nico@ngolde.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Nico Golde <nico@ngolde.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: remotely segfaultable, DOS
Date: Sat, 15 Oct 2005 15:14:09 +0200
Package: centericq
Version: 4.21.0-3
Severity: grave
Tags: security
Hi,
Yesterday I discovered the same bug as described on:
https://bugs.gentoo.org/show_bug.cgi?id=100519

All versions of centericq in Debian are vulnerable.
You can find a backtrace, coredump and strace on:
http://nion.modprobe.de/centericq-bug/
Regards Nico


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)

Versions of packages centericq depends on:
ii  centericq-common              4.21.0-3   A text-mode multi-protocol instant
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libcurl3                      7.14.1-5   Multi-protocol file transfer libra
ii  libgcc1                       1:4.0.2-2  GCC support library
ii  libgnutls12                   1.2.6-1    the GNU TLS library - runtime libr
ii  libgpg-error0                 1.1-4      library for common error values an
ii  libgpgme11                    1.1.0-1    GPGME - GnuPG Made Easy
ii  libidn11                      0.5.18-1   GNU libidn library, implementation
ii  libjpeg62                     6b-10      The Independent JPEG Group's JPEG 
ii  libncurses5                   5.4-9      Shared libraries for terminal hand
ii  libssl0.9.7                   0.9.7g-4   SSL shared libraries
ii  libstdc++6                    4.0.2-2    The GNU Standard C++ Library v3
ii  zlib1g                        1:1.2.3-4  compression library - runtime

Versions of packages centericq recommends:
ii  dillo [www-browser]           0.8.5-1    GTK-based web browser
ii  elinks [www-browser]          0.10.6-1   advanced text-mode WWW browser
ii  links2 [www-browser]          2.1pre18-2 Web browser running in both graphi
ii  lynx [www-browser]            2.8.5-2    Text-mode WWW Browser
ii  mozilla-firefox [www-browser] 1.0.7-1    lightweight web browser based on M
ii  sox                           12.17.8-1  A universal sound sample translato
ii  w3m [www-browser]             0.5.1-4    WWW browsable pager with excellent

-- no debconf information

-- 
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org 
$ route add default roma.it
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>:
Bug#334089; Package centericq.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.

Message #10 received at 334089@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: 334089@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: remotely segfaultable, DOS
Date: Sat, 19 Nov 2005 06:32:08 -0800
tags 334089 patch
thanks

Hello,

I've tracked this bug in centericq down to a failure to deal with short
packets (or packets declaring their own length to be zero).  The attached
patch fixes this segfault, by stopping without further processing of the
packet when its length is determined to be zero.

Someone should also check what happens when the parser reads a packet length
value of 1 or 2; there may be other bugs handling those cases as well.

I don't see any obvious way that this bug could be exploited to gain remote
access, but unfortunately there may be a non-obvious way...  I've cc:ed the
security team, so they can evaluate whether this warrants a security upload
-- perhaps the DoS alone is enough reason for an update.

Also, I've attached a second patch, unrelated to any known crasher bugs,
that includes some fixes for memory handling which turned up when trying to
valgrind centericq.  I don't suspect that it's relevant to a stable security
update, but the maintainer may want to consider including it in his next
upload to unstable.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
[centericq-334089.diff (text/plain, attachment)]
[centericq-334089.diff2 (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]
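A defensive reading of the length check Steve describes, as an added example in C that is neither the patch attached to this report nor centericq's own code: it assumes a 16-bit little-endian length prefix and a hypothetical 3-byte minimum body, and it rejects the zero-length packet from the report as well as the 1- and 2-byte lengths Steve asks someone to check, all before any byte of the payload is touched.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical minimum body: a 1-byte command plus a 2-byte sequence number.
 * The real ICQ direct-connection layout is not shown on this page. */
#define DC_MIN_BODY 3
#define DC_MAX_BODY 2048   /* assumed sanity cap on a single packet body */

enum dc_status {
    DC_OK = 0,
    DC_ERR_TRUNCATED_PREFIX, /* fewer than 2 bytes: no length to read */
    DC_ERR_ZERO_LEN,         /* the crasher described in this report */
    DC_ERR_TOO_SHORT,        /* declared length 1 or 2 (below the minimum) */
    DC_ERR_TOO_LONG,         /* declared length above the sanity cap */
    DC_ERR_INCOMPLETE        /* declared length exceeds bytes received so far */
};

/* Validate one length-prefixed packet held in buf[0..avail).
 * On DC_OK, *body points at the payload and *body_len holds its length.
 * Every failure returns before anything dereferences the payload, which is
 * the property the attached patch restores for the length-zero case. */
enum dc_status dc_parse(const uint8_t *buf, size_t avail,
                        const uint8_t **body, size_t *body_len)
{
    if (avail < 2)
        return DC_ERR_TRUNCATED_PREFIX;
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8); /* LE uint16 */
    if (declared == 0)
        return DC_ERR_ZERO_LEN;
    if (declared < DC_MIN_BODY)
        return DC_ERR_TOO_SHORT;
    if (declared > DC_MAX_BODY)
        return DC_ERR_TOO_LONG;
    if (declared > avail - 2)
        return DC_ERR_INCOMPLETE;   /* keep the bytes, wait for the rest */
    *body = buf + 2;
    *body_len = declared;
    return DC_OK;
}

/* Classify a received buffer without exposing the payload; used for checks. */
enum dc_status dc_classify(const uint8_t *buf, size_t avail)
{
    const uint8_t *body = NULL;
    size_t len = 0;
    return dc_parse(buf, avail, &body, &len);
}
```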

Tags added: patch Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>:
Bug#334089; Package centericq.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.

Message #17 received at 334089@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Steve Langasek <vorlon@debian.org>
Cc: 334089@bugs.debian.org, team@security.debian.org
Subject: Re: remotely segfaultable, DOS
Date: Sat, 19 Nov 2005 22:21:24 +0100
Hi!

Steve Langasek wrote:
> I've tracked this bug in centericq down to a failure to deal with short
> packets (or packets declaring their own length to be zero).  The attached
> patch fixes this segfault, by stopping without further processing of the
> packet when its length is determined to be zero.

Two words: You rock!

> I don't see any obvious way that this bug could be exploited to gain remote
> access, but unfortunately there may be a non-obvious way...  I've cc:ed the
> security team, so they can evaluate whether this warrants a security upload
> -- perhaps the DoS alone is enough reason for an update.

Crashing arbitrary user applications has been considered a vulnerability
since it's a remote denial of service in this case.  I guess that we should
update.

To Julien: Please let me know the version in sid that will fix this
problem.  I'll provide a CVE name asap.

Regards,

	Joey

-- 
GNU GPL: "The source will be with you... always."

Please always Cc to me when replying to me on the lists.



Reply sent to Julien Lemoine <speedblue@debian.org>:
You have taken responsibility.

Notification sent to Nico Golde <nico@ngolde.de>:
Bug acknowledged by developer.

Message #22 received at 334089-close@bugs.debian.org:

From: Julien Lemoine <speedblue@debian.org>
To: 334089-close@bugs.debian.org
Subject: Bug#334089: fixed in centericq 4.21.0-4
Date: Sun, 20 Nov 2005 03:47:05 -0800
Source: centericq
Source-Version: 4.21.0-4

We believe that the bug you reported is fixed in the latest version of
centericq, which is due to be installed in the Debian FTP archive:

centericq-common_4.21.0-4_i386.deb
  to pool/main/c/centericq/centericq-common_4.21.0-4_i386.deb
centericq-fribidi_4.21.0-4_i386.deb
  to pool/main/c/centericq/centericq-fribidi_4.21.0-4_i386.deb
centericq-utf8_4.21.0-4_i386.deb
  to pool/main/c/centericq/centericq-utf8_4.21.0-4_i386.deb
centericq_4.21.0-4.diff.gz
  to pool/main/c/centericq/centericq_4.21.0-4.diff.gz
centericq_4.21.0-4.dsc
  to pool/main/c/centericq/centericq_4.21.0-4.dsc
centericq_4.21.0-4_i386.deb
  to pool/main/c/centericq/centericq_4.21.0-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 334089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Lemoine <speedblue@debian.org> (supplier of updated centericq package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 20 Nov 2005 12:02:52 +0100
Source: centericq
Binary: centericq-common centericq-utf8 centericq-fribidi centericq
Architecture: source i386
Version: 4.21.0-4
Distribution: unstable
Urgency: high
Maintainer: Julien LEMOINE <speedblue@debian.org>
Changed-By: Julien Lemoine <speedblue@debian.org>
Description: 
 centericq  - A text-mode multi-protocol instant messenger client
 centericq-common - A text-mode multi-protocol instant messenger client (data files)
 centericq-fribidi - A text-mode multi-protocol instant messenger client (Hebrew)
 centericq-utf8 - A text-mode multi-protocol instant messenger client
Closes: 334089
Changes: 
 centericq (4.21.0-4) unstable; urgency=high
 .
   * Applied two patches from Steve Langasek <vorlon@debian.org>:
     * Fix for ICQ direct client handler, which fails to handle undersized
       requests from remote hosts, leading to a segfault (closes: #334089).
     * Miscellaneous other memory handling clean-ups
Files: 
 4da2b95c792765ec2892f7f9390435ca 861 net optional centericq_4.21.0-4.dsc
 895d80f87ad599f8b76c3194e62b14b5 116931 net optional centericq_4.21.0-4.diff.gz
 2eaf827b41a8faa85b69d1a5e0a716cd 345430 net optional centericq-common_4.21.0-4_i386.deb
 89947cd7e8b712ed07a20168412fbee6 1258572 net optional centericq_4.21.0-4_i386.deb
 bc7cd1e30bfe125954262f212c032e6e 1258624 net optional centericq-utf8_4.21.0-4_i386.deb
 de329e00c31f168dc1df8650f741bd6a 1259144 net optional centericq-fribidi_4.21.0-4_i386.deb





Changed Bug submitter from Nico Golde <nico@ngolde.de> to nion@debian.org. Request was from Nico Golde <nico@ngolde.de> to control@bugs.debian.org. (Tue, 27 Mar 2007 23:33:44 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 00:52:12 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:26:39 2014; Machine Name: beach.debian.org
