Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>: Bug#334089; Package centericq.
Acknowledgement sent to Nico Golde <nico@ngolde.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Julien LEMOINE <speedblue@debian.org>.
Package: centericq
Version: 4.21.0-3
Severity: grave
Tags: security
Hi,
Yesterday I discovered the same bug as described on:
https://bugs.gentoo.org/show_bug.cgi?id=100519
All versions of centericq in Debian are vulnerable.
You can find a backtrace, coredump and strace on:
http://nion.modprobe.de/centericq-bug/
Regards Nico
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)
Versions of packages centericq depends on:
ii centericq-common 4.21.0-3 A text-mode multi-protocol instant
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libcurl3 7.14.1-5 Multi-protocol file transfer libra
ii libgcc1 1:4.0.2-2 GCC support library
ii libgnutls12 1.2.6-1 the GNU TLS library - runtime libr
ii libgpg-error0 1.1-4 library for common error values an
ii libgpgme11 1.1.0-1 GPGME - GnuPG Made Easy
ii libidn11 0.5.18-1 GNU libidn library, implementation
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libncurses5 5.4-9 Shared libraries for terminal hand
ii libssl0.9.7 0.9.7g-4 SSL shared libraries
ii libstdc++6 4.0.2-2 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.3-4 compression library - runtime
Versions of packages centericq recommends:
ii dillo [www-browser] 0.8.5-1 GTK-based web browser
ii elinks [www-browser] 0.10.6-1 advanced text-mode WWW browser
ii links2 [www-browser] 2.1pre18-2 Web browser running in both graphi
ii lynx [www-browser] 2.8.5-2 Text-mode WWW Browser
ii mozilla-firefox [www-browser] 1.0.7-1 lightweight web browser based on M
ii sox 12.17.8-1 A universal sound sample translato
ii w3m [www-browser] 0.5.1-4 WWW browsable pager with excellent
-- no debconf information
--
Nico Golde - JAB: nion@jabber.ccc.de | GPG: 0x73647CFF
http://www.ngolde.de | http://www.muttng.org | http://grml.org
$ route add default roma.it
Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>: Bug#334089; Package centericq.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.
tags 334089 patch
thanks
Hello,
I've tracked this bug in centericq down to a failure to deal with short
packets (or packets declaring their own length to be zero). The attached
patch fixes this segfault, by stopping without further processing of the
packet when its length is determined to be zero.
Someone should also check what happens when the parser reads a packet length
value of 1 or 2; there may be other bugs handling those cases as well.
I don't see any obvious way that this bug could be exploited to gain remote
access, but unfortunately there may be a non-obvious way... I've cc:ed the
security team, so they can evaluate whether this warrants a security upload
-- perhaps the DoS alone is enough reason for an update.
Also, I've attached a second patch, unrelated to any known crasher bugs,
that includes some fixes for memory handling which turned up when trying to
valgrind centericq. I don't suspect that it's relevant to a stable security
update, but the maintainer may want to consider including it in his next
upload to unstable.
Thanks,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
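The failure mode Steve describes (a packet that declares its own length to be zero, plus his open question about declared lengths of 1 and 2), as an added example that is not centericq's code: a hypothetical length-prefixed packet layout (two-byte little-endian length, then a one-byte type and a two-byte sequence number, then payload) is parsed first with the unchecked arithmetic that wraps on short declared lengths, then with the checks a hardened parser needs before touching the body. The layout, field names, error codes and sample bytes are all assumptions constructed for this illustration; nothing here reproduces centericq's real ICQ direct-connection format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical packet layout (an assumption for this example, NOT centericq's):
 *   bytes 0-1 : little-endian uint16 "len" = number of bytes that follow the length field
 *   byte  2   : message type
 *   bytes 3-4 : little-endian uint16 sequence number
 *   bytes 5.. : payload, exactly len - 3 bytes
 */
#define HDR_LEN   2u   /* size of the length field itself */
#define BODY_MIN  3u   /* type + sequence number must always be present */

typedef enum {
    PKT_OK = 0,
    PKT_ERR_TRUNCATED,   /* fewer than HDR_LEN bytes received: cannot even read "len" */
    PKT_ERR_LEN_ZERO,    /* declared length 0: the crash case from the bug report */
    PKT_ERR_LEN_SHORT,   /* declared length 1 or 2: too small to hold the fixed body */
    PKT_ERR_LEN_OVERRUN  /* declared length larger than the bytes actually received */
} pkt_status;

typedef struct {
    uint8_t        type;
    uint16_t       seq;
    const uint8_t *payload;
    size_t         payload_len;
} pkt;

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* The pattern that bites: the payload size is derived as len - BODY_MIN with no
 * range check. For len < BODY_MIN the unsigned subtraction wraps to a huge value,
 * so any later copy or loop bounded by it walks far past the receive buffer.
 * This helper only computes the size and dereferences nothing beyond the header. */
size_t naive_payload_len(const uint8_t *buf)
{
    return (size_t)rd16le(buf) - BODY_MIN;
}

/* Hardened parser: every rejection happens before a single body byte is read. */
pkt_status parse_packet(const uint8_t *buf, size_t buflen, pkt *out)
{
    if (buflen < HDR_LEN)
        return PKT_ERR_TRUNCATED;
    uint16_t len = rd16le(buf);
    if (len == 0)
        return PKT_ERR_LEN_ZERO;            /* the early return the patch introduces */
    if (len < BODY_MIN)
        return PKT_ERR_LEN_SHORT;           /* the length-1 / length-2 case to check */
    if ((size_t)len > buflen - HDR_LEN)
        return PKT_ERR_LEN_OVERRUN;         /* peer claims more than it sent */
    out->type        = buf[2];
    out->seq         = rd16le(buf + 3);
    out->payload     = buf + HDR_LEN + BODY_MIN;
    out->payload_len = (size_t)len - BODY_MIN;  /* cannot wrap: len >= BODY_MIN here */
    return PKT_OK;
}

/* Constructed sample packets for the example, not captured traffic. */
static const uint8_t good_pkt[]  = { 0x05, 0x00, 0x2e, 0x01, 0x00, 0xaa, 0xbb }; /* len 5, 2 payload bytes */
static const uint8_t zero_pkt[]  = { 0x00, 0x00, 0x2e, 0x01, 0x00 };             /* len 0 */
static const uint8_t short_pkt[] = { 0x02, 0x00, 0x2e, 0x01 };                   /* len 2 */
static const uint8_t lying_pkt[] = { 0xff, 0xff, 0x2e, 0x01, 0x00 };             /* len 65535, 3 bytes sent */

static const char *status_name(pkt_status s)
{
    static const char *names[] = { "OK", "TRUNCATED", "LEN_ZERO", "LEN_SHORT", "LEN_OVERRUN" };
    return names[s];
}

int main(void)
{
    pkt p;
    printf("good  : %s\n", status_name(parse_packet(good_pkt,  sizeof good_pkt,  &p)));
    printf("zero  : %s (naive size would be %zu)\n",
           status_name(parse_packet(zero_pkt,  sizeof zero_pkt,  &p)), naive_payload_len(zero_pkt));
    printf("short : %s (naive size would be %zu)\n",
           status_name(parse_packet(short_pkt, sizeof short_pkt, &p)), naive_payload_len(short_pkt));
    printf("lying : %s\n", status_name(parse_packet(lying_pkt, sizeof lying_pkt, &p)));
    return 0;
}
```

The zero-length branch returns early exactly as the patch does. The length-1 and length-2 inputs are the case Steve asks someone to check: with an unchecked `len - 3` the size wraps to nearly SIZE_MAX, while the fixed-body minimum rejects them before the subtraction. The overrun check covers the remaining way a remote peer can lie about length, by declaring more bytes than it actually sent.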
Tags added: patch
Request was from Steve Langasek <vorlon@debian.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Julien LEMOINE <speedblue@debian.org>: Bug#334089; Package centericq.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Julien LEMOINE <speedblue@debian.org>.
Hi!
Steve Langasek wrote:
> I've tracked this bug in centericq down to a failure to deal with short
> packets (or packets declaring their own length to be zero). The attached
> patch fixes this segfault, by stopping without further processing of the
> packet when its length is determined to be zero.
Two words: You rock!
> I don't see any obvious way that this bug could be exploited to gain remote
> access, but unfortunately there may be a non-obvious way... I've cc:ed the
> security team, so they can evaluate whether this warrants a security upload
> -- perhaps the DoS alone is enough reason for an update.
Crashing arbitrary user applications has been considered a vulnerability
since it's a remote denial of service in this case. I guess that we should
update.
To Julien: Please let me know the version in sid that will fix this
problem. I'll provide a CVE name asap.
Regards,
Joey
--
GNU GPL: "The source will be with you... always."
Please always Cc to me when replying to me on the lists.
Reply sent to Julien Lemoine <speedblue@debian.org>:
You have taken responsibility.
Notification sent to Nico Golde <nico@ngolde.de>:
Bug acknowledged by developer.
Source: centericq
Source-Version: 4.21.0-4
We believe that the bug you reported is fixed in the latest version of
centericq, which is due to be installed in the Debian FTP archive:
centericq-common_4.21.0-4_i386.deb
to pool/main/c/centericq/centericq-common_4.21.0-4_i386.deb
centericq-fribidi_4.21.0-4_i386.deb
to pool/main/c/centericq/centericq-fribidi_4.21.0-4_i386.deb
centericq-utf8_4.21.0-4_i386.deb
to pool/main/c/centericq/centericq-utf8_4.21.0-4_i386.deb
centericq_4.21.0-4.diff.gz
to pool/main/c/centericq/centericq_4.21.0-4.diff.gz
centericq_4.21.0-4.dsc
to pool/main/c/centericq/centericq_4.21.0-4.dsc
centericq_4.21.0-4_i386.deb
to pool/main/c/centericq/centericq_4.21.0-4_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 334089@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Julien Lemoine <speedblue@debian.org> (supplier of updated centericq package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 20 Nov 2005 12:02:52 +0100
Source: centericq
Binary: centericq-common centericq-utf8 centericq-fribidi centericq
Architecture: source i386
Version: 4.21.0-4
Distribution: unstable
Urgency: high
Maintainer: Julien LEMOINE <speedblue@debian.org>
Changed-By: Julien Lemoine <speedblue@debian.org>
Description:
centericq - A text-mode multi-protocol instant messenger client
centericq-common - A text-mode multi-protocol instant messenger client (data files)
centericq-fribidi - A text-mode multi-protocol instant messenger client (Hebrew)
centericq-utf8 - A text-mode multi-protocol instant messenger client
Closes: 334089
Changes:
centericq (4.21.0-4) unstable; urgency=high
.
* Applied two patches from Steve Langasek <vorlon@debian.org>:
* Fix for ICQ direct client handler, which fails to handle undersized
requests from remote hosts, leading to a segfault (closes: #334089).
* Miscellaneous other memory handling clean-ups
Files:
4da2b95c792765ec2892f7f9390435ca 861 net optional centericq_4.21.0-4.dsc
895d80f87ad599f8b76c3194e62b14b5 116931 net optional centericq_4.21.0-4.diff.gz
2eaf827b41a8faa85b69d1a5e0a716cd 345430 net optional centericq-common_4.21.0-4_i386.deb
89947cd7e8b712ed07a20168412fbee6 1258572 net optional centericq_4.21.0-4_i386.deb
bc7cd1e30bfe125954262f212c032e6e 1258624 net optional centericq-utf8_4.21.0-4_i386.deb
de329e00c31f168dc1df8650f741bd6a 1259144 net optional centericq-fribidi_4.21.0-4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDgGDoc29c8N2YKnURAgI1AJwLTJLe7D5MCqsHzlf8hTav7e7PsACfadzn
G0/FiJ8wrpQ6cWzSveNYCcw=
=rRYq
-----END PGP SIGNATURE-----
Changed Bug submitter from Nico Golde <nico@ngolde.de> to nion@debian.org.
Request was from Nico Golde <nico@ngolde.de>
to control@bugs.debian.org.
(Tue, 27 Mar 2007 23:33:44 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 00:52:12 GMT)