Debian Bug report logs - #488630
linuxdcpp: Two remote DoS

version graph

Package: linuxdcpp; Maintainer for linuxdcpp is Romain Beauxis <toots@rastageeks.org>; Source for linuxdcpp is src:linuxdcpp.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Mon, 30 Jun 2008 07:54:59 UTC

Severity: grave

Tags: patch, security

Found in version linuxdcpp/1.0.1-1

Fixed in version linuxdcpp/1.0.1-2

Done: Romain Beauxis <toots@rastageeks.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Romain Beauxis <toots@rastageeks.org>:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Romain Beauxis <toots@rastageeks.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linuxdcpp: Two remote DoS
Date: Mon, 30 Jun 2008 09:53:15 +0200
Package: linuxdcpp
Version: 1.0.1-1
Severity: grave
Tags: security, patch
Justification: user security hole

Hi

The following email came over one of the security lists:

Hey,

Linux DC++ (linuxdcpp) is a Direct Connect client based on the same 
client code as DC++, so it is vulnerable to the recently reported

[1] NULL pointer dereference remote DoS via partial file list requests
http://secunia.com/advisories/30812/
http://sourceforge.net/project/shownotes.php?release_id=608612&group_id=40287
https://bugs.launchpad.net/dcplusplus/+bug/238333 [Can't view]

Patch for linuxdcpp:
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/ShareManager.cpp.diff?r1=1.14&r2=1.15&sortby=date

[2] Empty message Remote DoS
When an attacker sends an empty message, he can cause the client to 
abort with "std::out_of_range" in substr().

Patch for linuxdcpp:
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/linuxdcpp/linuxdcpp/client/NmdcHub.cpp.diff?r1=1.14&r2=1.15&sortby=date


Robert

The patchsets are not included in the current sid version. CVE ids for both DoS
are pending.
Please also upload with high urgency, so that the package hits testing soon.

Cheers
Steffen




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 488630@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 488630@bugs.debian.org
Subject: Re: Bug#488630: linuxdcpp: Two remote DoS
Date: Mon, 30 Jun 2008 10:53:10 +0200
Le Monday 30 June 2008 09:53:15 Steffen Joeris, vous avez écrit :
> The patchsets are not included in the current sid version. CVE ids for both
> DoS are pending.
> Please also upload with high urgency, so that the package hits testing
> soon.

Thanks for the report.

However, I have an issue with linuxdcpp's licence and SSL link. I have filed a 
bug upstream months ago, tried to contact the main developper to fix it, but 
so far, nothing happened.

Hence, if this licence issue is not fixed very soon, I will have no choice but 
to ask for a removal from the archive, at least until this gets fixed.

Of course, you can expect a quick upload otherwise.

Romain




Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>. Full text and rfc822 format available.

Message #15 received at 488630@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Romain Beauxis <toots@rastageeks.org>
Cc: 488630@bugs.debian.org
Subject: Re: Bug#488630: linuxdcpp: Two remote DoS
Date: Mon, 30 Jun 2008 11:18:18 +0200
[Message part 1 (text/plain, inline)]
Hi Romain

On Mon, 30 Jun 2008 10:53:10 am Romain Beauxis wrote:
> Le Monday 30 June 2008 09:53:15 Steffen Joeris, vous avez écrit :
> > The patchsets are not included in the current sid version. CVE ids for
> > both DoS are pending.
> > Please also upload with high urgency, so that the package hits testing
> > soon.
>
> Thanks for the report.
>
> However, I have an issue with linuxdcpp's licence and SSL link. I have
> filed a bug upstream months ago, tried to contact the main developper to
> fix it, but so far, nothing happened.
>
> Hence, if this licence issue is not fixed very soon, I will have no choice
> but to ask for a removal from the archive, at least until this gets fixed.
>
> Of course, you can expect a quick upload otherwise.
Thanks for the information. However, we are still distributing the package in 
our archives at the moment. It might be a good idea to fix the issue in 
unstable and let it migrate to testing. You can still ask for a removal later 
on, which is fine. But in the meanwhile, the fixes are included and the 
package would be distributed anyway.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 488630@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 488630@bugs.debian.org
Subject: Re: Bug#488630: linuxdcpp: Two remote DoS
Date: Mon, 30 Jun 2008 14:59:13 +0200
Le Monday 30 June 2008 11:18:18 Steffen Joeris, vous avez écrit :
> > Of course, you can expect a quick upload otherwise.
>
> Thanks for the information. However, we are still distributing the package
> in our archives at the moment. It might be a good idea to fix the issue in
> unstable and let it migrate to testing. You can still ask for a removal
> later on, which is fine. But in the meanwhile, the fixes are included and
> the package would be distributed anyway.

If the RC bug is not fixed quickly, the package will automatically be droped 
from testing.

Besides, I don't want to upload again with the SSL issue. First time it was by 
mistake, now that I'm aware of it, I wouldn't like to do it on purpose.


Romain




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #25 received at 488630@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: 488630@bugs.debian.org
Subject: SSL about to be fixed..
Date: Tue, 1 Jul 2008 14:13:27 +0200
	Hi !

Steven Sheehy told me he should make SSL compilation optional very soon.

Hence, I'll upload a package fixing these bugs very soon, and proceed with SSL 
later.


Romain




Reply sent to Romain Beauxis <toots@rastageeks.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 488630-close@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: 488630-close@bugs.debian.org
Subject: Bug#488630: fixed in linuxdcpp 1.0.1-2
Date: Tue, 01 Jul 2008 13:32:09 +0000
Source: linuxdcpp
Source-Version: 1.0.1-2

We believe that the bug you reported is fixed in the latest version of
linuxdcpp, which is due to be installed in the Debian FTP archive:

linuxdcpp0.691_1.0.1-2_all.deb
  to pool/main/l/linuxdcpp/linuxdcpp0.691_1.0.1-2_all.deb
linuxdcpp_1.0.1-2.diff.gz
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2.diff.gz
linuxdcpp_1.0.1-2.dsc
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2.dsc
linuxdcpp_1.0.1-2_amd64.deb
  to pool/main/l/linuxdcpp/linuxdcpp_1.0.1-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 488630@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Beauxis <toots@rastageeks.org> (supplier of updated linuxdcpp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 01 Jul 2008 14:18:16 +0200
Source: linuxdcpp
Binary: linuxdcpp0.691 linuxdcpp
Architecture: source all amd64
Version: 1.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Romain Beauxis <toots@rastageeks.org>
Changed-By: Romain Beauxis <toots@rastageeks.org>
Description: 
 linuxdcpp  - Port of the Windows file-sharing program, DC++
 linuxdcpp0.691 - Port of the Windows file-sharing program DC++
Closes: 488630
Changes: 
 linuxdcpp (1.0.1-2) unstable; urgency=high
 .
   * Fix two remote DoS. Closes: #488630
     Thanks to Steffen Joeris for the accurate report
   * Updated standards to 3.8.0
   * Added watch file
Checksums-Sha1: 
 ba7ccf61638ed6634f4ea465f96a4cba524d9e5e 1425 linuxdcpp_1.0.1-2.dsc
 ba83242de131a606c673b841de2e8354237cedd6 15858 linuxdcpp_1.0.1-2.diff.gz
 313a39eaa78790476e908becdbdf8bdd386f477c 3560 linuxdcpp0.691_1.0.1-2_all.deb
 b069373e0f5dca2549e88f6ba2c55b38607f8890 918804 linuxdcpp_1.0.1-2_amd64.deb
Checksums-Sha256: 
 90921d9e06d75ad5ad0b28b072c7d66f7f73726d75860e9c46e5cddb5225595b 1425 linuxdcpp_1.0.1-2.dsc
 0e215afc7cf301b762386ddafd611dd90dffefde77a2391b25546926075981b9 15858 linuxdcpp_1.0.1-2.diff.gz
 8b5bd00b3029adea42b6c2d9d001c31495fb79492613d1b9162c531c6de19949 3560 linuxdcpp0.691_1.0.1-2_all.deb
 0dbdf118d6de9a433a36880babd83d3bd1907e9e97df8677c1916751b6c447da 918804 linuxdcpp_1.0.1-2_amd64.deb
Files: 
 e0c4e4abc7a08d7b4804e06f3bcdc1a3 1425 net optional linuxdcpp_1.0.1-2.dsc
 24a10a831a82bf766798cb11e6a2b645 15858 net optional linuxdcpp_1.0.1-2.diff.gz
 e65c2fed45ab91df92e5e787a32dddb5 3560 net optional linuxdcpp0.691_1.0.1-2_all.deb
 260e79f842ea5e7076b7d6caf09ebee2 918804 net optional linuxdcpp_1.0.1-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJIajBJAAoJEAC5aaocqV0ZNmYH/2O4yasZY72gAz8hp9gmOco4
TPkRDvjxE+x41VGxx4D7uZxk/E4Q085RCw9tkY56PuN641vxaOk4dwv9W3Su4Z3v
UpwueP70i9DuWnQs/m9ZUpO/RnrNTboGD5dPtQBs+RHng5udhxut03LqLL8WwfIS
s7lM5mf/pSmxXKcK2RMMQV48T6a09GhZQygUKg8jQAzS5Ig3qt4OMyaq9M7RSzE0
hlqRSLfbhZwXvXBFVOYx03UmcJyKJ2P8TXhepn7XMF87oiVAxlToGb9tArJzut/y
0QZIl4qoC8DWXvR/spm4F2qqTa/obayZquF7PYkVkk2WfRloKZNb7b4eRkR8Pt0=
=hnjG
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Romain Beauxis <toots@rastageeks.org>:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Romain Beauxis <toots@rastageeks.org>. Full text and rfc822 format available.

Message #35 received at 488630@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Romain Beauxis <toots@rastageeks.org>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 488630@bugs.debian.org
Subject: Re: Bug#488630: linuxdcpp: Two remote DoS
Date: Wed, 2 Jul 2008 23:13:52 +0200
Romain Beauxis wrote:
> Le Monday 30 June 2008 11:18:18 Steffen Joeris, vous avez écrit :
> > > Of course, you can expect a quick upload otherwise.
> >
> > Thanks for the information. However, we are still distributing the package
> > in our archives at the moment. It might be a good idea to fix the issue in
> > unstable and let it migrate to testing. You can still ask for a removal
> > later on, which is fine. But in the meanwhile, the fixes are included and
> > the package would be distributed anyway.
> 
> If the RC bug is not fixed quickly, the package will automatically be droped 
> from testing.
> 
> Besides, I don't want to upload again with the SSL issue. First time it was by 
> mistake, now that I'm aware of it, I wouldn't like to do it on purpose.

Can you make a separate RC bug about the SSL license issue?

The security issues itself doesn't seem important enough for a DSA. An attacker can't
inject code and a malicious DC peer could annoy a user just as well without
exploiting client bugs.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#488630; Package linuxdcpp. Full text and rfc822 format available.

Acknowledgement sent to Romain Beauxis <toots@rastageeks.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #40 received at 488630@bugs.debian.org (full text, mbox):

From: Romain Beauxis <toots@rastageeks.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 488630@bugs.debian.org
Subject: Re: Bug#488630: linuxdcpp: Two remote DoS
Date: Thu, 3 Jul 2008 01:14:11 +0200
	Hi !

Le Wednesday 02 July 2008 23:13:52 Moritz Muehlenhoff, vous avez écrit :
> > Besides, I don't want to upload again with the SSL issue. First time it
> > was by mistake, now that I'm aware of it, I wouldn't like to do it on
> > purpose.
>
> Can you make a separate RC bug about the SSL license issue?

The SSL issue was less problematic than expected.

In fact, DC++'s original license allows linking against SSL, so linuxdcpp will 
be relicensed within the next few days as promised by Steven Sheehy.

Then I'll update the package immediately.


Romain




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Aug 2008 07:32:28 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:10:41 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.