Debian Bug report logs - #504429
kadu: CVE-2008-4776 remote DoS
Reported by: Nico Golde <nion@debian.org>
Date: Mon, 3 Nov 2008 21:18:38 UTC
Severity: grave
Tags: patch, security
Fixed in version kadu/0.6.0.2-3
Done: Patryk Cisek <patryk@prezu.one.pl>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Patryk Cisek <patryk@prezu.one.pl>: Bug#504429; Package kadu. (Mon, 03 Nov 2008 21:18:45 GMT)
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Patryk Cisek <patryk@prezu.one.pl>. (Mon, 03 Nov 2008 21:18:49 GMT)
Message #5 received at submit@bugs.debian.org:
Package: kadu
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kadu.
CVE-2008-4776[0]:
| libgadu before 1.8.2 allows remote servers to cause a denial of
| service (crash) via a contact description with a large length, which
| triggers a buffer over-read.
You seem to embed libgadu and thus suffer from the same
problem. The patch for gadu which applies to the sources is
attached.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
http://security-tracker.debian.net/tracker/CVE-2008-4776
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[kadu.diff (text/x-diff, attachment)]
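The bug class named in the CVE text above (a declared length larger than the data actually received, so the reader walks past the end of the packet), as an added illustration that is not libgadu's code and not the attached kadu.diff; the wire layout, field names and sample packets are constructed for this example:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout, constructed for this example (not libgadu's real
 * format): a 32-bit little-endian length followed by that many bytes of
 * contact description. */
#define DESC_MAX 255

/* Copies the description into out (NUL-terminated) and returns its
 * length, or -1 when the declared length does not fit in the bytes the
 * server actually sent or in the caller's buffer. */
static int parse_contact_description(const uint8_t *pkt, size_t pkt_len,
                                     char *out, size_t out_len)
{
    if (pkt_len < 4)
        return -1;
    uint32_t declared = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                        ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    /* The bounds check that prevents the over-read: trust the bytes on
     * the wire, never the peer's length field. */
    if (declared > pkt_len - 4 || declared >= out_len || declared > DESC_MAX)
        return -1;
    memcpy(out, pkt + 4, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
/* Declares 1000 bytes but carries only 5: without the check above a
 * reader would read 995 bytes past the end of the packet. */
static const uint8_t bad_pkt[]  = { 0xe8, 0x03, 0, 0, 'h', 'e', 'l', 'l', 'o' };

int demo_good(void)
{
    char buf[256];
    int n = parse_contact_description(good_pkt, sizeof good_pkt, buf, sizeof buf);
    return (n == 5 && strcmp(buf, "hello") == 0) ? n : -2;
}

int demo_bad(void)
{
    char buf[256];
    return parse_contact_description(bad_pkt, sizeof bad_pkt, buf, sizeof buf);
}
```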
Reply sent to Patryk Cisek <patryk@prezu.one.pl>: You have taken responsibility. (Wed, 05 Nov 2008 11:27:40 GMT)
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer. (Wed, 05 Nov 2008 11:27:42 GMT)
Message #10 received at 504429-close@bugs.debian.org:
Source: kadu
Source-Version: 0.6.0.2-3
We believe that the bug you reported is fixed in the latest version of
kadu, which is due to be installed in the Debian FTP archive:
kadu-common_0.6.0.2-3_all.deb
to pool/main/k/kadu/kadu-common_0.6.0.2-3_all.deb
kadu-dev_0.6.0.2-3_all.deb
to pool/main/k/kadu/kadu-dev_0.6.0.2-3_all.deb
kadu-external-modules_0.6.0.2-3_amd64.deb
to pool/main/k/kadu/kadu-external-modules_0.6.0.2-3_amd64.deb
kadu-gtk-modules_0.6.0.2-3_amd64.deb
to pool/main/k/kadu/kadu-gtk-modules_0.6.0.2-3_amd64.deb
kadu-kde-modules_0.6.0.2-3_amd64.deb
to pool/main/k/kadu/kadu-kde-modules_0.6.0.2-3_amd64.deb
kadu-themes_0.6.0.2-3_all.deb
to pool/main/k/kadu/kadu-themes_0.6.0.2-3_all.deb
kadu_0.6.0.2-3.diff.gz
to pool/main/k/kadu/kadu_0.6.0.2-3.diff.gz
kadu_0.6.0.2-3.dsc
to pool/main/k/kadu/kadu_0.6.0.2-3.dsc
kadu_0.6.0.2-3_amd64.deb
to pool/main/k/kadu/kadu_0.6.0.2-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 504429@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patryk Cisek <patryk@prezu.one.pl> (supplier of updated kadu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Tue, 04 Nov 2008 15:37:05 +0100
Source: kadu
Binary: kadu kadu-common kadu-dev kadu-external-modules kadu-gtk-modules kadu-kde-modules kadu-themes
Architecture: source all amd64
Version: 0.6.0.2-3
Distribution: unstable
Urgency: high
Maintainer: Patryk Cisek <patryk@prezu.one.pl>
Changed-By: Patryk Cisek <patryk@prezu.one.pl>
Description:
kadu - Gadu-Gadu client for X11
kadu-common - Gadu-Gadu client for X11
kadu-dev - Development files for Kadu
kadu-external-modules - Additional modules for Kadu
kadu-gtk-modules - Additional modules for Kadu
kadu-kde-modules - Modules dependent on kdelibs
kadu-themes - Additional icons and emoticons for Kadu
Closes: 504429 504430
Changes:
kadu (0.6.0.2-3) unstable; urgency=high
.
* Now Kadu is linked against libgadu provided by libgadu3 package, instead
of the one shipped in Kadu's tarball. This fixes CVE-2008-4776
(Closes: #504429, #504430)
Checksums-Sha1:
Checksums-Sha256:
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Dec 2008 07:27:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Thu Jan 11 02:54:12 2018; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.