Debian Bug report logs - #518468
CVE-2008-6393: possible DoS


Package: psi; Maintainer for psi is Jan Niehusmann <jan@debian.org>; Source for psi is src:psi.

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Fri, 6 Mar 2009 11:54:02 UTC

Severity: important

Tags: security

Fixed in versions psi/0.12.1-1, psi/0.11-9

Done: Jan Niehusmann <jan@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>:
Bug#518468; Package psi. (Fri, 06 Mar 2009 11:54:04 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 11:54:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2008-6393: possible DoS
Date: Fri, 06 Mar 2009 22:52:17 +1100
Package: psi
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for psi.

CVE-2008-6393[0]:
| PSI Jabber client before 0.12.1 allows remote attackers to cause a
| denial of service (crash) and possibly execute arbitrary code via a
| file transfer request with a negative value in a SOCKS5 option, which
| bypasses a signed integer check and triggers an integer overflow and a
| heap-based buffer overflow.

The blog post[1] has some more information. At the moment, I guess the
security impact is fairly low and only results in a client DoS. Maybe
you could check this further, just to be sure?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6393
    http://security-tracker.debian.net/tracker/CVE-2008-6393
[1] http://jolmos.blogspot.com/2008/12/psi-remote-integer-overflow.html
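The signed-integer check bypass that the CVE text describes, shown as an added C++ example (not Psi's code and not part of this bug report): the NMETHODS check before and after the upstream fix, side by side, run over a constructed SOCKS5 greeting. The function and struct names are assumptions; the return codes follow Psi's spc_get_version() (-1 reject, 0 need more data, 1 parsed).

```cpp
// Added example, not Psi's code: models the NMETHODS check from
// cutestuff/network/socks.cpp before and after the CVE-2008-6393 fix.
// SOCKS5 greeting (RFC 1928): VER=0x05, NMETHODS (one byte), then
// NMETHODS method bytes. Psi read NMETHODS through a plain char, which
// is signed on x86, so a byte >= 0x80 became a negative int.
#include <string>

struct Greeting { int rc; int num; };  // rc: -1 reject, 0 need more data, 1 parsed

// 'from' stands in for Qt's QByteArray (at() returns char in both).
static Greeting parse_greeting_vulnerable(const std::string &from) {
    if (from.size() < 2)
        return {0, 0};
    if (static_cast<unsigned char>(from.at(0)) != 0x05)
        return {-1, 0};
    // Original: int num = from->at(1);  (signed char -> int, 0xFF -> -1)
    int num = static_cast<signed char>(from.at(1));
    if (num > 16)                                   // -1 > 16 is false: cap bypassed
        return {-1, num};
    if (static_cast<int>(from.size()) < 2 + num)    // 3 < 1 is false: no wait for data
        return {0, num};
    return {1, num};  // accepted with a negative count that later feeds length math
}

static Greeting parse_greeting_fixed(const std::string &from) {
    if (from.size() < 2)
        return {0, 0};
    if (static_cast<unsigned char>(from.at(0)) != 0x05)
        return {-1, 0};
    unsigned char mlen = from.at(1);  // the upstream fix: read the byte unsigned
    int num = mlen;                   // 0..255, never negative
    if (num > 16)
        return {-1, num};             // 0xFF -> 255 -> rejected
    if (static_cast<int>(from.size()) < 2 + num)
        return {0, num};
    return {1, num};
}

// Constructed greeting with NMETHODS = 0xFF, the shape the advisory describes.
static std::string hostile_greeting() { return std::string("\x05\xff\x00", 3); }
// Constructed well-formed greeting offering one method (0x00 = no auth).
static std::string benign_greeting()  { return std::string("\x05\x01\x00", 3); }
// Constructed greeting whose method list has not fully arrived yet.
static std::string partial_greeting() { return std::string("\x05\x02\x00", 3); }
```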




Information forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>:
Bug#518468; Package psi. (Fri, 06 Mar 2009 12:24:02 GMT)

Acknowledgement sent to Jan Niehusmann <jan@gondor.com>:
Extra info received and forwarded to list. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 12:24:02 GMT)

Message #10 received at 518468@bugs.debian.org:

From: Jan Niehusmann <jan@gondor.com>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 518468@bugs.debian.org
Subject: Re: Bug#518468: CVE-2008-6393: possible DoS
Date: Fri, 6 Mar 2009 13:22:34 +0100
On Fri, Mar 06, 2009 at 10:52:17PM +1100, Steffen Joeris wrote:
> Package: psi
> Severity: important
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for psi.
> 
> CVE-2008-6393[0]:
> | PSI Jabber client before 0.12.1 allows remote attackers to cause a
> | denial of service (crash) and possibly execute arbitrary code via a
> | file transfer request with a negative value in a SOCKS5 option, which
> | bypasses a signed integer check and triggers an integer overflow and a
> | heap-based buffer overflow.
> 
> The blogpost[1] has some more information. At the moment, I guess the
> security impact is fairly low and only results in a client DoS. Maybe
> you could check this further, just to be sure?
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

Thanks for the report.

You can work around the published exploit by disabling the file transfer
port (set it to zero). But I'm not sure if that's sufficient: The
vulnerable code could also get triggered on outgoing connections. I
didn't follow all possible code paths to check that.

Jan





Information forwarded to debian-bugs-dist@lists.debian.org, Jan Niehusmann <jan@debian.org>:
Bug#518468; Package psi. (Fri, 06 Mar 2009 13:12:02 GMT)

Acknowledgement sent to Jan Niehusmann <jan@gondor.com>:
Extra info received and forwarded to list. Copy sent to Jan Niehusmann <jan@debian.org>. (Fri, 06 Mar 2009 13:12:02 GMT)

Message #15 received at 518468@bugs.debian.org:

From: Jan Niehusmann <jan@gondor.com>
To: 518468@bugs.debian.org
Subject: Re: Bug#518468: CVE-2008-6393: possible DoS
Date: Fri, 6 Mar 2009 14:10:21 +0100
Here is the fix for this DoS, from upstream git:


Author: Kevin Smith <kismith@aegeus.local>
Date:   Wed Dec 17 17:38:39 2008 +0000

    Justin's fix for DOS vulnerability in file transfer code

diff --git a/cutestuff/network/socks.cpp b/cutestuff/network/socks.cpp
index 31d728d..91e7e19 100644
--- a/cutestuff/network/socks.cpp
+++ b/cutestuff/network/socks.cpp
@@ -261,7 +261,8 @@ static int spc_get_version(QByteArray *from, SPCS_VERSION *s)
 		return -1;
 	if(from->size() < 2)
 		return 0;
-	int num = from->at(1);
+	unsigned char mlen = from->at(1);
+	int num = mlen;
 	if(num > 16) // who the heck has over 16 auth methods??
 		return -1;
 	if(from->size() < 2 + num)
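Review bot: the root cause in this hunk is the implicit char-to-int conversion in the removed line `int num = from->at(1);`; QByteArray::at() returns a char, which is signed on x86, so an NMETHODS byte of 0x80 or above became negative, passed `if(num > 16)` and produced a negative right-hand side in `if(from->size() < 2 + num)`. Reading the byte into `unsigned char mlen` first keeps `num` in 0..255, so an oversized value now hits the cap; if the extra variable is not wanted, `int num = (unsigned char)from->at(1);` does the same in one line. Two follow-ups worth raising: the hunk covers only this one length byte, so any other `int x = from->at(i)` read of a length or count field in socks.cpp deserves the same unsigned read (the maintainer's own remark about outgoing connections points that way), and the `num > 16` cap is a pre-existing policy limit rather than part of the fix, since the protocol allows NMETHODS up to 255.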




Reply sent to Jan Niehusmann <jan@debian.org>:
You have taken responsibility. (Mon, 09 Mar 2009 22:06:25 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Mon, 09 Mar 2009 22:06:26 GMT)

Message #20 received at 518468-close@bugs.debian.org:

From: Jan Niehusmann <jan@debian.org>
To: 518468-close@bugs.debian.org
Subject: Bug#518468: fixed in psi 0.12.1-1
Date: Mon, 09 Mar 2009 21:19:50 +0000
Source: psi
Source-Version: 0.12.1-1

We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:

psi_0.12.1-1.diff.gz
  to pool/main/p/psi/psi_0.12.1-1.diff.gz
psi_0.12.1-1.dsc
  to pool/main/p/psi/psi_0.12.1-1.dsc
psi_0.12.1-1_i386.deb
  to pool/main/p/psi/psi_0.12.1-1_i386.deb
psi_0.12.1.orig.tar.gz
  to pool/main/p/psi/psi_0.12.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 09 Mar 2009 18:31:53 +0100
Source: psi
Binary: psi
Architecture: source i386
Version: 0.12.1-1
Distribution: unstable
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description: 
 psi        - Jabber client using Qt
Closes: 504644 518468
Changes: 
 psi (0.12.1-1) unstable; urgency=high
 .
   * New Upstream Version
     This fixes remote DoS vulnerability CVE-2008-6393 found and reported
     by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
     The original advisory is available at:
     http://www.securityfocus.com/archive/1/499563
     (Closes: Bug#518468)
   * Depend on qt << 4.5.0 as psi needs some patches to work with qt 4.5
   * Psi currently doesn't handle missing ssl plugin gracefully. Therefore,
     depend on libqca2-plugin-ossl instead of only recommending it.
     (Closes: Bug#504644)






Reply sent to Jan Niehusmann <jan@debian.org>:
You have taken responsibility. (Tue, 24 Mar 2009 20:12:19 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Tue, 24 Mar 2009 20:12:19 GMT)

Message #25 received at 518468-close@bugs.debian.org:

From: Jan Niehusmann <jan@debian.org>
To: 518468-close@bugs.debian.org
Subject: Bug#518468: fixed in psi 0.11-9
Date: Tue, 24 Mar 2009 19:53:35 +0000
Source: psi
Source-Version: 0.11-9

We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:

psi_0.11-9.diff.gz
  to pool/main/p/psi/psi_0.11-9.diff.gz
psi_0.11-9.dsc
  to pool/main/p/psi/psi_0.11-9.dsc
psi_0.11-9_amd64.deb
  to pool/main/p/psi/psi_0.11-9_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 09 Mar 2009 15:28:11 +0100
Source: psi
Binary: psi
Architecture: source amd64
Version: 0.11-9
Distribution: stable-security
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description: 
 psi        - Jabber client using Qt
Closes: 518468
Changes: 
 psi (0.11-9) stable-security; urgency=high
 .
   * Fix for CVE-2008-6393, taken from upstream git repository.
     This fixes a remote DoS vulnerability found and reported
     by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
     The original advisory is available at:
     http://www.securityfocus.com/archive/1/499563
     (Closes: Bug#518468)






Reply sent to Jan Niehusmann <jan@debian.org>:
You have taken responsibility. (Sat, 11 Apr 2009 17:21:15 GMT)

Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:21:15 GMT)

Message #30 received at 518468-close@bugs.debian.org:

From: Jan Niehusmann <jan@debian.org>
To: 518468-close@bugs.debian.org
Subject: Bug#518468: fixed in psi 0.11-9
Date: Sat, 11 Apr 2009 16:47:39 +0000
Source: psi
Source-Version: 0.11-9

We believe that the bug you reported is fixed in the latest version of
psi, which is due to be installed in the Debian FTP archive:

psi_0.11-9.diff.gz
  to pool/main/p/psi/psi_0.11-9.diff.gz
psi_0.11-9.dsc
  to pool/main/p/psi/psi_0.11-9.dsc
psi_0.11-9_amd64.deb
  to pool/main/p/psi/psi_0.11-9_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 518468@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Niehusmann <jan@debian.org> (supplier of updated psi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 09 Mar 2009 15:28:11 +0100
Source: psi
Binary: psi
Architecture: source amd64
Version: 0.11-9
Distribution: stable-security
Urgency: high
Maintainer: Jan Niehusmann <jan@debian.org>
Changed-By: Jan Niehusmann <jan@debian.org>
Description: 
 psi        - Jabber client using Qt
Closes: 518468
Changes: 
 psi (0.11-9) stable-security; urgency=high
 .
   * Fix for CVE-2008-6393, taken from upstream git repository.
     This fixes a remote DoS vulnerability found and reported
     by Jesus Olmos Gonzalez (jolmos (at) isecauditors (dot) com).
     The original advisory is available at:
     http://www.securityfocus.com/archive/1/499563
     (Closes: Bug#518468)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:33:58 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 16:19:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.