Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0007: gaim: 12 buffer overflows | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Biege <thomas> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0007: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | email by stefan esser, gaim.patch, patchinfo-box.gaim, patchinfo.gaim | | |
Description
Thomas Biege
2004-01-16 18:03:38 UTC
Created attachment 15668
email by stefan esser
There is no patch included but a detailed description of the bugs.
0.76 will include all fixes. Some fixes are already in their CVS.

Hi Mads, please ask Chris (???) about a version upgrade for all affected gaim versions. Thank you.

Yes, if it's that simple, which I doubt. I checked their CVS, and I cannot see the fixes yet, and they still haven't released 0.76 yet. I'm monitoring it though.

First off, I want to say a version upgrade is not a possibility. Second, I've sat down and looked through the items; here's the deal: the last shipped version we have is gaim-0.67, which is fairly old. I could only find 3 of the holes mentioned, but they're present in all versions all the way back to 0.50, which we shipped in 8.0. What I need from you (the security responsible person) now is that you double-check that I'm right, since it's possible I missed a bit. It's, as you said, really well described in the mail from S. Esser, so no big deal. ~mmj/gaim has all the trees, with the patch (gaim-%version-secfix.diff). I also need a PATCHINFO.

Created attachment 15738
gaim.patch
patch from freebsd
Created attachment 15739
patchinfo-box.gaim

Created attachment 15740
patchinfo.gaim
patches look ok

Good, do you have a PATCHINFO file?

I wrote one. Submitted for 8.0 -> 9.0 and patchinfo in /work/src/done/PATCHINFO

Reopened by thomas@suse.de at Tue Jan 27 08:38:43 2004

The patchinfos were in comment #8 and #9. Reopened and reassigned for tracking.

Ah, feel free to change the one I made. The packages were checked in the respective distributions already.

Hi Mads, one patch from Stefan Esser was wrong. So, Harald will reject the current packages and we need new ones. Here is his mail:

Date: Tue, 27 Jan 2004 19:51:58 +0100
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de
Cc: gaim@marko.net, lowhalo@hush.com
Subject: [vendor-sec] Problem with GAIM-Patch

Hi,

I was just contacted by a person that was confused by the Gaim patches. And he was right to be confused: the patch is broken. This will result in gaim crashing on bad yahoo packets.

while (pos + 1 < len) { if (data[pos] == 0xc0 && data[pos + 1] == 0x80) break; + if (x >= sizeof(key)-1) { + x++; + continue; + } key[x++] = data[pos++]; } + if (x >= sizeof(key)-1) { + x = 0; + } key[x] = 0;

This code lacks a pos++; after the x++; before the continue. This will result in a very long loop and then a crash. (I suppose that the comparison is done signed, otherwise it will only loop and loop until x overflows and then start overwriting key from the beginning.)

Basically I do not know why the patch was broken, because the version of 0.75 I have here is okay. Must have been a problem in the diff against the CVS.

Stefan

Are you sure our package is wrong, Thomas? I took what the gaim people have in their CVS.

I looked at the source and the patch seems wrong. It parses the packet and copies a byte from data[pos] to key[x]. When the code skips the loop it increments the x but not the pos index variable, so we get out of sync.

Agreed. But then we should wait for the gaim people to fix it correctly.

No, we can't wait.
Their response to these bugs is not very positive and every other vendor
already released new packages.
We should hurry up to release ours too. The advisory is ready, we just need
the packages.
Just try:
+ if (x >= sizeof(key)-1) {
+ x++;pos++;
+ continue;
+ }
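Review bot: `x++;pos++;` does fix the non-terminating loop, but x has already reached sizeof(key)-1 when this branch runs, so incrementing it further is unnecessary; only `pos++` is needed here. Note also that the later `if (x >= sizeof(key)-1) { x = 0; }` from the original hunk then turns any over-long key into an empty string rather than a truncated one, which callers may not expect; if truncation is the intent, leave x at sizeof(key)-1 instead of resetting it to 0.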
in the patch to avoid adjusting the line-numbers of the old diff file
or making new diff files from the source.
Ok, I did this and submitted for 8.0 -> 9.0. You take care of the patchinfos this time please.

Ok, I think my part is done here. Thomas, what should happen now?

Thanks Mads. Packages approved.

CVE-2004-0005 CVE-2004-0006 CVE-2004-0007

CVE-2004-0007: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
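To make the index bug discussed above concrete, here is an added example (not gaim's code and not part of the thread) of a key-reading loop with the behaviour the corrected patch is meant to have: over-long keys are truncated to the buffer, but pos still advances on every byte, so the loop always terminates. KEY_SIZE, the function names and the packet bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>
#define KEY_SIZE 8   /* assumed buffer size, not gaim's real one */

/* Copy one key field of a Yahoo-style packet (the bytes before the 0xc0 0x80
 * delimiter) into key. Bytes that do not fit are dropped, but pos advances on
 * every iteration: that is the pos++ the broken patch lacked. key is always
 * NUL-terminated. Returns the position after the delimiter, or len if none. */
size_t read_key(const unsigned char *data, size_t len, size_t pos,
                char *key, size_t key_size)
{
    size_t x = 0;
    int found = 0;
    while (pos + 1 < len) {
        if (data[pos] == 0xc0 && data[pos + 1] == 0x80) {
            found = 1;
            pos += 2;               /* consume the delimiter */
            break;
        }
        if (x < key_size - 1)
            key[x++] = (char)data[pos];
        pos++;                      /* advance even when the byte is dropped */
    }
    key[x] = '\0';
    return found ? pos : len;
}

/* Constructed sample packets for the example, not captured traffic. */
static const unsigned char PKT_SHORT[]   = "id\xc0\x80" "42\xc0\x80";
static const unsigned char PKT_LONG[]    = "averyveryverylongkey\xc0\x80" "v\xc0\x80";
static const unsigned char PKT_NODELIM[] = "truncated";
/* Number of key fields; terminates on any input, even without a delimiter. */
size_t count_fields(const unsigned char *data, size_t len)
{
    char key[KEY_SIZE];
    size_t pos = 0, n = 0;
    while (pos < len) {
        pos = read_key(data, len, pos, key, sizeof key);
        n++;
    }
    return n;
}

/* Length of the first key; an over-long key is cut to KEY_SIZE - 1 bytes. */
size_t first_key_len(const unsigned char *data, size_t len)
{
    char key[KEY_SIZE];
    read_key(data, len, 0, key, sizeof key);
    return strlen(key);
}
```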