Bug 97408 (CVE-2005-1916)

Summary: VUL-0: CVE-2005-1916: kopete/gaim include vulnerable libgadu
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Will Stephenson <wstephenson>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: dmueller, gnome-bugs, kde-maintainers, security-team, wstephenson
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: minimal patch
gaim-libgadu-backport.patch
gaim-1.4.0-libgg-mem.patch

Description Ludwig Nussel 2005-07-20 12:25:21 UTC
The issue is public.

Are our gaim and kopete compiled to use the vulnerable code?

---------- Forwarded message ----------
Date: Tue, 19 Jul 2005 18:39:06 +0200
From: Grzegorz Jaskiewicz <gj@kde.org.uk>
Reply-To: kopete-devel@kde.org
To: kopete-devel@kde.org
Cc: mueller@kde.org
Subject: [kopete-devel] libgadu security issues
Resent-From: Michal Svec <rebel@atrey.karlin.mff.cuni.cz>

Hi folks

Currently, some smart dude found a few security problems in libgadu. Since we
supply libgadu along with kopete, I decided to upgrade all versions of libgadu
up to 1.6b3. There is a number of fixed errors, and security problems.

Please test if you have older kde, and older versions of kopete. Don't give me
"I can't test gadu" BS, get yourself 2 gadu accounts, it's childishly easy stuff,
and try some features out. Report any problems to me please. Anyone can
contribute this way too. You don't have to write software/docs to support
opensource, you can test too....

Matt, we will have to release tarballz with fixes too.

(debian) (draft) Advisory is attached.

--
GJ

Binary system, you're either 1 or 0...
dead or alive ;)

PS. can someone finally make kmail notsocrashy, I have to send it via webmail
interface, kmail keeps crashing on it. (yes, I'll upgrade to current trunk, and
will bug kmail devels with BT).
Content-Description: adv

Subject: Multiple vulnerabilities in libgadu and ekg package

Multiple vulnerabilities have been found in libgadu, a library for
handling the Gadu-Gadu instant messaging protocol. It is a part of ekg, a
Gadu-Gadu client, but is widely used in other clients. Also some of the
user contributed scripts were found to behave in an insecure manner.

Bugs fixed in ekg-1.6rc3:

- integer overflow in libgadu (CAN-2005-1852) that could be triggered by
  an incoming message and lead to application crash and/or remote code
  execution (discovered by Marcin Ślusarz),

Bugs fixed in ekg-1.6rc2:

- insecure file creation in user contributed Python script (discovered
  by Eric Romang of ZATAZ audit, CAN-2005-1916)

- insecure file creation (CAN-2005-1850) and shell command injection
  (CAN-2005-1851) in other user contributed scripts (discovered by
  Marcin Owsiany and Wojtek Kaniewski),

- several signedness errors in libgadu that could be triggered by
  incoming network data or an application passing invalid user input to
  the library (discovered by Grzegorz Jaśkiewicz),

- memory alignment errors in libgadu that could be triggered by an
  incoming message and lead to bus errors on architectures like SPARC
  (discovered by Szymon Zygmunt and Michał Bartoszkiewicz),

- endianness errors in libgadu that could cause invalid behaviour of
  applications on big-endian architectures (discovered by Marcin
  Ślusarz).

Update is *strongly* recommended. The current version of ekg (including 
fixed libgadu) can be downloaded from:

   http://dev.null.pl/ekg/ekg-1.6rc3.tar.gz

Note that due to frequent protocol modifications that require API and 
ABI changes, several Gadu-Gadu clients include libgadu in their source 
trees and use it as a static library. If you use Gadu-Gadu client based 
on libgadu other than ekg, please consult your vendor whether an update 
is necessary.

A non-exhaustive list of projects which are known to use libgadu, and
may require additional attention, depending on whether they were built
against the libgadu source bundled with the program, is:
 - Gaim (includes libgadu source)
 - Kadu (includes libgadu source)
 - Konnekt (includes libgadu source)
 - EKG2 (uses system-provided libgadu)
Comment 1 Stephan Kulow 2005-07-20 12:31:47 UTC
both have a copy of that lib afaik ;( 
Comment 2 Stanislav Brabec 2005-07-20 12:49:46 UTC
Gaim: Gadu-Gadu is compiled, at least in STABLE. Should I upgrade bundled GG
sources or try to search minimal change set?
Comment 3 Ludwig Nussel 2005-07-20 13:20:35 UTC
A minimal patch is always preferred of course. I suppose the libgadu interface
is not exported outside of gaim though, so if it still works after upgrading
the whole thing you may do that as well.
Comment 4 Dirk Mueller 2005-07-20 15:19:09 UTC
most other distros compile against a system-installed libgadu btw.. perhaps we 
should plan to do that for STABLE.  
 
Kopete prefers a system-installed libgadu if found.  
Comment 5 Dirk Mueller 2005-07-20 15:19:47 UTC
SL9.1-9.3, STABLE, and SLES9* is affected btw.  
Comment 6 Dirk Mueller 2005-07-20 22:42:43 UTC
working on the patches anyway from the KDE side.  
Comment 7 Dirk Mueller 2005-07-20 23:11:40 UTC
Created attachment 42706 [details]
minimal patch

Ok, trying to extract a minimal patch is no fun at all, since the advisory
doesn't contain a patchset, and their cvs repository almost exclusively uses
Polish comments.

This is the minimal set of integer vulnerabilities I found to be fixed between
0.6rc1 and 0.6rc3. of course this is not known to be complete, because
according to the gadu author I interviewed they did most of the fixes "a few
months ago and he'd have to dig CVS to find all of them again". Doesn't sound
promising.

of course this patch is nowhere near actually applying against the variant
included in kopete.
Comment 8 Dirk Mueller 2005-07-21 01:12:15 UTC
hmm, correction. The copy of libgadu was added in KDE 3.2.3, which is not in  
SL9.1/SLES9.  
 
So this bug only affects SL9.2 and SL9.3. Updated kdenetwork3 packages are
submitted. Only kdenetwork3-InstantMessenger is affected.
Comment 9 Stanislav Brabec 2005-07-21 11:25:25 UTC
I can understand Polish a little.

/usr/share/cvs/contrib/rcs2log | iconv -f ISO-8859-2 -t UTF-8 <ekg.ChangeLog

The following items should be security issues since May (the 2005-07-12 porridge
entry seems to be a cumulative fix):

2005-07-16  wojtekka  <wojtekka>

        * lib/events.c, lib/libgadu.c, ChangeLog:
        - libgadu: fix for two integer overflow bugs -- a message recipient
          count greater than 0x3fffffff overflows the variables and allocates
          too little memory when handling conferences (mslusarz/w)

2005-07-12  porridge  <porridge>

        * ChangeLog:
        documented yesterday's and today's security fixes to the contrib
        scripts

        * contrib/scripts/ekgbot-pre1.py:
        - removed a pointless close() on a duplicated popen()
        - os.popen() calls containing unchecked data replaced with our own
          safe implementation (which does not use a shell)
        - fixed a few typos

2005-07-11  wojtekka  <wojtekka>

        * contrib/scripts/linki.py:
        Security fixes (http://www.zataz.net/adviso/ekg-06062005.txt)

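The 2005-07-16 ChangeLog entry above, together with CAN-2005-1852 in the advisory, describes the pattern: a recipient count read straight from the packet is multiplied by the element size, the product wraps once the count exceeds 0x3fffffff, and the resulting buffer is too small for the data copied into it. The following is an added example, not code from libgadu, kopete or gaim: a defensive parser for such a list, showing the wrap condition explicitly and the checks that prevent it. It assumes a wire layout of a 4-byte little-endian count followed by 4-byte UINs, a hypothetical recipient cap, and the hypothetical function names used here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on conference members; the real protocol limit is not
 * stated on this page, so this value is an assumption for the example. */
#define MAX_CONFERENCE_RECIPIENTS 1000u

/* Decode a little-endian 32-bit wire field explicitly, so the code behaves
 * the same on big-endian hosts (the advisory also lists endianness errors). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if count * sizeof(uint32_t) wraps in 32-bit unsigned arithmetic, i.e. the
 * condition from the ChangeLog: more than 0x3fffffff recipients. */
int recipients_size_wraps32(uint32_t count)
{
    return count > UINT32_MAX / sizeof(uint32_t);
}

/* Parse a recipient list: 4-byte LE count followed by `count` 4-byte UINs.
 * Returns 0 and fills *out/*out_count on success, -1 if the packet is
 * malformed. The count is validated against the cap and against the bytes
 * actually present before any allocation happens. */
int parse_recipient_list(const uint8_t *payload, size_t len,
                         uint32_t **out, uint32_t *out_count)
{
    if (len < 4)
        return -1;
    uint32_t count = le32(payload);
    if (count == 0 || count > MAX_CONFERENCE_RECIPIENTS)
        return -1;
    /* Dividing the remaining length cannot overflow; multiplying count could. */
    if (count > (len - 4) / sizeof(uint32_t))
        return -1;
    uint32_t *list = calloc(count, sizeof(uint32_t)); /* calloc checks the product too */
    if (!list)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        list[i] = le32(payload + 4 + (size_t)i * sizeof(uint32_t));
    *out = list;
    *out_count = count;
    return 0;
}

/* Constructed sample packets (not captured traffic). Returns 1 when the
 * well-formed packet parses and the oversized count is rejected. */
int parse_recipient_list_selftest(void)
{
    const uint8_t good[] = { 2,0,0,0,  0x39,0x30,0,0,  0x15,0xcd,0x5b,0x07 }; /* 12345, 123456789 */
    const uint8_t bad[]  = { 0,0,0,0x40,  0xff,0xff,0xff,0xff };             /* count 0x40000000 */
    uint32_t *list = NULL, n = 0;
    if (parse_recipient_list(good, sizeof good, &list, &n) != 0)
        return 0;
    if (n != 2 || list[0] != 12345 || list[1] != 123456789) {
        free(list);
        return 0;
    }
    free(list);
    if (parse_recipient_list(bad, sizeof bad, &list, &n) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("wraps(0x3fffffff)=%d wraps(0x40000000)=%d selftest=%d\n",
           recipients_size_wraps32(0x3fffffffu),
           recipients_size_wraps32(0x40000000u),
           parse_recipient_list_selftest());
    return 0;
}
```

The length check is written as a division rather than `count * 4 <= len - 4` so that no intermediate product can wrap, and the cap rejects absurd counts before any memory is requested; `calloc` is used because it also refuses overflowing size products.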
Comment 10 Ludwig Nussel 2005-07-21 13:27:11 UTC
SM-Tracker-1858 
Comment 11 Stanislav Brabec 2005-07-21 15:06:34 UTC
Created attachment 42823 [details]
gaim-libgadu-backport.patch

I have tried to identify rejects with gaim code. Here is the result for
gaim-1.3.1.

It compiles. I have not yet tested it.

Note that the above-mentioned comment says that Gadu-Gadu changes its protocol
often, so we can discuss with developers whether backporting has any meaning.
Comment 12 Dirk Mueller 2005-07-21 15:33:03 UTC
is

http://cvs.toxygen.net/ekg/lib/events.c.diff?r1=1.95&r2=1.96&f=u

already in your gaim-libgadu patch?

there indeed has been one minor protocol change in 0.6rc1->rc3, which seems to
be necessary to use ddc.
Comment 13 Stanislav Brabec 2005-07-21 16:10:45 UTC
No. There is no occurrence of "packet_end" nor "malformed" in src/protocols/gg.
Comment 14 Stanislav Brabec 2005-07-22 14:22:04 UTC
If my patch is complete, it seems that GAIM is only affected by:

- several signedness errors in libgadu that could be triggered by
  incoming network data or an application passing invalid user input to
  the library (discovered by Grzegorz Jaśkiewicz),

It has no CAN, but probably can have security impact, too.
Comment 15 Stanislav Brabec 2005-07-22 15:23:08 UTC
Above mentioned patch added and backported to:

sles8-slec-all, sles9-sld-all, sles9-sld-beta-all, 8.2-all, 9.0-all, 9.1-all,
9.2-all, 9.3-all.

stable-all and plus-all postponed and will wait for new version.

Please note that I have no evidence that the patch is complete or that it has
any security impact.
Comment 16 Marcus Meissner 2005-07-22 15:25:36 UTC
8.2 fixes are not necessary for new reports (>97000), and the sld9-beta tree 
is frozen I think. 
Comment 17 Stanislav Brabec 2005-07-28 11:44:39 UTC
Patch added to gaim in STABLE and PLUS.
Comment 18 Stanislav Brabec 2005-08-02 13:52:33 UTC
Created attachment 44436 [details]
gaim-1.4.0-libgg-mem.patch

This patch fixes different parts of the code than my patch.
Comment 19 Stanislav Brabec 2005-08-02 13:53:47 UTC
gentoo comment:
Patch for memory bug in libgadu.  Addresses
http://bugs.gentoo.org/show_bug.cgi?id=99881

Please review and decide, whether we need to update the patch.
Comment 20 Ludwig Nussel 2005-08-02 14:07:58 UTC
gaim is only maintained on i386 and x86_64, the memory alignment issue doesn't
exist there. Your previous patch mainly fixed a missing check for a zero return
code from read().
Comment 21 Marcus Meissner 2005-08-13 10:10:38 UTC
this does not belong in needinfo state, right? 
 
gaim has been checked in now and is ready for qa 
 
kdenetwork3 is still not checked in ... mls, why? 
Comment 22 Ludwig Nussel 2005-08-22 11:38:08 UTC
kdenetwork also released  
Comment 23 Will Stephenson 2005-08-27 10:33:37 UTC
kdenetwork3-nld-InstantMessenger still needs fixing as this is KDE 3.3 code  
that contains the vulnerable code.  Dirk and I are working on it. 
Comment 24 Dirk Mueller 2005-08-27 10:43:13 UTC
we need a patchinfo file for NLD.. security team anyone? 
Comment 25 Will Stephenson 2005-08-27 13:36:11 UTC
I've submitted a fix for sles9-sld. 
Comment 26 Dirk Mueller 2005-08-27 14:22:17 UTC
try the reassign one more time.  
Comment 27 Marcus Meissner 2005-09-01 16:13:08 UTC
waiting for checkin 
Comment 28 Heiko Rommel 2005-09-09 07:32:48 UTC
(SUSE QA):

I created two accounts in the gadu-gadu network and verified with kopete on
sl-9.3 that these accounts are operational.

However, I can't get them to work with kdenetwork3-nld-InstantMessenger (neither
on nld-i386 nor on nld-x86_64). I always get "incorrect password". This applies
both for GA and the current maintenance update
(22f4a8af3319e755b6c5d84dec9f6552, patch-10477).

Did somebody verify that the gadu-gadu interface on nld does work at all ?
Comment 29 Ludwig Nussel 2005-09-09 07:39:49 UTC
reassign to mr kopete 
Comment 30 Will Stephenson 2005-09-09 07:45:37 UTC
I'm asking the Gadu author about protocol changes because I don't have an NLD 
handy right now. 
Comment 31 Dirk Mueller 2005-09-09 09:17:00 UTC
good luck with that. when I developed the patch, he refused to test it at all, 
even though he committed it :) 
 
you just have to sign up two test accounts and send a message to each other.. 
 
Comment 34 Marcus Meissner 2005-09-12 14:59:06 UTC
Will, QA has an NLD machine for you if you need it. 
Comment 35 Thomas Biege 2005-10-05 10:56:31 UTC
Any test results yet?
Comment 36 Marcus Meissner 2005-10-05 15:41:59 UTC
after talking to Will I have approved the updates now. 
 
the gadu gadu support in nld9 kopete might not work at all, but it was broken
before too, so it is not our issue.
Comment 37 Thomas Biege 2009-10-13 21:34:36 UTC
CVE-2005-1916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)