Bugzilla – Bug 97408
VUL-0: CVE-2005-1916: kopete/gaim include vulnerable libgadu
Last modified: 2021-11-10 10:57:09 UTC
The issue is public. Are our gaim and kopete compiled to use the vulnerable code?

---------- Forwarded message ----------
Date: Tue, 19 Jul 2005 18:39:06 +0200
From: Grzegorz Jaskiewicz <gj@kde.org.uk>
Reply-To: kopete-devel@kde.org
To: kopete-devel@kde.org
Cc: mueller@kde.org
Subject: [kopete-devel] libgadu security issues
Resent-From: Michal Svec <rebel@atrey.karlin.mff.cuni.cz>

Hi folks

Currently, some smart dude found a few security problems in libgadu. Since we supply libgadu along with kopete, I decided to upgrade all versions of libgadu up to 1.6b3. There are a number of fixed errors and security problems. Please test if you have an older KDE and older versions of kopete. Don't give me "I can't test gadu" BS, get yourself 2 gadu accounts, it's childishly easy stuff, and try some features out. Report any problems to me please. Anyone can contribute this way too. You don't have to write software/docs to support opensource, you can test too....

Matt, we will have to release tarballz with fixes too. (debian)

(draft) Advisory is attached.

-- GJ
Binary system, you're either 1 or 0... dead or alive ;)

PS. can someone finally make kmail notsocrashy, I have to send it via webmail interface, kmail keeps crashing on it. (yes, I'll upgrade to current trunk, and will bug kmail devels with BT).

Content-Description: adv
Subject: Multiple vulnerabilities in libgadu and ekg package

Multiple vulnerabilities have been found in libgadu, a library for handling the Gadu-Gadu instant messaging protocol. It is a part of ekg, a Gadu-Gadu client, but is widely used in other clients. Also some of the user-contributed scripts were found to behave in an insecure manner.

Bugs fixed in ekg-1.6rc3:
- integer overflow in libgadu (CAN-2005-1852) that could be triggered by an incoming message and lead to application crash and/or remote code execution (discovered by Marcin Ślusarz),

Bugs fixed in ekg-1.6rc2:
- insecure file creation in a user-contributed Python script (discovered by Eric Romang of ZATAZ audit, CAN-2005-1916),
- insecure file creation (CAN-2005-1850) and shell command injection (CAN-2005-1851) in other user-contributed scripts (discovered by Marcin Owsiany and Wojtek Kaniewski),
- several signedness errors in libgadu that could be triggered by incoming network data or an application passing invalid user input to the library (discovered by Grzegorz Jaśkiewicz),
- memory alignment errors in libgadu that could be triggered by an incoming message and lead to bus errors on architectures like SPARC (discovered by Szymon Zygmunt and Michał Bartoszkiewicz),
- endianness errors in libgadu that could cause invalid behaviour of applications on big-endian architectures (discovered by Marcin Ślusarz).

Update is *strongly* recommended. The current version of ekg (including fixed libgadu) can be downloaded from: http://dev.null.pl/ekg/ekg-1.6rc3.tar.gz

Note that due to frequent protocol modifications that require API and ABI changes, several Gadu-Gadu clients include libgadu in their source trees and use it as a static library. If you use a Gadu-Gadu client based on libgadu other than ekg, please consult your vendor whether an update is necessary. A non-exhaustive list of projects which are known to use libgadu, and may require additional attention, depending on whether they were built against the libgadu source bundled with the program, is:
- Gaim (includes libgadu source)
- Kadu (includes libgadu source)
- Konnekt (includes libgadu source)
- EKG2 (uses system-provided libgadu)
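The integer overflow class the advisory describes (a recipient count above 0x3fffffff making `count * 4` wrap so the conference buffer is allocated too small), shown as an added example that is not libgadu's code: the unchecked arithmetic beside a bounded version, plus a parser that uses the bounded one. The packet layout, `MAX_RECIPIENTS` and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example, not libgadu's own code. A conference message is modelled
 * here as a 32-bit little-endian recipient count followed by that many
 * 32-bit uins; this layout is a constructed stand-in for the real one. */
#define UIN_SIZE        4u
#define MAX_RECIPIENTS  1024u   /* assumed ceiling; libgadu's real limit is not on the page */

/* Vulnerable arithmetic: count * 4 is evaluated in 32 bits, so any count
 * above 0x3fffffff wraps and the resulting malloc() is far too small. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * UIN_SIZE;            /* wraps silently */
}

/* Hardened: bound the count before doing any size arithmetic.
 * Returns 0 and stores the byte count, or -1 for a malformed count. */
int alloc_size_checked(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_RECIPIENTS)
        return -1;
    *out = (size_t)count * UIN_SIZE;    /* cannot overflow after the check */
    return 0;
}

/* Decode a little-endian 32-bit field independent of host byte order
 * (the advisory also lists endianness bugs on big-endian hosts). */
static uint32_t le32(const uint8_t *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Parse [count][uin]... into a malloc'd array; NULL and *n == 0 on bad input. */
uint32_t *parse_recipients(const uint8_t *pkt, size_t len, uint32_t *n)
{
    size_t need;
    uint32_t count, i, *uins;
    *n = 0;
    if (len < UIN_SIZE) return NULL;
    count = le32(pkt);
    if (alloc_size_checked(count, &need) != 0) return NULL;
    if (len - UIN_SIZE < need) return NULL;   /* declared count exceeds bytes present */
    uins = malloc(need);
    if (uins == NULL) return NULL;
    for (i = 0; i < count; i++)
        uins[i] = le32(pkt + UIN_SIZE + (size_t)i * UIN_SIZE);
    *n = count;
    return uins;
}
```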
both have a copy of that lib afaik ;(
Gaim: Gadu-Gadu is compiled, at least in STABLE. Should I upgrade bundled GG sources or try to search minimal change set?
A minimal patch is always preferred of course. I suppose the libgadu interface is not exported outside of gaim though so If it still works after upgrading the whole thing you may do that as well.
most other distros compile against a system-installed libgadu btw.. perhaps we should plan to do that for STABLE. Kopete prefers a system-installed libgadu if found.
SL9.1-9.3, STABLE, and SLES9* are affected btw.
working on the patches anyway from the KDE side.
Created attachment 42706 [details] minimal patch

Ok, trying to extract a minimal patch is no fun at all, since the advisory doesn't contain a patchset, and their cvs repository almost exclusively uses Polish comments. This is the minimal set of integer vulnerabilities I found to be fixed between 0.6rc1 and 0.6rc3. Of course this is not known to be complete, because according to the gadu author I interviewed they did most of the fixes "a few months ago and he'd have to dig CVS to find all of them again". Doesn't sound promising. Of course this patch is nowhere near actually applying against the variant included in kopete.
hmm, correction. The copy of libgadu was added in KDE 3.2.3, which is not in SL9.1/SLES9. So this bug only affects SL9.2 and SL9.3. Updated kdenetwork3 packages are submitted. Only kdenetwork3-InstantMessenger is affected.
I can understand Polish a little.

/usr/share/cvs/contrib/rcs2log | iconv -f ISO-8859-2 -t UTF-8 <ekg.ChangeLog

The following items should be security issues since May (the 2005-07-12 porridge entry seems to be a cumulative fix):

2005-07-16 wojtekka <wojtekka>
* lib/events.c, lib/libgadu.c, ChangeLog:
- libgadu: fix for two integer overflow bugs -- a message recipient count greater than 0x3fffffff overflows the variables and allocates too little memory when handling conferences (mslusarz/w)

2005-07-12 porridge <porridge>
* ChangeLog: documented yesterday's and today's security fixes to the contrib scripts
* contrib/scripts/ekgbot-pre1.py:
- removed a pointless close() on a duplicated popen()
- os.popen() calls containing unchecked data replaced with our own safe implementation (not using a shell)
- fixed a few typos

2005-07-11 wojtekka <wojtekka>
* contrib/scripts/linki.py: security fixes (http://www.zataz.net/adviso/ekg-06062005.txt)
SM-Tracker-1858
Created attachment 42823 [details] gaim-libgadu-backport.patch

I have tried to identify rejects with gaim code. Here is the result for gaim-1.3.1. It compiles. I have not yet tested it. Note that the above-mentioned comment says that Gadu-Gadu changes its protocol often, so we can discuss with the developers whether backporting has any meaning.
is http://cvs.toxygen.net/ekg/lib/events.c.diff?r1=1.95&r2=1.96&f=u already in your gaim-libgadu patch? there indeed has been one minor protocol change in 0.6rc1->rc3, which seems to be necessary to use ddc.
No. There is no occurrence of "packet_end" nor "malformed" in src/protocols/gg.
If my patch is complete, it seems that GAIM is only affected by:
- several signedness errors in libgadu that could be triggered by incoming network data or an application passing invalid user input to the library (discovered by Grzegorz Jaśkiewicz),
It has no CAN, but probably can have security impact, too.
The above-mentioned patch has been added and backported to: sles8-slec-all, sles9-sld-all, sles9-sld-beta-all, 8.2-all, 9.0-all, 9.1-all, 9.2-all, 9.3-all. stable-all and plus-all are postponed and will wait for a new version. Please note that I have no evidence that the patch is complete or whether it has any security impact.
8.2 fixes are not necessary for new reports (>97000), and the sld9-beta tree is frozen I think.
Patch added to gaim in STABLE and PLUS.
Created attachment 44436 [details] gaim-1.4.0-libgg-mem.patch

This patch fixes different parts of the code than my patch.
gentoo comment: Patch for memory bug in libgadu. Addresses http://bugs.gentoo.org/show_bug.cgi?id=99881

Please review and decide whether we need to update the patch.
gaim is only maintained on i386 and x86_64, the memory alignment issue doesn't exist there. Your previous patch mainly fixed a missing check for zero return code from read().
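The read() return-value check mentioned in the comment above, as an added example that is not gaim's or libgadu's code: the unchecked shape treats a peer close (read() returning 0) as success, so the caller parses a header it never received; the corrected loop reports EOF separately. Function names and the socket handling are assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <unistd.h>

/* Added example, not gaim's or libgadu's code: the missing-zero-check
 * pattern shown beside a corrected receive loop. Socket setup is the
 * caller's job; the tests below feed it a pipe instead. */

/* Unchecked shape: only a negative return counts as an error, so a peer
 * that closes the connection (read() == 0) is reported as success and
 * the caller goes on to parse whatever stale bytes sit in buf. */
int recv_exact_unchecked(int fd, unsigned char *buf, size_t n)
{
    if (read(fd, buf, n) < 0)
        return -1;
    return 0;
}

/* Corrected: loop until n bytes arrive, retry on EINTR, and report EOF
 * (-2) separately from a read error (-1) so a short or closed stream
 * never looks like a complete packet. */
int recv_exact(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0)
            return -2;          /* connection closed before n bytes */
        got += (size_t)r;
    }
    return 0;
}
```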
this does not belong in needinfo state, right?

gaim has been checked in now and is ready for qa. kdenetwork3 is still not checked in ... mls, why?
kdenetwork also released
kdenetwork3-nld-InstantMessenger still needs fixing as this is KDE 3.3 code that contains the vulnerable code. Dirk and I are working on it.
we need a patchinfo file for NLD.. security team anyone?
I've submitted a fix for sles9-sld.
try the reassign one more time.
waiting for checkin
(SUSE QA): I created two accounts in the gadu-gadu network and verified with kopete on sl-9.3 that these accounts are operational. However, I can't get them to work with kdenetwork3-nld-InstantMessenger (neither on nld-i386 nor on nld-x86_64). I always get "incorrect password". This applies both to GA and the current maintenance update (22f4a8af3319e755b6c5d84dec9f6552, patch-10477). Did somebody verify that the gadu-gadu interface on nld works at all?
reassign to mr kopete
I'm asking the Gadu author about protocol changes because I don't have an NLD handy right now.
good luck with that. when I developed the patch, he refused to test it at all, even though he committed it :) you just have to sign up two test accounts and send a message to each other..
Will, QA has an NLD machine for you if you need it.
Any test results yet?
after talking to Will I have approved the updates now. the gadu gadu support in nld9 kopete might not work at all, but it was broken before too, so it is not our issue.
CVE-2005-1916: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)