Bug 1022497 - (CVE-2016-10188) VUL-0: CVE-2016-10188: bitlbee: bitlbee-libpurple: Use after free when expiring file transfer requests
VUL-0: CVE-2016-10188: bitlbee: bitlbee-libpurple: Use after free when expiri...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other openSUSE 42.2
: P3 - Medium : Normal
: ---
Assigned To: Martin Caj
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-01-30 08:24 UTC by Andreas Stieger
Modified: 2017-02-28 09:17 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2017-01-30 08:24:17 UTC
EMBARGOED via distros
CRD: 2017-01-30 18:00 UTC

> I'm planning to release BitlBee 3.5.1 tomorrow 2017-01-30 at 18:00
> GMT, fixing the following issues:
> [...]

bitlbee-libpurple: Use after free when expiring file transfer requests.

> [...]
> The first two are public (fixed in 3.5, released 2017-01-08) but were
> not considered security issues before.


# bitlbee-libpurple: Use after free when expiring file transfer requests

## Description

Pending file transfer requests expire after 120 seconds, which may
result in use after free if the corresponding account is disconnected.
A malicious remote server could force this disconnection.

## Impact

This results in denial of service (remote crash of the BitlBee
instance), or remote code execution (theoretically).

For BitlBee servers configured in ForkDaemon mode (default) or inetd
mode, the crash is limited to one user connection, who may just

* Access Vector: Network
* Access Complexity: High
* Authentication: None
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: Partial
* Exploitability: Functional Exploit Exists
* Remediation Level: Official Fix
* Report Confidence: Confirmed
* Target Distribution: Medium
* CVSS v2 score: 1.6

## Affected versions

bitlbee-libpurple 3.4.2 or older

## Unaffected versions

bitlbee (non-libpurple builds), any version

bitlbee-libpurple 3.5

## Resolution

* Upgrade to 3.5 (released 2017-01-08)

* For 3.4.2 see the attached
0001-purple-fix-file-transfer-memory-management-3.4.2.patch [not
included in this email]

* For 3.4.1 and 3.4 see the attached
0001-purple-fix-file-transfer-memory-management-3.4-3.4.1.patch [not
included in this email]

* For earlier versions upgrading is strongly recommended because of
the amount of accumulated bugfixes, but the following line may be
removed from `protocols/purple/purple.c` to prevent any processing of
incoming file transfers:


## Discussion

This affects any libpurple protocol when used through BitlBee. It does
not affect other libpurple-based clients such as pidgin.

This is a very visible issue - all file transfer request attempts and
all disconnections will be logged in the control channel and visible
by the targeted user. File transfer requests look like this:

    <@root> [account] - File transfer request from [username] for
[filename] (0 kb).
    <@root> Accept the file transfer if you'd like the file. If you
don't, issue the 'transfer reject' command.

Cancelling the file transfer request using the "transfer reject"
command before the disconnection happens can prevent this. However,
using that command after the account is disconnected will result in an
immediate crash.

## References

Original bugfix commit:

Comment 1 Andreas Stieger 2017-01-30 08:28:36 UTC
This package is in openSUSE only. Please do not work on this in public OBS until the upstream release and announcement is out.
Comment 2 Andreas Stieger 2017-01-30 18:54:16 UTC
Public on http://seclists.org/oss-sec/2017/q1/233
Comment 3 Martin Caj 2017-02-27 08:44:13 UTC
Updated up to version 3.5.1 on OBS in server:irc/bitlbee.
Comment 4 Andreas Stieger 2017-02-27 08:58:07 UTC
Thanks, but please submit maintenance update
Comment 5 Swamp Workflow Management 2017-02-27 23:00:14 UTC
bugbot adjusting priority
Comment 6 Martin Caj 2017-02-28 09:17:50 UTC

Done see :