Bugzilla – Bug 1022497
VUL-0: CVE-2016-10188: bitlbee: bitlbee-libpurple: Use after free when expiring file transfer requests
Last modified: 2017-02-28 09:17:50 UTC
EMBARGOED via distros CRD: 2017-01-30 18:00 UTC > I'm planning to release BitlBee 3.5.1 tomorrow 2017-01-30 at 18:00 > GMT, fixing the following issues: > [...] bitlbee-libpurple: Use after free when expiring file transfer requests. > [...] > The first two are public (fixed in 3.5, released 2017-01-08) but were > not considered security issues before. https://bugs.bitlbee.org/ticket/1281 # bitlbee-libpurple: Use after free when expiring file transfer requests ## Description Pending file transfer requests expire after 120 seconds, which may result in use after free if the corresponding account is disconnected. A malicious remote server could force this disconnection. ## Impact This results in denial of service (remote crash of the BitlBee instance), or remote code execution (theoretically). For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to one user connection, who may just reconnect. * Access Vector: Network * Access Complexity: High * Authentication: None * Confidentiality Impact: None * Integrity Impact: None * Availability Impact: Partial * Exploitability: Functional Exploit Exists * Remediation Level: Official Fix * Report Confidence: Confirmed * Target Distribution: Medium * CVSS v2 score: 1.6 ## Affected versions bitlbee-libpurple 3.4.2 or older ## Unaffected versions bitlbee (non-libpurple builds), any version bitlbee-libpurple 3.5 ## Resolution * Upgrade to 3.5 (released 2017-01-08) * For 3.4.2 see the attached 0001-purple-fix-file-transfer-memory-management-3.4.2.patch [not included in this email] * For 3.4.1 and 3.4 see the attached 0001-purple-fix-file-transfer-memory-management-3.4-3.4.1.patch [not included in this email] * For earlier versions upgrading is strongly recommended because of the amount of accumulated bugfixes, but the following line may be removed from `protocols/purple/purple.c` to prevent any processing of incoming file transfers: purple_xfers_set_ui_ops(&bee_xfer_uiops); ## Discussion This affects any libpurple protocol when used through BitlBee. It does not affect other libpurple-based clients such as pidgin. This is a very visible issue - all file transfer request attempts and all disconnections will be logged in the control channel and visible by the targeted user. File transfer requests look like this: <@root> [account] - File transfer request from [username] for [filename] (0 kb). <@root> Accept the file transfer if you'd like the file. If you don't, issue the 'transfer reject' command. Cancelling the file transfer request using the "transfer reject" command before the disconnection happens can prevent this. However, using that command after the account is disconnected will result in an immediate crash. ## References Original bugfix commit: https://github.com/bitlbee/bitlbee/commit/ea902752503fc5b356d6513911081ec932d804f2
This package is in openSUSE only. Please do not work on this in public OBS until the upstream release and announcement is out.
Public on http://seclists.org/oss-sec/2017/q1/233
Updated up to version 3.5.1 on OBS in server:irc/bitlbee.
Thanks, but please submit maintenance update
bugbot adjusting priority
Hi Done see : https://build.opensuse.org/package/show/openSUSE:Maintenance:6444/patchinfo Martin