Bugzilla – Bug 1022498
VUL-0: CVE-2016-10189,CVE-2017-5668: bitlbee: Null pointer dereference with file transfer request from unknown contacts.
Last modified: 2017-05-17 22:51:31 UTC
EMBARGOED via distros
CRD: 2017-01-30 18:00 UTC
> I'm planning to release BitlBee 3.5.1 tomorrow 2017-01-30 at 18:00
> GMT, fixing the following issues:
b) Null pointer dereference with file transfer request from unknown contacts.
c) Incomplete fix for issue (b), which left bitlbee-libpurple affected.
> The first two are public (fixed in 3.5, released 2017-01-08) but were
> not considered security issues before.
# Null pointer dereference with file transfer request from unknown contacts
Receiving a file transfer request from a contact not in the contact
list results in a null pointer dereference, leading to remote DoS by
malicious remote clients.
Additionally, due to an incomplete fix of the issue above in BitlBee
3.5, the bitlbee-libpurple variant is still affected in 3.5.
This results in denial of service (remote crash of the BitlBee
instance). Remote code execution does not seem to be possible (fixed
For BitlBee servers configured in ForkDaemon mode (default) or inetd
mode, the crash is limited to one user connection, who may just
CVSS for bitlbee 3.4.2 and lower:
* Access Vector: Network
* Access Complexity: Low
* Authentication: None
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: Partial
* Exploitability: Functional Exploit Exists
* Remediation Level: Official Fix
* Report Confidence: Confirmed
* Target Distribution: High
* CVSS v2 score: 4.1
CVSS for bitlbee-libpurple 3.5:
* Target Distribution: Medium
* CVSS v2 score: 3.1
## Affected versions
bitlbee-libpurple 3.5 or older
bitlbee (non-libpurple builds) 3.4.2 or older
## Unaffected versions
bitlbee-libpurple 3.5.1 or newer
bitlbee (non-libpurple builds) 3.5 or newer
* Upgrade to 3.5.1 (released 2017-01-30)
* For 3.5 see the attached
included in this email]
* For 3.4.2, 3.4.1 and 3.4 see the attached
included in this email]
* For 3.2.x and 3.2.x see the attached
[not included in this email]
The issue from 3.4.2 and older only affects the jabber protocol, which
is the only non-purple protocol which implements file transfers.
The issue that is still present in 3.5 affects any libpurple protocol
that implements file transfers when used through BitlBee. It does not
affect other libpurple-based clients such as pidgin.
There's no visible effect of the issue other than the crash.
Incomplete fix commit included in 3.5:
Libpurple specific bugfix commit included in 3.5.1:
This package is in openSUSE only. Please do not work on this in public OBS until the upstream release and announcement is out.
Public on http://seclists.org/oss-sec/2017/q1/233
 Incomplete fix commit included in 3.5:
Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.
 Libpurple specific bugfix commit included in 3.5.1:
CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Updated up to version 3.5.1 on OBS in server:irc/bitlbee.
Thanks, but please submit maintenance update
bugbot adjusting priority
Done see :
openSUSE-SU-2017:0669-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1022498
CVE References: CVE-2016-10189
openSUSE Leap 42.2 (src): bitlbee-3.4.2-3.1
openSUSE Leap 42.1 (src): bitlbee-3.4.1-5.1