Bug 1022498 - (CVE-2016-10189) VUL-0: CVE-2016-10189,CVE-2017-5668: bitlbee: Null pointer dereference with file transfer request from unknown contacts.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other openSUSE 42.2
Priority: P3 - Medium
Severity: Normal
Assigned To: Martin Caj
QA Contact: Security Team bot
https://smash.suse.de/issue/179573/
Reported: 2017-01-30 08:24 UTC by Andreas Stieger
Modified: 2017-05-17 22:51 UTC (History)

Found By: Security Response Team

Description Andreas Stieger 2017-01-30 08:24:23 UTC
EMBARGOED via distros
CRD: 2017-01-30 18:00 UTC

> I'm planning to release BitlBee 3.5.1 tomorrow 2017-01-30 at 18:00
> GMT, fixing the following issues:
> [...]

b) Null pointer dereference with file transfer request from unknown contacts.
c) Incomplete fix for issue (b), which left bitlbee-libpurple affected.

> [...]
> The first two are public (fixed in 3.5, released 2017-01-08) but were
> not considered security issues before.

https://bugs.bitlbee.org/ticket/1282

# Null pointer dereference with file transfer request from unknown contacts

## Description

Receiving a file transfer request from a contact not in the contact
list results in a null pointer dereference, leading to remote DoS by
malicious remote clients.

Additionally, due to an incomplete fix of the issue above in BitlBee
3.5, the bitlbee-libpurple variant is still affected in 3.5.

## Impact

This results in denial of service (remote crash of the BitlBee
instance). Remote code execution does not seem to be possible (fixed
offset).

For BitlBee servers configured in ForkDaemon mode (default) or inetd
mode, the crash is limited to one user connection, who may just
reconnect.

CVSS for bitlbee 3.4.2 and lower:

* Access Vector: Network
* Access Complexity: Low
* Authentication: None
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: Partial
* Exploitability: Functional Exploit Exists
* Remediation Level: Official Fix
* Report Confidence: Confirmed
* Target Distribution: High
* CVSS v2 score: 4.1

CVSS for bitlbee-libpurple 3.5:

* Target Distribution: Medium
* CVSS v2 score: 3.1

## Affected versions

bitlbee-libpurple 3.5 or older

bitlbee (non-libpurple builds) 3.4.2 or older

## Unaffected versions

bitlbee-libpurple 3.5.1 or newer

bitlbee (non-libpurple builds) 3.5 or newer

## Resolution

* Upgrade to 3.5.1 (released 2017-01-30)

* For 3.5 see the attached
0001-purple-Fix-crash-on-ft-requests-from-unknown-contact.patch [not
included in this email]

* For 3.4.2, 3.4.1 and 3.4 see the attached
0001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch [not
included in this email]

* For 3.0.x and 3.2.x see the attached
0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch
[not included in this email]

## Discussion

The issue from 3.4.2 and older only affects the jabber protocol, which
is the only non-purple protocol which implements file transfers.

The issue that is still present in 3.5 affects any libpurple protocol
that implements file transfers when used through BitlBee. It does not
affect other libpurple-based clients such as pidgin.

There's no visible effect of the issue other than the crash.

## References

Incomplete fix commit included in 3.5:

https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Libpurple specific bugfix commit included in 3.5.1:

https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
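As an added illustration (this is not BitlBee source and not part of the upstream advisory), the following C model shows the bug class the advisory describes: the sender of a file transfer request is looked up in the contact list, the lookup returns NULL for a contact who is not in the list, and a handler that trusts that result reads through the NULL pointer and crashes the process. The roster, struct and function names here are hypothetical; the checked variant shows the class of fix, rejecting the request when the sender is unknown.

```c
/* Added example for this bug page: a minimal model of a file-transfer
 * handler that trusts a contact lookup. Not BitlBee code; the roster,
 * struct and function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct contact {
    const char *jid;   /* bare address of the remote contact */
    const char *nick;  /* local nickname shown to the IRC user */
};

/* Constructed sample contact list (hypothetical data). */
static const struct contact ROSTER[] = {
    { "alice@example.org", "alice" },
    { "bob@example.org",   "bob"   },
};

enum ft_status { FT_ACCEPTED = 0, FT_REJECTED_UNKNOWN_SENDER = 1 };

/* Look up a contact by address. Returns NULL when the sender is not in
 * the contact list, which is exactly the case a malicious remote client
 * can trigger at will. */
static const struct contact *contact_lookup(const char *jid)
{
    for (size_t i = 0; i < sizeof ROSTER / sizeof ROSTER[0]; i++) {
        if (strcmp(ROSTER[i].jid, jid) == 0) {
            return &ROSTER[i];
        }
    }
    return NULL;
}

/* Vulnerable pattern: the lookup result is used without a NULL check.
 * For a sender not in the roster this dereferences NULL and the process
 * dies (remote DoS; in ForkDaemon or inetd mode one user connection).
 * Only call this with a known sender. */
int ft_request_unchecked(const char *from, char *out, size_t out_len)
{
    const struct contact *c = contact_lookup(from);
    /* BUG: c may be NULL here */
    snprintf(out, out_len, "file from %s", c->nick);
    return FT_ACCEPTED;
}

/* Fixed pattern: check the lookup result before using it and reject
 * requests from senders who are not in the contact list. */
int ft_request_checked(const char *from, char *out, size_t out_len)
{
    const struct contact *c = contact_lookup(from);
    if (c == NULL) {
        snprintf(out, out_len, "ignoring file transfer from unknown sender %s", from);
        return FT_REJECTED_UNKNOWN_SENDER;
    }
    snprintf(out, out_len, "file from %s", c->nick);
    return FT_ACCEPTED;
}

int main(void)
{
    char msg[128];
    const char *senders[] = { "alice@example.org", "mallory@evil.example" };

    for (size_t i = 0; i < sizeof senders / sizeof senders[0]; i++) {
        int rc = ft_request_checked(senders[i], msg, sizeof msg);
        printf("%s -> status %d (%s)\n", senders[i], rc, msg);
    }
    /* ft_request_unchecked("mallory@evil.example", msg, sizeof msg)
     * would dereference NULL here; it is deliberately not called. */
    return 0;
}
```

Build with `cc -Wall model.c`; the checked handler accepts the roster member and rejects the unknown sender, while the unchecked variant is only safe for senders that are actually in the list. The point carried over from the advisory is that the lookup failing is remote-attacker-controlled input, so the NULL case has to be handled before any field of the result is touched.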
Comment 1 Andreas Stieger 2017-01-30 08:29:03 UTC
This package is in openSUSE only. Please do not work on this in public OBS until the upstream release and announcement is out.
Comment 2 Andreas Stieger 2017-01-30 18:53:37 UTC
Public on http://seclists.org/oss-sec/2017/q1/233
Comment 3 Andreas Stieger 2017-01-31 17:44:03 UTC
> Incomplete fix commit included in 3.5:
>
> https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Use CVE-2016-10189 for the issue with Jabber file transfers that was
fixed by this commit.

> Libpurple specific bugfix commit included in 3.5.1:
>
> https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441

Use CVE-2017-5668.

CVE-2017-5668 exists because of an incomplete fix for CVE-2016-10189.
Comment 4 Martin Caj 2017-02-27 08:43:37 UTC
Updated up to version 3.5.1 on OBS in server:irc/bitlbee.
Comment 5 Andreas Stieger 2017-02-27 08:58:08 UTC
Thanks, but please submit maintenance update
Comment 6 Swamp Workflow Management 2017-02-27 23:00:27 UTC
bugbot adjusting priority
Comment 7 Martin Caj 2017-02-28 09:06:51 UTC
Hi

Done see :
https://build.opensuse.org/package/show/openSUSE:Maintenance:6444/patchinfo

Martin
Comment 8 Swamp Workflow Management 2017-03-11 14:10:39 UTC
openSUSE-SU-2017:0669-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1022498
CVE References: CVE-2016-10189
Sources used:
openSUSE Leap 42.2 (src):    bitlbee-3.4.2-3.1
openSUSE Leap 42.1 (src):    bitlbee-3.4.1-5.1