On Wed, Oct 29, 2008 at 10:43:07AM +0000, Marcin Owsiany wrote:
> to security team (attached) for more details.

*sigh*

--
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
--- Begin Message ---
Hi,

There is a medium-to-low severity vulnerability in libgadu. Please allocate a CVE ID. Description below. I will start preparing packages.

Upstream announcement (Polish only):
http://toxygen.net/libgadu/releases/1.8.2.html
http://toxygen.net/websvn/listing.php?repname=libgadu&path=%2F&rev=638&sc=1

Rough translation: a crafted packet sent by a rogue Gadu-Gadu server (or MiTM attacker) may cause a segmentation violation in the libgadu library due to an error in the function for parsing contact description packets. Most likely this can only cause reading of uninitialized memory (DoS), although authors do not rule out overwriting of memory (potentially leading to arbitrary code execution).

This vulnerability was found by Jakub Zawadzki.

Upstream has released libgadu version 1.8.2. The (2 line) fix for this is the only difference from 1.8.1.

The vulnerable code dates back at least to September 2003, possibly even earlier, which means all Debian-distributed libgadu versions are vulnerable, back to oldstable. (ekg source package until and including etch, and libgadu source package since lenny).

Since there is a minimal patch, I will probably create minimal minor version updates. The versions will be:

  sarge           ekg      1:1.5+20050411-9
  sarge-volatile  ekg      1:1.5+20050411-10
  etch            ekg      1:1.7~rc2-1etch2
  sid+lenny       libgadu  1:1.8~rc1-2

I will submit final interdiffs when I get the CVE ID.

(I hope I can upload to sid and ask for an exception to have it propagate to lenny? Or is it better to prepare a special version for lenny?)

--
Marcin Owsiany <[EMAIL PROTECTED]> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
--- End Message ---