Bug 12709

Summary: libgadu new security issue CVE-2013-6487
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: gerdroscher, lewyssmith, stormi-mageia, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/584148/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok mga4-64-ok
Source RPM: libgadu-1.11.2-6.mga4.src.rpm CVE:
Status comment:
Attachments: pic of grep libgadu strace.out

Description David Walser 2014-02-10 21:59:12 CET 
Debian has issued an advisory on February 6:
http://www.debian.org/security/2014/dsa-2852

We recently fixed this same CVE in Pidgin, but libgadu needs to be updated to also fix this vulnerability for other IM clients like ekg2, kadu, and kopete.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated libgadu packages fix security vulnerability:

A malicious server or man-in-the-middle could send a large value for
Content-Length and cause an integer overflow which could lead to a buffer
overflow in Gadu-Gadu HTTP parsing (CVE-2013-6487).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487
http://libgadu.net/releases/1.11.3.html
http://www.debian.org/security/2014/dsa-2852
========================

Updated packages in core/updates_testing:
========================
libgadu3-1.11.3-1.mga3
libgadu-devel-1.11.3-1.mga3
libgadu3-1.11.3-1.mga4
libgadu-devel-1.11.3-1.mga4

from SRPMS:
libgadu-1.11.3-1.mga3.src.rpm
libgadu-1.11.3-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-02-10 21:59:19 CET

Whiteboard: (none) => MGA3TOO

Comment 1 claire robinson 2014-02-11 20:04:50 CET 
Testing using kadu IM client. Bug 12735 created for kadu suggesting locales-pl & hunspell-pl on en_GB.

I'm unable to create a gadu-gadu account for some reason so checking the lib is loaded without error using strace. The last two lines show it being used.

$ strace -o strace.out kadu
$ grep libgadu strace.out 
lstat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0
stat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0
open("/usr/lib64/kadu/plugins/libgadu_protocol.so", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 12
read(14, "/lib64/libgadu.so.3.13.0\n7fa1bd0"..., 1024) = 1024

Testing complete mga3 64

Whiteboard: MGA3TOO => MGA3TOO has_prodecure mga3-64-ok

Comment 2 claire robinson 2014-02-11 20:08:57 CET 
Testing complete mga3 32

Whiteboard: MGA3TOO has_prodecure mga3-64-ok => MGA3TOO has_prodecure mga3-32-ok mga3-64-ok

claire robinson 2014-02-11 20:24:31 CET

Whiteboard: MGA3TOO has_prodecure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Comment 3 Samuel Verschelde 2014-02-12 11:20:15 CET 
Advisory uploaded.

CC: (none) => stormi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory

Comment 4 Samuel Verschelde 2014-02-12 11:55:02 CET 
There's no kadu in Mageia 4 but you can test with kopete of ekg2-gadu-gadu, or better yet if you know how, perl-Net-Gadu
Comment 5 Gerd Roscher 2014-02-14 11:30:00 CET 
Created attachment 4985 [details]
pic of grep libgadu strace.out

i've tried this with ekg2 and i dunno if it is OK or not.....

CC: (none) => gerdroscher

Gerd Roscher 2014-02-14 14:21:41 CET

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok

Comment 6 Lewis Smith 2014-02-15 15:42:48 CET 
Trying Mag4 64-bit

Re comment 1
I also could not create a gadu-gadu account, via Kopete: bounced repeatedly without explanation. I suspect the constant the graphic registration control string.

Comment 5
> i've tried this with ekg2 and i dunno if it is OK or not.....
Your Polish is better than mine! I got nowhere with ekg2, probably just blind ignorance, but I could find no better info than the help command whose output, while correct, tells me nothing. It contains a lot of Polish.

Comment 4
> you can test with kopete
Blocked by failure to register with Gadu-gadu.

If someone could advise me what to do with ekg2, I will have another go. Instant Messaging is new to me.

CC: (none) => lewyssmith

Comment 7 Samuel Verschelde 2014-02-15 20:38:22 CET 
[samuel@localhost QA]$ strace -o strace.out ekg2 
[samuel@localhost QA]$ grep libgadu strace.out 
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 5

Testing mga4 64 complete.

Update validated, please push to 3 and 4 core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok mga4-64-ok

Comment 8 Thomas Backlund 2014-02-16 14:47:31 CET 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0074.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED