Bug 12709 - libgadu new security issue CVE-2013-6487
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/584148/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2014-02-10 21:59 CET by David Walser
Modified: 2014-02-16 14:47 CET

Source RPM: libgadu-1.11.2-6.mga4.src.rpm

pic of grep libgadu strace.out (29.04 KB, image/png)
2014-02-14 11:30 CET, Gerd Roscher

Description David Walser 2014-02-10 21:59:12 CET
Debian has issued an advisory on February 6:

We recently fixed this same CVE in Pidgin, but libgadu needs to be updated to also fix this vulnerability for other IM clients like ekg2, kadu, and kopete.

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.


Updated libgadu packages fix security vulnerability:

A malicious server or man-in-the-middle could send a large value for
Content-Length and cause an integer overflow which could lead to a buffer
overflow in Gadu-Gadu HTTP parsing (CVE-2013-6487).


Updated packages in core/updates_testing:

from SRPMS:


Steps to Reproduce:
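
Added illustration of the bug class named in the advisory text above (not part of the original report and not libgadu's actual code): a peer-supplied Content-Length is used in size arithmetic without a range check and wraps, next to a parser that rejects it. The function names and the 1 MiB `MAX_BODY` cap are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY ((size_t)1 << 20) /* assumed 1 MiB policy cap, not a libgadu value */

/* Unsafe pattern: unchecked header value fed into 32-bit size arithmetic. */
uint32_t unsafe_alloc_size(const char *value)
{
    uint32_t len = (uint32_t)strtoul(value, NULL, 10);
    return len + 1; /* wraps to 0 when len is UINT32_MAX */
}

/* Hardened parse: digits only, range-checked. Returns 0 on success, -1 if rejected. */
int parse_content_length(const char *value, size_t *out)
{
    char *end;
    unsigned long long n;
    if (value == NULL || *value < '0' || *value > '9')
        return -1; /* empty string, sign or leading whitespace */
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > MAX_BODY)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Copies at most min(declared, received) bytes; caller frees; NULL if rejected. */
char *copy_body(const char *value, const char *data, size_t avail)
{
    size_t n;
    char *body;
    if (parse_content_length(value, &n) != 0)
        return NULL;
    n = n > avail ? avail : n;
    body = malloc(n + 1); /* n <= MAX_BODY, so n + 1 cannot wrap */
    if (body == NULL)
        return NULL;
    memcpy(body, data, n);
    body[n] = '\0';
    return body;
}

int main(void)
{
    return copy_body("4294967295", "x", 1) != NULL; /* exits 0: oversized length rejected */
}
```
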
Comment 1 claire robinson 2014-02-11 20:04:50 CET
Testing using kadu IM client. Bug 12735 created for kadu suggesting locales-pl & hunspell-pl on en_GB.

I'm unable to create a gadu-gadu account for some reason so checking the lib is loaded without error using strace. The last two lines show it being used.

$ strace -o strace.out kadu
$ grep libgadu strace.out 
lstat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0
stat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0
open("/usr/lib64/kadu/plugins/libgadu_protocol.so", O_RDONLY|O_CLOEXEC) = 12
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 12
read(14, "/lib64/libgadu.so.3.13.0\n7fa1bd0"..., 1024) = 1024

Testing complete mga3 64
Comment 2 claire robinson 2014-02-11 20:08:57 CET
Testing complete mga3 32
Comment 3 Samuel Verschelde 2014-02-12 11:20:15 CET
Advisory uploaded.
Comment 4 Samuel Verschelde 2014-02-12 11:55:02 CET
There's no kadu in Mageia 4 but you can test with kopete or ekg2-gadu-gadu, or better yet if you know how, perl-Net-Gadu.
Comment 5 Gerd Roscher 2014-02-14 11:30:00 CET
Created attachment 4985
pic of grep libgadu strace.out

i've tried this with ekg2 and i dunno if it is OK or not.....
Comment 6 Lewis Smith 2014-02-15 15:42:48 CET
Trying Mag4 64-bit

Re comment 1
I also could not create a gadu-gadu account, via Kopete: bounced repeatedly without explanation. I suspect the constant the graphic registration control string.

Comment 5
> i've tried this with ekg2 and i dunno if it is OK or not.....
Your Polish is better than mine! I got nowhere with ekg2, probably just blind ignorance, but I could find no better info than the help command whose output, while correct, tells me nothing. It contains a lot of Polish.

Comment 4
> you can test with kopete
Blocked by failure to register with Gadu-gadu.

If someone could advise me what to do with ekg2, I will have another go. Instant Messaging is new to me.
Comment 7 Samuel Verschelde 2014-02-15 20:38:22 CET
[samuel@localhost QA]$ strace -o strace.out ekg2 
[samuel@localhost QA]$ grep libgadu strace.out 
open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 5

Testing mga4 64 complete.

Update validated, please push to 3 and 4 core/updates.
Comment 8 Thomas Backlund 2014-02-16 14:47:31 CET
Update pushed:
