Debian has issued an advisory on February 6: http://www.debian.org/security/2014/dsa-2852 We recently fixed this same CVE in Pidgin, but libgadu needs to be updated to also fix this vulnerability for other IM clients like ekg2, kadu, and kopete. Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated libgadu packages fix security vulnerability: A malicious server or man-in-the-middle could send a large value for Content-Length and cause an integer overflow which could lead to a buffer overflow in Gadu-Gadu HTTP parsing (CVE-2013-6487). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6487 http://libgadu.net/releases/1.11.3.html http://www.debian.org/security/2014/dsa-2852 ======================== Updated packages in core/updates_testing: ======================== libgadu3-1.11.3-1.mga3 libgadu-devel-1.11.3-1.mga3 libgadu3-1.11.3-1.mga4 libgadu-devel-1.11.3-1.mga4 from SRPMS: libgadu-1.11.3-1.mga3.src.rpm libgadu-1.11.3-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Testing using kadu IM client. Bug 12735 created for kadu suggesting locales-pl & hunspell-pl on en_GB. I'm unable to create a gadu-gadu account for some reason so checking the lib is loaded without error using strace. The last two lines show it being used. $ strace -o strace.out kadu $ grep libgadu strace.out lstat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0 stat("/usr/lib64/kadu/plugins/libgadu_protocol.so", {st_mode=S_IFREG|0755, st_size=661960, ...}) = 0 open("/usr/lib64/kadu/plugins/libgadu_protocol.so", O_RDONLY|O_CLOEXEC) = 12 open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 12 read(14, "/lib64/libgadu.so.3.13.0\n7fa1bd0"..., 1024) = 1024 Testing complete mga3 64
Whiteboard: MGA3TOO => MGA3TOO has_prodecure mga3-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_prodecure mga3-64-ok => MGA3TOO has_prodecure mga3-32-ok mga3-64-ok
Whiteboard: MGA3TOO has_prodecure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Advisory uploaded.
CC: (none) => stormiWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory
There's no kadu in Mageia 4 but you can test with kopete of ekg2-gadu-gadu, or better yet if you know how, perl-Net-Gadu
Created attachment 4985 [details] pic of grep libgadu strace.out i've tried this with ekg2 and i dunno if it is OK or not.....
CC: (none) => gerdroscher
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok
Trying Mag4 64-bit Re comment 1 I also could not create a gadu-gadu account, via Kopete: bounced repeatedly without explanation. I suspect the constant the graphic registration control string. Comment 5 > i've tried this with ekg2 and i dunno if it is OK or not..... Your Polish is better than mine! I got nowhere with ekg2, probably just blind ignorance, but I could find no better info than the help command whose output, while correct, tells me nothing. It contains a lot of Polish. Comment 4 > you can test with kopete Blocked by failure to register with Gadu-gadu. If someone could advise me what to do with ekg2, I will have another go. Instant Messaging is new to me.
CC: (none) => lewyssmith
[samuel@localhost QA]$ strace -o strace.out ekg2 [samuel@localhost QA]$ grep libgadu strace.out open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 5 Testing mga4 64 complete. Update validated, please push to 3 and 4 core/updates.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok advisory mga4-32-ok mga4-64-ok
Update pushed: http://advisories.mageia.org/MGASA-2014-0074.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED