A CVE has been issued for a possible security issue in libgadu: http://openwall.com/lists/oss-security/2014/05/19/3 The issue was fixed upstream in 1.11.4. Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Advisory: ======================== Updated libgadu packages fix security vulnerability: In libgadu before 1.11.4, a crafted message from the file relay server may cause memory to be overwritten. The memory is not overwritten with data sent directly by the server, but security implications cannot be ruled out (CVE-2014-3775). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775 http://libgadu.net/releases/1.11.4.html http://openwall.com/lists/oss-security/2014/05/19/3 ======================== Updated packages in core/updates_testing: ======================== libgadu3-1.11.4-1.mga3 libgadu-devel-1.11.4-1.mga3 libgadu3-1.11.4-1.mga4 libgadu-devel-1.11.4-1.mga4 from SRPMS: libgadu-1.11.4-1.mga3.src.rpm libgadu-1.11.4-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
Ubuntu has issued an advisory for this today (May 21): http://www.ubuntu.com/usn/usn-2215-1/ I'll use their advisory text since it provides a better description. Advisory: ======================== Updated libgadu packages fix security vulnerability: It was discovered that libgadu incorrectly handled certain messages from file relay servers. A malicious remote server or a man in the middle could use this issue to cause applications using libgadu to crash, resulting in a denial of service, or possibly execute arbitrary code (CVE-2014-3775). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3775 http://libgadu.net/releases/1.11.4.html http://www.ubuntu.com/usn/usn-2215-1/
URL: (none) => http://lwn.net/Vulnerabilities/599798/Severity: normal => major
Wanting to install this (pre-update) on my 64-bit box, I notice that it is only offered as i586, 32-bit. This is a new situation for me. Is it sensible? TIA
CC: (none) => lewyssmith
lib64gadu3 on 64bit Lewis
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12709
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga4 64 # urpmi lib64gadu3 ekg2-gadu-gadu $ strace -o strace.out ekg2 $ grep libgadu strace.out open("/lib64/libgadu.so.3", O_RDONLY|O_CLOEXEC) = 5 Showing the lib being loaded.
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete mga4 32 and mga3 32 & 64
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0246.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED