Bug 9316 - telepathy-gabble new security issue CVE-2013-1769
Summary: telepathy-gabble new security issue CVE-2013-1769
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 2
Hardware: i586 Linux
: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/542913/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-03-10 02:42 CET by David Walser
Modified: 2013-03-16 23:03 CET (History)
3 users (show)

See Also:
Source RPM: telepathy-gabble-0.16.0-2.mga2.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2013-03-10 02:42:47 CET 
Upstream has released 0.16.5 and 0.17.3 to fix a remotely triggerable crash (denial of service) issue in telepathy-gabble.

Freeze push requested for 0.17.3 in Cauldron.

Updated package uploaded for Mageia 2.

Note to QA: You can test telepathy-gabble with a Jabber account in empathy.

Advisory:
========================

Updated telepathy-gabble packages fix security vulnerability:

NULL pointer dereference in telepathy-gabble before 0.16.5 which causes a
crash when processing weirdly-shaped data forms in caps query replies. This
bug can be triggered by any XMPP user who knows the bare JID of a user of a
vulnerable client, without needing to be authorized to see that user's
presence (CVE-2013-1769).

The telepathy-gabble package has been updated to version to 0.16.5 to fix
this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1769
http://lists.freedesktop.org/archives/telepathy/2013-March/006379.html
https://bugs.freedesktop.org/show_bug.cgi?id=61433
http://lists.freedesktop.org/archives/telepathy/2013-March/006377.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006299.html
http://lists.freedesktop.org/archives/telepathy/2012-September/006234.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006224.html
http://lists.freedesktop.org/archives/telepathy/2012-June/006145.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.5-1.mga2

from telepathy-gabble-0.16.5-1.mga2.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-03-10 18:06:00 CET 
telepathy-gabble-0.17.3-1.mga3 is uploaded in Cauldron.
Comment 2 claire robinson 2013-03-12 15:46:46 CET 
Testing complete mga2 32

Connected to jabber in empathy with gmail credentials. 
Thanks for the procedure David.
Comment 3 David Walser 2013-03-14 18:38:41 CET 
Fedora has issued an advisory for this on March 5:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100083.html
Comment 4 tristan campbell 2013-03-15 16:26:53 CET 
Testing complete mga2 64

Connected to jabber and gchat in empathy, replicating Claire's test.
Comment 5 tristan campbell 2013-03-15 18:27:47 CET 
Update Validated

See bug 9406 for new issues found

See comment 1 for Advisory and SRPM

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
Comment 6 D Morgan 2013-03-16 23:03:21 CET 
Update pushed : 
       https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0096
Note You need to log in before you can comment on or make changes to this bug.