Bug 9316 - telepathy-gabble new security issue CVE-2013-1769
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/542913/
Whiteboard: has_procedure mga2-32-ok mga2-64-ok
Keywords: validated_update

Reported: 2013-03-10 02:42 CET by David Walser
Modified: 2013-03-16 23:03 CET
CC: 3 users
Source RPM: telepathy-gabble-0.16.0-2.mga2.src.rpm

Description David Walser 2013-03-10 02:42:47 CET
Upstream has released 0.16.5 and 0.17.3 to fix a remotely triggerable crash (denial of service) issue in telepathy-gabble.

Freeze push requested for 0.17.3 in Cauldron.

Updated package uploaded for Mageia 2.

Note to QA: You can test telepathy-gabble with a Jabber account in empathy.

Advisory:
========================

Updated telepathy-gabble packages fix security vulnerability:

NULL pointer dereference in telepathy-gabble before 0.16.5 which causes a
crash when processing weirdly-shaped data forms in caps query replies. This
bug can be triggered by any XMPP user who knows the bare JID of a user of a
vulnerable client, without needing to be authorized to see that user's
presence (CVE-2013-1769).

The telepathy-gabble package has been updated to version 0.16.5 to fix
this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1769
http://lists.freedesktop.org/archives/telepathy/2013-March/006379.html
https://bugs.freedesktop.org/show_bug.cgi?id=61433
http://lists.freedesktop.org/archives/telepathy/2013-March/006377.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006299.html
http://lists.freedesktop.org/archives/telepathy/2012-September/006234.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006224.html
http://lists.freedesktop.org/archives/telepathy/2012-June/006145.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.5-1.mga2

from telepathy-gabble-0.16.5-1.mga2.src.rpm

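The advisory above describes the bug class (a NULL pointer dereference while processing oddly shaped XEP-0004 data forms in an entity-capabilities disco#info reply) but not the exact trigger. The following is an added example, written here in Python and not telepathy-gabble's own C code, of how a caps verifier can process such a reply defensively: absent or empty <value/> elements, fields with no var attribute, and forms with a missing or unusable FORM_TYPE are tolerated or skipped per XEP-0115 section 5.4 instead of being dereferenced, while duplicate FORM_TYPEs and duplicate identities/features make the whole reply ill-formed. The sample replies, the urn:example:form FORM_TYPE and the IllFormedReply class are constructed for this example and do not come from the page, the CVE or the project.

```python
"""Defensive handling of an XEP-0115 entity-capabilities disco#info reply.

Added illustration, not telepathy-gabble's code. The sample replies below are
constructed; none of them claims to be the real CVE-2013-1769 trigger.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

DISCO = "{http://jabber.org/protocol/disco#info}"
DATA = "{jabber:x:data}"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


class IllFormedReply(ValueError):
    """The whole reply must be rejected (XEP-0115 section 5.4)."""


def _query(reply_xml):
    query = ET.fromstring(reply_xml).find(DISCO + "query")
    if query is None:
        raise IllFormedReply("no disco#info query element")
    return query


def _values(field):
    # <value/> may be absent or empty: map None text to "" instead of
    # dereferencing it, which is the failure class the advisory describes.
    return [v.text or "" for v in field.findall(DATA + "value")]


def _parse_forms(query):
    """Return {FORM_TYPE: {var: [values]}} for usable forms; skip odd ones.

    A form with no hidden, single-valued FORM_TYPE is ignored. A FORM_TYPE
    with conflicting values, or one repeated across forms, is ill-formed.
    """
    forms = {}
    for x in query.findall(DATA + "x"):
        form_type, fields = None, {}
        for field in x.findall(DATA + "field"):
            var = field.get("var")
            if var is None:                      # nothing to key on: skip the field
                continue
            values = _values(field)
            if var != "FORM_TYPE":
                fields[var] = values
            elif field.get("type") != "hidden" or not values:
                form_type = None                 # unusable FORM_TYPE: drop the form
                break
            elif len(set(values)) != 1:
                raise IllFormedReply("FORM_TYPE with conflicting values")
            else:
                form_type = values[0]
        if form_type is None:
            continue
        if form_type in forms:
            raise IllFormedReply("duplicate FORM_TYPE " + form_type)
        forms[form_type] = fields
    return forms


def parse_forms(reply_xml):
    return _parse_forms(_query(reply_xml))


def verification_string(reply_xml):
    """Build the XEP-0115 section 5.1 verification string S for the reply."""
    query = _query(reply_xml)
    identities, seen = [], set()
    for ident in query.findall(DISCO + "identity"):
        key = (ident.get("category", ""), ident.get("type", ""), ident.get(XML_LANG, ""))
        if key in seen:
            raise IllFormedReply("duplicate identity")
        seen.add(key)
        identities.append("/".join(key + (ident.get("name", ""),)))
    features = [f.get("var") for f in query.findall(DISCO + "feature") if f.get("var")]
    if len(set(features)) != len(features):
        raise IllFormedReply("duplicate feature")
    parts = sorted(identities) + sorted(features)
    forms = _parse_forms(query)
    for form_type in sorted(forms):              # forms sorted by FORM_TYPE
        parts.append(form_type)
        for var in sorted(forms[form_type]):     # then fields by var, values sorted
            parts.append(var)
            parts.extend(sorted(forms[form_type][var]))
    return "".join(p + "<" for p in parts)


def caps_hash(reply_xml):
    digest = hashlib.sha1(verification_string(reply_xml).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_caps_reply(reply_xml, expected_ver):
    """True only if the reply is well-formed and hashes to expected_ver.
    Malformed or ill-formed input yields False, never an exception."""
    try:
        return caps_hash(reply_xml) == expected_ver
    except (ET.ParseError, IllFormedReply):
        return False


# Constructed sample replies (not captured traffic).
WELL_FORMED = """<iq type='result' id='disco1'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity category='client' type='pc' name='Exodus 0.9.1'/>
    <feature var='http://jabber.org/protocol/caps'/>
    <feature var='http://jabber.org/protocol/disco#info'/>
    <feature var='http://jabber.org/protocol/disco#items'/>
    <feature var='http://jabber.org/protocol/muc'/>
  </query>
</iq>"""

# Oddly shaped forms: FORM_TYPE with no value, form with no FORM_TYPE,
# field with no var, empty and absent <value/>.
ODD_FORMS = """<iq type='result' id='disco2'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity category='client' type='pc' name='Example 1.0'/>
    <feature var='http://jabber.org/protocol/caps'/>
    <x xmlns='jabber:x:data' type='result'>
      <field var='FORM_TYPE' type='hidden'/>
      <field var='os'><value>Linux</value></field>
    </x>
    <x xmlns='jabber:x:data' type='result'>
      <field var='os'><value>Linux</value></field>
    </x>
    <x xmlns='jabber:x:data' type='result'>
      <field var='FORM_TYPE' type='hidden'><value>urn:example:form</value></field>
      <field><value>no var attribute</value></field>
      <field var='empty'><value/></field>
      <field var='none'/>
    </x>
  </query>
</iq>"""

DUPLICATE_FORM_TYPE = """<iq type='result' id='disco3'>
  <query xmlns='http://jabber.org/protocol/disco#info'>
    <identity category='client' type='pc' name='Example 1.0'/>
    <x xmlns='jabber:x:data' type='result'>
      <field var='FORM_TYPE' type='hidden'><value>urn:example:form</value></field>
    </x>
    <x xmlns='jabber:x:data' type='result'>
      <field var='FORM_TYPE' type='hidden'><value>urn:example:form</value></field>
    </x>
  </query>
</iq>"""

if __name__ == "__main__":
    print(verification_string(WELL_FORMED))
    print(caps_hash(WELL_FORMED))
    print(parse_forms(ODD_FORMS))
    print(verify_caps_reply(DUPLICATE_FORM_TYPE, caps_hash(WELL_FORMED)))
```

The point of the example is the contract of verify_caps_reply: any peer that knows your bare JID can send you a disco#info reply, so every path through the form parser must end in "ignore this form", "reject this reply" or "accept", never in an unchecked dereference. The stdlib ElementTree parser is used here for brevity; a client parsing XML from arbitrary peers should also guard against entity-expansion and similar parser-level attacks (for example with defusedxml), which this page does not cover.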
Comment 1 David Walser 2013-03-10 18:06:00 CET
telepathy-gabble-0.17.3-1.mga3 is uploaded in Cauldron.
Comment 2 claire robinson 2013-03-12 15:46:46 CET
Testing complete mga2 32

Connected to jabber in empathy with gmail credentials. 
Thanks for the procedure David.
Comment 3 David Walser 2013-03-14 18:38:41 CET
Fedora has issued an advisory for this on March 5:
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100083.html
Comment 4 tristan campbell 2013-03-15 16:26:53 CET
Testing complete mga2 64

Connected to jabber and gchat in empathy, replicating Claire's test.
Comment 5 tristan campbell 2013-03-15 18:27:47 CET
Update Validated

See bug 9406 for new issues found

See comment 1 for Advisory and SRPM

Could sysadmin please push from core/updates_testing to core/updates.

Thank you!
Comment 6 D Morgan 2013-03-16 23:03:21 CET
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0096
