Bug 227791

Summary: CVE-2007-160: centericq buffer overflow
Product: [Fedora] Fedora Reporter: Kevin Fenzi <kevin>
Component: centericqAssignee: Andreas Bierfert <andreas.bierfert>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: medium    
Version: rawhideCC: fedora-security-list
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-10 07:20:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kevin Fenzi 2007-02-08 05:19:15 UTC 
Description of problem:

centericq is vulnerable to a buffer overflow in it's livejournal support. 

See: 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0160

All fedora extras versions seem to be vulnerable. 

More info, and a patch that debian is using is at: 
http://mailman.linuxpl.org/pipermail/cicq/2007-January/004866.html
Comment 1 Andy Shevchenko 2007-02-08 06:33:10 UTC 
The patches are not allowed. Received error like following: "Can not connect 
to host www2.speedblue.org".

I think the patches would be attached here directly.

P.S. Just my 2 cents.
Comment 2 Andreas Bierfert 2007-02-08 09:40:05 UTC 
Will look into the issue and try the debian patches asap.
Comment 3 Kevin Fenzi 2007-02-08 16:13:39 UTC 
In reply to comment #1: 

yeah, those links look dead. ;( 
Hopefully the patches can be fetched via the debian package?
Comment 4 Andreas Bierfert 2007-02-08 16:21:41 UTC 
Thats not a problem... I am just waiting to get home to grep them and make a
test build +)
Comment 5 Andreas Bierfert 2007-02-10 07:20:24 UTC 
Builds for fc{5,6} and devel have been queued. Thanks for reporting.