Bug 461424 (CVE-2008-3969)

Summary: Bitlbee 1.2.3 was released, update required
Product: [Fedora] Fedora Reporter: Robert Scheck <redhat-bugzilla>
Component: bitlbeeAssignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: mcepl, mcepl, security-response-team
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://bugs.bitlbee.org/bitlbee/timeline?daysback=90&changeset=on
Whiteboard:
Fixed In Version: 1.2.3-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-09-07 20:16:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Robert Scheck 2008-09-07 19:54:40 UTC
Description of problem:
Bitlbee 1.2.3 was released, see the following changelog:

Version 1.2.3:
- Fixed one more flaw similar to the previous hijacking bug, caused by incon-
  sistent handling of the USTATUS_IDENTIFIED state. All code touching these
  variables was reviewed and should be correct now.

Finished 7 Sep 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.2-1

Actual results:
bitlbee-1.2.2-1

Expected results:
bitlbee-1.2.3-1 ;-)

Comment 1 Robert Scheck 2008-09-07 20:00:20 UTC
Upstream writes on the main page in the news section:

Unfortunately 1.2.2 did not fix all possible account hijacking loopholes. 
Another very similar flaw was found by Tero Marttila. In the migration to
the user configuration storage abstraction layer, a few safeguards that
prevent overwriting existing accounts disappeared. Over the week I went
over all the related code to make sure that everything's done in a sane,
safe and consistent way.

Comment 2 Robert Scheck 2008-09-07 20:16:44 UTC
Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete

127 (bitlbee): Build on target fedora-5-epel succeeded.
128 (bitlbee): Build on target fedora-4-epel succeeded.

Comment 3 Fedora Update System 2008-09-07 20:17:45 UTC
bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc8

Comment 4 Fedora Update System 2008-09-07 20:17:49 UTC
bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc9

Comment 5 Tomas Hoger 2008-09-08 07:40:03 UTC
Few references:

Upstream news page with announcement already quoted in comment #1:
  http://www.bitlbee.org/main.php/news.r.html

Upstream changelog:
  http://www.bitlbee.org/main.php/changelog.html

Upstream fix:
  http://bugs.bitlbee.org/bitlbee/changeset/devel%2C443

Comment 6 Robert Scheck 2008-09-08 11:07:28 UTC
To make Matej Cepl happy: The changeset mentioned in comment #5 is part of 
Bitlbee 1.2.3, so currently no open task/jobs etc.

Comment 7 Tomas Hoger 2008-09-09 18:33:05 UTC
CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.

Comment 8 Tomas Hoger 2008-09-11 06:27:43 UTC
CVE-2008-3969:

Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
remote attackers to "overwrite" and "hijack" existing accounts via
unknown vectors.  NOTE: this issue exists because of an incomplete fix
for CVE-2008-3920.

Comment 9 Fedora Update System 2008-09-11 16:54:24 UTC
bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-09-11 16:59:22 UTC
bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.