Bug 468830 (CVE-2008-4776)

Summary: CVE-2008-4776 libgadu: contact description buffer over-read vulnerability
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dominik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4776
Whiteboard:
Fixed In Version: 1.8.2-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-03 11:28:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
Description | Flags
Diff between upstream version 1.8.1 and 1.8.2 | none

Description Tomas Hoger 2008-10-28 10:14:28 UTC
New libgadu upstream version 1.8.2 fixes a buffer overrun issue; quoting the Fedora update request (https://admin.fedoraproject.org/updates/libgadu):

  Security fix for contact description buffer overrun vulnerability. A
  specifically crafted packet sent by the server could overwrite memory.
  Successful exploitation would require a man-in-the-middle attack or
  hacking the Gadu-Gadu servers. No known exploits.

References:
http://toxygen.net/libgadu/releases/1.8.2.html

Comment 1 Tomas Hoger 2008-10-28 10:19:58 UTC
Created attachment 321690
Diff between upstream version 1.8.1 and 1.8.2

rathann, your update description says it's a buffer over-write flaw, though I do not see this mentioned in the upstream announcement (however, both my and Google's knowledge of the Polish language is not too good, so I may as well be wrong ;).

Looking at the code, I do not see any obvious overwrite.  A malicious packet can cause the length to integer-underflow, causing an over-read of the buffer that stores the raw packet.

Comment 2 Dominik 'Rathann' Mierzejewski 2008-10-28 13:32:49 UTC
Here's the original announcement on the developers' mailing list:

http://lists.ziew.org/pipermail/libgadu-devel/2008-October/000331.html

I admit I haven't checked the terminology and may have used the wrong term. I'll try to translate the relevant part:

"[...] Wystarczy, że deklarowana długość opisu będzie większa niż długość struktury gg_notify_reply, a opisu zabraknie. Możliwe, że za pomocą odpowiednio spreparowanego pakietu da się nadpisać pamięć, ale wygląda na to, że to jedynie próba odczytu poza granicami dostępnej pamięci. [...]"

If the declared description length is larger than the gg_notify_reply structure length, there won't be enough room to store it. It may be possible to overwrite memory by using a crafted packet, but it appears that it's only an attempt to read outside available memory.

I think this describes a typical buffer overrun scenario, but please correct me if I'm wrong.

Comment 3 Tomas Hoger 2008-10-28 17:44:26 UTC
Thanks Dominik!  Your wording seems to match what upstream said, even though I fail to map that to the actual code.  And I won't have much extra time to dig deeper into this.  Updates should go to stable on the next push.

Comment 4 Tomas Hoger 2008-10-29 09:21:47 UTC
CVE id CVE-2008-4776 was assigned to this issue:

libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.
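The length-underflow over-read discussed in Comment 1 and summarised in the CVE text above, shown as an added example that is not libgadu's code. The record layout (a 4-byte UIN, a 1-byte status, a 1-byte declared description length, then the description) is a constructed simplification, not the real gg_notify_reply structure; `unchecked_remaining` only computes the wrapped "bytes remaining" value an unchecked parser would act on, without reading any memory, and `parse_notify_entry` is the bounds-checked form that rejects a declared length larger than what the packet actually carries:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of one notify-reply record: a 4-byte
 * little-endian UIN, a 1-byte status and a 1-byte declared description
 * length, followed by that many description bytes.  This layout is an
 * assumption made for the example; it is not libgadu's gg_notify_reply. */
#define ENTRY_FIXED_LEN 6

typedef struct {
    uint32_t uin;
    uint8_t status;
    const uint8_t *desc;  /* points into the packet, NULL if no description */
    size_t desc_len;
} notify_entry;

/* Shows the arithmetic behind the over-read without performing it: an
 * unchecked parser subtracts the declared length from the bytes remaining,
 * and the unsigned subtraction wraps to a huge value whenever the declared
 * length exceeds what the packet really carries. */
size_t unchecked_remaining(size_t packet_len, size_t declared_desc_len)
{
    return packet_len - ENTRY_FIXED_LEN - declared_desc_len;
}

/* Hardened parser: validates every length against the bytes actually
 * present before touching them.  Returns 0 on success, -1 if the packet is
 * truncated or the declared description does not fit in it. */
int parse_notify_entry(const uint8_t *pkt, size_t len, notify_entry *out)
{
    if (pkt == NULL || out == NULL || len < ENTRY_FIXED_LEN)
        return -1;
    size_t desc_len = pkt[5];
    /* len >= ENTRY_FIXED_LEN holds here, so this subtraction cannot wrap. */
    if (desc_len > len - ENTRY_FIXED_LEN)
        return -1;
    out->uin = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
               ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    out->status = pkt[4];
    out->desc_len = desc_len;
    out->desc = desc_len ? pkt + ENTRY_FIXED_LEN : NULL;
    return 0;
}

/* Convenience wrapper: the accepted description length, or -1 if rejected. */
long parsed_desc_len(const uint8_t *pkt, size_t len)
{
    notify_entry e;
    return parse_notify_entry(pkt, len, &e) == 0 ? (long)e.desc_len : -1;
}

/* Constructed sample packets: both carry UIN 1234, status 2 and the four
 * bytes "away", but the second declares a 200-byte description. */
const uint8_t good_pkt[] = { 0xD2, 0x04, 0x00, 0x00, 0x02, 4,   'a', 'w', 'a', 'y' };
const uint8_t bad_pkt[]  = { 0xD2, 0x04, 0x00, 0x00, 0x02, 200, 'a', 'w', 'a', 'y' };

int main(void)
{
    notify_entry e;
    if (parse_notify_entry(good_pkt, sizeof good_pkt, &e) == 0)
        printf("ok: uin=%u status=%u desc=\"%.*s\"\n", (unsigned)e.uin,
               (unsigned)e.status, (int)e.desc_len, (const char *)e.desc);
    printf("unchecked remaining for bad packet: %zu (wrapped)\n",
           unchecked_remaining(sizeof bad_pkt, bad_pkt[5]));
    printf("hardened parser on bad packet: %ld (rejected)\n",
           parsed_desc_len(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

The check that matters is the comparison of the declared length against `len - ENTRY_FIXED_LEN`, done only after `len >= ENTRY_FIXED_LEN` has been established, so the subtraction itself can never wrap; the same pattern applies to any length-prefixed field read from an untrusted server.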

Comment 5 Fedora Update System 2008-10-30 12:53:35 UTC
libgadu-1.8.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-10-30 12:56:10 UTC
libgadu-1.8.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.