Red Hat Bugzilla – Bug 468830
CVE-2008-4776 libgadu: contact description buffer over-read vulnerability
Last modified: 2008-11-03 06:28:33 EST
New libgadu upstream version 1.8.2 fixes a buffer overrun issue, quoting the Fedora update request (https://admin.fedoraproject.org/updates/libgadu):
Security fix for contact description buffer overrun vulnerability. A
specifically crafted packet sent by the server could overwrite memory.
Successful exploitation would require a man-in-the-middle attack or
hacking the Gadu-Gadu servers. No known exploits.
Created attachment 321690 [details]
Diff between upstream version 1.8.1 and 1.8.2
rathann, your update description says it's buffer over-write flaw, though I do not seem this to be mentioned in the upstream announcement (however, both my and google's knowledge of polish language is not too good, so I may as well be wrong ;).
Looking at the code, I do not see any obvious overwrite. Malicious packet can cause length to integer underflow, causing over-read of the buffer that stores raw packet.
Here's the original announcement on the developers' mailing list:
I admit I haven't checked the terminology and may have used the wrong term. I'll try to translate the relevant part:
"[...] Wystarczy, że deklarowana długość opisu będzie większa niż długość struktury gg_notify_reply, a opisu zabraknie. Możliwe, że za pomocą odpowiednio spreparowanego pakietu da się nadpisać pamięć, ale wygląda na to, że to jedynie próba odczytu poza granicami dostępnej pamięci. [...]"
If the declared description length is larger than the gg_notify_reply structure length, there won't be enough room to store it. It may be possible to overwrite memory by using a crafted packet, but it appears that it's only an attempt to read outside available memory.
I think this describes a typical buffer overrun scenario, but please correct me if I'm wrong.
Thanks Dominik! Your wording seems to match what upstream said, even though I fail to map that to the actual code. And I won't have much extra time to dig deeper into this. Updates should go to stable on the next push.
CVE id CVE-2008-4776 was assigned to this issue:
libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.
libgadu-1.8.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libgadu-1.8.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.