New libgadu upstream version 1.8.2 fixes a buffer overrun issue, quoting the Fedora update request (https://admin.fedoraproject.org/updates/libgadu): Security fix for contact description buffer overrun vulnerability. A specifically crafted packet sent by the server could overwrite memory. Successful exploitation would require a man-in-the-middle attack or hacking the Gadu-Gadu servers. No known exploits. References: http://toxygen.net/libgadu/releases/1.8.2.html
Created attachment 321690 Diff between upstream version 1.8.1 and 1.8.2 rathann, your update description says it's a buffer over-write flaw, though I do not see this mentioned in the upstream announcement (however, both my and Google's knowledge of the Polish language is not too good, so I may as well be wrong ;). Looking at the code, I do not see any obvious overwrite. A malicious packet can cause the length to integer-underflow, causing an over-read of the buffer that stores the raw packet.
Here's the original announcement on the developers' mailing list: http://lists.ziew.org/pipermail/libgadu-devel/2008-October/000331.html I admit I haven't checked the terminology and may have used the wrong term. I'll try to translate the relevant part: "[...] Wystarczy, że deklarowana długość opisu będzie większa niż długość struktury gg_notify_reply, a opisu zabraknie. Możliwe, że za pomocą odpowiednio spreparowanego pakietu da się nadpisać pamięć, ale wygląda na to, że to jedynie próba odczytu poza granicami dostępnej pamięci. [...]" If the declared description length is larger than the gg_notify_reply structure length, there won't be enough room to store it. It may be possible to overwrite memory by using a crafted packet, but it appears that it's only an attempt to read outside available memory. I think this describes a typical buffer overrun scenario, but please correct me if I'm wrong.
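As an added illustration (not libgadu's own code) of the length-underflow over-read discussed above: a simplified parser with a constructed header layout, showing the wrapped subtraction an unchecked parser performs next to the bounds check that rejects such a packet. The 4-byte length header, the packet bytes and the function names are assumptions, not the real gg_notify_reply wire format.

```c
/* Added example, not libgadu code. Constructed layout: a 4-byte
 * little-endian description length followed by the description bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HDR_LEN 4u

/* What an unchecked parser computes as "bytes left after the description":
 * if decl_len exceeds packet_len - HDR_LEN the unsigned subtraction wraps
 * to a huge value, and any loop bounded by it walks past the buffer. */
size_t unchecked_remaining(size_t packet_len, uint32_t decl_len)
{
    return packet_len - HDR_LEN - decl_len;
}

/* Hardened parse: copies the description into out (NUL-terminated) only if
 * the declared length fits inside the packet and the output buffer.
 * Returns 1 on success, 0 on a malformed packet (out is left untouched). */
int parse_description(const uint8_t *pkt, size_t packet_len,
                      char *out, size_t out_size)
{
    if (packet_len < HDR_LEN)
        return 0;
    uint32_t decl_len = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                        ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    /* Compare against the bytes actually present instead of subtracting. */
    if (decl_len > packet_len - HDR_LEN)
        return 0;
    if (decl_len >= out_size)
        return 0;
    memcpy(out, pkt + HDR_LEN, decl_len);
    out[decl_len] = '\0';
    return 1;
}

/* Constructed packets: a consistent one, and one declaring 0xFFFFFFF0 bytes. */
static const uint8_t good_pkt[] = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t bad_pkt[]  = {0xF0, 0xFF, 0xFF, 0xFF, 'h', 'i'};

int demo_good(void) { char d[32]; return parse_description(good_pkt, sizeof good_pkt, d, sizeof d); }
int demo_bad(void)  { char d[32]; return parse_description(bad_pkt, sizeof bad_pkt, d, sizeof d); }

int main(void)
{
    printf("good packet accepted: %d\n", demo_good());
    printf("bad packet accepted: %d\n", demo_bad());
    printf("unchecked remaining for bad packet: %zu\n",
           unchecked_remaining(sizeof bad_pkt, 0xFFFFFFF0u));
    return 0;
}
```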
Thanks Dominik! Your wording seems to match what upstream said, even though I fail to map that to the actual code. And I won't have much extra time to dig deeper into this. Updates should go to stable on the next push.
CVE id CVE-2008-4776 was assigned to this issue: libgadu before 1.8.2 allows remote servers to cause a denial of service (crash) via a contact description with a large length, which triggers a buffer over-read.
libgadu-1.8.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
libgadu-1.8.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.