Bug 468830 - (CVE-2008-4776) libgadu: contact description buffer over-read vulnerability
Status: CLOSED CURRENTRELEASE
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
http://nvd.nist.gov/nvd.cfm?cvename=C...
Keywords: Security
Reported: 2008-10-28 06:14 EDT by Tomas Hoger
Modified: 2008-11-03 06:28 EST (History)

Fixed In Version: 1.8.2-1
Doc Type: Bug Fix
Last Closed: 2008-11-03 06:28:33 EST

Attachments
Diff between upstream version 1.8.1 and 1.8.2 (1.32 KB, patch)
2008-10-28 06:19 EDT, Tomas Hoger

Description Tomas Hoger 2008-10-28 06:14:28 EDT
New libgadu upstream version 1.8.2 fixes a buffer overrun issue, quoting the Fedora update request (https://admin.fedoraproject.org/updates/libgadu):

  Security fix for contact description buffer overrun vulnerability. A
  specifically crafted packet sent by the server could overwrite memory.
  Successful exploitation would require a man-in-the-middle attack or
  hacking the Gadu-Gadu servers. No known exploits.

References:
http://toxygen.net/libgadu/releases/1.8.2.html
Comment 1 Tomas Hoger 2008-10-28 06:19:58 EDT
Created attachment 321690 [details]
Diff between upstream version 1.8.1 and 1.8.2

rathann, your update description says it's a buffer over-write flaw, though I do not see this mentioned in the upstream announcement (however, both my and Google's knowledge of the Polish language is not too good, so I may as well be wrong ;).

Looking at the code, I do not see any obvious overwrite.  A malicious packet can cause the length to integer-underflow, causing an over-read of the buffer that stores the raw packet.
Comment 2 Dominik 'Rathann' Mierzejewski 2008-10-28 09:32:49 EDT
Here's the original announcement on the developers' mailing list:

http://lists.ziew.org/pipermail/libgadu-devel/2008-October/000331.html

I admit I haven't checked the terminology and may have used the wrong term. I'll try to translate the relevant part:

"[...] It is enough for the declared description length to be larger than the length of the gg_notify_reply structure and the description will run out. It may be possible to overwrite memory with a suitably crafted packet, but it looks like it is only an attempt to read beyond the bounds of available memory. [...]"

If the declared description length is larger than the gg_notify_reply structure length, there won't be enough room to store it. It may be possible to overwrite memory by using a crafted packet, but it appears that it's only an attempt to read outside available memory.

I think this describes a typical buffer overrun scenario, but please correct me if I'm wrong.
Comment 3 Tomas Hoger 2008-10-28 13:44:26 EDT
Thanks Dominik!  Your wording seems to match what upstream said, even though I fail to map that to the actual code.  And I won't have much extra time to dig deeper into this.  Updates should go to stable on the next push.
Comment 4 Tomas Hoger 2008-10-29 05:21:47 EDT
CVE id CVE-2008-4776 was assigned to this issue:

libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.
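The mechanism Comment 1 and the CVE text describe (a trusted description length that sends the copy past the end of the packet and wraps the remaining-length counter), as an added C example that is not libgadu's code: the entry layout, HDR_LEN and both functions are constructed for illustration, and a sentinel-filled backing buffer stands in for whatever memory follows the packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed entry layout (hypothetical, not libgadu's real wire format):
 *   4-byte uin | 4-byte status | 1-byte descr_len | descr_len bytes of text */
#define HDR_LEN 9u

/* Vulnerable pattern: descr_len is trusted. The copy reads descr_len bytes no
 * matter how many remain, and the "bytes left" counter wraps below zero, so a
 * loop driven by it keeps walking. buf_cap is the real allocation behind the
 * packet; bytes between pkt_len and buf_cap stand in for stale memory that a
 * real over-read would expose. Reads past buf_cap are where a process would
 * fault, so we stop and report instead of dereferencing. */
size_t vuln_copy_descr(const uint8_t *buf, size_t pkt_len, size_t buf_cap,
                       uint8_t *out, size_t out_cap, size_t *left_after)
{
    size_t dlen = buf[8];
    if (HDR_LEN + dlen > buf_cap || dlen > out_cap) return (size_t)-1; /* crash */
    memcpy(out, buf + HDR_LEN, dlen);          /* reads past pkt_len */
    *left_after = pkt_len - HDR_LEN - dlen;    /* underflows to a huge value */
    return dlen;
}

/* Fixed pattern: validate the declared length against what is actually left
 * before touching the payload or the counter; no subtraction can wrap. */
int safe_copy_descr(const uint8_t *buf, size_t pkt_len,
                    uint8_t *out, size_t out_cap, size_t *left_after)
{
    if (pkt_len < HDR_LEN) return -1;
    size_t dlen = buf[8];
    if (dlen > pkt_len - HDR_LEN || dlen > out_cap) return -1;
    memcpy(out, buf + HDR_LEN, dlen);
    *left_after = pkt_len - HDR_LEN - dlen;
    return (int)dlen;
}

/* Constructed packet: the header declares a 40-byte description but only
 * "abc" follows; the rest of the allocation is filled with a 0xAA sentinel. */
size_t demo(uint8_t *out, size_t out_cap,
            size_t *vuln_left, size_t *safe_left, int *safe_rc)
{
    uint8_t backing[64];
    memset(backing, 0xAA, sizeof backing);
    const uint8_t pkt[] = {1,0,0,0, 2,0,0,0, 40, 'a','b','c'};
    memcpy(backing, pkt, sizeof pkt);
    *safe_rc = safe_copy_descr(backing, sizeof pkt, out, out_cap, safe_left);
    return vuln_copy_descr(backing, sizeof pkt, sizeof backing,
                           out, out_cap, vuln_left);
}
```

The vulnerable copy returns 40 bytes of which 37 are sentinel bytes that were never part of the packet, while the fixed version rejects the entry outright.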
Comment 5 Fedora Update System 2008-10-30 08:53:35 EDT
libgadu-1.8.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2008-10-30 08:56:10 EDT
libgadu-1.8.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
