461424 – (CVE-2008-3969) Bitlbee 1.2.3 was released, update required

Bug 461424 (CVE-2008-3969) - Bitlbee 1.2.3 was released, update required

Summary: Bitlbee 1.2.3 was released, update required

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	CVE-2008-3969
Product:	Fedora
Classification:	Fedora
Component:	bitlbee
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Robert Scheck
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	http://bugs.bitlbee.org/bitlbee/timel...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2008-09-07 19:54 UTC by Robert Scheck
Modified:	2018-04-11 09:34 UTC (History)
CC List:	3 users (show)
Fixed In Version:	1.2.3-1
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2008-09-07 20:16:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Robert Scheck 2008-09-07 19:54:40 UTC

Description of problem:
Bitlbee 1.2.3 was released, see the following changelog:

Version 1.2.3:
- Fixed one more flaw similar to the previous hijacking bug, caused by incon-
  sistent handling of the USTATUS_IDENTIFIED state. All code touching these
  variables was reviewed and should be correct now.

Finished 7 Sep 2008

Version-Release number of selected component (if applicable):
bitlbee-1.2.2-1

Actual results:
bitlbee-1.2.2-1

Expected results:
bitlbee-1.2.3-1 ;-)

Comment 1 Robert Scheck 2008-09-07 20:00:20 UTC

Upstream writes on the main page in the news section:

Unfortunately 1.2.2 did not fix all possible account hijacking loopholes. 
Another very similar flaw was found by Tero Marttila. In the migration to
the user configuration storage abstraction layer, a few safeguards that
prevent overwriting existing accounts disappeared. Over the week I went
over all the related code to make sure that everything's done in a sane,
safe and consistent way.

Comment 2 Robert Scheck 2008-09-07 20:16:44 UTC

Package: bitlbee-1.2.3-1.fc10 Tag: dist-f10 Status: complete
Package: bitlbee-1.2.3-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Package: bitlbee-1.2.3-1.fc8 Tag: dist-f8-updates-candidate Status: complete

127 (bitlbee): Build on target fedora-5-epel succeeded.
128 (bitlbee): Build on target fedora-4-epel succeeded.

Comment 3 Fedora Update System 2008-09-07 20:17:45 UTC

bitlbee-1.2.3-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc8

Comment 4 Fedora Update System 2008-09-07 20:17:49 UTC

bitlbee-1.2.3-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/bitlbee-1.2.3-1.fc9

Comment 5 Tomas Hoger 2008-09-08 07:40:03 UTC

Few references:

Upstream news page with announcement already quoted in comment #1:
  http://www.bitlbee.org/main.php/news.r.html

Upstream changelog:
  http://www.bitlbee.org/main.php/changelog.html

Upstream fix:
  http://bugs.bitlbee.org/bitlbee/changeset/devel%2C443

Comment 6 Robert Scheck 2008-09-08 11:07:28 UTC

To make Matej Cepl happy: The changeset mentioned in comment #5 is part of 
Bitlbee 1.2.3, so currently no open task/jobs etc.

Comment 7 Tomas Hoger 2008-09-09 18:33:05 UTC

CVE id CVE-2008-3969 was assigned to this additional fix in bitlbee 1.2.3.

Comment 8 Tomas Hoger 2008-09-11 06:27:43 UTC

CVE-2008-3969:

Multiple unspecified vulnerabilities in BitlBee before 1.2.3 allow
remote attackers to "overwrite" and "hijack" existing accounts via
unknown vectors.  NOTE: this issue exists because of an incomplete fix
for CVE-2008-3920.

Comment 9 Fedora Update System 2008-09-11 16:54:24 UTC

bitlbee-1.2.3-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2008-09-11 16:59:22 UTC

bitlbee-1.2.3-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.