Bug 468830 (CVE-2008-4776) - CVE-2008-4776 libgadu: contact description buffer over-read vulnerability
Summary: CVE-2008-4776 libgadu: contact description buffer over-read vulnerability
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2008-4776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-28 10:14 UTC by Tomas Hoger
Modified: 2008-11-03 11:28 UTC (History)

Fixed In Version: 1.8.2-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-11-03 11:28:33 UTC
Embargoed:


Attachments
Diff between upstream version 1.8.1 and 1.8.2 (1.32 KB, patch)
2008-10-28 10:19 UTC, Tomas Hoger

Description Tomas Hoger 2008-10-28 10:14:28 UTC
New libgadu upstream version 1.8.2 fixes a buffer overrun issue, quoting the Fedora update request (https://admin.fedoraproject.org/updates/libgadu):

  Security fix for contact description buffer overrun vulnerability. A
  specifically crafted packet sent by the server could overwrite memory.
  Successful exploitation would require a man-in-the-middle attack or
  hacking the Gadu-Gadu servers. No known exploits.

References:
http://toxygen.net/libgadu/releases/1.8.2.html

Comment 1 Tomas Hoger 2008-10-28 10:19:58 UTC
Created attachment 321690
Diff between upstream version 1.8.1 and 1.8.2

rathann, your update description says it's a buffer over-write flaw, though I don't see this mentioned in the upstream announcement (however, both my and Google's knowledge of the Polish language is not too good, so I may as well be wrong ;).

Looking at the code, I do not see any obvious overwrite.  A malicious packet can cause the length to integer-underflow, causing an over-read of the buffer that stores the raw packet.

Comment 2 Dominik 'Rathann' Mierzejewski 2008-10-28 13:32:49 UTC
Here's the original announcement on the developers' mailing list:

http://lists.ziew.org/pipermail/libgadu-devel/2008-October/000331.html

I admit I haven't checked the terminology and may have used the wrong term. I'll try to translate the relevant part:

"[...] It is enough that the declared description length is greater than the length of the gg_notify_reply structure and the description runs out. It is possible that memory could be overwritten with a suitably crafted packet, but it looks like it is only an attempt to read beyond the bounds of available memory. [...]"

If the declared description length is larger than the gg_notify_reply structure length, there won't be enough room to store it. It may be possible to overwrite memory by using a crafted packet, but it appears that it's only an attempt to read outside available memory.

I think this describes a typical buffer overrun scenario, but please correct me if I'm wrong.
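
The length-handling gap discussed in the comments above, as an added illustration that is not libgadu's own code: the record layout (a 14-byte fixed part followed by a one-byte description length) and the function names are assumed for the example. It shows the unsigned "bytes remaining" computation that wraps when the declared description length exceeds the data actually present, beside a version that validates the declared length against the packet size before subtracting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not libgadu's real struct): a GG_NOTIFY_REPLY record is
 * a fixed header, then a 1-byte description length, then the description.
 * Only the length arithmetic is modelled here. */
#define NOTIFY_FIXED_LEN 14

/* Vulnerable pattern: the declared length is trusted. With unsigned
 * arithmetic the "remaining bytes" value wraps to a huge number when the
 * declared length exceeds the bytes actually present, so a later loop
 * over "remaining" walks past the end of the packet buffer.
 * Returns the (possibly wrapped) remaining-byte count. Caller must pass a
 * packet of at least NOTIFY_FIXED_LEN + 1 bytes. */
size_t remaining_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    size_t desc_len = pkt[NOTIFY_FIXED_LEN];
    /* wraps to ~SIZE_MAX when desc_len > pkt_len - NOTIFY_FIXED_LEN - 1 */
    return pkt_len - NOTIFY_FIXED_LEN - 1 - desc_len;
}

/* Hardened: check before subtracting. Returns the bytes remaining after
 * the description, or -1 if the record is truncated or the declared
 * description does not fit in the packet. */
long remaining_checked(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < NOTIFY_FIXED_LEN + 1)
        return -1;                       /* no room for the length byte */
    size_t desc_len = pkt[NOTIFY_FIXED_LEN];
    size_t avail = pkt_len - NOTIFY_FIXED_LEN - 1;
    if (desc_len > avail)
        return -1;                       /* declared length exceeds data */
    return (long)(avail - desc_len);
}

int main(void)
{
    /* Constructed packet: 14-byte fixed part, length byte 200, but only
     * 5 description bytes actually follow. */
    uint8_t pkt[20] = {0};
    pkt[NOTIFY_FIXED_LEN] = 200;
    printf("unchecked remaining: %zu\n", remaining_unchecked(pkt, sizeof pkt));
    printf("checked remaining:   %ld\n", remaining_checked(pkt, sizeof pkt));
    return 0;
}
```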

Comment 3 Tomas Hoger 2008-10-28 17:44:26 UTC
Thanks Dominik!  Your wording seems to match what upstream said, even though I fail to map that to the actual code.  And I won't have much extra time to dig deeper into this.  Updates should go to stable on the next push.

Comment 4 Tomas Hoger 2008-10-29 09:21:47 UTC
CVE id CVE-2008-4776 was assigned to this issue:

libgadu before 1.8.2 allows remote servers to cause a denial of
service (crash) via a contact description with a large length, which
triggers a buffer over-read.

Comment 5 Fedora Update System 2008-10-30 12:53:35 UTC
libgadu-1.8.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2008-10-30 12:56:10 UTC
libgadu-1.8.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

