Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200507-26 ] GNU Gadu, CenterICQ, Kadu, EKG, libgadu: Remote code execution in Gadu library
Date: Wed, 27 Jul 2005 07:20:23
Message-Id: 200507270858.44528.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200507-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: GNU Gadu, CenterICQ, Kadu, EKG, libgadu: Remote code execution in Gadu library
Date: July 27, 2005
Bugs: #99816, #99890, #99583
ID: 200507-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer
overflow which could potentially lead to the execution of arbitrary
code or a Denial of Service.

Background
==========

GNU Gadu, CenterICQ, Kadu and EKG are instant messaging applications
created to support the Gadu-Gadu instant messaging protocol. libgadu is a
library that implements the client side of the Gadu-Gadu protocol.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /   Vulnerable   /            Unaffected
    -------------------------------------------------------------------
  1  net-im/gnugadu               < 2.2.6-r1               >= 2.2.6-r1
  2  net-im/centericq             < 4.20.0-r3              >= 4.20.0-r3
  3  net-im/kadu                  < 0.4.1                  >= 0.4.1
  4  net-im/ekg                   < 1.6_rc3                >= 1.6_rc3
  5  net-libs/libgadu             < 20050719               >= 20050719
    -------------------------------------------------------------------
     5 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer
overflow.

Impact
======

A remote attacker could exploit the integer overflow to execute
arbitrary code or cause a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Gadu users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/gnugadu-2.2.6-r1"

All Kadu users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/kadu-0.4.1"

All EKG users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/ekg-1.6_rc3"

All libgadu users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/libgadu-20050719"

All CenterICQ users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/centericq-4.20.0-r3"

CenterICQ is no longer distributed with Gadu-Gadu support; affected
users are encouraged to migrate to an alternative package.
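
The affected-package table and the per-package upgrade commands above amount to one question per installed package: is its version below the first unaffected one? As an added illustration that is not Gentoo's own tooling (glsa-check from app-portage/gentoolkit answers this against the real package database), the Python below encodes this advisory's vulnerable ranges with a simplified Gentoo-style version comparison that covers only the version shapes in the table; the inventory it checks is constructed sample data.

```python
"""Decide whether installed versions fall inside this GLSA's vulnerable ranges.

Illustrative code, not Gentoo's glsa-check. The version comparison is a
simplification that handles only the shapes found in GLSA 200507-26:
dotted numerics, an optional _rc<N> suffix and an optional -r<N> revision.
"""
import re

# Vulnerable ranges transcribed from the table: "< version" for each package.
AFFECTED = {
    "net-im/gnugadu": "2.2.6-r1",
    "net-im/centericq": "4.20.0-r3",
    "net-im/kadu": "0.4.1",
    "net-im/ekg": "1.6_rc3",
    "net-libs/libgadu": "20050719",
}

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_rc(\d+))?(?:-r(\d+))?$")


def version_key(ver):
    """Map a version string to a tuple that orders like Portage does for these
    shapes: numeric components, then release stage, then revision. A plain
    release sorts after any _rc candidate of the same base version."""
    m = _VER.match(ver)
    if not m:
        raise ValueError(f"unsupported version format: {ver}")
    base, rc, rev = m.groups()
    nums = tuple(int(x) for x in base.split("."))
    stage = (1, 0) if rc is None else (0, int(rc))
    return nums, stage, int(rev or 0)


def is_vulnerable(package, installed):
    """True when the installed version is below the first unaffected version."""
    if package not in AFFECTED:
        return False
    return version_key(installed) < version_key(AFFECTED[package])


def check(installed):
    """Return the subset of a {package: version} inventory this GLSA says to upgrade."""
    return {p: v for p, v in installed.items() if is_vulnerable(p, v)}


# Constructed sample inventory (not taken from a real system).
SAMPLE = {"net-im/ekg": "1.6_rc2", "net-libs/libgadu": "20050719",
          "net-im/kadu": "0.4.0-r2", "net-im/gnugadu": "2.2.6-r1"}

if __name__ == "__main__":
    for pkg, ver in check(SAMPLE).items():
        print(f"{pkg}-{ver}: upgrade to >={AFFECTED[pkg]}")
```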

References
==========

[ 1 ] CAN-2005-1852
      http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1852
[ 2 ] BugTraq Announcement
      http://www.securityfocus.com/archive/1/406026/30/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200507-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0