
Re: centerim stable update for CVE-2008-4776



Hi, there!

I am not subscribed to this list (@debian-security), so please CC me.

I prepared a package with a patch which resolves CVE-2008-4776 and want to
upload it. It is the first package which I want to upload into stable
and I want somebody to check (and help to upload) it. The debdiff can be
found in the attachment. It contains one additional patch which was
backported from 4.22.8 (from git) and it builds fine with pbuilder.

PS: debdiff between centerim 4.22.5-1 (lenny) and 4.22.5-1+lenny1

On 22:49 Sat 30 Jan     , Giuseppe Iuculano wrote:
GI> Hi,
GI> the following CVE (Common Vulnerabilities & Exposures) id was
GI> published for centerim some time ago.

GI> CVE-2008-4776[0]:
GI> | libgadu before 1.8.2 allows remote servers to cause a denial of
GI> | service (crash) via a contact description with a large length, which
GI> | triggers a buffer over-read.

GI> Unfortunately the vulnerability described above is not important enough
GI> to get it fixed via regular security update in Debian stable. It does not
GI> warrant a DSA.

GI> However it would be nice if this could get fixed via a regular point update[1].
GI> Please contact the release team for this.

GI> This is an automatically generated mail, in case you are already working on an
GI> upgrade this is of course pointless.

GI> For further information see:

GI> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
GI> http://security-tracker.debian.org/tracker/CVE-2008-4776
GI> [1] http://www.debian.org/doc/developers-reference/pkgs.html#upload-stable

GI> Kind regards
GI> Giuseppe.
-- 
... mpd is off

. ''`.                               Dmitry E. Oboukhov
: :’  :   email: unera@debian.org jabber://UNera@uvw.ru
`. `~’              GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537
diff -u centerim-4.22.5/debian/changelog centerim-4.22.5/debian/changelog
--- centerim-4.22.5/debian/changelog
+++ centerim-4.22.5/debian/changelog
@@ -1,3 +1,10 @@
+centerim (4.22.5-1+lenny1) stable-security; urgency=low
+
+  * Fixed CVE-2008-4776, closes: #559782 for stable release.
+    (The patch CVE-2008-4776 has been backported from 4.22.8).
+
+ -- Dmitry E. Oboukhov <unera@debian.org>  Sun, 31 Jan 2010 14:06:00 +0300
+
 centerim (4.22.5-1) unstable; urgency=low
 
   * New upstream version release:
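Review bot: The new changelog entry targets `stable-security`, while the quoted request says the issue does not warrant a DSA and should go through a regular point update coordinated with the release team. The distribution field should name the suite used for point updates rather than the security suite; confirm the exact target with the release team before uploading. The phrase `closes: #559782 for stable release` would also read more clearly as a plain `Closes: #559782` at the end of the line.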
diff -u centerim-4.22.5/debian/patches/00list centerim-4.22.5/debian/patches/00list
--- centerim-4.22.5/debian/patches/00list
+++ centerim-4.22.5/debian/patches/00list
@@ -1,0 +2 @@
+CVE-2008-4776.dpatch
only in patch2:
unchanged:
--- centerim-4.22.5.orig/debian/patches/CVE-2008-4776.dpatch
+++ centerim-4.22.5/debian/patches/CVE-2008-4776.dpatch
@@ -0,0 +1,32 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_CVE-2008-4776.dpatch by  <unera@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Patch fixes CVE-2008-4776
+
+@DPATCH@
+
+From: Sven Wegener <swegener@gentoo.org>
+Date: Sat, 8 Aug 2009 16:58:32 +0000 (+0200)
+Subject: This fixes CVE-2008-4776
+X-Git-Tag: 4.22.8~2
+X-Git-Url: http://repo.or.cz/w/centerim.git/commitdiff_plain/4f60564129a7fd4fd7efe55eff779776ec6df11e
+
+This fixes CVE-2008-4776
+
+Patch from gentoo by Sven Wegener
+---
+
+diff --git a/libgadu/events.c b/libgadu/events.c
+index 6ebc261..91f88ed 100644
+--- a/libgadu/events.c
++++ b/libgadu/events.c
+@@ -580,7 +580,7 @@ static int gg_watch_fd_connected(struct gg_session *sess, struct gg_event *e)
+ 				if (GG_S_D(n->status)) {
+ 					unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply60));
+ 
+-					if (descr_len < length) {
++					if (sizeof(struct gg_notify_reply60) + descr_len < length) {
+ 						if (!(e->event.notify60[i].descr = malloc(descr_len + 1))) {
+ 							gg_debug(GG_DEBUG_MISC, "// gg_watch_fd_connected() not enough memory for notify data\n");
+ 							goto fail;
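Review bot: In the embedded libgadu/events.c change, `descr_len` is still read from `(char*) n + sizeof(struct gg_notify_reply60)` before anything in the visible lines confirms that this byte lies inside `length`; the corrected condition only runs after that read. Please confirm that the enclosing code guarantees `length > sizeof(struct gg_notify_reply60)` at this point, or move the read behind such a check. Separately, the dpatch header names `10_CVE-2008-4776.dpatch` while the file and the 00list entry are `CVE-2008-4776.dpatch`, and the author name before `<unera@debian.org>` is empty.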

Attachment: signature.asc
Description: Digital signature

