Bugzilla – Bug 691364
VUL-0: CVE-2011-1753: jabberd: multiple jabber servers vulnerable to denial of service
Last modified: 2021-08-11 09:33:15 UTC
Hi. There is a security bug in package 'jabberd'. This bug is NOT PUBLIC. There is no coordinated release date (CRD) set.

CVE number: CVE-2011-1753
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1753
CVE number: CVE-2011-1754
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1754

Original posting:

---------- Forwarded message ----------
Subject: [security@suse.de] [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
Date: Thursday, 28 April 2011, 16:27:54
From: Red Hat Security Response Team <secalert@redhat.com>
Cc: ajc@uncensored.citadel.org, brad@danga.com, security@mandriva.com, team@security.debian.org, security@suse.de, cascardo@minaslivre.org, reatmon@jabber.org, alexey@sevcom.net, security@ubuntu.com, temas@jabber.org, rob@cataclysm.cx, wouter@coekaerts.be, m@tthias.eu, security@gentoo.org, jeremie@jabber.org

Hello Nico,

thank you for your reply.

On Thu Apr 28 10:08:18 2011, nion@debian.org wrote:
> Hi,
> * Red Hat Security Response Team <secalert@redhat.com> [2011-04-28 15:29]:
> > On Wed Apr 27 11:40:36 2011, nion@debian.org wrote:
> [...]
> > > Please let us know if and how you plan to address these issues so we can
> > > fix this in a coordinated manner.
> >
> > There was a similar neon package related issue in
> > the past -- CVE-YYYY-NNN
> > [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-YYYY-NNN
> > (cve.mitre.org entry)
> > [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-YYYY-NNN
> > (RH BZ entry)
> > [3] https://bugzilla.redhat.com/show_bug.cgi?id=518215#c2
> > (RH BZ copy of patch applied by neon upstream).
> >
> > As noted in [3], the fix / workaround how to address this deficiency
> > in the neon package was to add explicit call to:
> >
> > + XML_StopParser(parser->parser, XML_FALSE);
> >
> > routine for the case when the parser has hit an entity declaration.
>
> Yes exactly. I've seen similar patches also in libapr.
> I haven't looked into how much work this is for the individual
> jabber daemons. I don't think it's too much of a hassle even though I'm not
> completely sure if this would be a functionality problem for the jabber
> protocol itself.
>
> > So since expat upstream did not show the willingness to address
> > this problem in upstream expat code, assuming the applied solution
> > by majority of ejabberd, jabberd4, jabberd2, citadel and djabberd
> > upstream will be to apply a similar patch that neon upstream did.
>
> Yes. (I'm a little confused, I think I wrote that as well)
> [...]

Ah, OK, thought based on:

> > > Please let us know if and how you plan to address these issues so we can
> > > fix this in a coordinated manner.

that you are asking us for an opinion on how to fix this issue (that's why I mentioned the neon case).

> > > The particular CVE identifiers were assigned as follows:
> > > >
> > > > These are affected:
> > > > * ejabberd 2.1.5.
> > >
> > > Please use CVE-2011-1753 for this one.
> > >
> > > > * jabberd4 1.6.1.
> > >
> > > Please use CVE-2011-1754 for this one
>
> Just in case you have to write a little abstract for these issues... it's
> jabberd14 not jabberd4

Thank you for pointing this out.

By any chance do you happen to know if jabberd14 and jabberd2 are the same source code base (i.e. jabberd14 just being older version of jabberd2)?

> > Thanks for the ids!
> Did you on purpose not include the CC list in your reply?

Did include all of the original ones, but replied via RT3 ticketing system, so AFAIK they are not displayed. But as far as I can tell, all of the original people were Cc-ed.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

> > Cheers
> Nico
-------------------------------------------------------------
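The neon-style mitigation the forwarded mail describes (stop the parser the moment it hits an entity declaration, before anything is expanded), written out as an added example that is not part of this bug's attachments or of jabberd's code. It uses Python's pyexpat binding, where raising from EntityDeclHandler aborts Parse() the way XML_StopParser() does in the C patch; the stream start and the entity document are constructed samples, and parse_stream() is a name chosen here.

```python
"""Added example, not code from this bug or from jabberd: reject XML entity
declarations before expat expands them. jabberd2's fix calls XML_StopParser()
from the entity-declaration callback; pyexpat gives the same effect when the
handler raises, because the exception aborts Parse() at that point."""
import xml.parsers.expat


class EntityDeclarationRejected(Exception):
    """Raised as soon as the stream declares any entity (internal or external)."""


def make_guarded_parser():
    """Stream parser that aborts on the first <!ENTITY ...> declaration."""
    parser = xml.parsers.expat.ParserCreate()
    seen = {"elements": 0}

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Equivalent of XML_StopParser(parser, XML_FALSE): abort right here,
        # before expat ever expands the entity inside element content.
        raise EntityDeclarationRejected(name)

    def on_start(name, attrs):
        seen["elements"] += 1

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    return parser, seen


def parse_stream(data):
    """Return ('ok', element_count) or ('rejected', entity_name)."""
    parser, seen = make_guarded_parser()
    try:
        parser.Parse(data, False)  # isfinal=False: an XMPP stream stays open
    except EntityDeclarationRejected as exc:
        return ("rejected", str(exc))
    return ("ok", seen["elements"])


# Constructed samples: a normal XMPP stream start, and a small document that
# declares nested entities (the pattern the thread calls a "billion laughs").
NORMAL_STREAM = (b'<stream:stream xmlns:stream="http://etherx.jabber.org/streams" '
                 b'xmlns="jabber:client" to="example.org" version="1.0">')
ENTITY_STREAM = (b'<?xml version="1.0"?><!DOCTYPE s [<!ENTITY a "ha">'
                 b'<!ENTITY b "&a;&a;&a;&a;">]><s>&b;&b;&b;&b;</s>')

if __name__ == "__main__":
    print(parse_stream(NORMAL_STREAM))  # ('ok', 1)
    print(parse_stream(ENTITY_STREAM))  # ('rejected', 'a')
```

The guard fires on the first declaration, so the expansion cost is never paid; a server that needs legitimate DTDs would instead have to bound entity size and nesting, which expat of that era did not offer.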
[security@suse.de] Re: [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
From: Nico Golde <nion@debian.org>
To: Red Hat Security Response Team <secalert@redhat.com>
Cc: ajc@uncensored.citadel.org, brad@danga.com, security@mandriva.com, team@security.debian.org, security@suse.de, cascardo@minaslivre.org, reatmon@jabber.org, alexey@sevcom.net, security@ubuntu.com, temas@jabber.org, rob@cataclysm.cx, wouter@coekaerts.be, m@tthias.eu, security@gentoo.org, jeremie@jabber.org

Hi,
* Red Hat Security Response Team <secalert@redhat.com> [2011-04-28 16:34]:
> On Thu Apr 28 10:08:18 2011, nion@debian.org wrote:
> > * Red Hat Security Response Team <secalert@redhat.com> [2011-04-28 15:29]:
> > > On Wed Apr 27 11:40:36 2011, nion@debian.org wrote:
[...]
> > > The particular CVE identifiers were assigned as follows:
> > > > >
> > > > > These are affected:
> > > > > * ejabberd 2.1.5.
> > >
> > > Please use CVE-2011-1753 for this one.
> > >
> > > > > * jabberd4 1.6.1.
> > >
> > > Please use CVE-2011-1754 for this one
> >
> > Just in case you have to write a little abstract for these issues... it's
> > jabberd14 not jabberd4
>
> Thank you for pointing this out.
>
> By any chance do you happen to know if jabberd14 and jabberd2
> are the same source code base (i.e. jabberd14 just being older
> version of jabberd2)?

No sorry. I just found a wikipedia entry though which says
"jabberd2 was intended to be jabberd 1.4's successor but in 2006 the jabberd 1.4 project was still being developed."

Just by a quick glance on the code I also don't see too much similarities so I assume it's a rewrite. Would be interesting to see what the Cced jabber.org people can tell us about that.

> > > Thanks for the ids!
> > Did you on purpose not include the CC list in your reply?
>
> Did include all of the original ones, but replied via RT3
> ticketing system, so AFAIK they are not displayed. But as
> far as I can tell, all of the original people were Cc-ed.

Yep sorry for the confusion. Saw that after I checked my debian security team inbox.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[security@suse.de] Re: [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
From: Matthias Wimmer <m@tthias.eu>
To: Red Hat Security Response Team <secalert@redhat.com>, rob@cataclysm.cx, team@security.debian.org, security@gentoo.org, reatmon@jabber.org, cascardo@minaslivre.org, security@mandriva.com, temas@jabber.org, security@ubuntu.com, security@suse.de, alexey@sevcom.net, jeremie@jabber.org, brad@danga.com, ajc@uncensored.citadel.org, wouter@coekaerts.be

Hi together,

jabberd14 is different from jabberd2, and is still developed. I will write a fix for this vulnerability.

Regards,
Matthias

Nico Golde wrote on 2011-04-28 16:40:50:
> Date: Thu, 28 Apr 2011 16:40:50 +0200
> From: Nico Golde <nion@debian.org>
> Subject: Re: [engineering.redhat.com #108718] Embargoed: multiple jabber
> servers vulnerable to denial of service
> To: Red Hat Security Response Team <secalert@redhat.com>
> Cc: rob@cataclysm.cx, team@security.debian.org, security@gentoo.org,
> reatmon@jabber.org, m@tthias.eu, cascardo@minaslivre.org,
> security@mandriva.com, temas@jabber.org, security@ubuntu.com,
> security@suse.de, alexey@sevcom.net, jeremie@jabber.org,
> brad@danga.com, ajc@uncensored.citadel.org, wouter@coekaerts.be
> X-Mailer: netcat 1.10
> X-Bogosity: Unsure, tests=bogofilter, spamicity=0.500372, version=1.2.2
>
> Hi,
> * Red Hat Security Response Team <secalert@redhat.com> [2011-04-28 16:34]:
> > On Thu Apr 28 10:08:18 2011, nion@debian.org wrote:
> > > * Red Hat Security Response Team <secalert@redhat.com> [2011-04-28 15:29]:
> > > > On Wed Apr 27 11:40:36 2011, nion@debian.org wrote:
> [...]
> > > > The particular CVE identifiers were assigned as follows:
> > > > > >
> > > > > > These are affected:
> > > > > > * ejabberd 2.1.5.
> > > >
> > > > Please use CVE-2011-1753 for this one.
> > > >
> > > > > > * jabberd4 1.6.1.
> > > >
> > > > Please use CVE-2011-1754 for this one
> > >
> > > Just in case you have to write a little abstract for these issues... it's
> > > jabberd14 not jabberd4
> >
> > Thank you for pointing this out.
> >
> > By any chance do you happen to know if jabberd14 and jabberd2
> > are the same source code base (i.e. jabberd14 just being older
> > version of jabberd2)?
>
> No sorry. I just found a wikipedia entry though which says
> "jabberd2 was intended to be jabberd 1.4's successor but in 2006 the jabberd
> 1.4 project was still being developed."
>
> Just by a quick glance on the code I also don't see too much similarities so I
> assume it's a rewrite. Would be interesting to see what the Cced jabber.org
> people can tell us about that.
>
> > > > Thanks for the ids!
> > > Did you on purpose not include the CC list in your reply?
> >
> > Did include all of the original ones, but replied via RT3
> > ticketing system, so AFAIK they are not displayed. But as
> > far as I can tell, all of the original people were Cc-ed.
>
> Yep sorry for the confusion. Saw that after I checked my debian security team
> inbox.
>
> Cheers
> Nico
> --
> Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
> For security reasons, all text in this mail is double-rot13 encrypted.
[security@suse.de] Re: [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
From: Robert Norris <rob@eatenbyagrue.org>
To: Red Hat Security Response Team <secalert@redhat.com>, rob@cataclysm.cx, team@security.debian.org, security@gentoo.org, reatmon@jabber.org, m@tthias.eu, cascardo@minaslivre.org, security@mandriva.com, temas@jabber.org, security@ubuntu.com, security@suse.de, alexey@sevcom.net, jeremie@jabber.org, brad@danga.com, ajc@uncensored.citadel.org, wouter@coekaerts.be

> > By any chance do you happen to know if jabberd14 and jabberd2
> > are the same source code base (i.e. jabberd14 just being older
> > version of jabberd2)?

They are separate projects with only the most minimal of common code. I was the original author of jabberd2, a long time ago. I have not worked with the code for years. It appears that it's still being maintained at the following URL. I do not know the authors and have not contacted them about this issue.

http://codex.xiaoka.com/wiki/jabberd2:start

Cheers,
Rob.
Created attachment 427678 [details]
jabberd2_entity-parsing.diff

[security@suse.de] Re: [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
From: Nico Golde <nion@debian.org>
To: Matthias Wimmer <m@tthias.eu>
Cc: ajc@uncensored.citadel.org, brad@danga.com, security@mandriva.com, team@security.debian.org, security@suse.de, Red Hat Security Response Team <secalert@redhat.com>, cascardo@minaslivre.org, reatmon@jabber.org, alexey@sevcom.net, security@ubuntu.com, temas@jabber.org, rob@cataclysm.cx, wouter@coekaerts.be, tomek@xiaoka.com, security@gentoo.org, jeremie@jabber.org

Hi,
* Matthias Wimmer <m@tthias.eu> [2011-04-28 17:53]:
> jabberd14 is different from jabberd2, and is still developed. I will
> write a fix for this vulnerability.

Great to hear that!
In the meantime I reached Tomasz Sterna who provided a patch for jabberd2 (attached).

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
We plan a security update for 2011-06-16; we should include the fix for jabberd there too.
Sorry, I'm not maintaining this anymore (for about 2 years). According to OBS, Reinhard seems to be the right person now.
p5->p3 mass change
Created attachment 427884 [details]
jabberd-2.0s11.patch

[security@suse.de] Re: [engineering.redhat.com #108718] Embargoed: multiple jabber servers vulnerable to denial of service
From: Jamie Strandboge <jamie@canonical.com>
To: Nico Golde <nion@debian.org>
Cc: ajc@uncensored.citadel.org, brad@danga.com, security@mandriva.com, team@security.debian.org, security@suse.de, Red Hat Security Response Team <secalert@redhat.com>, cascardo@minaslivre.org, reatmon@jabber.org, security@ubuntu.com, alexey@sevcom.net, temas@jabber.org, tomek@xiaoka.com, rob@cataclysm.cx, wouter@coekaerts.be, Matthias Wimmer <m@tthias.eu>, security@gentoo.org, jeremie@jabber.org

On Mon, 2011-05-02 at 21:05 +0200, Nico Golde wrote:
> Hi,
> * Matthias Wimmer <m@tthias.eu> [2011-04-28 17:53]:
> > jabberd14 is different from jabberd2, and is still developed. I will
> > write a fix for this vulnerability.
>
> Great to hear that!
> In the meantime I reached Tomasz Sterna who provided a patch for jabberd2
> (attached).

There is a typo in the jabberd2 patch I discovered while backporting it to 2.0s11. The patch has this:

+#if XML_MAJOR_VERSION > 0
+/* XML_StopParser is present in expat 2.x */
+#define HAVE_XML_STOPPARSER
+#endif
+

So the check and the comment don't go together, and indeed, according to the changelog, 2.0s11 has expat 1.95.7. This should obviously be changed to '#if XML_MAJOR_VERSION > 1'.

Attached is a lightly tested patch with this change along with massaging for 2.0s11. Using the reproducer, I see the patch is working via the c2s log:

Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] connect
Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] error: Stream error (Expected stream start)
Tue May 3 21:53:51 2011 [notice] [13] [127.0.0.1, port=52834] disconnect

Prior to the update, c2s would not disconnect and be DoSd.

--
Jamie Strandboge | http://www.canonical.com
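Review bot: the preprocessor guard `#if XML_MAJOR_VERSION > 0` in the quoted hunk contradicts the comment under it, since `> 0` also holds for expat 1.x (the mail notes 2.0s11 ships expat 1.95.7), so HAVE_XML_STOPPARSER would be defined on a build whose expat has no XML_StopParser and the guarded call would not compile there. Change the condition to `#if XML_MAJOR_VERSION > 1` so the define matches the "expat 2.x" comment, as the attached 2.0s11 backport does, and consider a comment next to the `#endif` saying what the fallback path does when the macro is absent, since on those builds the entity-declaration handler cannot stop the parser.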
CRD = 2011-05-31
I am ready to submit the patch from comment #4 including the typo fix from comment #8 to SUSE Manager (which is our only product that contains the jabberd package) but a few questions remain:

1. How do I describe the vulnerability in the change log? The pasted emails are a bit confusing and don't seem to have all the details.
2. Shall I use the jabberd14 CVE number for jabberd2 as well or will there be a separate one?
(In reply to comment #10)
> I am ready to submit the patch from comment #4 including the typo fix from
> comment #8 to SUSE Manager (which is our only product that contains the jabberd
> package) but a few questions remain:
>
> 1. How do I describe the vulnerability in the change log? The pasted emails are
> a bit confusing and don't seem to have all the details.

Fix a remote XML denial of service attack (aka "billion laughs attack")

> 2. Shall I use the jabberd14 CVE number for jabberd2 as well or will there be a
> separate one?

ejabberd 2.1.5: CVE-2011-1753
jabberd4 1.6.1: CVE-2011-1754

Does it answer your questions?
(In reply to comment #11)
> ejabberd 2.1.5: CVE-2011-1753
> jabberd4 1.6.1: CVE-2011-1754

s/jabberd4/jabberd14/ as per the pasted mails.

We ship neither of these, but jabberd2, which was originally intended to be the successor of jabberd14, but development on the 1.4 code base continued as well, so today they are completely independent projects. Hence the question whether CVE-2011-1754 will be used for both jabberd14 and jabberd2 or a new CVE number is needed for the jabberd2 project.
Ah, please use CVE-2011-1755.
Package submitted to SUSE:SLE-11-SP1:Update:Manager:1.2.
As this is an SP1 update, please submit to SUSE:SLE-11-SP1:Update:Test.
The jabberd package does not exist on SP1, so why is this going to be a SP1 update?
SUSE Manager is being maintained via the common code base, and that's SLE11 SP1; it does exist there already.
I submitted to SUSE:SLE-11-SP1:Update:Test now, but osc told me the package didn't exist there before.
That's correct, you're the first one who submitted it there. Thanks!
I guess you meant osc rq 12113, which you submitted against SUSE:SLE-11:Update:Test. I requested to submit it to SUSE:SLE-11-SP1:Update:Test
(In reply to comment #20)
> that's correct, you're the first one who submitted it there. Thanks!

But above you said "it does exist there already", so now I am completely confused.

(In reply to comment #21)
> I guess you meant osc rq 12113, which you submitted against
> SUSE:SLE-11:Update:Test. I requested to submit it to
> SUSE:SLE-11-SP1:Update:Test

Whoops, sorry. Corrected it:

$ osc sr SUSE:SLE-11-SP1:Update:Test -m "Fix bnc#691364, CVE-2011-1755"
Warning: failed to fetch meta data for 'SUSE:SLE-11-SP1:Update:Test' package 'jabberd' (new package?)
public now
The SWAMPID for this issue is 41662. This issue was rated as moderate. Please submit fixed packages until 2011-07-04. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: jabberd Products: SUSE-MANAGER 1.2 (x86_64)
Update released for: jabberd Products: SUSE-MANAGER-PROXY 1.2 (x86_64)
done