Bugzilla – Bug 878540
VUL-0: CVE-2014-3775: libgadu vulnerability: possible memory corruption
Last modified: 2014-06-13 07:21:55 UTC
Via OSS-sec:

> A crafted message from the file relay server may cause memory to
> be overwritten. The memory is not overwritten with data sent directly by the
> server, but security implications cannot be ruled out.
>
> The bug is public:
> http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001171.html
> http://lists.ziew.org/pipermail/libgadu-devel/2014-May/001180.html

Use CVE-2014-3775 for the issue as described in the 001180.html message. It is possible that the 001171.html and 001180.html messages are referring to exactly the same issue: in that case, there will be only one CVE ID in total. (The messages are somewhat different -- for example, 001180.html doesn't directly mention that exploitability is unproven -- but this may be a wording difference and not anything inherent about the code in 1.11.x versus 1.12 prereleases.)
Is it the same problem known as CVE-2013-6487 in pidgin? (We don't use gg bundled with pidgin but libgadu in all SUSE versions.)

Looking at openSUSE:Factory, it is already updated there and this CVE id is used:

Sun May 11 20:55:42 UTC 2014 - fisiu@opensuse.org
- Update to version 1.11.4, bugfix release:
  + Fix buffer overflow with remote code execution potential. Only triggerable by a Gadu-Gadu server or a man-in-the-middle. CVE-2013-6487
Answering to myself: No, it is a different issue. I did a complete diff between versions, and I got only a few lines of changes. CVE-2013-6487 was already included in version 1.11.3. And comparing versions 1.11.2, 1.11.3 and 1.11.4, it should be safe to fix it by a version update. The changes diff contains only apparent fixes.
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (878540) was mentioned in https://build.opensuse.org/request/show/234889 Factory / libgadu
Although CVE-2013-6487 was reported against libpurple, it affects the libgadu copy inside the pidgin source tree, which means that it affects libgadu as well. The fix for CVE-2013-6487 appeared in libgadu-1.11.3 in January 2014. But we had not yet updated to libgadu-1.11.3, so the version update covers both issues. Related SUSE bug for CVE-2013-6487 in pidgin: bnc#861019
Fixed:

openSUSE 12.3 and 13.1: Did a version update and created OBS maintenance request id 234911.

openSUSE:Factory: Created OBS request id 234910 that just fixes the changes file.

SLE11: Only affected by CVE-2013-6487; does not support the proxy transfer affected by CVE-2014-3775. Created IBS request id 38262 using a backported excerpt from pidgin-2.10.7-to-2.10.8.patch.

SLE12: Did a version update and created IBS request id 38263.
SWAMP id is missing: 57495
openSUSE-SU-2014:0722-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 878540
CVE References: CVE-2013-6487,CVE-2014-3775
Sources used:
openSUSE 13.1 (src): libgadu-1.11.4-4.4.1
openSUSE 12.3 (src): libgadu-1.11.4-2.4.1

openSUSE-SU-2014:0742-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 861019,878540
CVE References: CVE-2013-6487,CVE-2014-3775
Sources used:
openSUSE 11.4 (src): libgadu-1.11.4-5.1

Update released for: libgadu, libgadu-debuginfo, libgadu-debugsource, libgadu-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)

SUSE-SU-2014:0790-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 878540
CVE References: CVE-2013-6487
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): libgadu-1.8.2-1.24.1
SUSE Linux Enterprise Desktop 11 SP3 (src): libgadu-1.8.2-1.24.1
All relevant packages updated