[CVE-2008-1227] Stack-based buffer overflow causes DoS

Bug #202752 reported by William Grant
Affects                  Status         Importance   Assigned to     Milestone
silc-toolkit (Fedora)    Fix Released   Low
silc-toolkit (Ubuntu)    Fix Released   High         William Grant

Bug Description

CVE-2008-1227:
Stack-based buffer overflow in the silc_fingerprint function in lib/silcutil/silcutil.c in Secure Internet Live Conferencing (SILC) Toolkit 1.1.5, and unspecified earlier versions, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via long input data. NOTE: some of these details are obtained from third party information.
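The changelog below summarises the upstream fix as "check the length of the fingerprint". The following is an added example, not SILC's silc_fingerprint or any code from this bug: a fingerprint formatter in the same spirit that checks the input length and the destination size before writing, so over-long input is refused instead of running past a fixed-size buffer. The function name, the "DE AD BE EF" layout, the 64-byte input cap and the sample digests are assumptions made for this illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added example, not SILC's silc_fingerprint: a fingerprint formatter that
 * bounds its work to the caller's buffer instead of writing into a fixed
 * stack array. The name, the "XX XX XX" layout and the 64-byte input cap
 * are assumptions made for this illustration. */

#define FP_MAX_INPUT 64   /* assumed: longer than any digest we would print */

/* Render `len` bytes of `data` as upper-case hex pairs separated by spaces.
 * Returns the number of characters written (excluding the NUL), or -1 when
 * the input is empty, longer than FP_MAX_INPUT, or would not fit in `out`.
 * The length checks up front are what a "long input data" overflow lacks:
 * without them the loop keeps writing past the end of the buffer. */
int format_fingerprint(const unsigned char *data, size_t len,
                       char *out, size_t outlen)
{
    static const char hexdigits[] = "0123456789ABCDEF";
    size_t needed, i, pos = 0;

    if (data == NULL || out == NULL || len == 0 || len > FP_MAX_INPUT)
        return -1;

    /* Two hex characters per byte, one space between pairs, one NUL. */
    needed = len * 2 + (len - 1) + 1;
    if (needed > outlen)
        return -1;

    for (i = 0; i < len; i++) {
        if (i > 0)
            out[pos++] = ' ';
        out[pos++] = hexdigits[data[i] >> 4];
        out[pos++] = hexdigits[data[i] & 0x0F];
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Self-checks returning 1 on success, so they can be asserted on. */
int check_short_input_formats(void)
{
    const unsigned char digest[4] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed */
    char out[32];
    int n = format_fingerprint(digest, sizeof digest, out, sizeof out);
    return n == 11 && strcmp(out, "DE AD BE EF") == 0;
}

int check_small_buffer_rejected(void)
{
    const unsigned char digest[4] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed */
    char out[11];  /* one byte short: "DE AD BE EF" needs 12 with the NUL */
    return format_fingerprint(digest, sizeof digest, out, sizeof out) == -1;
}

int check_long_input_rejected(void)
{
    unsigned char big[FP_MAX_INPUT + 1];
    char out[4096];
    memset(big, 0x41, sizeof big);  /* constructed over-long "digest" */
    return format_fingerprint(big, sizeof big, out, sizeof out) == -1;
}

int main(void)
{
    /* constructed 20-byte digest: 40 hex chars + 19 spaces + NUL = 60 bytes */
    const unsigned char digest[20] = {
        0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23,
        0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23, 0x45, 0x67 };
    char out[64];
    if (format_fingerprint(digest, sizeof digest, out, sizeof out) < 0) {
        fprintf(stderr, "fingerprint does not fit\n");
        return 1;
    }
    printf("%s\n", out);
    printf("checks: %d %d %d\n", check_short_input_formats(),
           check_small_buffer_rejected(), check_long_input_rejected());
    return 0;
}
```

The point of the design is that the required size is computed from the input before any byte is written, and both an over-long input and an undersized destination are rejected with a return value the caller must handle; that is the check whose absence turns "long input data" into a stack overflow.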

Revision history for this message
In , Nathan (nathan-redhat-bugs) wrote :

Description of problem:
pidgin crashes on login to a silc account. I tried setting it up fresh, and from
old setup. Both caused the crash.

Version-Release number of selected component (if applicable):
pidgin-2.2.2-1.fc8.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install pidgin
2. Run pidgin
3. Setup silc account

Actual results:
Crash

Expected results:
Runs normally

Additional info:
If run from a terminal window it mentions a buffer overflow.

Revision history for this message
In , luca (luca-redhat-bugs-1) wrote :

I can confirm this odd behavior that happens just with silc accounts.
A workaround for this problem is to downgrade to libsilc-1.0.2-2.fc6, the one
installed by default under fedora 7.
This suggests to me that the problem could be in libsilc itself, but I didn't
investigate deeper.

Revision history for this message
In , Stu (stu-redhat-bugs) wrote :

I think we'll need a backtrace with both pidgin-debuginfo and libsilc-debuginfo
installed to be able to get anywhere with this.

Revision history for this message
In , luca (luca-redhat-bugs-1) wrote :

Created attachment 290915
Backtrace with debuginfo

Revision history for this message
In , Stu (stu-redhat-bugs) wrote :

This appears to be a libsilc problem, could you please try this libsilc package
to see if the crash is fixed, and if you are now able to log in to silc?
http://koji.fedoraproject.org/scratch/nosnilmot/task_328484/

Revision history for this message
In , luca (luca-redhat-bugs-1) wrote :

This seems to solve the problem for me. Now I can log in to silc without
crashing pidgin anymore.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libsilc-1.0.2-5.fc7 has been submitted as an update for Fedora 7

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libsilc-1.0.2-5.fc8 has been submitted as an update for Fedora 8

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libsilc-1.0.2-5.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with
 su -c 'yum --enablerepo=updates-testing update libsilc'. You can provide feedback for this update here: http://admin.fedoraproject.org/F8/FEDORA-2008-1041

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libsilc-1.0.2-5.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Fedora (fedora-redhat-bugs) wrote :

libsilc-1.0.2-5.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

Revision history for this message
In , Lubomir (lubomir-redhat-bugs) wrote :

I'm not convinced the contents of the buffer are in attacker's control; did
anyone conduct some investigation?

Revision history for this message
William Grant (wgrant) wrote :
Changed in silc-toolkit:
importance: Undecided → High
status: New → Confirmed
Revision history for this message
William Grant (wgrant) wrote :

I've uploaded a Hardy fix, and the same patch is easily applied to all previous releases. However, a comment in the Fedora bug indicates that downgrading fixed the crash, which probably means the vulnerability is mitigated by something else in previous releases (except perhaps Gutsy). There's also no known exploit, so we can't test it. I'm not confident to push it out to stable releases.

Changed in silc-toolkit:
assignee: nobody → fujitsu
status: Confirmed → Fix Committed
Changed in silc-toolkit:
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package silc-toolkit - 1.1.5-1ubuntu1

---------------
silc-toolkit (1.1.5-1ubuntu1) hardy; urgency=low

  * SECURITY UPDATE: arbitrary code execution and denial of service via buffer
    overflow.
    - lib/silcutil/silcutil.c: Check the length of the fingerprint. Patch from
      upstream. (LP: #202752)
    - References:
      + CVE-2008-1227
  * Modify Maintainer value to match the DebianMaintainerField
    specification.

 -- William Grant <email address hidden> Sun, 16 Mar 2008 17:11:05 +1100

Changed in silc-toolkit:
status: Fix Committed → Fix Released
Revision history for this message
In , Stu (stu-redhat-bugs) wrote :

(In reply to comment #11)
> I'm not convinced the contents of the buffer are in attacker's control; did
> anyone conduct some investigation?

I asked this of upstream and the reply was:
> I'm not sure but I think this wasn't so serious. I never got it crash myself.

Changed in silc-toolkit (Fedora):
importance: Unknown → Low