Ubuntu
kadu package

kadu: CVE-2008-4776 remote DoS

Bug #297933 reported by Fabrice Coutadeur on 2008-11-14

258

	Status	Importance	Assigned to
ekg (Ubuntu)	Fix Released	Undecided	Kees Cook
Hardy	Fix Released	Undecided	Unassigned
kadu (Ubuntu)	Fix Released	Undecided	Unassigned
Hardy	Fix Released	Undecided	Artur Rona
libgadu (Ubuntu)	Fix Released	Undecided	Kees Cook
Hardy	Invalid	Undecided	Unassigned

Bug Description

Binary package hint: kadu

Debian fixed CVE-2008-4776 in kadu by releasing 0.6.0.2-3.
It's Debian bug #504429
Please update ubuntu's version

It also affect libgadu3: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503916

See original description

Related branches

lp:ubuntu/intrepid-security/libgadu

lp:~ari-tczew/ubuntu/hardy/kadu/fix-CVE-2008-4776

Ready for review for merging into lp:ubuntu/hardy/kadu

Marc Deslauriers: Approve on 2010-05-18

lp:ubuntu/hardy-security/kadu

CVE References

2008-4776

Fabrice Coutadeur (fabricesp) on 2008-11-14

Changed in kadu:
assignee:	nobody → fabricesp
status:	New → In Progress

Fabrice Coutadeur (fabricesp) on 2008-11-14

description:

updated

Revision history for this message

Fabrice Coutadeur (fabricesp) wrote on 2008-11-18:

debdiff for libgadu Edit (3.3 KiB, text/plain)

Changed in libgadu:
status:	New → In Progress

Revision history for this message

Fabrice Coutadeur (fabricesp) wrote on 2008-11-18:

debdiff for kadu Edit (2.3 KiB, text/plain)

Changed in kadu:
assignee:	fabricesp → nobody

Revision history for this message

Fabrice Coutadeur (fabricesp) wrote on 2008-11-18:

I've tested that the resulting packages build in pbuilder and that the debdiff apply cleanly to existing version.
About tests, I've checked that the application runs.

Also, those fixes are the same as debian ones (in libgadu 1.8.0+r592-3 and kadu 0.6.0.2-3), and I have checked the debdiff between debian and new Ubuntu version.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-11-26:

Thanks for you patches! Unfortunately, these changes are not appropriate for a security update. Specifically, we do not introduce patch systems and should not change to using a library rather than the embedded code. Both of these fixes are definitely worthwhile, so I recommend filling separate bugs to get these fixed in the development release.

I am going to mark the bug as 'Triaged'. Can you update your patches accordingly and then remark the bug as 'In Progress'? Thanks again!

Changed in kadu:
status:	In Progress → Triaged
Changed in libgadu:
status:	In Progress → Triaged

Revision history for this message

Fabrice Coutadeur (fabricesp) wrote on 2008-11-27:

New minimal debdiff for libgadu Edit (2.0 KiB, text/plain)

The versions in Jaunty are the last debian's version, so this security patch is not needed.

Here is the new minimal debdiff for libgadu (without patch system)

Changed in libgadu:
status:	Triaged → In Progress

Revision history for this message

Fabrice Coutadeur (fabricesp) wrote on 2008-11-28:

New minimal debdiff for kadu Edit (2.4 KiB, text/plain)

Minimal debdiff for Kadu (build in pbuilder and installed in Intrepid)

Changed in kadu:
status:	Triaged → In Progress

Revision history for this message

Kees Cook (kees) wrote on 2008-12-07:

This also affects ekg, which contains an embedded copy of libgadu prior to intrepid.

Changed in ekg:
assignee:	nobody → kees
status:	New → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-12-17:

This bug was fixed in the package libgadu - 1:1.8.0+r592-1ubuntu0.1

---------------
libgadu (1:1.8.0+r592-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: remote DoS (LP: #297933)
    - Changes in src/events.c to check correct length of reply
    - CVE-2008-4776

-- Fabrice Coutadeur <email address hidden> Tue, 18 Nov 2008 05:04:49 +0100

Changed in libgadu:
status:	In Progress → Fix Released

Revision history for this message

Kees Cook (kees) wrote on 2008-12-18:

Published as: http://www.ubuntu.com/usn/usn-692-1

Changed in kadu:
status:	In Progress → Fix Released
Changed in libgadu:
assignee:	nobody → kees
Changed in ekg:
status:	In Progress → Fix Released

Revision history for this message

Artur Rona (ari-tczew) wrote on 2010-05-13:

#10

ekg (1:1.7~rc2-2ubuntu0.8.04.1) hardy-security; urgency=low

  * SECURITY UPDATE: remote denial of service.
    - lib/events.c: upstream fixes.
    - CVE-2008-4776

-- Kees Cook <email address hidden> Sat, 06 Dec 2008 19:40:42 -0800

Changed in ekg (Ubuntu Hardy):
status:	New → Fix Released
Changed in libgadu (Ubuntu Hardy):
status:	New → Invalid
Changed in kadu (Ubuntu Hardy):
assignee:	nobody → Artur Rona (ari-tczew)

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2010-05-17:

#11

ACK to the hardy patch. Updated packages have been uploaded.

Thanks!

Changed in kadu (Ubuntu Hardy):
status:	New → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-05-17:

#12

This bug was fixed in the package kadu - 0.6.0-1ubuntu0.1

---------------
kadu (0.6.0-1ubuntu0.1) hardy-security; urgency=low

  * SECURITY UPDATE: remote DoS via a contact description with a large length
    - debian/patch: Added 06-fix_CVE-2008-4776_events.c to fix events.c
    - CVE-2008-4776
  * Fix taken from intrepid (LP: #297933)
-- Artur Rona <email address hidden> Wed, 12 May 2010 23:38:26 +0200

Changed in kadu (Ubuntu Hardy):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntukadu package

kadu: CVE-2008-4776 remote DoS

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
kadu package