Ubuntu

CVE-2009-0363: multiple remote buffer overflows

Reported by Anders Kaseorg on 2009-02-13
258
Affects Status Importance Assigned to Milestone
barnowl (Ubuntu)
Medium
Unassigned
Jaunty
Undecided
Unassigned
owl (Debian)
Fix Released
Unknown
owl (Ubuntu)
Medium
Unassigned
Jaunty
Medium
Unassigned

Bug Description

Binary package hint: owl

owl and BarnOwl are affected by multiple buffer overflows that are remotely exploitable. These vulnerabilities are fixed in BarnOwl 1.0.5:

http://barnowl.mit.edu/wiki/barnowl-1.0.5-announce

(BarnOwl is a fork of the unmaintained owl project that fixes many important bugs and adds new features. It is usable as a drop-in replacement for owl.)

CVE References

Michael Bienia (geser) wrote :

Please sync barnowl (1.0.5-1) from Debian unstable (main).

 barnowl (1.0.5-1) unstable; urgency=high

   * New upstream release
   * Fix use of sprintf in zwrite.c and zcrypt.c that is likely to be
     exploitable
   * Enable fortify_source and stack protector to reduce impact of similar
     problems in the future.
   * Together, fixes: CVE-2009-0363t3; Closes: #495056

 -- Sam Hartman <email address hidden> Wed, 11 Feb 2009 11:08:36 -0500

Changed in barnowl:
importance: Undecided → Medium
status: New → Confirmed
Steve Langasek (vorlon) wrote :

[Updating] barnowl (1.0.3-1 [Ubuntu] < 1.0.5-1 [Debian])
 * Trying to add barnowl...
  - <barnowl_1.0.5-1.diff.gz: downloading from http://ftp.debian.org/debian/>
  - <barnowl_1.0.5.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <barnowl_1.0.5-1.dsc: downloading from http://ftp.debian.org/debian/>
I: barnowl [universe] -> barnowl_1.0.3-1 [universe].
I: barnowl [universe] -> barnowl-irc_1.0.3-1 [universe].
[Updating] barnowl (1.0.3-1 [Ubuntu] < 1.0.5-1 [Debian])
 * Trying to add barnowl...
  - <barnowl_1.0.5-1.diff.gz: cached>
  - <barnowl_1.0.5.orig.tar.gz: cached>
  - <barnowl_1.0.5-1.dsc: cached>
I: barnowl [universe] -> barnowl_1.0.3-1 [universe].
I: barnowl [universe] -> barnowl-irc_1.0.3-1 [universe].

Changed in barnowl:
status: Confirmed → Fix Released
Steve Langasek (vorlon) wrote :

[Updating] barnowl (1.0.3-1 [Ubuntu] < 1.0.5-1 [Debian])
 * Trying to add barnowl...
  - <barnowl_1.0.5-1.diff.gz: cached>
  - <barnowl_1.0.5.orig.tar.gz: cached>
  - <barnowl_1.0.5-1.dsc: cached>
I: barnowl [universe] -> barnowl_1.0.3-1 [universe].
I: barnowl [universe] -> barnowl-irc_1.0.3-1 [universe].

Changed in owl:
status: New → Fix Released
Anders Kaseorg (anders-kaseorg) wrote :

Thanks for the barnowl upload. Reopening the owl component.

Changed in owl:
status: Fix Released → New
Steve Langasek (vorlon) wrote :

This is not a complete sync request for owl. Please provide the information required by https://wiki.ubuntu.com/SyncRequestProcess for this package.

Changed in owl:
status: New → Incomplete
Anders Kaseorg (anders-kaseorg) wrote :

There is currently no fix in Debian that can be synced. Debian is considering several possible resolutions, including potentially removing owl in favor of BarnOwl. I will update this bug when a decision is reached in Debian.

Changed in owl:
status: Incomplete → New
Steve Langasek (vorlon) wrote :

unsubscribing ubuntu-archive in the meantime since there's nothing actionable here; feel free to resubscribe us if a sync is needed.

Changed in owl:
status: Unknown → New
Kees Cook (kees) on 2009-03-25
Changed in owl (Ubuntu):
status: New → Confirmed
Anders Kaseorg (anders-kaseorg) wrote :

This was fixed in Debian in owl 2.2.2-1, and synced into Karmic. I’m not sure about the best way to handle this for Jaunty and before.

owl (2.2.2-1) unstable; urgency=low

  * New upstream release. The upstream author has become active again and
    has worked with the barnowl developers on security issues. (Closes: #515118)
  * configure.in, debian.control: barnowl updates via Sam Hartman
    eliminate retro libkrb4 and des425 dependencies. (Closes: #517019)
      * Do not link against libkrb4 or libkrb5; we use none of their symbols
      * Support openssl DES for zcrypt so that we continue to have zcrypt
        after libdes425 goes away
      Note: ditched the KerberosIV test entirely to force this version,
      allowing build/test on lenny.
  * zcrypt.c: use des.h again, so we get the openssl one above.
  * from unreleased 2.1.11-3:
      * debian/control: version debhelper depends (lintian
        package-lacks-versioned-build-depends-on-debhelper.)
      * debian/watch: New file.
  * debian/control: add libglib2.0-dev, per configure.in

 -- Mark W. Eichin <email address hidden> Mon, 13 Apr 2009 00:53:12 -0400

Changed in owl (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Fix Released
Changed in owl (Ubuntu Jaunty):
importance: Undecided → Medium
status: New → Confirmed
Changed in barnowl (Ubuntu Jaunty):
status: New → Fix Released
Changed in owl (Debian):
status: New → Fix Released
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is fixed in later versions of Ubuntu

Changed in owl (Ubuntu Jaunty):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.