Package: kadu
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for kadu.

CVE-2008-4776[0]:
| libgadu before 1.8.2 allows remote servers to cause a denial of
| service (crash) via a contact description with a large length, which
| triggers a buffer over-read.

You seem to embed libgadu and thus suffer from the same
problem. The patch for gadu which applies to the sources is
attached.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4776
    http://security-tracker.debian.net/tracker/CVE-2008-4776

-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -pruN libgadu-1.8.1/src/events.c libgadu-1.8.2/src/events.c
--- libgadu-1.8.1/src/events.c	2008-06-17 22:29:54.000000000 +0200
+++ libgadu-1.8.2/src/events.c	2008-10-24 00:24:04.000000000 +0200
@@ -1,4 +1,4 @@
-/* $Id: events.c 610 2008-05-31 22:18:03Z wojtekka $ */
+/* $Id: events.c 639 2008-10-23 22:24:01Z wojtekka $ */
 
 /*
  *  (C) Copyright 2001-2006 Wojtek Kaniewski <[EMAIL PROTECTED]>
@@ -621,7 +621,7 @@ static int gg_watch_fd_connected(struct 
 				if (GG_S_D(n->status)) {
 					unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply77));
 
-					if (descr_len < length) {
+					if (sizeof(struct gg_notify_reply77) + descr_len <= length) {
 						if (!(e->event.notify60[i].descr = malloc(descr_len + 1))) {
 							gg_debug_session(sess, GG_DEBUG_MISC, "// gg_watch_fd_connected() not enough memory for notify data\n");
 							goto fail;
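Review bot: the new bound in `if (sizeof(struct gg_notify_reply77) + descr_len <= length)` does not count the length byte itself. descr_len is read from offset sizeof(struct gg_notify_reply77), so it sits after the struct, and if the description bytes follow that byte (the copy is outside this hunk), one record spans sizeof(struct gg_notify_reply77) + 1 + descr_len bytes. With the check as written, a record whose struct and description exactly fill length would still let the copy reach one byte past the end. Suggest `sizeof(struct gg_notify_reply77) + 1 + descr_len <= length`, or a comment confirming that length at this point already excludes the length byte.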
@@ -744,7 +744,7 @@ static int gg_watch_fd_connected(struct 
 				if (GG_S_D(n->status)) {
 					unsigned char descr_len = *((char*) n + sizeof(struct gg_notify_reply60));
 
-					if (descr_len < length) {
+					if (sizeof(struct gg_notify_reply60) + descr_len <= length) {
 						if (!(e->event.notify60[i].descr = malloc(descr_len + 1))) {
 							gg_debug_session(sess, GG_DEBUG_MISC, "// gg_watch_fd_connected() not enough memory for notify data\n");
 							goto fail;
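Review bot: descr_len is still dereferenced before any bound is applied. `*((char*) n + sizeof(struct gg_notify_reply60))` runs ahead of the new `<= length` test, so if length can equal sizeof(struct gg_notify_reply60) here, that one-byte read is already past the packet. Suggest testing length > sizeof(struct gg_notify_reply60) before reading the length byte, unless a check above this hunk already guarantees it. Reading through `unsigned char*` instead of `char*` would also state the intended 0..255 range directly rather than relying on the implicit conversion. This block is identical to the gg_notify_reply77 one apart from the struct name, so a small helper taking the header size would keep the two bounds checks from diverging.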
