Bug#855588: marked as done (memory leak could lead to Denial Of Service)

[Debian Bug Tracking System]

Your message dated Tue, 28 Feb 2017 17:18:46 +0000
with message-id <e1cilqe-0007k3...@fasolo.debian.org>
and subject line Bug#855588: fixed in atheme-services 7.2.9-1
has caused the Debian Bug report #855588,
regarding memory leak could lead to Denial Of Service
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
855588: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855588
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: atheme-services
Version: 7.2.7
Severity: grave
Tags: security

Upstream changelog says:

    This is a security release closing a memory leak that could be
    exploited by attackers to potentially cause a denial of
    service. Release 7.2.7 is affected; older releases are
    unaffected. See #539 for technical information.

The upstream issue is https://github.com/atheme/atheme/pull/539 and
doesn't have much more details.

The patch is:

https://github.com/atheme/atheme/pull/539/commits/a80355d2971f6453ef9c6c9507e8f0d16e55dd0f

But then the fun part is that the fix introduced yet another DOS,
which led to the release of 7.2.9:

    This is a security release fixing use after free that could
    potentially be abused by an attacker already having the privilege
    to use SASL impersonation to cause a denial of service. Users of
    7.2.8 should update to version 7.2.9; older releases are not
    affected.

Not sure if those issues should be treated separately, but since 7.2.8
wasn't packaged yet, maybe it's fine to have a single issue about
this.

A CVE was requested, but it is unclear where or if there was a
response:

https://github.com/atheme/atheme/pull/539#issuecomment-278204870

A.

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---

--- Begin Message ---

Source: atheme-services
Source-Version: 7.2.9-1

We believe that the bug you reported is fixed in the latest version of
atheme-services, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 855...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antoine Beaupré <anar...@debian.org> (supplier of updated atheme-services 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 07 Feb 2017 21:01:27 -0500
Source: atheme-services
Binary: atheme-services
Architecture: source amd64
Version: 7.2.9-1
Distribution: unstable
Urgency: medium
Maintainer: Antoine Beaupré <anar...@debian.org>
Changed-By: Antoine Beaupré <anar...@debian.org>
Description:
 atheme-services - modular IRC services daemon
Closes: 855588
Changes:
 atheme-services (7.2.9-1) unstable; urgency=medium
 .
   * new upstream release (7.2.8) fixing security issue "saslserv/main: free
     sasl_sourceinfo_t after use" see:
     https://github.com/atheme/atheme/pull/539
   * new upstream release (7.2.9) fixing security issue introduced in
     7.2.8: "Fix use after free during impersonation" (Closes: #855588)
   * remove two OpenSSL 1.1 patches merged upstream
 .
   [ Jos Ahrens ]
   * email templates: Fix leading whitespace
 .
   [ Aaron Jones ]
   * atheme.conf.example: better highlight the pbkdf2v2 crypto module
   * pbkdf2v2: make digest and rounds configurable at runtime
   * memoserv: let user know (on identify and /away) when their inbox is full
   * memoserv: unregister hooks when unloading
Checksums-Sha1:
 527ad5b523044770a2144e0adabd10ff6d754260 2085 atheme-services_7.2.9-1.dsc
 629ee6241324722792124a1abddc2e03f28eee30 1179582 
atheme-services_7.2.9.orig.tar.bz2
 0e8b6bdbccdcb3228c42ba5884afd8dd43c4494a 10592 
atheme-services_7.2.9-1.debian.tar.xz
 9d77bfd2b077873ccd37ad7288f6bbd31bfe8c6f 6189692 
atheme-services-dbgsym_7.2.9-1_amd64.deb
 e5efb94e97f2beb85b64ded3fdd1bf6a94df428b 4885 
atheme-services_7.2.9-1_amd64.buildinfo
 a8bfe5d6a1498584fc1cbf4b699d77f3e9a3e70d 984812 
atheme-services_7.2.9-1_amd64.deb
Checksums-Sha256:
 0989bee6f43ee5719e6b99d6b4206a36c240a335c96ce6fc4aa9aebd0b9c7c0c 2085 
atheme-services_7.2.9-1.dsc
 a87a046aa73fc4a97a11d41cc08c60b835135ba20bb173ca888b40e0d6b54b27 1179582 
atheme-services_7.2.9.orig.tar.bz2
 76a6c51e62997f41ea3898b4ffd422bbbb92d65db178e815643d849efbc276de 10592 
atheme-services_7.2.9-1.debian.tar.xz
 ca5e133fda6b43f75ec541c373a55807fedf112220cc56a369e7ce3cf51b06e3 6189692 
atheme-services-dbgsym_7.2.9-1_amd64.deb
 cc04eb8e37c6c8ead77afccb3d06dbaf0ac80fc7638d311afa7c47b9a4dae393 4885 
atheme-services_7.2.9-1_amd64.buildinfo
 52112d9b65b11b85208b15786d935535bdc329f470a82aaed1f44ccfc36f8c30 984812 
atheme-services_7.2.9-1_amd64.deb
Files:
 69fa609be5e32c044754aab449272fd0 2085 net optional atheme-services_7.2.9-1.dsc
 7fa80e046e90bf9376cfc5c5207f2b27 1179582 net optional 
atheme-services_7.2.9.orig.tar.bz2
 cbf01f2575d09a60f55c7f25260abc21 10592 net optional 
atheme-services_7.2.9-1.debian.tar.xz
 e5d7b52d25ad9e12ad99a97bdeb428d6 6189692 debug extra 
atheme-services-dbgsym_7.2.9-1_amd64.deb
 eed7b99c62b8ea84ac45a40dc5b513ea 4885 net optional 
atheme-services_7.2.9-1_amd64.buildinfo
 42f6141c48155f8ba2441f3d1a2b80fb 984812 net optional 
atheme-services_7.2.9-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEjckBzmQUbASK1Q+7eSFSUnt1kh4FAli1q5QACgkQeSFSUnt1
kh720g/+O4MsM51H+BtlghewCJebQ7fxQOiCPjcwQ72jUS7wBry8SSyz3FjMYPnR
Yirwzg+wV4Qn9Dk/4bK0RhXDGBZxOi/RDtVrhVGiU4vf82FMHopVyQKN8hlT28rs
cOhx+XiWJ/XNhyL6u+uxJiP14mzwH5iusQyzLIJXAwmbwscRqaM3k6jfBmIWST1+
QJ5FOU4XUhsnJjmu4ND4nF8OWAhfvPSBKIFrRiMZwO5JAPbg9ceidwSHaRpMQKPA
0vE8B+GnF6bNI0CZSNhvtIvW4Ouj5eYjb7iTP+sp0DzP9dnTzpiBX2+dkTrGZF+h
447Cw8z09mHldtyHLX5JgxukwmroRKHSz8Ox98ceI++FfkF12YKPw7rVaFARopxL
hnWfYknMG8gsof4TBu5sO5ySgxhILHn4TDNwJfUmfW78Q0bRP3CKZRxnY6Vyerln
rUxQMVp5UsE//3sLMUE/0XVmdv7to/s/m4ORVGFeVConkDJgJLjLScflGtaFTogb
BvhC00oxBGIl2UaIcJfoJvUEyx2nVziTiuX6ippUXYyw+Q0SFgnsK3GJRbfO1peq
zT7xZ+GxurIo7hbtRjg9IYEpG5EDoSSyVjf4FK3zVeHk7R80BnG1eeoPL3yMmJTA
4d4u4R3aey0BxM+iShFNnLBaytZhRGqZNlDcnS3vqsi9CxwbwCU=
=j8As
-----END PGP SIGNATURE-----

--- End Message ---