Changes between Initial Version and Version 1 of Ticket #1281

2017-01-30T18:05:21Z (6 years ago)

Made public.


  • Ticket #1281

    • Property Status changed from new to closed
    • Property Resolution changed from to fixed
    • Property Summary changed from [reserved] to bitlbee-libpurple: Use after free when expiring file transfer requests
  • Ticket #1281 – Description

    initial v1  
    1 [reserved]
     1== Description ==
     3Pending file transfer requests expire after 120 seconds, which may
     4result in use after free if the corresponding account is disconnected.
     5A malicious remote server could force this disconnection.
     7== Impact ==
     9This results in denial of service (remote crash of the BitlBee
     10instance), or remote code execution (theoretically).
     12For BitlBee servers configured in ForkDaemon mode (default) or inetd
     13mode, the crash is limited to one user connection, who may just
     16* Access Vector: Network
     17* Access Complexity: High
     18* Authentication: None
     19* Confidentiality Impact: None
     20* Integrity Impact: None
     21* Availability Impact: Partial
     22* Exploitability: Functional Exploit Exists
     23* Remediation Level: Official Fix
     24* Report Confidence: Confirmed
     25* Target Distribution: Medium
     26* CVSS v2 score: 1.6
     28== Affected versions ==
     30bitlbee-libpurple 3.4.2 or older
     32== Unaffected versions ==
     34bitlbee (non-libpurple builds), any version
     36bitlbee-libpurple 3.5
     38== Resolution ==
     40* Upgrade to 3.5 (released 2017-01-08)
     42* For 3.4.2 see the attached
     430001-purple-fix-file-transfer-memory-management-3.4.2.patch [not
     44included in this email]
     46* For 3.4.1 and 3.4 see the attached
     470001-purple-fix-file-transfer-memory-management-3.4-3.4.1.patch [not
     48included in this email]
     50* For earlier versions upgrading is strongly recommended because of
     51the amount of accumulated bugfixes, but the following line may be
     52removed from `protocols/purple/purple.c` to prevent any processing of
     53incoming file transfers:
     55    purple_xfers_set_ui_ops(&bee_xfer_uiops);
     57== Discussion ==
     59This affects any libpurple protocol when used through BitlBee. It does
     60not affect other libpurple-based clients such as pidgin.
     62This is a very visible issue - all file transfer request attempts and
     63all disconnections will be logged in the control channel and visible
     64by the targeted user. File transfer requests look like this:
     66    <@root> [account] - File transfer request from [username] for
     67[filename] (0 kb).
     68    <@root> Accept the file transfer if you'd like the file. If you
     69don't, issue the 'transfer reject' command.
     71Cancelling the file transfer request using the "transfer reject"
     72command before the disconnection happens can prevent this. However,
     73using that command after the account is disconnected will result in an
     74immediate crash.
     76== References ==
     78Original bugfix commit: