#1282 closed defect (fixed)
Null pointer dereference with file transfer request from unknown contacts
Reported by: | dx | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Unspecified / other | Version: | Unspecified |
Keywords: | | Cc: | |
IRC client+version: | Client-independent | Operating System: | Other |
OS version/distro: | | | |
Description
Receiving a file transfer request from a contact not in the contact list results in a null pointer dereference, leading to remote DoS by malicious remote clients.
CVE-2016-10189 has been assigned for this first issue.
Additionally, due to an incomplete fix of the issue above in BitlBee 3.5, the bitlbee-libpurple variant is still affected in 3.5.
CVE-2017-5668 has been assigned for this second issue.
Impact
This results in denial of service (remote crash of the BitlBee instance). Remote code execution does not seem to be possible (fixed offset).
For BitlBee servers configured in ForkDaemon mode (default) or inetd mode, the crash is limited to a single user's connection, and that user can simply reconnect.
CVSS for bitlbee 3.4.2 and lower:
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
- Exploitability: Functional Exploit Exists
- Remediation Level: Official Fix
- Report Confidence: Confirmed
- Target Distribution: High
- CVSS v2 score: 4.1
CVSS for bitlbee-libpurple 3.5:
- Target Distribution: Medium
- CVSS v2 score: 3.1
Affected versions
bitlbee-libpurple 3.5 or older
bitlbee (non-libpurple builds) 3.4.2 or older
Unaffected versions
bitlbee-libpurple 3.5.1 or newer
bitlbee (non-libpurple builds) 3.5 or newer
Resolution
- Upgrade to 3.5.1 (released 2017-01-30)
- For 3.5 see the attached 0001-Fix-null-pointer-dereference-on-ft-attempts-3.5.patch
- For 3.4.2, 3.4.1 and 3.4 see the attached 0001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch
- For 3.2.x and 3.2.x see the attached 0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch
Discussion
The issue from 3.4.2 and older only affects the jabber protocol, which is the only non-purple protocol which implements file transfers.
The issue that is still present in 3.5 affects any libpurple protocol that implements file transfers when used through BitlBee. It does not affect other libpurple-based clients such as pidgin.
There's no visible effect of the issue other than the crash.
References
CVE-2016-10189: Incomplete fix commit included in 3.5:
https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f
CVE-2017-5668: Libpurple specific bugfix commit included in 3.5.1:
https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441
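The failure mode described in this ticket, as an added C example that is not BitlBee's code and not part of the original ticket: a file transfer offer is looked up by sender handle, the lookup returns NULL for a sender outside the contact list, and the handler has to refuse the offer before touching the result. All names and roster entries are hypothetical, and routing both back ends through one checked entry point is an assumption about how to avoid an incomplete fix, not a description of the attached patches.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not BitlBee source: every name here is hypothetical. */
struct contact { const char *handle; int transfers_offered; };

static struct contact roster[] = {        /* constructed sample contact list */
    { "alice@example.org", 0 },
    { "bob@example.org",   0 },
};

/* Returns NULL when the handle is not in the contact list. */
static struct contact *contact_by_handle(const char *handle)
{
    for (size_t i = 0; i < sizeof roster / sizeof roster[0]; i++)
        if (strcmp(roster[i].handle, handle) == 0)
            return &roster[i];
    return NULL;
}

/* Unchecked pattern: the sender handle is chosen by the remote side, so the
 * lookup can fail; the write below then faults at a fixed small offset from
 * address 0, which crashes the process. */
int ft_request_unchecked(const char *sender)
{
    struct contact *c = contact_by_handle(sender);
    return ++c->transfers_offered;
}

/* Checked pattern: an offer from an unknown sender is refused (-1) before
 * anything is read or written through the lookup result. */
int ft_request_checked(const char *sender)
{
    struct contact *c = sender ? contact_by_handle(sender) : NULL;
    if (c == NULL)
        return -1;
    return ++c->transfers_offered;
}

/* Assumed design: each protocol back end funnels through the checked entry
 * point, so a second code path cannot be left without the guard. */
int native_ft_offer(const char *sender) { return ft_request_checked(sender); }
int plugin_ft_offer(const char *sender) { return ft_request_checked(sender); }
```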
Attachments (3)
Change History (6)
comment:1 Changed at 2017-01-30T18:08:02Z by
Description: | modified (diff) |
---|---|
Resolution: | → fixed |
Status: | new → closed |
Summary: | [reserved] → Null pointer dereference with file transfer request from unknown contacts |
Changed at 2017-01-30T18:15:34Z by
Attachment: | 0001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch added |
---|
Changed at 2017-01-30T18:15:47Z by
Attachment: | 0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch added |
---|
Changed at 2017-01-30T18:20:44Z by
Attachment: | 0001-Fix-null-pointer-dereference-on-ft-attempts-3.5.patch added |
---|
comment:3 Changed at 2017-01-31T15:48:16Z by
Description: | modified (diff) |
---|
CVE-2016-10189 and CVE-2017-5668 have been assigned for the first issue and its incomplete fix respectively.
Made public