Changes between Initial Version and Version 1 of Ticket #1282


Ignore:
Timestamp:
2017-01-30T18:08:02Z (8 weeks ago)
Author:
dx
Comment:

Made public

Legend:

Unmodified
Added
Removed
Modified
  • Ticket #1282

    • Property Status changed from new to closed
    • Property Resolution changed from to fixed
    • Property Summary changed from [reserved] to Null pointer dereference with file transfer request from unknown contacts
  • Ticket #1282 – Description

    initial v1  
    1 [reserved]
     1== Description ==
     2
     3Receiving a file transfer request from a contact not in the contact
     4list results in a null pointer dereference, leading to remote DoS by
     5malicious remote clients.
     6
     7Additionally, due to an incomplete fix of the issue above in BitlBee
     83.5, the bitlbee-libpurple variant is still affected in 3.5.
     9
     10== Impact ==
     11
     12This results in denial of service (remote crash of the BitlBee
     13instance). Remote code execution does not seem to be possible (fixed
     14offset)
     15
     16For BitlBee servers configured in ForkDaemon mode (default) or inetd
     17mode, the crash is limited to one user connection, who may just
     18reconnect.
     19
     20CVSS for bitlbee 3.4.2 and lower:
     21
     22* Access Vector: Network
     23* Access Complexity: Low
     24* Authentication: None
     25* Confidentiality Impact: None
     26* Integrity Impact: None
     27* Availability Impact: Partial
     28* Exploitability: Functional Exploit Exists
     29* Remediation Level: Official Fix
     30* Report Confidence: Confirmed
     31* Target Distribution: High
     32* CVSS v2 score: 4.1
     33
     34CVSS for bitlbee-libpurple 3.5:
     35
     36* Target Distribution: Medium
     37* CVSS v2 score: 3.1
     38
     39== Affected versions ==
     40
     41bitlbee-libpurple 3.5 or older
     42
     43bitlbee (non-libpurple builds) 3.4.2 or older
     44
     45== Unaffected versions ==
     46
     47bitlbee-libpurple 3.5.1 or newer
     48
     49bitlbee (non-libpurple builds) 3.5 or newer
     50
     51== Resolution ==
     52
     53* Upgrade to 3.5.1 (released 2017-01-30)
     54
     55* For 3.5 see the attached
     560001-purple-Fix-crash-on-ft-requests-from-unknown-contact.patch [not
     57included in this email]
     58
     59* For 3.4.2, 3.4.1 and 3.4 see the attached
     600001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch [not
     61included in this email]
     62
     63* For 3.2.x and 3.2.x see the attached
     640001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch
     65[not included in this email]
     66
     67== Discussion ==
     68
     69The issue from 3.4.2 and older only affects the jabber protocol, which
     70is the only non-purple protocol which implements file transfers.
     71
     72The issue that is still present in 3.5 affects any libpurple protocol
     73that implements file transfers when used through BitlBee. It does not
     74affect other libpurple-based clients such as pidgin.
     75
     76There's no visible effect of the issue other than the crash.
     77
     78== References ==
     79
     80Incomplete fix commit included in 3.5:
     81
     82https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f
     83
     84Libpurple specific bugfix commit included in 3.5.1:
     85
     86https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441