== Description ==

Receiving a file transfer request from a contact that is not in the
contact list results in a null pointer dereference, allowing a
malicious remote client to crash BitlBee (remote denial of service).

Additionally, because the fix for this issue shipped in BitlBee 3.5 was
incomplete, the bitlbee-libpurple variant of 3.5 is still affected.

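The mechanism described above, as an added example that is not BitlBee's own code: a toy contact lookup that returns NULL for a sender who is not in the contact list, a handler that dereferences that result unchecked (the shape of the bug in 3.4.2 and earlier, and in the libpurple path of 3.5), and a fixed handler that rejects the request before touching the contact. The roster entries, handles and function names are constructed for the illustration and do not correspond to BitlBee's internal API.

```c
/* Added example (not BitlBee's code): the bug class in the advisory.
 * A file transfer request names a sender handle. If that handle is not
 * in the contact list the lookup returns NULL; dereferencing that result
 * is the crash, checking it first is the fix. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct contact {
    const char *handle;   /* constructed sample handle */
    int ft_count;         /* file transfer requests seen from this contact */
};

/* Constructed sample contact list (hypothetical, not a real roster). */
static struct contact roster[] = {
    { "alice@example.org", 0 },
    { "bob@example.org",   0 },
};
#define ROSTER_LEN (sizeof roster / sizeof roster[0])

/* Returns NULL for an unknown handle: this is the value the vulnerable
 * handler forgets to check. */
struct contact *find_contact(const char *handle)
{
    for (size_t i = 0; i < ROSTER_LEN; i++)
        if (strcmp(roster[i].handle, handle) == 0)
            return &roster[i];
    return NULL;
}

/* Vulnerable shape: assumes the sender is always a known contact.
 * For an unknown sender bc is NULL, so bc->ft_count touches a small
 * fixed offset from address 0: SIGSEGV, with no attacker control over
 * the faulting address, hence denial of service rather than code
 * execution. Only call this with a known sender. */
int ft_request_vulnerable(const char *sender)
{
    struct contact *bc = find_contact(sender);
    bc->ft_count++;          /* NULL dereference when sender is unknown */
    return bc->ft_count;
}

/* Fixed shape: refuse requests from unknown senders before using the
 * contact. Returns -1 for an unknown sender, otherwise the updated
 * per-contact request count. */
int ft_request_fixed(const char *sender)
{
    struct contact *bc = find_contact(sender);
    if (bc == NULL) {
        fprintf(stderr, "ignoring file transfer request from unknown contact %s\n",
                sender);
        return -1;
    }
    bc->ft_count++;
    return bc->ft_count;
}

int main(void)
{
    /* Known sender: both handlers behave the same. */
    printf("alice -> %d\n", ft_request_fixed("alice@example.org"));
    /* Unknown sender: the fixed handler refuses; the vulnerable handler
     * would take the whole process down at this point. */
    printf("mallory -> %d\n", ft_request_fixed("mallory@evil.example"));
    return 0;
}
```

The same pattern applies whether the unknown-contact policy is to drop the request (as here) or to auto-add the sender first: either way the contact pointer must be validated before any field is read.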
== Impact ==

Denial of service: a remote crash of the BitlBee instance. Remote code
execution does not seem to be possible, since the dereference happens
at a fixed offset from the null pointer and the faulting address is not
attacker-controlled.

For BitlBee servers configured in ForkDaemon mode (the default) or
inetd mode, each user connection runs in its own process, so the crash
is limited to the one connection that received the request, and that
user can simply reconnect. In single-process Daemon mode the crash
disconnects every user served by that process.

CVSS for bitlbee 3.4.2 and lower:

* Access Vector: Network
* Access Complexity: Low
* Authentication: None
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: Partial
* Exploitability: Functional Exploit Exists
* Remediation Level: Official Fix
* Report Confidence: Confirmed
* Target Distribution: High
* CVSS v2 score: 4.1

CVSS for bitlbee-libpurple 3.5 (other metrics as above):

* Target Distribution: Medium
* CVSS v2 score: 3.1

| 38 | |
== Affected versions ==

bitlbee-libpurple 3.5 or older

bitlbee (non-libpurple builds) 3.4.2 or older

== Unaffected versions ==

bitlbee-libpurple 3.5.1 or newer

bitlbee (non-libpurple builds) 3.5 or newer

| 50 | |
== Resolution ==

* Upgrade to 3.5.1 (released 2017-01-30)

* For 3.5 see the attached
  0001-purple-Fix-crash-on-ft-requests-from-unknown-contact.patch [not
  included in this email]

* For 3.4.2, 3.4.1 and 3.4 see the attached
  0001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch [not
  included in this email]

* For 3.0.x through 3.2.x see the attached
  0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch
  [not included in this email]

| 66 | |
== Discussion ==

The issue in 3.4.2 and older only affects the jabber protocol, which is
the only non-libpurple protocol in BitlBee that implements file
transfers.

The issue that is still present in 3.5 affects any libpurple protocol
that implements file transfers when used through BitlBee. It does not
affect other libpurple-based clients such as Pidgin, because the faulty
code is in BitlBee's libpurple glue, not in libpurple itself.

There is no visible effect of the issue other than the crash.

| 77 | |
== References ==

Incomplete fix commit included in 3.5:

https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f

Libpurple-specific bugfix commit included in 3.5.1:

https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441