| 1 | | [reserved] |
| | 1 | == Description == |
| | 2 | |
| | 3 | Receiving a file transfer request from a contact not in the contact |
| | 4 | list results in a null pointer dereference, leading to remote DoS by |
| | 5 | malicious remote clients. |
| | 6 | |
| | 7 | Additionally, due to an incomplete fix of the issue above in BitlBee |
| | 8 | 3.5, the bitlbee-libpurple variant is still affected in 3.5. |
| | 9 | |
| | 10 | == Impact == |
| | 11 | |
| | 12 | This results in denial of service (remote crash of the BitlBee |
| | 13 | instance). Remote code execution does not seem to be possible (fixed |
| | 14 | offset) |
| | 15 | |
| | 16 | For BitlBee servers configured in ForkDaemon mode (default) or inetd |
| | 17 | mode, the crash is limited to one user connection, who may just |
| | 18 | reconnect. |
| | 19 | |
| | 20 | CVSS for bitlbee 3.4.2 and lower: |
| | 21 | |
| | 22 | * Access Vector: Network |
| | 23 | * Access Complexity: Low |
| | 24 | * Authentication: None |
| | 25 | * Confidentiality Impact: None |
| | 26 | * Integrity Impact: None |
| | 27 | * Availability Impact: Partial |
| | 28 | * Exploitability: Functional Exploit Exists |
| | 29 | * Remediation Level: Official Fix |
| | 30 | * Report Confidence: Confirmed |
| | 31 | * Target Distribution: High |
| | 32 | * CVSS v2 score: 4.1 |
| | 33 | |
| | 34 | CVSS for bitlbee-libpurple 3.5: |
| | 35 | |
| | 36 | * Target Distribution: Medium |
| | 37 | * CVSS v2 score: 3.1 |
| | 38 | |
| | 39 | == Affected versions == |
| | 40 | |
| | 41 | bitlbee-libpurple 3.5 or older |
| | 42 | |
| | 43 | bitlbee (non-libpurple builds) 3.4.2 or older |
| | 44 | |
| | 45 | == Unaffected versions == |
| | 46 | |
| | 47 | bitlbee-libpurple 3.5.1 or newer |
| | 48 | |
| | 49 | bitlbee (non-libpurple builds) 3.5 or newer |
| | 50 | |
| | 51 | == Resolution == |
| | 52 | |
| | 53 | * Upgrade to 3.5.1 (released 2017-01-30) |
| | 54 | |
| | 55 | * For 3.5 see the attached |
| | 56 | 0001-purple-Fix-crash-on-ft-requests-from-unknown-contact.patch [not |
| | 57 | included in this email] |
| | 58 | |
| | 59 | * For 3.4.2, 3.4.1 and 3.4 see the attached |
| | 60 | 0001-Fix-null-pointer-dereference-on-ft-attempts-3.4.x.patch [not |
| | 61 | included in this email] |
| | 62 | |
| | 63 | * For 3.2.x and 3.2.x see the attached |
| | 64 | 0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch |
| | 65 | [not included in this email] |
| | 66 | |
| | 67 | == Discussion == |
| | 68 | |
| | 69 | The issue from 3.4.2 and older only affects the jabber protocol, which |
| | 70 | is the only non-purple protocol which implements file transfers. |
| | 71 | |
| | 72 | The issue that is still present in 3.5 affects any libpurple protocol |
| | 73 | that implements file transfers when used through BitlBee. It does not |
| | 74 | affect other libpurple-based clients such as pidgin. |
| | 75 | |
| | 76 | There's no visible effect of the issue other than the crash. |
| | 77 | |
| | 78 | == References == |
| | 79 | |
| | 80 | Incomplete fix commit included in 3.5: |
| | 81 | |
| | 82 | https://github.com/bitlbee/bitlbee/commit/701ab8129ba9ea64f569daedca9a8603abad740f |
| | 83 | |
| | 84 | Libpurple specific bugfix commit included in 3.5.1: |
| | 85 | |
| | 86 | https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 |
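
Review bot: In the Resolution list, the last bullet reads "For 3.2.x and 3.2.x", naming the same series twice, while the patch it points to is 0001-Fix-null-pointer-dereference-on-ft-attempts-3.0.x-3.2.x.patch; the bullet should state the range the filename covers (3.0.x to 3.2.x) so users of those releases can find their patch. In the Impact section, the bitlbee-libpurple 3.5 CVSS block lists only Target Distribution and the score, so say explicitly that the remaining metrics carry over from the 3.4.2 block, and close the sentence ending "(fixed offset)" with a period.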