[USN-692-1] Gadu vulnerability
Date: Wed, 17 Dec 2008 16:12:13 -0800
From: Kees Cook <kees@ubuntu.com.>
Subject: [USN-692-1] Gadu vulnerability
Message-ID: <20081218001213.GU9250@outflux.net.>
Organization: Ubuntu

Ubuntu Security Notice USN-692-1 December 17, 2008
ekg, libgadu vulnerability
CVE-2008-4776

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libgadu3                        1:1.6+20051103-1ubuntu1.1

Ubuntu 7.10:
  libgadu3                        1:1.7~rc2-2ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  libgadu3                        1:1.7~rc2-2ubuntu0.8.04.1

Ubuntu 8.10:
  libgadu3                        1:1.8.0+r592-1ubuntu0.1

After a standard system upgrade you need to restart your session to effect
the necessary changes.

Details follow:

It was discovered that the Gadu library, used by some Instant Messaging
clients, did not correctly verify certain packet sizes from the server.
If a user connected to a malicious server, clients using Gadu could be
made to crash, leading to a denial of service.