Bug#559784: qutecom: CVE-2008-4776 denial-of-service
Michael Gilbert
michael.s.gilbert at gmail.com
Sun Dec 13 01:16:07 UTC 2009
On Sat, 12 Dec 2009 17:02:47 -0800 Ludovico Cavedon wrote:
> Michael Gilbert wrote:
> > On Sat, 12 Dec 2009 16:05:55 -0800 Ludovico Cavedon wrote:
> >> Michael Gilbert wrote:
> >>> the following CVE (Common Vulnerabilities & Exposures) id was published
> >>> for libgadu. Centerim embeds libpurple, which embeds libgadu, so it is
> >>> affected.
> >> I am sure what stated above is correct. According to my investigation:
> >> -libpurble does not embded libgadu directly, but has its own
> >> implementation of the gadugadu protocol
> >> -centerim embeds libgadu directly
> >>
> >> Therefore this CVE does not apply to qutecom.
> >
> > based on [0], qutecom embeds the exact same code as libpurple,
> > so it is indeed affected.
> >
> > [0] http://source.debian.net/source/search?q=&defs=&refs=&path=libgadu.c&hist=
>
> Yes, you are right, I missed the "lib" directory in "gg".
>
> However I realized that the version of libpurple internally compiled by
> qutecom is not including gadugadu support, but only jabber, msn, yahoo
> and oscar [1].
if that is the case, then your package may not be affected, but you
should be 100% sure before closing. the fact that the gadu code is
included in the package indicates that it is very likely used. can you
remove the gadu source and still build/run the package?
as for the fact that libpurple is embedded, that should be fixed
regardless of the outcome of this bug since there are so many security
vulnerabilities being disclosed for pidgin.
mike
More information about the Pkg-voip-maintainers
mailing list