libgadu: Multiple vulnerabilities — GLSA 201508-02

Multiple vulnerabilities have been found in libgadu, the worst of which may result in execution of arbitrary code.

Affected packages

Background

libgadu is a library that implements the client side of the Gadu-Gadu protocol.

Description

libgadu contains multiple vulnerabilities:

• X.509 certificates are not properly validated (CVE-2013-4488)
• A integer overflow error could lead to a buffer overflow (CVE-2013-6487)
• Malformed responses from a Gadu-Gadu file relay server are not properly handled (CVE-2014-3775)

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or spoof servers.

Workaround

There is no known workaround at this time.

Resolution

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libgadu-1.12.0"
 

References

• CVE-2013-4488
• CVE-2013-6487
• CVE-2014-3775

Release date
August 15, 2015

Latest revision
August 15, 2015: 1

Severity
normal

Exploitable
remote

Bugzilla entries

• 490238
• 505558
• 510714