libgadu: Multiple vulnerabilities — GLSA 201508-02

Multiple vulnerabilities have been found in libgadu, the worst of which may result in execution of arbitrary code.

Affected Packages

net-libs/libgadu on all architectures
Affected versions < 1.12.0
Unaffected versions >= 1.12.0

Background

libgadu is a library that implements the client side of the Gadu-Gadu protocol.

Description

libgadu contains multiple vulnerabilities:

  • X.509 certificates are not properly validated (CVE-2013-4488)
  • A integer overflow error could lead to a buffer overflow (CVE-2013-6487)
  • Malformed responses from a Gadu-Gadu file relay server are not properly handled (CVE-2014-3775)

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the process, cause a Denial of Service condition, or spoof servers.

Workaround

There is no known workaround at this time.

Resolution

All libgadu users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-libs/libgadu-1.12.0"
 

References

Release Date
August 15, 2015

Latest Revision
August 15, 2015: 1

Severity
normal

Exploitable
remote

Bugzilla entries