public inbox for gentoo-dev@lists.gentoo.org

* [gentoo-dev] Security Problems: xmule, lmule
From: Patrick Lauer @ 2003-08-19 22:47 UTC
  To: gentoo-dev

Hi,

yesterday I found this:
http://www.heise.de/newsticker/data/dab-18.08.03-000/ (in german)

http://lists.netsys.com/pipermail/full-disclosure/2003-August/008449.html
(english)

short summary:
all emule, lmule and xmule versions are vulnerable to buffer overflows
including execution of malicious code.

xmule 1.4.3 (portage current) is very vulnerable.
xmule 1.5.6 (latest from xmule website) does not fix all known
vulnerabilities.

Please discourage the use of lmule and xmule until fixed versions are
available.

With best regards,
Patrick "bonsaikitten" Lauer


--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Rainer Groesslinger @ 2003-08-19 23:08 UTC
  To: gentoo-dev


On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
> Hi,
>
> yesterday I found this:
> http://www.heise.de/newsticker/data/dab-18.08.03-000/ (in german)
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-August/008449.html (english)
>
> short summary:
> all emule, lmule and xmule versions are vulnerable to buffer
> overflows including execution of malicious code.
>
> xmule 1.4.3 (portage current) is very vulnerable.
> xmule 1.5.6 (latest from xmule website) does not fix all known
> vulnerabilities.
>
> Please discourage the use of lmule and xmule until fixed versions are
> available.

lmule was removed from the tree several weeks ago because it isn't 
developed anymore and unsupported for a few months now.

The problem - indeed - is, that even their latest unstable release 
(1.5.6a) doesn't fix the problem and I observe xmule sharply and am 
waiting for a fixed release or at least a patch.

I added an einfo about the security hole in all the xmule ebuilds and I 
hope they release 1.4.4 or something soon (which will immediately be 
arch of course)

-- 
Rainer Groesslinger
http://dev.gentoo.org/~scandium/


* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Rainer Groesslinger @ 2003-08-19 23:19 UTC
  To: gentoo-dev

On Wednesday 20 August 2003 01:08, Rainer Groesslinger wrote:
> The problem - indeed - is, that even their latest unstable release
> (1.5.6a) doesn't fix the problem and I observe xmule sharply and am
> waiting for a fixed release or at least a patch.

btw. I just figured out that their cvs has all problems fixed now.

There seems to be some confusion, though, because of the fact that there 
are more exploits. Some xmule guy claimed all are fixed in 1.4.3 and 
some other said one remains in 1.4.3 etc.

-- 
Rainer Groesslinger
http://dev.gentoo.org/~scandium/



* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Patrick Lauer @ 2003-08-19 23:25 UTC
  To: Rainer Groesslinger; +Cc: gentoo-dev

On Wed, 2003-08-20 at 01:08, Rainer Groesslinger wrote:
> On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
[snip]
> > Please discourage the use of lmule and xmule until fixed versions are
> > available.
> 
> lmule was removed from the tree several weeks ago because it isn't 
> developed anymore and unsupported for a few months now.
ok

> The problem - indeed - is, that even their latest unstable release 
> (1.5.6a) doesn't fix the problem and I observe xmule sharply and am 
> waiting for a fixed release or at least a patch.
I recommend masking _all_ versions at the moment and issuing a GLSA.
Maybe I'm overreacting, but I do not wish to have my computer rooted :)

> I added an einfo about the security hole in all the xmule ebuilds and I 
> hope they release 1.4.4 or something soon (which will immediately be 
> arch of course)
That's good, but I don't think it's adequate since not everybody
reinstalls xmule every day _and_ reads all einfo lines scrolling by.

Btw, what's the official way for reporting vulnerabilities?
On the website I found almost nothing ... maybe this could be made
easier? Or did I miss something really obvious?

Thanks for the almost instantaneous response,

Patrick Lauer



* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Rainer Groesslinger @ 2003-08-19 23:32 UTC
  To: gentoo-dev


On Wednesday 20 August 2003 01:25, Patrick Lauer wrote:

> > The problem - indeed - is, that even their latest unstable release
> > (1.5.6a) doesn't fix the problem and I observe xmule sharply and am
> > waiting for a fixed release or at least a patch.
>
> I recommend masking _all_ versions at the moment and issuing a GLSA.
> Maybe I'm overreacting, but I do not wish to have my computer rooted
> :)

I did that, just didn't mention it in my email...if you re-sync you 
should get the new ebuilds + package.mask

> > I added an einfo about the security hole in all the xmule ebuilds
> > and I hope they release 1.4.4 or something soon (which will
> > immediately be arch of course)
>
> That's good, but I don't think it's adequate since not everybody
> reinstalls xmule every day _and_ reads all einfo lines scrolling by.

that einfo is at pkg_postinst() so everybody should see it (at least if 
nothing else is merged immediately afterwards ;)

-- 
Rainer Groesslinger
http://dev.gentoo.org/~scandium/
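The mitigation described in this thread (every released xmule version masked below the fixed release via package.mask, lmule dropped entirely, a warning in pkg_postinst) can be checked mechanically against what is installed. The following is an added example, not portage code and not anything posted in the thread: it implements a simplified subset of portage's atom syntax and version ordering and runs it over a constructed package.mask excerpt and a constructed installed-package list. The category net-p2p for xmule and lmule and the lmule version 1.3.1 are assumptions; portage's real version rules are richer than the dotted-number-plus-letter form handled here, which is enough for the versions the thread discusses (1.4.3, 1.5.6a, 1.6.0).

```python
"""Flag installed packages that are hit by package.mask entries.

Added example, not Gentoo/portage code. Supports atoms of the form
'<cat/pkg-ver', '<=cat/pkg-ver', '=cat/pkg-ver', '>=...', '>...' and a bare
'cat/pkg' (which masks every version). Versions are dotted integers with an
optional trailing letter, e.g. 1.5.6a.
"""
import re
from typing import Dict, List, Tuple

# Constructed package.mask excerpt (hypothetical; the 2003 file is not on the page).
PACKAGE_MASK = """
# 20 Aug 2003: remote buffer overflows in every released xmule; fixed in 1.6.0
<net-p2p/xmule-1.6.0
# lmule is unmaintained and vulnerable: mask every version
net-p2p/lmule
"""

# Constructed "what is installed" snapshot (category and lmule version assumed).
INSTALLED: Dict[str, str] = {
    "net-p2p/xmule": "1.4.3",
    "net-p2p/lmule": "1.3.1",
    "net-p2p/amule": "1.0.0",
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")
# operator, category/package (may contain hyphens), optional version starting with a digit
ATOM_RE = re.compile(r"^(<=|>=|<|>|=)?([\w+-]+/[\w+-]+?)(?:-(\d[\w.]*))?$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], str]:
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version syntax: {ver}")
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like cmp(); 1.6 and 1.6.0 compare equal, 1.5.6a > 1.5.6."""
    na, la = parse_version(a)
    nb, lb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if la != lb:
        return -1 if la < lb else 1
    return 0


def atom_matches(atom: str, cp: str, ver: str) -> bool:
    """True if the mask atom covers installed package cp at version ver."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom syntax: {atom}")
    op, atom_cp, atom_ver = m.groups()
    if atom_cp != cp:
        return False
    if atom_ver is None:
        return True  # bare 'cat/pkg' masks all versions
    if op is None:
        raise ValueError(f"versioned atom needs an operator: {atom}")
    c = compare_versions(ver, atom_ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def load_mask(text: str) -> List[str]:
    """Strip comments and blank lines from package.mask text, return the atoms."""
    atoms = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            atoms.append(line)
    return atoms


def masked_installs(mask_text: str, installed: Dict[str, str]) -> List[str]:
    """Return 'cat/pkg-ver' for every installed package covered by a mask entry."""
    atoms = load_mask(mask_text)
    return [
        f"{cp}-{ver}"
        for cp, ver in installed.items()
        if any(atom_matches(atom, cp, ver) for atom in atoms)
    ]


if __name__ == "__main__":
    for hit in masked_installs(PACKAGE_MASK, INSTALLED):
        print(f"masked (security): {hit}")
```

Running it over the constructed data reports xmule-1.4.3 and lmule-1.3.1 and leaves amule alone; swapping the xmule entry for 1.6.0 drops it from the report, which is the state Rainer describes after the fixed ebuild lands. The bare lmule atom shows why "mask all versions" needs no version at all.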


* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Owen Gunden @ 2003-08-19 23:51 UTC
  To: gentoo-dev

On Wed, Aug 20, 2003 at 01:32:47AM +0200, Rainer Groesslinger wrote:
> > > I added an einfo about the security hole in all the xmule ebuilds
> > > and I hope they release 1.4.4 or something soon (which will
> > > immediately be arch of course)
> >
> > That's good, but I don't think it's adequate since not everybody
> > reinstalls xmule every day _and_ reads all einfo lines scrolling by.
> 
> that einfo is at pkg_postinst() so everybody should see it (at least if 
> nothing else is merged immediately afterwards ;)

Further motivation for my functions.sh patch or similar :).  See the thread
entitled "patch: emergemail feature in functions.sh".  How timely.

Owen


* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Georgi Georgiev @ 2003-08-20  2:28 UTC
  To: gentoo-dev

On 20/08/2003 at 01:25:58(+0200), Patrick Lauer used 1.2K just to say:
> Btw, what's the official way for reporting vulnerabilities?
> On the website I found almost nothing ... maybe this could be made
> easier? Or did I miss something really obvious?

I guess http://bugs.gentoo.org. That's what I'd do.

-- 
\    Georgi Georgiev   \  Santa's elves are just a bunch of            \
/     chutz@gg3.net    /  subordinate Clauses.                         /
\   +81(90)6266-1163   \                                               \


* Re: [gentoo-dev] Security Problems: xmule, lmule
From: Rainer Groesslinger @ 2003-08-27 13:43 UTC
  To: gentoo-dev


On Wednesday 20 August 2003 00:47, Patrick Lauer wrote:
[snip]
> short summary:
> all emule, lmule and xmule versions are vulnerable to buffer
> overflows including execution of malicious code.
>
> xmule 1.4.3 (portage current) is very vulnerable.
> xmule 1.5.6 (latest from xmule website) does not fix all known
> vulnerabilities.
>
> Please discourage the use of lmule and xmule until fixed versions are
> available.
[snap]

I added xmule-1.6.0 to the tree minutes ago, so just re-sync.
It fixes all known security issues (at least according to un-thesis) and 
I removed all older versions which had security exploits.

-- 
Rainer Groesslinger
http://dev.gentoo.org/~scandium/
