From 4f2d7949f03e1c198bc888f2d05f421d35c57e21 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Mon, 9 Oct 2017 18:53:29 +0100 Subject: reinit the tree, so we can have metadata --- metadata/glsa/glsa-200804-27.xml | 101 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 metadata/glsa/glsa-200804-27.xml (limited to 'metadata/glsa/glsa-200804-27.xml') diff --git a/metadata/glsa/glsa-200804-27.xml b/metadata/glsa/glsa-200804-27.xml new file mode 100644 index 000000000000..2c841714597a --- /dev/null +++ b/metadata/glsa/glsa-200804-27.xml @@ -0,0 +1,101 @@ + + + + SILC: Multiple vulnerabilities + + Multiple vulnerabilities were found in SILC Client, Server, and Toolkit, + allowing for Denial of Service and execution of arbitrary code. + + silc-toolkit silc-client silc-server + 2008-04-24 + 2008-04-24: 01 + 212362 + 214116 + 214812 + remote + + + 1.1.7 + 1.1.7 + + + 1.1.4 + 1.1.4 + + + 1.1.2 + 1.1.2 + + + +

+ SILC (Secure Internet Live Conferencing protocol) Toolkit is a software + development kit for use in clients, SILC Server is a communication + server, and SILC Client is an IRSSI-based text client. +

+
+ +
    +
  • Nathan G. Grennan reported a boundary error in SILC Toolkit + within the silc_fingerprint() function in the file + lib/silcutil/silcutil.c when passing overly long data, resulting in a + stack-based buffer overflow (CVE-2008-1227).
  • +
  • A vulnerability + has been reported in SILC Server which is caused due to an error in the + handling of "NEW_CLIENT" packets that do not contain a nickname + (CVE-2008-1429).
  • +
  • Ariel Waissbein, Pedro Varangot, Martin + Mizrahi, Oren Isacson, Carlos Garcia, and Ivan Arce of Core Security + Technologies reported that SILC Client, Server, and Toolkit contain a + vulnerability in the silc_pkcs1_decode() function in the silccrypt + library (silcpkcs1.c), resulting in an integer underflow, signedness + error, and a buffer overflow (CVE-2008-1552).
  • +
+
+ +

+ A remote attacker could exploit these vulnerabilities to cause a Denial + of Service or execute arbitrary code with the privileges of the user + running the application. +

+
+ +

+ There is no known workaround at this time. +

+
+ +

+ All SILC Toolkit users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-toolkit-1.1.7" +

+ All SILC Client users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-client-1.1.4" +

+ All SILC Server users should upgrade to the latest version: +

+ + # emerge --sync + # emerge --ask --oneshot --verbose ">=net-im/silc-server-1.1.2" +
+ + CVE-2008-1227 + CVE-2008-1429 + CVE-2008-1552 + + + rbu + + + rbu + + + keytoaster + +
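Review bot: The description item for CVE-2008-1429 gives only the cause (SILC Server mishandling "NEW_CLIENT" packets that do not contain a nickname) and never states the result, while the other two items name theirs: a stack-based buffer overflow for CVE-2008-1227, and an integer underflow, signedness error and buffer overflow for CVE-2008-1552. The impact paragraph then covers all three CVEs with a single "Denial of Service or execute arbitrary code", so someone triaging a server-only host cannot tell which outcome applies to it. Consider adding the consequence to the CVE-2008-1429 item and stating in the impact text which outcome belongs to which CVE. Separately, the commit message says only "reinit the tree, so we can have metadata"; a note on where the advisory text was imported from would make this 101-line addition easier to audit.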
-- cgit v1.2.3