Executive Summary

Summary
Title: New barnowl packages fix arbitrary code execution

Information
Name: DSA-2102
Vendor: Debian
First vendor publication: 2010-09-03
Last vendor modification: 2010-09-03
Severity (vendor): N/A
Revision: 1

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5
CVSS Impact Score: 6.4
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service (crash of the application), and possibly execute arbitrary code.

For the stable distribution (lenny), this problem has been fixed in version 1.0.1-4+lenny2.

For the testing distribution (squeeze), this problem has been fixed in version 1.6.2-1.

For the unstable distribution (sid), this problem has been fixed in version 1.6.2-1.

We recommend that you upgrade your barnowl packages.

Original Source

Url : http://www.debian.org/security/2010/dsa-2102

CWE : Common Weakness Enumeration

Id: CWE-20
Name: Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11759
 
Oval ID: oval:org.mitre.oval:def:11759
Title: DSA-2102-1 barnowl -- unchecked return value
Description: It has been discovered that in barnowl, a curses-based instant-messaging client, the return codes of calls to the ZPending and ZReceiveNotice functions in libzephyr were not checked, allowing attackers to cause a denial of service, and possibly execute arbitrary code. For the stable distribution, this problem has been fixed in version 1.0.1-4+lenny2. For the testing distribution, this problem has been fixed in version 1.6.2-1. For the unstable distribution, this problem has been fixed in version 1.6.2-1. We recommend that you upgrade your barnowl packages.
Family: unix Class: patch
Reference(s): DSA-2102-1
CVE-2010-2725
Version: 5
Platform(s): Debian GNU/Linux 5.0
Product(s): barnowl
Definition Synopsis:

CPE : Common Platform Enumeration

Type: Application
Count: 21

Open Source Vulnerability Database (OSVDB)

Id: 66887
Description: BarnOwl libzephyr Multiple Function Return Code Check Weakness Remote DoS

Nessus® Vulnerability Scanner

Date: 2010-09-04
Name: The remote Debian host is missing a security-related update.
File: debian_DSA-2102.nasl - Type: ACT_GATHER_INFO

Alert History

Date / Information
2014-02-17 11:29:39
  • Multiple Updates
2013-05-11 00:43:51
  • Multiple Updates