Format string vulnerability

Bug #423565 reported by 4dro
Affects                  Status         Importance   Assigned to   Milestone
silc-client (Ubuntu)     Invalid        Undecided    Unassigned
  Dapper                 Invalid        Undecided    Unassigned
  Hardy                  Invalid        Undecided    Unassigned
  Intrepid               Invalid        Undecided    Unassigned
  Jaunty                 Invalid        Undecided    Unassigned
  Karmic                 Invalid        Undecided    Unassigned
silc-server (Ubuntu)     Invalid        Undecided    Unassigned
  Dapper                 Invalid        Undecided    Unassigned
  Hardy                  Invalid        Undecided    Unassigned
  Intrepid               Invalid        Undecided    Unassigned
  Jaunty                 Invalid        Undecided    Unassigned
  Karmic                 Invalid        Undecided    Unassigned
silc-toolkit (Ubuntu)    Fix Released   Wishlist     Unassigned
  Dapper                 Won't Fix      Low          Unassigned
  Hardy                  Won't Fix      Wishlist     Unassigned
  Intrepid               Invalid        Wishlist     Unassigned
  Jaunty                 Won't Fix      Wishlist     Unassigned
  Karmic                 Fix Released   Wishlist     Unassigned

Bug Description

Upstream silc client (1.1.8) fixes both a format string vulnerability (see http://lists.silcnet.org/pipermail/silc-devel/2009-July/002253.html)

It fixes more things, for a full changelog:

http://www.silcnet.org/docs/changelog/SILC%20Client%201.1.8

This applies to karmic, jaunty, intrepid and hardy.

4dro (kwadronaut)
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. This package is in universe and is community supported. If you are able, perhaps you could prepare debdiffs to fix this by following https://wiki.ubuntu.com/SecurityUpdateProcedures.

Changed in silc-client (Ubuntu):
status: New → Confirmed
4dro (kwadronaut) wrote :

Published updated versions on my PPA. I'm not aware of all the details involved in Ubuntu's workflow to fix packages, so a helping hand would be appreciated:

https://launchpad.net/~kwadronaut/+archive/ppa

Both silc-toolkit and silcclient are updated from upstream and contain some more bugfixes, no feature changes.

Kees Cook (kees) wrote :

CVE-2009-3051

Changed in silc-client (Ubuntu Dapper):
status: New → Invalid
Changed in silc-client (Ubuntu Hardy):
status: New → Confirmed
Changed in silc-client (Ubuntu Intrepid):
status: New → Confirmed
Changed in silc-client (Ubuntu Jaunty):
status: New → Confirmed
Changed in silc-client (Ubuntu Hardy):
status: Confirmed → Invalid
Changed in silc-client (Ubuntu Intrepid):
status: Confirmed → Invalid
Changed in silc-client (Ubuntu Jaunty):
status: Confirmed → Invalid
Changed in silc-client (Ubuntu Karmic):
status: Confirmed → Invalid
Kees Cook (kees)
Changed in silc-server (Ubuntu Dapper):
status: New → Confirmed
Changed in silc-server (Ubuntu Hardy):
status: New → Invalid
Changed in silc-server (Ubuntu Intrepid):
status: New → Invalid
Changed in silc-server (Ubuntu Jaunty):
status: New → Invalid
Changed in silc-server (Ubuntu Karmic):
status: New → Invalid
Changed in silc-toolkit (Ubuntu Hardy):
status: New → Confirmed
Changed in silc-toolkit (Ubuntu Jaunty):
status: New → Confirmed
Changed in silc-toolkit (Ubuntu Intrepid):
status: New → Confirmed
Changed in silc-toolkit (Ubuntu Karmic):
status: New → Confirmed
Changed in silc-toolkit (Ubuntu Dapper):
status: New → Confirmed
Kees Cook (kees) wrote :

silc-server and silc-client both use the system library from silc-toolkit, so only silc-toolkit needs to be fixed. Intrepid and later are protected by Fortify-Source[1], rendering this vulnerability a DoS only.

[1] https://wiki.ubuntu.com/CompilerFlags#-D_FORTIFY_SOURCE=2

Changed in silc-server (Ubuntu Dapper):
status: Confirmed → Invalid
Changed in silc-toolkit (Ubuntu Hardy):
importance: Undecided → Wishlist
Changed in silc-toolkit (Ubuntu Intrepid):
importance: Undecided → Wishlist
Changed in silc-toolkit (Ubuntu Jaunty):
importance: Undecided → Wishlist
Changed in silc-toolkit (Ubuntu Dapper):
importance: Undecided → Low
Changed in silc-toolkit (Ubuntu Karmic):
importance: Undecided → Wishlist
status: Confirmed → Triaged
Changed in silc-toolkit (Ubuntu Jaunty):
status: Confirmed → Triaged
Changed in silc-toolkit (Ubuntu Intrepid):
status: Confirmed → Triaged
Changed in silc-toolkit (Ubuntu Dapper):
status: Confirmed → Triaged
Changed in silc-toolkit (Ubuntu Hardy):
status: Confirmed → Triaged
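
The bug class and the mitigation named in Kees Cook's comment above, as an added example (not code from silc-toolkit or from this report; the function names and the SHOW_VULNERABLE macro are hypothetical). With _FORTIFY_SOURCE=2, glibc's checked printf-family functions abort the process when a format string held in writable memory contains %n, which is why a fortified build reduces the issue to a crash.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form: peer-supplied strings are only ever arguments to a constant
 * format, so directives inside them are copied out as plain characters.
 * Returns the length written, or -1 on error or truncation. */
int format_notice(char *out, size_t outlen, const char *nick, const char *text)
{
    int n = snprintf(out, outlen, "<%s> %s", nick, text);
    return (n >= 0 && (size_t)n < outlen) ? n : -1;
}

#ifdef SHOW_VULNERABLE
/* The bug class, for comparison (not compiled by default): the peer-supplied
 * string is the format itself, so any directives in it are interpreted. */
int format_notice_vuln(char *out, size_t outlen, const char *text)
{
    return snprintf(out, outlen, text);
}
#endif

/* Build-time check: glibc only enables the fortified wrappers when
 * _FORTIFY_SOURCE is defined AND optimisation is on. Returns the active
 * level, or 0 when this translation unit is not fortified. */
int fortify_level(void)
{
#if defined(_FORTIFY_SOURCE) && defined(__OPTIMIZE__)
    return _FORTIFY_SOURCE;
#else
    return 0;
#endif
}

int main(void)
{
    char buf[64];
    /* Constructed sample input containing format directives. */
    int n = format_notice(buf, sizeof buf, "alice", "%x %n");
    printf("fortify level %d, wrote %d bytes: %s\n", fortify_level(), n, buf);
    return 0;
}
```

Building with `-O2 -D_FORTIFY_SOURCE=2` makes `fortify_level()` report 2; without optimisation it reports 0 even when the macro is defined.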
Michael Terry (mterry) wrote :

silc-toolkit 1.1.10-2 was synced from Debian to Karmic 4 weeks ago.

Changed in silc-toolkit (Ubuntu Karmic):
status: Triaged → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in silc-toolkit (Ubuntu Intrepid):
status: Triaged → Invalid
Alex Valavanis (valavanisalex) wrote :

Jaunty reached end-of-life on 23 October 2010. The bug is marked as fixed in later versions of Ubuntu.

Changed in silc-toolkit (Ubuntu Jaunty):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against dapper is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in silc-toolkit (Ubuntu Dapper):
status: Triaged → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug and helping to make Ubuntu better. The package referred to in this bug is in universe or multiverse and reported against a release of Ubuntu (hardy) which no longer receives updates outside of the explicitly supported LTS packages. While the bug against hardy is being marked "Won't Fix" for now, if you are interested feel free to post a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Please feel free to report any other bugs you may find.

Changed in silc-toolkit (Ubuntu Hardy):
status: Triaged → Won't Fix