[CVE-2013-7449] xchat and derivatives don't validate ssl hostnames

Bug #1565000 reported by Marc Deslauriers
Affects                 Status        Importance  Assigned to        Milestone
hexchat (Ubuntu)        Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Wily                  Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
xchat (Ubuntu)
  Precise               Won't Fix     Undecided   Unassigned
  Trusty                Confirmed     Undecided   Unassigned
  Wily                  Confirmed     Undecided   Unassigned
xchat-gnome (Ubuntu)    Fix Released  Undecided   Marc Deslauriers
  Precise               Fix Released  Undecided   Marc Deslauriers
  Trusty                Fix Released  Undecided   Marc Deslauriers
  Wily                  Fix Released  Undecided   Marc Deslauriers
  Xenial                Fix Released  Undecided   Marc Deslauriers

Bug Description

http://www.openwall.com/lists/oss-security/2015/01/29/23

XChat did not verify that the server hostname matched the domain name in
the subject's Common Name (CN) or subjectAltName field in X.509
certificates. This could allow a man-in-the-middle attacker to spoof an
SSL server if they had a certificate that was valid for any domain name.

Also applied to hexchat and xchat-gnome.
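The kind of check the description says was missing, as an added example and not code from xchat, hexchat or the Ubuntu patch: match the server hostname against the certificate's subjectAltName dNSName entries, fall back to the CN only when no dNSName SAN is present (RFC 6125 precedence), and accept a wildcard only as the whole leftmost label. The `cert_names` struct is a constructed stand-in for the parsed X509 fields.

```c
/* Added example of certificate hostname verification; the cert_names
 * struct is a constructed stand-in for what would be read out of an X509. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_SANS 8

struct cert_names {
    const char *cn;                 /* subject Common Name, may be NULL */
    const char *san_dns[MAX_SANS];  /* subjectAltName dNSName entries */
    size_t san_count;
};

/* DNS names are case-insensitive, so compare labels ignoring case. */
static int label_eq(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Match one certificate name against the hostname. A wildcard is accepted
 * only as the entire leftmost label ("*.example.org"): it must not match the
 * bare domain, must not span a dot, and needs at least two labels after it. */
int dns_name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host) return 0;
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *pdom = pattern + 1;               /* ".example.org" */
        const char *hdot = strchr(host, '.');
        if (!hdot || hdot == host) return 0;          /* leftmost label must be non-empty */
        if (strchr(pdom + 1, '.') == NULL) return 0;  /* "*.org" is too broad */
        return label_eq(pdom, strlen(pdom), hdot, strlen(hdot));
    }
    if (strchr(pattern, '*')) return 0;               /* wildcards elsewhere are rejected */
    return label_eq(pattern, strlen(pattern), host, strlen(host));
}

/* SAN dNSName entries take precedence; the CN is consulted only when the
 * certificate carries no dNSName SAN. Returns 1 on match, 0 on mismatch. */
int cert_matches_host(const struct cert_names *c, const char *host)
{
    if (c->san_count > 0) {
        for (size_t i = 0; i < c->san_count; i++)
            if (dns_name_matches(c->san_dns[i], host)) return 1;
        return 0;
    }
    return dns_name_matches(c->cn, host);
}
```

A client that skips this step accepts any certificate chaining to a trusted CA regardless of which host it names, which is the condition the description refers to.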

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
Changed in xchat (Ubuntu Xenial):
status: New → Invalid
Changed in xchat-gnome (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in hexchat (Ubuntu Trusty):
status: New → Confirmed
Changed in hexchat (Ubuntu Precise):
status: New → Invalid
Changed in hexchat (Ubuntu Wily):
status: New → Fix Released
Changed in hexchat (Ubuntu Xenial):
status: New → Fix Released
Changed in xchat (Ubuntu Precise):
status: New → Confirmed
Changed in xchat (Ubuntu Trusty):
status: New → Confirmed
Changed in xchat (Ubuntu Wily):
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Revision history for this message
TingPing (tingping) wrote :

Debian removed xchat from their repos and xchat-gnome has been dead for equally long so they should both be removed IMO.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I maintain xchat-gnome in Ubuntu. It's the only one that uses gtk3, and is in the main repo.

xchat has already been removed from Xenial.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu9

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu9) xenial; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 12:39:36 -0400

Changed in xchat-gnome (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Mattia Rizzolo (mapreri) wrote :

Marc, could you also take care of patching hexchat in trusty while you're at it?

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package hexchat - 2.9.6.1-2ubuntu0.1

---------------
hexchat (2.9.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 19:53:41 -0400

Changed in hexchat (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2

---------------
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:43:49 -0400

Changed in xchat-gnome (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20141005.816798-0ubuntu6.2

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu6.2) wily-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:32:30 -0400

Changed in xchat-gnome (Ubuntu Wily):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20110821.e2a400-0.2ubuntu4.3

---------------
xchat-gnome (1:0.30.0~git20110821.e2a400-0.2ubuntu4.3) precise-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <email address hidden> Fri, 01 Apr 2016 13:44:25 -0400

Changed in xchat-gnome (Ubuntu Precise):
status: Confirmed → Fix Released
Mathew Hodson (mhodson)
no longer affects: hexchat (Ubuntu Precise)
no longer affects: xchat (Ubuntu Xenial)
no longer affects: xchat (Ubuntu)
Mathew Hodson (mhodson)
summary: - xchat-gnome doesn't validate ssl hostnames
+ xchat and derivatives don't validate ssl hostnames
Mattia Rizzolo (mapreri)
summary: - xchat and derivatives don't validate ssl hostnames
+ [CVE-2013-7449] xchat and derivatives don't validate ssl hostnames
Revision history for this message
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in xchat (Ubuntu Precise):
status: Confirmed → Won't Fix