SecurityTracker.com Archives - Gaim Buffer Overflows in Groupware Messages, URLs, Hostname Lookups, and RTF Messages May Permit Remote Code Execution

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Instant Messaging/IRC/Chat) > Gaim

Vendors: Gaim.sourceforge.net

Gaim Buffer Overflows in Groupware Messages, URLs, Hostname Lookups, and RTF Messages May Permit Remote Code Execution

SecurityTracker Alert ID: 1011083

SecurityTracker URL: http://securitytracker.com/id?1011083

CVE Reference: CAN-2004-0785 , CAN-2004-0754 (Links to External Site)

OSVDB Reference: 9260 , 9261 , 9262 , 9263 , 9264 (Links to External Site)

Date: Aug 28 2004

Impact: Execution of arbitrary code via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): prior to 0.82

Description: Several overflow vulnerabilities were reported in Gaim. A remote user may be able to execute arbitrary code on the target system. A remote server can also cause the Gaim client to crash.

The vendor reported that a remote groupware server can send specially crafted messages to a target client to trigger a memory allocation integer overflow [CVE: CAN-2004-0754]. The resulting heap overflow may allow arbitrary code to be executed.

It is also reported that a remote user can send a specially crafted URL that, when received by the target user, will overflow a static buffer of 2048 bytes [CVE: CAN-2004-0785].

It is also reported that a hostname lookup overflow can be triggered [CVE: CAN-2004-0785]. If the DNS server returns a hostname that is greater than MAXHOSTNAMELEN bytes, a buffer overflow will occur.

It is also reported that a remote user can create an invalid rich text format (RTF) message to trigger one of several buffer overflows [CVE: CAN-2004-0785].

It is also reported that a remote web server can return a large HTTP Content-Length header value to cause the target user's Gaim to crash. This can be triggered if the supplied length value is large enough to cause Gaim to consume all available memory. This can occur when Gaim reads profile information on some protocols and when smiley themes are installed via drag and drop.

The original advisories are available at:

http://gaim.sourceforge.net/security/index.php?id=2
http://gaim.sourceforge.net/security/index.php?id=3
http://gaim.sourceforge.net/secu rity/index.php?id=4
http://gaim.sourceforge.net/security/index.php?id=5
http://gaim.sourceforge.net/security/index.php?id=6

Impact: A remote user can cause arbitrary code to be executed on the target application or cause the application to crash.

Solution: The vendor has released a fixed version (0.82), available at:

http://gaim.sourceforge.net/downloads.php

Vendor URL: gaim.sourceforge.net/security/ (Links to External Site)

Cause: Boundary error, Input validation error

Underlying OS: Linux (Any), UNIX (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Oct 17 2004	(Fedora Issues Fix for RH Linux) Gaim Buffer Overflows in Groupware Messages, URLs, Hostname Lookups, and RTF Messages May Permit Remote Code Execution (Marc Deslauriers <marcdeslauriers@videotron.ca>) Fedora has released a fix for Red Hat Linux 7.3 and 9.
Oct 21 2004	(Mandrake Issues Fix) Gaim Buffer Overflows in Groupware Messages, URLs, Hostname Lookups, and RTF Messages May Permit Remote Code Execution (Mandrake Linux Security Team <security@linux-mandrake.com>) Mandrake has released a fix.
Nov 5 2004	(Conectiva Issues Fix) Gaim Buffer Overflows in Groupware Messages, URLs, Hostname Lookups, and RTF Messages May Permit Remote Code Execution (Conectiva Updates <secure@conectiva.com.br>) Conectiva has released a fix.

Source Message Contents

Date: Aug 22, 2004
Subject: Gaim overflows

 
 
http://gaim.sourceforge.net/security/index.php?id=2
http://gaim.sourceforge.net/security/index.php?id=3
http://gaim.sourceforge.net/security/index.php?id=4
http://gaim.sourceforge.net/security/index.php?id=5
http://gaim.sourceforge.net/security/index.php?id=6
 
Several vulnerabilities were reported in Gaim.  A remote user may be able to execute
arbitrary code on the target system.
 
 
 
The vendor reported that a remote groupware server can send specially crafted messages 
to a target client to trigger an memory allocation integer overflow [CVE: 
CAN-2004-0754].  The resulting heap overflow may allow arbitrary code to be executed.
 
It is also reported that a remote user can send a specially crafted URL that, when 
received by the target user, will overflow a static buffer of 2048 bytes [CVE: 
CAN-2004-0785].
 
It is also reported that a hostname lookup overflow can be triggered [CVE: 
CAN-2004-0785].  If the DNS server returns a hostname that is greater than 
MAXHOSTNAMELEN bytes, a buffer overflow will occur.
 
It is also reported that a remote user can create an invalid rich text format (RTF) 
message to trigger one of several buffer overflows [CVE: CAN-2004-0785].
 
It is also reported that a remote web server can return a large HTTP 
Content-Length header value to cause the target user's Gaim to crash.  This can be 
triggered if the supplied length value cause Gaim to consume all available memory.  
This can occur when Gaim reads profile information on some protocols and when smiley 
themes are installed via drag and drop.

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2004, SecurityGlobal.net LLC