(Conectiva Issues Fix) Gaim Contains Multiple Overflows That Let a Remote User Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1009010
|
|
CVE Reference: CAN-2004-0005
(Links to External Site)
|
Date: Feb 10 2004
|
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 0.75 and prior versions
|
Description: Multiple vulnerabilities were reported in Gaim. A remote user can execute arbitrary code on the target user's system.
Stefan Esser of e-matters GmbH reported 12 vulnerabilities, including stack overflows, heap overflows, and an integer overflow.
Some of the vulnerabilities require a man-in-the-middle attack to exploit.
Several of the vulnerabilities were due to buffer
overflows in the processing of Yahoo! Messenger protocol.
An integer overflow was reported in the processing of the AIM/Oscar
protocol.
A variety of other protocols and functions also contain overflows.
It is reported that two buffer overflows
reside in the decoding of octal values in the yahoo_decode() function in
'gaim/src/protocols/yahoo/yahoo.c' [CVE: CAN-2004-0005].
Only version 0.75 is affected.
A remote server can send an HTTP reply header with specially crafted cookie values to trigger
an overflow in 'gaim/src/protocols/yahoo/yahoo.c' in the yahoo_web_pending() function [CVE: CAN-2004-0006].
Two buffer overflows
in yahoo_login_page_hash() can be triggered by specially crafted values in the Yahoo! login webpage [CVE: CAN-2004-0006].
A
remote user can send a Yahoo! Messenger packet containing a specially crafted keyname value to the target server via the Yahoo!
server to execute arbitrary code on the target system [CVE: CAN-2004-0006]. The flaw reportedly resides in the yahoo_packet_read()
function in 'gaim/src/protocols/yahoo/yahoo.c'.
It is reported that a malicious AIM/Oscar directIM packet can trigger an overflow
in the handlehdr_odc() function in 'gaim/src/protocols/oscar/ft.c' [CVE: CAN-2004-0008]. Versions 0.74 and prior are affected.
Two
vulnerabilites were reported in the MIME decoding functions of quotedp_decode() in 'gaim/src/util.c' [CVE: CAN-2004-0005]. Only
version 0.75 is affected.
The gaim_url_parse() function in 'gaim/src/util.c' reportedly splits URLs into fixed sized buffers
[CVE: CAN-2004-0006].
The gaim_markup_extract_info_field() function in 'gaim/src/util.c' contains a stack overflow in several
locations [CVE: CAN-2004-0007]. Versions 0.74 and earlier are affected.
A remote user acting as an HTTP proxy server can trigger
an overflow in a connected Gaim client when the client is configured to use an HTTP proxy [CVE: CAN-2004-0006]. The flaw resides
in the http_canread() function in 'gaim/src/proxy.c'.
The vendor was initially notified regarding the first of the bugs on January
4, 2004.
The original advisory is available at:
http://security.e-matters.de/advisories/012004.html
|
Impact: A remote user can execute arbitrary code on the target system. In some of the vulnerabilities, the remote user must be operating
as a malicious server. In some cases, the remote user must invoke a man-in-the-middle attack. In one case, a remote user can simply
send a message via the Yahoo! server.
|
Solution: Conectiva has released a fix.
ftp://atualizacoes.conectiva.com.br/8/RPMS/gaim-0.59.8-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gaim-0.59.8-1U80_1cl
.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gaim-0.75-27683U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/gaim-0.75-27683U90_1cl.src.rpm
|
Vendor URL: gaim.sourceforge.net/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Conectiva)
|
Underlying OS Comments: 8, 9
|
Reported By: Conectiva Updates <secure@conectiva.com.br>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 10 Feb 2004 19:04:25 -0200
From: Conectiva Updates <secure@conectiva.com.br>
Subject: [conectiva-updates] [CLA-2004:813] Conectiva Security Announcement - gaim
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------
PACKAGE : gaim
SUMMARY : Several remote vulnerabilities
DATE : 2004-02-10 19:03:00
ID : CLA-2004:813
RELEVANT
RELEASES : 8, 9
- -------------------------------------------------------------------------
DESCRIPTION
Gaim is a multi-protocol, multi-platform instant messaging client.
Stefan Esser found[1] several remote vulnerabilities in Gaim. A
remote attacker can use specially crafted network packets to exploit
at least one of these vulnerabilities and execute arbitrary code in
the context of the user running the program or cause a denial of
service condition.
This update includes updated packages for Conectiva Linux 8 (Gaim
0.58.8) and Conectiva Linux 9 (Gaim 0.75). The vulnerabilities vary
accordingly to the version used, but both are susceptible to remote
attacks.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CAN-2004-0005, CAN-2004-0006, CAN-2004-0007
and CAN-2004-0008 to the issues discovered[2,3,4,5].
SOLUTION
All gaim users should upgrade.
REFERENCES
1.http://security.e-matters.de/advisories/012004.html
2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0005
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008
UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/8/RPMS/gaim-0.59.8-1U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/gaim-0.59.8-1U80_1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/gaim-0.75-27683U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/gaim-0.75-27683U90_1cl.src.rpm
ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM packages upgrades:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions reagarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en
- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- -------------------------------------------------------------------------
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com
- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFAKUdY42jd0JmAcZARAnIEAJ9eg454Hgf7csNapnUh2w4SxBrRUwCgzeZO
TR8BxUS2KYXfdgwffUc29dU=
=I9Hh
-----END PGP SIGNATURE-----
|
|
