(Slackware Issues Fix) Gaim Contains Multiple Overflows That Let a Remote User Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1008857 |
|
SecurityTracker URL: http://securitytracker.com/id/1008857
|
|
CVE Reference:
CAN-2004-0005, CAN-2004-0006, CAN-2004-0007, CAN-2004-0008
(Links to External Site)
|
Date: Jan 27 2004
|
Impact:
Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 0.75 and prior versions
|
Description:
Multiple vulnerabilities were reported in Gaim. A remote user can execute arbitrary code on the target user's system.
Stefan Esser of e-matters GmbH reported 12 vulnerabilities, including stack overflows, heap overflows, and an integer overflow. Some of the vulnerabilities require a man-in-the-middle attack to exploit.
Several of the vulnerabilities were due to buffer overflows in the processing of Yahoo! Messenger protocol.
An integer overflow was reported in the processing of the AIM/Oscar protocol.
A variety of other protocols and functions also contain overflows.
It is reported that two buffer overflows reside in the decoding of octal values in the yahoo_decode() function in
'gaim/src/protocols/yahoo/yahoo.c' [CVE: CAN-2004-0005]. Only version 0.75 is affected.
A remote server can send an HTTP reply header with specially crafted cookie values to trigger an overflow in 'gaim/src/protocols/yahoo/yahoo.c' in the yahoo_web_pending() function [CVE: CAN-2004-0006].
Two buffer overflows in yahoo_login_page_hash() can be triggered by specially crafted values in the Yahoo! login webpage [CVE: CAN-2004-0006].
A remote user can send a Yahoo! Messenger packet containing a specially crafted keyname value to the target server via the Yahoo! server to execute arbitrary code on the target system [CVE: CAN-2004-0006]. The flaw reportedly resides in the yahoo_packet_read() function in 'gaim/src/protocols/yahoo/yahoo.c'.
It is reported that a malicious AIM/Oscar directIM packet can trigger an overflow in the handlehdr_odc() function in 'gaim/src/protocols/oscar/ft.c' [CVE: CAN-2004-0008]. Versions 0.74 and prior are affected.
Two vulnerabilites were reported in the MIME decoding functions of quotedp_decode() in 'gaim/src/util.c' [CVE: CAN-2004-0005]. Only version 0.75 is affected.
The gaim_url_parse() function in 'gaim/src/util.c' reportedly splits URLs into fixed sized buffers [CVE: CAN-2004-0006].
The gaim_markup_extract_info_field() function in 'gaim/src/util.c' contains a stack overflow in several locations [CVE: CAN-2004-0007]. Versions 0.74 and earlier are affected.
A remote user acting as an HTTP proxy server can trigger an overflow in a connected Gaim client when the client is configured to use an HTTP proxy [CVE: CAN-2004-0006]. The flaw resides in the http_canread() function in 'gaim/src/proxy.c'.
The vendor was initially notified regarding the first of the bugs on January 4, 2004.
The original advisory is available at:
http://security.e-matters.de/advisories/012004.html
|
Impact:
A remote user can execute arbitrary code on the target system. In some of the vulnerabilities, the remote user must be operating as a malicious server. In some cases, the remote user must invoke a man-in-the-middle attack. In one case, a remote user can simply send a message via the Yahoo! server.
|
Solution:
Slackware has released a fix.
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gaim-0.75-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-0.75-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-0.75-i486-1.tgz
The MD5 signatures are:
Slackware 9.0 package:
452ccd82a9ee640912575a8fdcea86a1 gaim-0.75-i386-1.tgz
Slackware 9.1 package:
b66997156d55a0f9561e80e604b25630 gaim-0.75-i486-1.tgz
Slackware -current package:
259f1731e2278b2c68a54d215ec55dfb gaim-0.75-i486-1.tgz
|
Vendor URL: gaim.sourceforge.net/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Slackware)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Mon, 26 Jan 2004 16:14:45 -0800 (PST)
Subject: [slackware-security] GAIM security update (SSA:2004-026-01)
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[slackware-security] GAIM security update (SSA:2004-026-01)
GAIM is a GTK2-based Instant Messaging (IM) client.
New GAIM packages are available for Slackware 9.0, 9.1, and -current.
12 vulnerabilities were found in the instant messenger GAIM that
allow remote compromise. All sites using GAIM should upgrade to these
new packages. These are based on GAIM 0.75 with patches for all 12
security issues. Thanks to Stefan Esser of e-matters GmbH for
finding and reporting these bugs.
For more details, see the e-matters GmbH advisory here:
http://security.e-matters.de/advisories/012004.html
Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Mon Jan 26 15:27:17 PST 2004
patches/packages/gaim-0.75-i486-1.tgz: Upgraded to gaim-0.75 and patched
12 overflows that can allow remote compromise. All GAIM users should
upgrade.
(* Security fix *)
+--------------------------+
WHERE TO FIND THE NEW PACKAGE:
+-----------------------------+
Updated package for Slackware 9.0:
ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/gaim-0.75-i386-1.tgz
Updated package for Slackware 9.1:
ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/gaim-0.75-i486-1.tgz
Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/gaim-0.75-i486-1.tgz
MD5 SIGNATURES:
+-------------+
Slackware 9.0 package:
452ccd82a9ee640912575a8fdcea86a1 gaim-0.75-i386-1.tgz
Slackware 9.1 package:
b66997156d55a0f9561e80e604b25630 gaim-0.75-i486-1.tgz
Slackware -current package:
259f1731e2278b2c68a54d215ec55dfb gaim-0.75-i486-1.tgz
INSTALLATION INSTRUCTIONS:
+------------------------+
Upgrade the GAIM package with upgradepkg:
# upgradepkg gaim-0.75-i486-1.tgz
+-----+
Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com
+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back. Follow the instructions to |
| complete the unsubscription. Do not reply to this message to |
| unsubscribe! |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQFAFawxakRjwEAQIjMRAmu3AJ9WMy7x9BpWwp/H5R4xHpZFbUugMwCfez0y
gW8rRKkIic9x2xX10+Q6sWY=
=bixk
-----END PGP SIGNATURE-----
|
|
