Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 60034
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
rats.log Rats log for assessing the security issues. text/plain Chris White (RETIRED) 2004-08-11 00:27 0000 2.78 KB Details
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 60034 depends on: Show dependency tree
Bug 60034 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2004-08-11 00:13 0000 
Gaim contains several remote overflows related to the MSN-protocol parsing
functions that may allow remote code execution. No further details have been
provided.

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-08-11 00:18:07 0000 ------- 
Unclear if this is fixed in gaim-0.81.

------- Comment #2 From Chris White (RETIRED) 2004-08-11 00:27:03 0000 ------- 
Created an attachment (id=37199) [details]
Rats log for assessing the security issues.

Here's a rats log which might help in addressing the security issue.  There
appears to be a lot of High ranking bugs in it.  I'll take a look and see.

------- Comment #3 From Don Seiler (RETIRED) 2004-08-11 06:43:17 0000 ------- 
I'll ask upstream and report back.

------- Comment #4 From Don Seiler (RETIRED) 2004-08-11 07:17:41 0000 ------- 
Chris did you run RATS against the 0.81 package?

------- Comment #5 From Don Seiler (RETIRED) 2004-08-11 12:32:46 0000 ------- 
Upstream identified potential exploits from SuSE, one had already been fixed,
other is patched in their CVS and now in net-im/gaim-0.81-r1, just committed to
portage.

------- Comment #6 From Don Seiler (RETIRED) 2004-08-11 12:35:33 0000 ------- 
Thinking about ARCH vs ~ARCH, right now 0.80 is stable on all.  I was going to
start pushing 0.81 later this week.  Should make that push for what I presume
will be a GLSA or do you want me to backport the fix to 0.80 as well?

I'd rather see users moved to 0.81 for the bug fixes anyway.  Let me know what
you guys think.

------- Comment #7 From Don Seiler (RETIRED) 2004-08-11 12:55:47 0000 ------- 
Stable on x86.  Other arches can you please push this through to stable for a
security fix?

------- Comment #8 From Don Seiler (RETIRED) 2004-08-11 12:58:26 0000 ------- 
By "this" I mean net-im/gaim-0.81-r1.

------- Comment #9 From Don Seiler (RETIRED) 2004-08-11 14:34:48 0000 ------- 
lv marked stable on amd64

------- Comment #10 From Sune Kloppenborg Jeppesen 2004-08-11 14:56:21 0000 ------- 
rizzo thanks for the swift reaction.

------- Comment #11 From Jochen Maes (RETIRED) 2004-08-12 00:40:25 0000 ------- 
i'm testing this on ppc

------- Comment #12 From Jochen Maes (RETIRED) 2004-08-12 04:41:25 0000 ------- 
Don't know if it's normal but i can't login: 
account: Connecting to account 0x10186408. gc = 0x1037b1f8
connection: Connecting. gc = 0x1037b1f8
connection: Calling serv_login
server: gaim 0.81 logging in dj_sejo@hotmail.com using MSN
dns: Successfully sent DNS request to child 26777
dns: Host 'messenger.hotmail.com' resolved
proxy: Connecting to messenger.hotmail.com:1863 with no proxy
proxy: Connect would have blocked.
proxy: Connected.
account: Disconnecting account 0x10186408
connection: Disconnecting connection 0x1037b1f8
blist: Destroying
connection: Destroying connection 0x1037b1f8
accounts: Writing accounts to disk.

------- Comment #13 From Jochen Maes (RETIRED) 2004-08-12 04:44:53 0000 ------- 
just got to logging in, added stable

------- Comment #14 From Guy Martin 2004-08-12 05:16:33 0000 ------- 
Stable on hppa.

------- Comment #15 From Gustavo Zacarias (RETIRED) 2004-08-12 05:42:56 0000 ------- 
Sparc stable.

------- Comment #16 From Sune Kloppenborg Jeppesen 2004-08-12 09:07:47 0000 ------- 
GLSA drafted security please review

------- Comment #17 From Sune Kloppenborg Jeppesen 2004-08-12 14:01:52 0000 ------- 
GLSA 200408-12.

alpha ia64 mips remember to mark stable to benifit from GLSA.

------- Comment #18 From Bryan Østergaard (RETIRED) 2004-08-12 15:15:28 0000 ------- 
Stable on alpha.

------- Comment #19 From Stephen Becker (RETIRED) 2004-08-14 20:49:23 0000 ------- 
stable on mips
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug