Bug#: 61457
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Curtis Magyar <curtm4n@gmail.com>

Description:   Opened: 2004-08-23 18:29 0000
Three potential vulnerabilities have been discovered in Gaim 0.81. They are all
fixed for Gaim 0.82 and a patch from 0.81 is available here.

MSN Protocol Plugin

In two places in the MSN protocol plugins (object.c and slp.c), strncpy was
used incorrectly; the size of the array was not checked before copying to it.
Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could
potentially be easy to exploit.

Drag-and-Drop Smiley Themes

To install a new smiley theme, a user can drag a tarball from a graphical file
manager, or a hypertext link to one from a web browser. When a tarball is
dragged, Gaim executes a shell command to untar it. However, it does not escape
the filename before sending it to the shell. Thus, a specially crafted filename
could execute arbitrary commands if the user could be convinced to drag a file
into the smiley theme selector.


Reproducible: Always
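The strncpy misuse described under "MSN Protocol Plugin" above, as an added example that is not part of the bug report and is not Gaim's code: a bounded copy that checks the untrusted length against the destination array before writing. The `peer_field` struct, its 16-byte size, the function names and the sample messages are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size field standing in for any array filled from a
 * peer-supplied message. Not taken from Gaim's object.c or slp.c. */
struct peer_field {
    char value[16];
};

/* Flawed pattern, shown only as a comment: the bound is the length of the
 * untrusted input, so the call writes past value[] whenever
 * len >= sizeof value, and it never adds a terminating NUL.
 *
 *     strncpy(f->value, src, len);
 */

/* Hardened form: compare the input length with the destination size first,
 * reject oversized input instead of silently truncating it, and terminate
 * explicitly. Returns 0 on success, -1 if the field does not fit. */
static int copy_checked(struct peer_field *f, const char *src, size_t len)
{
    if (len >= sizeof f->value)      /* need one byte for the NUL */
        return -1;
    memcpy(f->value, src, len);
    f->value[len] = '\0';
    return 0;
}

/* Copy the token that ends at the first space of a message line. */
static int parse_token(struct peer_field *f, const char *msg)
{
    return copy_checked(f, msg, strcspn(msg, " "));
}

int main(void)
{
    struct peer_field f;
    /* Constructed sample messages: 6-byte, 15-byte and 16-byte tokens. */
    const char *samples[] = { "abc123 rest", "123456789012345 x",
                              "1234567890123456 x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_token(&f, samples[i]);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? f.value : "rejected");
    }
    return 0;
}
```
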

------- Comment #1 From Sune Kloppenborg Jeppesen 2004-08-23 21:02:16 0000 -------
gaim-bugs please bump to 0.82

------- Comment #2 From Curtis Magyar 2004-08-23 21:13:00 0000 -------
0.82 isn't out until Thursday, and like last time they aren't immediately
releasing a minor version to fix the vulnerability.  I wasn't sure if the patch
had been applied or not, and didn't see a notice about it so I filed this. 
Please close it if the patch is already included.

------- Comment #3 From Don Seiler (RETIRED) 2004-08-24 06:27:48 0000 -------
Patches for items listed on gaim webpage are already patched.  Two of them were
patched in 0.81-r1 and the third is patched in 0.81-r3.

There are other known vulnerabilities and I am working closely with gaim and
other distro managers on it.  All are already patched in CVS and I will be working
to extract those diffs, but regardless I am going to recommend putting 0.82
into stable ASAP when it comes out.

------- Comment #4 From Don Seiler (RETIRED) 2004-08-24 06:53:01 0000 -------
Gaim has sent a nice uberpatch for all known vulnerabilities.  Just committed
in the form of gaim-0.81-r5.  I'd suggest marking stable ASAP.  I can do x86.

------- Comment #5 From Don Seiler (RETIRED) 2004-08-24 06:59:52 0000 -------
Stable in x86.  Other arches can you please mark gaim-0.81-r5 stable ASAP for
security purposes.  Will also involve marking gaim-encryption-2.29 stable,
which is not a problem.

------- Comment #6 From Gustavo Zacarias (RETIRED) 2004-08-24 08:13:04 0000 -------
Sparc stable.

------- Comment #7 From Pieter Van den Abeele 2004-08-24 10:45:52 0000 -------
ppc stable

------- Comment #8 From Travis Tilley (RETIRED) 2004-08-25 09:35:31 0000 -------
stable on amd64

------- Comment #9 From Bryan Østergaard (RETIRED) 2004-08-25 10:07:16 0000 -------
Stable on alpha.

------- Comment #10 From SpanKY 2004-08-25 21:49:23 0000 -------
hppa is stable

------- Comment #11 From Hardave Riar (RETIRED) 2004-08-26 00:54:17 0000 -------
Stable on mips

------- Comment #12 From Sune Kloppenborg Jeppesen 2004-08-26 08:29:53 0000 -------
This one is ready for GLSA. Security please draft.

------- Comment #13 From Tim Yamin (RETIRED) 2004-08-26 09:12:48 0000 -------
Stable on IA64.

------- Comment #14 From Don Seiler (RETIRED) 2004-08-27 07:16:24 0000 -------
0.81-r5 now stable on all arches.

------- Comment #15 From Sune Kloppenborg Jeppesen 2004-08-27 12:08:57 0000 -------
GLSA 200408-27
