Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 99881 - net-im/gaim: Denial of Service on misc arches (CAN-2005-2370)
Summary: net-im/gaim: Denial of Service on misc arches (CAN-2005-2370)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.cve.mitre.org/cgi-bin/cven...
Whiteboard: B3 [noglsa] DerCorny
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-22 02:18 UTC by Stefan Cornelius (RETIRED)
Modified: 2005-08-15 21:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 02:18:58 UTC 
Karol Pasternak found two bugs in libgadu,
They can provide attacker to execute remote code or crash gg client.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-22 02:19:58 UTC 
net-im is working on an updated ebuild.
Comment 2 Don Seiler (RETIRED) gentoo-dev 2005-07-22 10:03:48 UTC 
http://sourceforge.net/mailarchive/forum.php?thread_id=7766860&forum_id=9587

From the post:
---
"Fortunately" gaim contains an extremely old version of 
 libgadu and is affected only by memory alignment bug, which cannot be 
 exploited on x86. No other critical vulnerabilities are known in gaim"s 
 version of libgadu.
---

I can patch the memory alignment bug, but that isn't a remote DoS issue.  This
CVE doesn't apply to gaim, IMHO.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-25 11:39:23 UTC 
any final news wether this is vulnerable or not?
Comment 4 Don Seiler (RETIRED) gentoo-dev 2005-07-25 14:08:56 UTC 
No action has been taken by gaim developers and discussion seemed to conclude
that gaim is not vulnerable to a remote exploit.
Comment 5 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-25 14:30:58 UTC 
Thx, closing bug as invalid.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-29 04:43:02 UTC 
Ok, reopening bug. It seems like the bug of comment #2 can be exploited as
remote DoS on certain architectures and there is a new CVE reference that
applies here. Debian also released DSA 769-1 for this.

net-im, please provide a patched ebuild, thanks.
Comment 7 Don Seiler (RETIRED) gentoo-dev 2005-07-29 07:03:07 UTC 
gaim-1.4.0-r2 committed with the upstream patch, stable x86.
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-29 07:57:21 UTC 
Arches, pls test and mark gaim-1.4.0-r2 stable. Thanks for your effort.
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-29 08:37:40 UTC 
ppc stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-29 11:06:50 UTC 
sparc stable.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2005-07-29 11:35:14 UTC 
stable on ppc64
Comment 12 Guy Martin (RETIRED) gentoo-dev 2005-07-30 05:30:27 UTC 
hppa stable
Comment 13 Fernando J. Pereda (RETIRED) gentoo-dev 2005-07-30 07:38:29 UTC 
alpha stable
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-08-01 02:19:46 UTC 
Still waiting on amd64...
Any idea of the exact list of arches affected ?
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-08-01 03:00:37 UTC 
  30 Jul 2005; Simon Stelling <blubb@gentoo.org> gaim-1.4.0-r2.ebuild:
  stable on amd64

I already marked it stable without noticing this bug :/
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-08-02 02:03:13 UTC 
This is on misc arches with a misc transport... Rating B
Security: please vote on GLSA need... I tend to vote NO.
Comment 17 Stefan Cornelius (RETIRED) gentoo-dev 2005-08-02 06:40:46 UTC 
I tend to a no, too.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2005-08-04 14:27:18 UTC 
Stable on ia64.
Comment 19 Tavis Ormandy (RETIRED) gentoo-dev 2005-08-05 00:35:18 UTC 
also vote NO
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-08-05 00:37:43 UTC 
Reopen if you disagree.