Karol Pasternak found two bugs in libgadu, They can provide attacker to execute remote code or crash gg client.
net-im is working on an updated ebuild.
http://sourceforge.net/mailarchive/forum.php?thread_id=7766860&forum_id=9587 From the post: --- "Fortunately" gaim contains an extremely old version of libgadu and is affected only by memory alignment bug, which cannot be exploited on x86. No other critical vulnerabilities are known in gaim"s version of libgadu. --- I can patch the memory alignment bug, but that isn't a remote DoS issue. This CVE doesn't apply to gaim, IMHO.
any final news wether this is vulnerable or not?
No action has been taken by gaim developers and discussion seemed to conclude that gaim is not vulnerable to a remote exploit.
Thx, closing bug as invalid.
Ok, reopening bug. It seems like the bug of comment #2 can be exploited as remote DoS on certain architectures and there is a new CVE reference that applies here. Debian also released DSA 769-1 for this. net-im, please provide a patched ebuild, thanks.
gaim-1.4.0-r2 committed with the upstream patch, stable x86.
Arches, pls test and mark gaim-1.4.0-r2 stable. Thanks for your effort.
ppc stable
sparc stable.
stable on ppc64
hppa stable
alpha stable
Still waiting on amd64... Any idea of the exact list of arches affected ?
30 Jul 2005; Simon Stelling <blubb@gentoo.org> gaim-1.4.0-r2.ebuild: stable on amd64 I already marked it stable without noticing this bug :/
This is on misc arches with a misc transport... Rating B Security: please vote on GLSA need... I tend to vote NO.
I tend to a no, too.
Stable on ia64.
also vote NO
Reopen if you disagree.