Bug 60034

Summary: net-im/gaim MSN Protocol Parsing Function Multiple Overflows
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: gaim-bugs
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.osvdb.org/displayvuln.php?osvdb_id=8382
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Attachments: Rats log for assessing the security issues. (Flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 00:13:54 UTC
Gaim contains several remote overflows related to the MSN-protocol parsing functions that may allow remote code execution. No further details have been provided.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 00:18:07 UTC
Unclear if this is fixed in gaim-0.81.
Comment 2 Chris White (RETIRED) gentoo-dev 2004-08-11 00:27:03 UTC
Created attachment 37199
Rats log for assessing the security issues.

Here's a rats log which might help in addressing the security issue.  There
appears to be a lot of High ranking bugs in it.  I'll take a look and see.
Comment 3 Don Seiler (RETIRED) gentoo-dev 2004-08-11 06:43:17 UTC
I'll ask upstream and report back.
Comment 4 Don Seiler (RETIRED) gentoo-dev 2004-08-11 07:17:41 UTC
Chris, did you run RATS against the 0.81 package?
Comment 5 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:32:46 UTC
Upstream identified potential exploits from SuSE; one had already been fixed, the other is patched in their CVS and now in net-im/gaim-0.81-r1, just committed to portage.
Comment 6 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:35:33 UTC
Thinking about ARCH vs ~ARCH, right now 0.80 is stable on all.  I was going to start pushing 0.81 later this week.  Should I make that push for what I presume will be a GLSA, or do you want me to backport the fix to 0.80 as well?

I'd rather see users moved to 0.81 for the bug fixes anyway.  Let me know what you guys think.
Comment 7 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:55:47 UTC
Stable on x86.  Other arches, can you please push this through to stable for a security fix?
Comment 8 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:58:26 UTC
By "this" I mean net-im/gaim-0.81-r1.
Comment 9 Don Seiler (RETIRED) gentoo-dev 2004-08-11 14:34:48 UTC
lv marked stable on amd64
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 14:56:21 UTC
rizzo, thanks for the swift reaction.
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 00:40:25 UTC
I'm testing this on ppc
Comment 12 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 04:41:25 UTC
Don't know if it's normal but I can't login:
account: Connecting to account 0x10186408. gc = 0x1037b1f8
connection: Connecting. gc = 0x1037b1f8
connection: Calling serv_login
server: gaim 0.81 logging in dj_sejo@hotmail.com using MSN
dns: Successfully sent DNS request to child 26777
dns: Host 'messenger.hotmail.com' resolved
proxy: Connecting to messenger.hotmail.com:1863 with no proxy
proxy: Connect would have blocked.
proxy: Connected.
account: Disconnecting account 0x10186408
connection: Disconnecting connection 0x1037b1f8
blist: Destroying
connection: Destroying connection 0x1037b1f8
accounts: Writing accounts to disk.

Comment 13 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 04:44:53 UTC
just got to logging in, added stable
Comment 14 Guy Martin (RETIRED) gentoo-dev 2004-08-12 05:16:33 UTC
Stable on hppa.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-12 05:42:56 UTC
Sparc stable.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-12 09:07:47 UTC
GLSA drafted, security please review
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-12 14:01:52 UTC
GLSA 200408-12.

alpha ia64 mips, remember to mark stable to benefit from GLSA.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-12 15:15:28 UTC
Stable on alpha.
Comment 19 Stephen Becker (RETIRED) gentoo-dev 2004-08-14 20:49:23 UTC
stable on mips