Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 61457

Summary: net-im/gaim Security vulnerabilities in current Gaim
Product: Gentoo Security Reporter: Curtis Magyar <curtm4n>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dberkholz, gaim-bugs
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://gaim.sourceforge.net/security.php
Whiteboard: A1 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Curtis Magyar 2004-08-23 18:29:12 UTC 
Three potential vulnerabilites have been discovered in Gaim 0.81. They are all fixed for Gaim 0.82 and a patch from 0.81 is available here.
MSN Protocol Plugin

In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit.
Drag-and-Drop Smiley Themes

To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector.


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 21:02:16 UTC 
gaim-bugs please bump to 0.82
Comment 2 Curtis Magyar 2004-08-23 21:13:00 UTC 
0.82 isn't out until Thursday, and like last time they aren't immediately releasing a minor version to fix the vulnerability.  I wasn't sure if the patch had been applied or not, and didn't see a notice about it so I filed this.  Please close it if the patch is already included.
Comment 3 Don Seiler (RETIRED) gentoo-dev 2004-08-24 06:27:48 UTC 
Patches for items listed on gaim webpage are already patched.  Two of them were patched in 0.81-r1 and the third is patched in 0.81-r3.

There are other known vulnerabilities and I am working closely with gaim and other distro managers on it.  All are already patched in CVS and I will working to extract those diffs, but regardless I am going to recommend putting 0.82 into stable ASAP when it comes out.
Comment 4 Don Seiler (RETIRED) gentoo-dev 2004-08-24 06:53:01 UTC 
Gaim has sent a nice uberpatch for all known vulnerabilities.  Just committed in the form of gaim-0.81-r5.  I'd suggest marking stable ASAP.  I can do x86.
Comment 5 Don Seiler (RETIRED) gentoo-dev 2004-08-24 06:59:52 UTC 
Stable in x86.  Other arches can you please mark gaim-0.81-r5 stable ASAP for security purposes.  Will also involve marking gaim-encryption-2.29 stable, which is not a problem.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-24 08:13:04 UTC 
Sparc stable.
Comment 7 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-24 10:45:52 UTC 
ppc stable
Comment 8 Travis Tilley (RETIRED) gentoo-dev 2004-08-25 09:35:31 UTC 
stable on amd64
Comment 9 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-25 10:07:16 UTC 
Stable on alpha.
Comment 10 SpanKY gentoo-dev 2004-08-25 21:49:23 UTC 
hppa is stable
Comment 11 Hardave Riar (RETIRED) gentoo-dev 2004-08-26 00:54:17 UTC 
Stable on mips
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-26 08:29:53 UTC 
This one is ready for GLSA. Security please draft.
Comment 13 Tim Yamin (RETIRED) gentoo-dev 2004-08-26 09:12:48 UTC 
Stable on IA64.
Comment 14 Don Seiler (RETIRED) gentoo-dev 2004-08-27 07:16:24 UTC 
0.81-r5 now stable on all arches.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-27 12:08:57 UTC 
GLSA 200408-27