|Summary:||net-im/gaim Security vulnerabilities in current Gaim|
|Product:||Gentoo Security||Reporter:||Curtis Magyar <curtm4n>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Whiteboard:||A1 [glsa] jaervosz|
|Package list:||Runtime testing required:||---|
Description Curtis Magyar 2004-08-23 18:29:12 UTC
Three potential vulnerabilites have been discovered in Gaim 0.81. They are all fixed for Gaim 0.82 and a patch from 0.81 is available here. MSN Protocol Plugin In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit. Drag-and-Drop Smiley Themes To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector. Reproducible: Always Steps to Reproduce: 1. 2. 3.
Comment 1 Sune Kloppenborg Jeppesen 2004-08-23 21:02:16 UTC
gaim-bugs please bump to 0.82
Comment 2 Curtis Magyar 2004-08-23 21:13:00 UTC
0.82 isn't out until Thursday, and like last time they aren't immediately releasing a minor version to fix the vulnerability. I wasn't sure if the patch had been applied or not, and didn't see a notice about it so I filed this. Please close it if the patch is already included.
Comment 3 Don Seiler (RETIRED) 2004-08-24 06:27:48 UTC
Patches for items listed on gaim webpage are already patched. Two of them were patched in 0.81-r1 and the third is patched in 0.81-r3. There are other known vulnerabilities and I am working closely with gaim and other distro managers on it. All are already patched in CVS and I will working to extract those diffs, but regardless I am going to recommend putting 0.82 into stable ASAP when it comes out.
Comment 4 Don Seiler (RETIRED) 2004-08-24 06:53:01 UTC
Gaim has sent a nice uberpatch for all known vulnerabilities. Just committed in the form of gaim-0.81-r5. I'd suggest marking stable ASAP. I can do x86.
Comment 5 Don Seiler (RETIRED) 2004-08-24 06:59:52 UTC
Stable in x86. Other arches can you please mark gaim-0.81-r5 stable ASAP for security purposes. Will also involve marking gaim-encryption-2.29 stable, which is not a problem.
Comment 6 Gustavo Zacarias (RETIRED) 2004-08-24 08:13:04 UTC
Comment 7 Pieter Van den Abeele (RETIRED) 2004-08-24 10:45:52 UTC
Comment 8 Travis Tilley (RETIRED) 2004-08-25 09:35:31 UTC
stable on amd64
Comment 9 Bryan Østergaard (RETIRED) 2004-08-25 10:07:16 UTC
Stable on alpha.
Comment 10 SpanKY 2004-08-25 21:49:23 UTC
hppa is stable
Comment 11 Hardave Riar (RETIRED) 2004-08-26 00:54:17 UTC
Stable on mips
Comment 12 Sune Kloppenborg Jeppesen 2004-08-26 08:29:53 UTC
This one is ready for GLSA. Security please draft.
Comment 13 Tim Yamin (RETIRED) 2004-08-26 09:12:48 UTC
Stable on IA64.
Comment 14 Don Seiler (RETIRED) 2004-08-27 07:16:24 UTC
0.81-r5 now stable on all arches.
Comment 15 Sune Kloppenborg Jeppesen 2004-08-27 12:08:57 UTC