Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 60034 - net-im/gaim MSN Protocol Parsing Function Multiple Overflows
Summary: net-im/gaim MSN Protocol Parsing Function Multiple Overflows
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A1 [glsa]
Depends on:
Reported: 2004-08-11 00:13 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Rats log for assessing the security issues. (rats.log,2.78 KB, text/plain)
2004-08-11 00:27 UTC, Chris White (RETIRED)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 00:13:54 UTC
Gaim contains several remote overflows related to the MSN-protocol parsing functions that may allow remote code execution. No further details have been provided.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 00:18:07 UTC
Unclear if this is fixed in gaim-0.81.
Comment 2 Chris White (RETIRED) gentoo-dev 2004-08-11 00:27:03 UTC
Created attachment 37199 [details]
Rats log for assessing the security issues.

Here's a rats log which might help in addressing the security issue.  There
appears to be a lot of High ranking bugs in it.  I'll take a look and see.
Comment 3 Don Seiler (RETIRED) gentoo-dev 2004-08-11 06:43:17 UTC
I'll ask upstream and report back.
Comment 4 Don Seiler (RETIRED) gentoo-dev 2004-08-11 07:17:41 UTC
Chris did you run RATS against the 0.81 package?
Comment 5 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:32:46 UTC
Upstream identified potential exploits from SuSE, one had already been fixed, other is patched in their CVS and now in net-im/gaim-0.81-r1, just committed to portage.
Comment 6 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:35:33 UTC
Thinking about ARCH vs ~ARCH, right now 0.80 is stable on all.  I was going to start pushing 0.81 later this week.  Should make that push for what I presume will be a GLSA or do you want me to backport the fix to 0.80 as well?

I'd rather see users moved to 0.81 for the bug fixes anyway.  Let me know what you guys think.
Comment 7 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:55:47 UTC
Stable on x86.  Other arches can you please push this through to stable for a security fix?
Comment 8 Don Seiler (RETIRED) gentoo-dev 2004-08-11 12:58:26 UTC
By "this" I mean net-im/gaim-0.81-r1.
Comment 9 Don Seiler (RETIRED) gentoo-dev 2004-08-11 14:34:48 UTC
lv marked stable on amd64
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-11 14:56:21 UTC
rizzo thanks for the swift reaction.
Comment 11 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 00:40:25 UTC
i'm testing this on ppc
Comment 12 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 04:41:25 UTC
Don't know if it's normal but i can't login: 
account: Connecting to account 0x10186408. gc = 0x1037b1f8
connection: Connecting. gc = 0x1037b1f8
connection: Calling serv_login
server: gaim 0.81 logging in using MSN
dns: Successfully sent DNS request to child 26777
dns: Host '' resolved
proxy: Connecting to with no proxy
proxy: Connect would have blocked.
proxy: Connected.
account: Disconnecting account 0x10186408
connection: Disconnecting connection 0x1037b1f8
blist: Destroying
connection: Destroying connection 0x1037b1f8
accounts: Writing accounts to disk.

Comment 13 Jochen Maes (RETIRED) gentoo-dev 2004-08-12 04:44:53 UTC
just got to logging in, added stable
Comment 14 Guy Martin (RETIRED) gentoo-dev 2004-08-12 05:16:33 UTC
Stable on hppa.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-12 05:42:56 UTC
Sparc stable.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-12 09:07:47 UTC
GLSA drafted security please review
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-12 14:01:52 UTC
GLSA 200408-12.

alpha ia64 mips remember to mark stable to benifit from GLSA.
Comment 18 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-12 15:15:28 UTC
Stable on alpha.
Comment 19 Stephen Becker (RETIRED) gentoo-dev 2004-08-14 20:49:23 UTC
stable on mips