Three potential vulnerabilities have been discovered in Gaim 0.81. They are all fixed for Gaim 0.82 and a patch from 0.81 is available here.
MSN Protocol Plugin
In two places in the MSN protocol plugins (object.c and slp.c), strncpy was used incorrectly; the size of the array was not checked before copying to it. Both bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so this could potentially be easy to exploit.
Drag-and-Drop Smiley Themes
To install a new smiley theme, a user can drag a tarball from a graphical file manager, or a hypertext link to one from a web browser. When a tarball is dragged, Gaim executes a shell command to untar it. However, it does not escape the filename before sending it to the shell. Thus, a specially crafted filename could execute arbitrary commands if the user could be convinced to drag a file into the smiley theme selector.
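Both bug classes above, as an added example in C that is not Gaim's code: a bounded copy that checks the destination size before copying (the strncpy issue), and single-quote escaping of a filename before it is passed to /bin/sh (the smiley theme issue). The `tar -xzf` command line is an assumption for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy that checks the destination size first instead of calling strncpy
 * with a length nobody verified. Copies at most n bytes of src; -1 if it won't fit. */
int checked_copy(char *dst, size_t dstsize, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len] != '\0') len++;
    if (dstsize == 0 || len >= dstsize) return -1;   /* leave room for the NUL */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Quote a filename for /bin/sh: wrap it in single quotes and rewrite each embedded
 * single quote as '\'' so the shell sees one literal word and never interprets
 * metacharacters in the name. Returns a malloc'd string, or NULL on failure. */
char *shell_quote(const char *name)
{
    size_t extra = 0;
    for (const char *p = name; *p; p++)
        if (*p == '\'') extra += 3;                  /* each ' grows to '\'' */
    char *out = malloc(strlen(name) + extra + 3);    /* 2 quotes + NUL */
    if (out == NULL) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else            *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build the untar command with the quoted path. The "tar -xzf" form is assumed
 * for illustration; it is not Gaim's actual command line. */
int build_untar_command(char *cmd, size_t cmdsize, const char *tarball)
{
    char *quoted = shell_quote(tarball);
    if (quoted == NULL) return -1;
    int n = snprintf(cmd, cmdsize, "tar -xzf %s", quoted);
    free(quoted);
    return (n < 0 || (size_t)n >= cmdsize) ? -1 : 0;
}
```

The stronger fix is to skip the shell entirely and run tar through fork/execvp with an argument vector, so no quoting is needed. Quoting stops shell interpretation but not tar's option parsing, so a name beginning with `-` still needs a `--` or a path prefix.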
gaim-bugs please bump to 0.82
0.82 isn't out until Thursday, and like last time they aren't immediately releasing a minor version to fix the vulnerability. I wasn't sure if the patch had been applied or not, and didn't see a notice about it so I filed this. Please close it if the patch is already included.
Items listed on the gaim webpage are already patched. Two of them were patched in 0.81-r1 and the third is patched in 0.81-r3.
There are other known vulnerabilities and I am working closely with gaim and other distro managers on it. All are already patched in CVS and I will be working to extract those diffs, but regardless I am going to recommend putting 0.82 into stable ASAP when it comes out.
Gaim has sent a nice uberpatch for all known vulnerabilities. Just committed in the form of gaim-0.81-r5. I'd suggest marking stable ASAP. I can do x86.
Stable in x86. Other arches, can you please mark gaim-0.81-r5 stable ASAP for security purposes. This will also involve marking gaim-encryption-2.29 stable, which is not a problem.
stable on amd64
Stable on alpha.
hppa is stable
Stable on mips
This one is ready for GLSA. Security please draft.
Stable on IA64.
0.81-r5 now stable on all arches.