Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 68271 - net-im/gaim-1.0.2, x11-plugins/gaim-encryption-2.32: multiple vulnerabilities
Summary: net-im/gaim-1.0.2, x11-plugins/gaim-encryption-2.32: multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: B1 [glsa]
Depends on:
Reported: 2004-10-20 06:58 UTC by Don Seiler (RETIRED)
Modified: 2004-10-24 17:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Don Seiler (RETIRED) gentoo-dev 2004-10-20 06:58:16 UTC
There will be a CAN security notice regarding gaim < 1.0.2.  I suggest testing and stabilisation of these packages ASAP.

One note is that evolution-data-server is not stable on any arch.  Right now repoman is giving me a warning.  It is only needed when USE="eds", which only ~arch people would do anyway.  I don't have a stable box to test on and will commit this for now in x86.
Comment 1 Don Seiler (RETIRED) gentoo-dev 2004-10-20 07:07:03 UTC
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-10-20 07:10:43 UTC
MSN SLP buffer overflow (CAN-2004-0891)
Buffer overflow. memcpy was used without checking the size of the buffer before copying to it. Additionally, a logic flaw was causing the wrong buffer to be used as the destination for the copy under certain circumstances.

MSN File transfer DOS (malloc error)
Remote crash. After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire filesize, this allocation attempt will cause Gaim to crash if the size exceeds the amount of available memory.

MSN SLP DOS (malloc error)
Remote crash. Gaim allocates a buffer for the payload of each message received based on the size field in the header of the message. A malicious peer could specify an invalid size that exceeds the amount of available memory.
Comment 3 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-20 09:07:11 UTC
Are we just supposed to commit gaim to stable breaking the deps?
There's two choices IMHO:
1- drop the eds USE flag
2- bring some evolution-data-server into stable (which would involve net-libs/libsoup too).
Comment 4 Don Seiler (RETIRED) gentoo-dev 2004-10-20 09:20:24 UTC
I'm comfortable with removing EDS support for now.
Comment 5 Don Seiler (RETIRED) gentoo-dev 2004-10-20 09:31:25 UTC
OK EDS support removed.
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2004-10-20 09:44:00 UTC
thanks don.
sparc stable now.
Comment 7 Ken Garland 2004-10-20 10:23:41 UTC
Can someone tell me what this is alla bout:

make[3]: Entering directory `/var/tmp/portage/gaim-1.0.2/work/gaim-1.0.2/plugins/tcl'
/bin/sh ../../libtool --silent --mode=link gcc  -march=athlon-xp -mcpu=i686 -pipe -O2 -Wall -g3   -o -rpath /usr/lib/gaim -module -avoid-version -L/usr/lib -ltcl8.4 -L/usr/lib -ltk8.4 tcl.lo tcl_glib.lo tcl_cmds.lo tcl_signals.lo  -lnsl 
collect2: ld returned 1 exit status
make[3]: *** [] Error 1
make[3]: Leaving directory `/var/tmp/portage/gaim-1.0.2/work/gaim-1.0.2/plugins/tcl'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/gaim-1.0.2/work/gaim-1.0.2/plugins'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/gaim-1.0.2/work/gaim-1.0.2'
make: *** [all] Error 2

!!! ERROR: net-im/gaim-1.0.2 failed.
!!! Function src_compile, Line 96, Exitcode 2
!!! Make failed
Comment 8 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2004-10-20 11:16:50 UTC
Done on ppc.
Comment 9 Ken Garland 2004-10-20 11:26:03 UTC
My apologies for the comment above (#7) - I would delete it if I could. IF possible please delete both of these message.

Thanks - ang good work on the release!
Comment 10 SpanKY gentoo-dev 2004-10-20 11:33:57 UTC
hppa/ia64 stable
Comment 11 Hardave Riar (RETIRED) gentoo-dev 2004-10-21 00:09:40 UTC
Stable on mips.
Comment 12 Don Seiler (RETIRED) gentoo-dev 2004-10-21 08:54:13 UTC
Marked stable on amd64 and alpha.

net-im/gaim-1.0.2 now stable on all arches.  Should be OK to send GLSA.
Comment 13 Luke Macken (RETIRED) gentoo-dev 2004-10-24 17:15:18 UTC
GLSA 200410-23