83253 – net-im/gaim-1.1.4 contains security fixes

Bug 83253 - net-im/gaim-1.1.4 contains security fixes

Summary: net-im/gaim-1.1.4 contains security fixes

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All All

Importance:	High normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	A3 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2005-02-24 19:32 UTC by Don Seiler (RETIRED)
Modified:	2005-03-01 12:21 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Don Seiler (RETIRED) gentoo-dev

2005-02-24 19:32:14 UTC

CAN-2005-0208

HTML parsing bug can cause remote crash of gaim < 1.1.4.

Asking ARCHes to mark net-im/gaim-1.1.4 stable.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-02-25 00:36:12 UTC

was fixed in 1.1.3:

Remote DoS on receiving malformed HTML (CAN-2005-0473)
Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.

AIM/ICQ remote denial of service (CAN-2005-0472)
Certain malformed SNAC packets sent by other AIM or ICQ users can trigger an infinite loop in Gaim when parsing the SNAC. The remote user would need a custom client, able to generate malformed SNAC

Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev

2005-02-25 05:57:12 UTC

sparc-a-go-go.

Comment 3 Thomas B. 2005-02-25 07:08:13 UTC

1.1.3 fixed CAN-2005-0473, but opened yet another, almost identical security issue, CAN-2005-0208.
So 1.1.4 does contain security fixes (see http://gaim.sourceforge.net/security/index.php ).

Comment 4 Don Seiler (RETIRED) gentoo-dev

2005-02-25 07:21:07 UTC

Yes.  So 1.1.4 contains all three fixes, as 1.1.3 had not yet made stable on all ARCHes.

I've marked stable on x86, as that is my playground.

Comment 5 Don Seiler (RETIRED) gentoo-dev

2005-02-25 07:21:27 UTC

Removing cc on x86 team.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-02-25 07:57:15 UTC

was fixed in 1.1.4:

Client crashes when receiving specific malformed HTML (CAN-2005-0208)
Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.

Comment 7 Simon Stelling (RETIRED) gentoo-dev

2005-02-25 08:57:16 UTC

stable on amd64

Comment 8 Markus Rothe (RETIRED) gentoo-dev

2005-02-26 00:16:44 UTC

stable on ppc64

Comment 9 Stephen Becker (RETIRED) gentoo-dev

2005-02-26 19:33:54 UTC

stable on mipshttp://bugs.gentoo.org/show_bug.cgi?id=83253

Comment 10 Bryan Østergaard (RETIRED) gentoo-dev

2005-02-27 04:25:06 UTC

Stable on alpha.

Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev

2005-02-27 07:11:10 UTC

removing ia64

been marked stable without notice
no entry in Changelog but cvs log gives:
revision 1.4
date: 2005/02/25 16:19:09;  author: agriffis;  state: Exp;  lines: +2 -2
stable on ia64 #83253
(Portage version: 2.0.51-r15)

Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev

2005-02-28 14:24:01 UTC

Marked stable on ppc by blubb.

Comment 13 Don Seiler (RETIRED) gentoo-dev

2005-03-01 07:20:52 UTC

Vapier gave the OK to mark stable on HPPA and ARM.  I have done this.  That is the last of the arches.

Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-03-01 12:21:20 UTC

GLSA 200503-02