Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 83253 - net-im/gaim-1.1.4 contains security fixes
Summary: net-im/gaim-1.1.4 contains security fixes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-02-24 19:32 UTC by Don Seiler (RETIRED)
Modified: 2005-03-01 12:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Don Seiler (RETIRED) gentoo-dev 2005-02-24 19:32:14 UTC
CAN-2005-0208

HTML parsing bug can cause remote crash of gaim < 1.1.4.

Asking ARCHes to mark net-im/gaim-1.1.4 stable.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 00:36:12 UTC
was fixed in 1.1.3:

Remote DoS on receiving malformed HTML (CAN-2005-0473)
Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.

AIM/ICQ remote denial of service (CAN-2005-0472)
Certain malformed SNAC packets sent by other AIM or ICQ users can trigger an infinite loop in Gaim when parsing the SNAC. The remote user would need a custom client, able to generate malformed SNAC
Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-25 05:57:12 UTC
sparc-a-go-go.
Comment 3 Thomas B. 2005-02-25 07:08:13 UTC
1.1.3 fixed CAN-2005-0473, but opened yet another, almost identical security issue, CAN-2005-0208.
So 1.1.4 does contain security fixes (see http://gaim.sourceforge.net/security/index.php ).
Comment 4 Don Seiler (RETIRED) gentoo-dev 2005-02-25 07:21:07 UTC
Yes.  So 1.1.4 contains all three fixes, as 1.1.3 had not yet made stable on all ARCHes.

I've marked stable on x86, as that is my playground.
Comment 5 Don Seiler (RETIRED) gentoo-dev 2005-02-25 07:21:27 UTC
Removing cc on x86 team.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 07:57:15 UTC
was fixed in 1.1.4:

Client crashes when receiving specific malformed HTML (CAN-2005-0208)
Remote crash. Receiving malformed HTML can result in an invalid memory access causing Gaim to crash.
Comment 7 Simon Stelling (RETIRED) gentoo-dev 2005-02-25 08:57:16 UTC
stable on amd64
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2005-02-26 00:16:44 UTC
stable on ppc64
Comment 9 Stephen Becker (RETIRED) gentoo-dev 2005-02-26 19:33:54 UTC
stable on mipshttp://bugs.gentoo.org/show_bug.cgi?id=83253
Comment 10 Bryan Østergaard (RETIRED) gentoo-dev 2005-02-27 04:25:06 UTC
Stable on alpha.
Comment 11 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-27 07:11:10 UTC
removing ia64

been marked stable without notice
no entry in Changelog but cvs log gives:
revision 1.4
date: 2005/02/25 16:19:09;  author: agriffis;  state: Exp;  lines: +2 -2
stable on ia64 #83253
(Portage version: 2.0.51-r15)
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-28 14:24:01 UTC
Marked stable on ppc by blubb.
Comment 13 Don Seiler (RETIRED) gentoo-dev 2005-03-01 07:20:52 UTC
Vapier gave the OK to mark stable on HPPA and ARM.  I have done this.  That is the last of the arches.
Comment 14 Sune Kloppenborg Jeppesen gentoo-dev 2005-03-01 12:21:20 UTC
GLSA 200503-02