Bug 102961 (CVE-2005-21)

Summary: VUL-0: CVE-2005-21: gaim problems
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: gnome-bugs, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-2103: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments:
  One of the attachments
  the other attachment
  patchinfo for box
  patchinfo for maintained

Description Sebastian Krahmer 2005-08-09 09:09:47 UTC
Date: Mon, 8 Aug 2005 17:57:42 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] [mark@kingant.net: [Gaim-packagers] Gaim 1.5.0 and
    security problems]
----------------------------------------

This came from the gaim folk:

----- Forwarded message from Mark Doliner <mark@kingant.net> -----

From: "Mark Doliner" <mark@kingant.net>
To: gaim-packagers@lists.sourceforge.net
Subject: [Gaim-packagers] Gaim 1.5.0 and security problems
Date: Sun, 7 Aug 2005 21:59:40 -0500

On Sun, 7 Aug 2005 18:49:32 -0400, Sean Egan wrote
> All,
> 
> Let's release 1.5.0 this week. This comes from oldstatus, and may be
> the last release from there.
> 
> -s.

First off, I'll be out of town Monday, Tuesday and Wednesday.

In light of our pending release on Thursday, we should discuss some security
problems (yep--again).  I don't know if we'll need CVE numbers for this, I can
never remember quite how that works.  But if we DO need a CVE number or three,
then Warren and Josh, we would all very much appreciate your assistance, yet
again.

1. The gadu-gadu PRPL.  There was a memory alignment bug that apparently only
affected can not be exploited on x86.  I do not believe the ekg/libgadu
project was issued a CAN for this.  You can grab a patch for Gaim from:
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/gg/libgg.c?r1=1.21
.2.1&r2=1.21.2.2

2. There is an oscar remotely exploitable crash bug.  A remote AIM or ICQ user
would need to compile their own client and send a specially crafted IM
(basically an IM containing lots of %s, and flag it as an away message).  It
results in a buffer overflow.  A fix for this has not yet been committed to
CVS, and the issue should be fairly unknown.  A patch for this is attached (I
would appreciate if some Gaim devs could double-check it--it's small).

3. Daniel Atallah fixed a crash in oscar dealing with invalid file names.  It
is remotely exploitable by anyone sending you a file with a non-utf8 filename.
It sometimes causes a crash in pango.  It might depend on the version
of gtk you're using.  And seems to crash Linux machines less than Windows
machines (if ever).  This has not yet been fixed in CVS, but it IS in the wild
and you can get a client from http://www.sevenz.net/ to exploit it.  A patch
is attached.  I haven't actually tested it, so hopefully it still applies.
The logic is kosher.

Other Gaim developers: If you know of other crashes, please follow up on this
email.

Thanks!
-Mark
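The away-message problem in item 2 is a substitution expansion that outgrows a fixed buffer. As an added illustration (not Gaim's code and not from the attached patch), here is an expander that grows its output instead of overrunning it; the function names and the %n/%t/%d table values are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed substitution table; a real client fills these from account state. */
static const struct { char key; const char *value; } SUBST[] = {
    { 'n', "alice" }, { 't', "16:20" }, { 'd', "2005-08-08" } };

/* Value for the letter after '%', or NULL if it is not a token we expand. */
static const char *subst_lookup(char key)
{
    for (size_t i = 0; i < sizeof SUBST / sizeof SUBST[0]; i++)
        if (SUBST[i].key == key) return SUBST[i].value;
    return NULL;
}

/* Expand %n/%t/%d tokens in msg into a buffer that grows as needed. The unsafe
 * pattern expands into a fixed-size buffer, so a message made of many tokens
 * writes past its end; here the length is checked before every copy.
 * Unknown tokens are copied through unchanged. Returns a malloc'd string. */
char *expand_away_message(const char *msg)
{
    size_t cap = 64, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (const char *p = msg; *p; p++) {
        const char *v = (*p == '%' && p[1]) ? subst_lookup(p[1]) : NULL;
        size_t plen = v ? strlen(v) : 1;
        if (len + plen + 1 > cap) {                  /* grow, never overrun */
            while (len + plen + 1 > cap) cap *= 2;
            char *tmp = realloc(out, cap);
            if (!tmp) { free(out); return NULL; }
            out = tmp;
        }
        memcpy(out + len, v ? v : p, plen);
        len += plen;
        if (v) p++;                                  /* consume the token letter */
    }
    out[len] = '\0';
    return out;
}

/* Check helper: 1 if msg expands exactly to expect, else 0. */
int expands_to(const char *msg, const char *expect)
{
    char *r = expand_away_message(msg);
    int ok = r && strcmp(r, expect) == 0;
    free(r);
    return ok;
}
```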
Comment 1 Sebastian Krahmer 2005-08-09 09:13:00 UTC
Created attachment 45235 [details]
One of the attachments

...
Comment 2 Sebastian Krahmer 2005-08-09 09:13:36 UTC
Created attachment 45236 [details]
the other attachment

...
Comment 3 Stanislav Brabec 2005-08-09 09:58:26 UTC
Gadu-Gadu patch mentioned in comment #1 is mentioned in bug 97408 comment #18.
Comment 4 Stanislav Brabec 2005-08-09 15:36:55 UTC
Updated for STABLE, 9.3, 9.2, SLES9-SLD:
- Fixed memory alignment bug in libgadu (#102961).
- Fixed AIM/ICQ malformed filename crash (#102961).
- Fixed AIM/ICQ away message buffer overflow (#102961).

Updated for STABLE, 9.1, 9.0:
- Fixed AIM/ICQ malformed filename crash (#102961).
- Fixed AIM/ICQ away message buffer overflow (#102961).

SLES8-SLEC:
- Fixed AIM/ICQ away message buffer overflow (#102961).

Not fixed for 8.2.
Comment 5 Sebastian Krahmer 2005-08-10 07:49:02 UTC
Thanks. I will submit patchinfos.

SM-Tracker-2003.
Comment 6 Sebastian Krahmer 2005-08-10 08:09:18 UTC
Submitted patchinfos. Go ahead :-)
Comment 7 Sebastian Krahmer 2005-08-10 08:10:40 UTC
Created attachment 45469 [details]
patchinfo for box

...
Comment 8 Sebastian Krahmer 2005-08-10 08:11:23 UTC
Created attachment 45470 [details]
patchinfo for maintained

...
Comment 9 Marcus Meissner 2005-08-11 08:48:41 UTC
The 9.0 - 9.2 gaims use "gaim_utf8_salvage" in
oscar_malformed_filename_crash_fix.patch

This function does not exist in the 9.0 ... 9.2 versions yet.
Comment 10 Stanislav Brabec 2005-08-11 15:58:52 UTC
For 9.0, 9.1, 9.2 gaim_utf8_salvage() was added as static function to oscar.c. I
hope it will fix the problem.
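For the non-UTF-8 filename crash (item 3 of the report) and the salvage function discussed in comments 9 and 10, here is an added illustration of what such a step does before a string reaches the text renderer. It is not Gaim's gaim_utf8_salvage and not from the patches in this bug: utf8_salvage and salvage_matches are hypothetical names, and the sample strings are constructed.

```c
#include <string.h>
/* Length of the well-formed UTF-8 sequence starting at s (n bytes available), or 0
 * if no valid sequence starts there: rejects overlongs, surrogates and > U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    unsigned char c = s[0]; size_t len, i; unsigned long cp;
    if (c < 0x80) return 1;
    if (c >= 0xC2 && c <= 0xDF) { len = 2; cp = c & 0x1F; }
    else if (c >= 0xE0 && c <= 0xEF) { len = 3; cp = c & 0x0F; }
    else if (c >= 0xF0 && c <= 0xF4) { len = 4; cp = c & 0x07; }
    else return 0;                 /* stray continuation byte, 0xC0/0xC1 or 0xF5.. */
    if (n < len) return 0;         /* sequence cut off by the end of the string */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (len == 3 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return 0;
    if (len == 4 && (cp < 0x10000 || cp > 0x10FFFF)) return 0;
    return len;
}

/* Copy in to out (at most outsz bytes including the NUL), keeping valid sequences
 * and replacing every invalid byte with '?'. Never splits a multibyte sequence at
 * the output boundary. Returns the number of bytes replaced. */
size_t utf8_salvage(const char *in, char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), i = 0, o = 0, bad = 0;
    if (outsz == 0) return 0;
    while (i < n) {
        size_t len = utf8_seq_len(s + i, n - i);
        if (len == 0) {                        /* invalid: one byte becomes '?' */
            if (o + 1 >= outsz) break;
            out[o++] = '?'; i++; bad++;
        } else {                               /* valid: copy the whole sequence */
            if (o + len >= outsz) break;
            memcpy(out + o, s + i, len); o += len; i += len;
        }
    }
    out[o] = '\0';
    return bad;
}

/* Check helper: replacement count when salvaging in yields expect, else -1. */
int salvage_matches(const char *in, const char *expect)
{
    char buf[64];
    size_t bad = utf8_salvage(in, buf, sizeof buf);
    return strcmp(buf, expect) == 0 ? (int)bad : -1;
}
```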
Comment 11 Sebastian Krahmer 2005-08-15 05:53:21 UTC
need to re-submit patchinfos?
Comment 12 Marcus Meissner 2005-08-15 08:17:53 UTC
no. they are checked in already and waiting for QA. 
Comment 13 Thomas Biege 2005-08-18 07:48:57 UTC
packages released
Comment 14 Marcus Meissner 2005-08-19 13:14:35 UTC
CAN-2005-2103 (under review)
Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote
attackers to cause a denial of service (application crash) and possibly
execute arbitrary code via an away message with a large number of AIM
substitution strings, such as %t or %n.

CAN-2005-2102 (under review)
The AIM/ICQ module in Gaim before 1.5.0 allows remote attackers to cause a
denial of service (application crash) via a filename that contains invalid
UTF-8 characters.

CAN-2005-1852 (under review)
Multiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 to
3.4.1, ekg before 1.6rc3, and other packages, allows remote attackers to cause
a denial of service (crash) and possibly execute arbitrary code via an
incoming message.
Comment 15 Thomas Biege 2009-10-13 21:40:44 UTC
CVE-2005-2103: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)