Bug 59194 (CVE-2004-2589)

Summary: VUL-0: CVE-2004-2589: new gaim issues
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Sebastian Krahmer <krahmer>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gnome-bugs, qa-bugs, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-2589: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: vulnerability description
the patch. The MSN things, again, are already fixed by us
patch for 0.59 (8.1)
patch for 0.67 (9.0)
patch for 0.75 (9.1)
patch for 0.81 with only url_decode and url_encode fixed

Description Sebastian Krahmer 2004-08-25 16:40:14 UTC 
Date: Tue, 24 Aug 2004 12:17:53 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] New gaim issues
Parts/Attachments:
   1 Shown     12 lines  Text
   2   OK     106 lines  Text
   3   OK     331 lines  Text
----------------------------------------

There are some new Gaim security issues which are to be fixed in their 0.82
release.  The 0.82 release is supposed to be out on Thursday 20040826.


These fixes are in their CVS, but upstream would prefer no one point that
out until Thursday.  I'm attaching the 0.81->0.82 patch which covers these
issues along with a short summary of the problems.

I'll post the CVE id's when I have them.
Comment 1 Sebastian Krahmer 2004-08-25 16:40:14 UTC 
<!-- SBZ_reproduce  -->
...
Comment 2 Sebastian Krahmer 2004-08-25 16:41:25 UTC 
Created attachment 22895 [details]
vulnerability description

The first thing has already been fixed by our last updates.
Comment 3 Sebastian Krahmer 2004-08-25 16:42:12 UTC 
Created attachment 22896 [details]
the patch. The MSN things, again, are already fixed by us

...
Comment 4 Holger Hetterich 2004-08-25 17:17:40 UTC 
on my todo list...
Comment 5 Ludwig Nussel 2004-08-25 19:46:18 UTC 
Created attachment 22899 [details]
patch for 0.59 (8.1)

only contains the hunks for url_decode and the hostname thing. the other stuff
does not seem to be present in this version. Additionally avoids possible
buffer overflow in url_encode.
Comment 6 Ludwig Nussel 2004-08-25 20:39:28 UTC 
Created attachment 22900 [details]
patch for 0.67 (9.0)

additionally contains the html content-length fix and the shell quoting fix
Comment 7 Holger Hetterich 2004-08-25 20:48:35 UTC 
many thanks, Ludwig, I am readying the packages...
Comment 8 Ludwig Nussel 2004-08-25 21:11:00 UTC 
Created attachment 22902 [details]
patch for 0.75 (9.1)
Comment 9 Holger Hetterich 2004-08-25 21:23:52 UTC 
would be nice if some Bug Identifier Number or some other reference are 
available, for the patchinfo description.
Comment 10 Ludwig Nussel 2004-08-25 21:30:04 UTC 
Created attachment 22904 [details]
patch for 0.81 with only url_decode and url_encode fixed
Comment 11 Holger Hetterich 2004-08-25 22:45:34 UTC 
the packages are ready. I think SUSE security  fixes should come out with 
references and Bug Identifiers.  
 
> I'll post the CVE id's when I have them. 
 
So I'll wait until tomorrow with the patchinfo descriptions
Comment 12 Holger Hetterich 2004-08-31 22:13:17 UTC 
any news on the bug Identifiers?
Comment 13 Ludwig Nussel 2004-08-31 22:24:15 UTC 
Oh. Here we go: 
 
> * An integer overflow in the groupware message handler exists in Gaim. 
 
CAN-2004-0754 
 
> * A shell escape vulnerability in the handling of smiley theme tarball 
> filenames could lead to arbitrary command execution. 
 
CAN-2004-0784 
 
> * Buffer overflows in Gaim could lead to a denial of service or arbitrary 
> code execution. 
 
CAN-2004-0785
Comment 14 Holger Hetterich 2004-08-31 22:52:53 UTC 
patchinfo for the boxes: 
 
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64 
PACKAGE: gaim 
PACKAGER: hhetter@suse.de 
BUGZILLA: 44196 
CATEGORY: security 
DESCRIPTION: 
This security update fixes three security issues which are registered as: 
 
CAN-2004-0754 
An integer overflow in the groupware message handler exists in Gaim.     
 
CAN-2004-0784 
A shell escape vulnerability in the handling of smiley theme tarball     
filenames could lead to arbitrary command execution.   
 
CAN-2004-0785 
Buffer overflows in Gaim could lead to a denial of service or arbitrary     
code execution.   
DESCRIPTION_DE: 
Dieses Security Update behebt drei Sicherheitslücken, welche registriert 
sind als: 
 
CAN-2004-0754 
Ein Integer-Überlauf im Groupware Message Handler von Gaim. 
 
CAN-2004-0784 
Eine Verwundbarkeit beim handling der Dateinamen von Themen-Tarballs 
konnte zur Ausführung von beliebigen Kommandos ausgenutzt werden. 
 
CAN-2004-0785 
Ein Pufferüberlauf in Gaim konnte zu einer Denial Of Service Attacke, oder 
zur Ausführung von beliebigen Kommandos ausgenutzt werden.
Comment 15 Holger Hetterich 2004-08-31 23:13:59 UTC 
submitted packages for 8.1,8.2,9.0,9.1 and patchinfo for the boxes
Comment 16 Ludwig Nussel 2004-08-31 23:28:06 UTC 
what about slec? Didn't we already have a gaim update? so the old fixes need 
to be included. Give me write access or move the file away, I'll take care of 
the patchinfos then.
Comment 17 Holger Hetterich 2004-08-31 23:30:41 UTC 
the SLEC gaim is the 8.1 gaim. I already submitted a patchinfo for SLEC. So all 
is right.
Comment 20 Marcus Meissner 2004-09-22 17:22:31 UTC 
no, we wait until QA gets there. otherwise resource problems will not get 
visible.
Comment 21 Marcus Meissner 2004-09-24 21:07:02 UTC 
updates released.
Comment 22 Marcus Meissner 2005-11-30 09:20:24 UTC 
there was a new CVE-2004-2589, text:

"Gaim before 0.82 allows remote servers to cause a denial of service (application crash) via a long HTTP Content-Length header, which causes Gaim to abort when attempting to allocate memory."

I think we fixed it at that time in gaim-secfix-08-25.dif
Comment 23 Marcus Meissner 2005-11-30 14:31:30 UTC 
make more open
Comment 24 Stanislav Brabec 2005-11-30 15:08:17 UTC 
In June 2005 I went through all issues from http://gaim.sourceforge.net/security/ and fixed missing ones. So I think this one should be fixed, too.

It seems to be http://gaim.sourceforge.net/security/?id=6 and is fixed by gaim-secfix-08-25.dif for 9.0 and 9.1. Sles8 seems to be too old and does not contain this code, sles9 and later are too new and has this bug fixed.
Comment 25 Marcus Meissner 2005-11-30 16:03:39 UTC 
so we have the fix in or not necessary for all of the products
and can leave this bug closed?
Comment 26 Stanislav Brabec 2005-11-30 17:03:28 UTC 
I think that yes. This bug has no CVE in http://gaim.sourceforge.net/security/
I did not find related code in version 0.59 from sles8-slec.
Comment 27 Marcus Meissner 2005-12-01 21:05:49 UTC 
the CVE id was assigned just now (because someone found out that there was non yet for this specific issue). So it was not there yet.
Comment 28 Thomas Biege 2009-10-13 19:48:28 UTC 
CVE-2004-2589: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)