Bug 62226 (CVE-2004-0891)

Summary: VUL-0: CVE-2004-0891: gaim flaws continued / CAN-2004-0891
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: gnome-bugs, mls, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0891: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: gaim-1.0.1-msn-security_fixes.patch

Description Ludwig Nussel 2004-10-14 19:15:31 UTC
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.
CRD is 2004-10-19

Date: Wed, 13 Oct 2004 13:37:55 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Cc: gaim-packagers@schierer.org
Subject: [vendor-sec] FWD: [gaim-packagers] Gaim 1.0.1 MSN security issues

Here's a new issue in the current Gaim MSN protocol parser.  Issue #3 below
has been given the CVE id CAN-2004-0891.

The current embargo date is 2004-10-19.


----- Forwarded message from Stu Tomlinson <stu@nosnilmot.com> -----

While investigating a crash in Gaim's MSN protocol I discovered 3
potential security issues.

1) Crash when accepting a large file transfer that exceeds the amount of
available memory.
Affected code: src/protocols/msn/slplink.c
After accepting a file transfer request, Gaim will attempt to allocate a
buffer of a size equal to the entire filesize, this allocation attempt
will cause Gaim to crash if the size exceeds the amount of available
memory.

Fix: don't allocate a buffer for file transfers, it's not necessary.

2) Crash when receiving malformed MSNSLP message
Affected code: src/protocols/msn/slplink.c
Gaim allocates a buffer for the payload of each message received based
on the size field in the header of the message. A malicious peer could
specify an invalid size that exceeds the amount of available memory.

Fix: Replace call to g_malloc() with call to g_try_malloc(). If the
memory could not be allocated the function returns instead of causing
the application to crash.

3) Buffer overflow when receiving unexpected sequence of MSNSLP messages
Affected code: src/protocols/msn/slplink.c
memcpy was used without checking the size of the buffer before copying
to it. Additionally, a logic flaw was causing the wrong buffer to be
used as the destination for the copy under certain circumstances.

Fix: Correct the logic to select the correct buffer, and add bounds
checking to prevent malformed messages causing a buffer overflow.


All 3 bugs affect MSN's MSNSLP protocol, which is peer-to-peer, so these
could potentially be easy to exploit. They have been present since Gaim
0.79.

I have attached a patch against Gaim 1.0.1 which addresses these issues.

Regards,


Stu.



----- End forwarded message -----
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
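The three findings in the forwarded report share one root: MSNSLP chunk reassembly trusts sizes and offsets supplied by the peer. The following C program is an added example written for this page; it is not gaim's slplink.c and not the attached patch. It models a simplified chunk header (the field names and the SLP_MAX_MESSAGE cap are assumptions) and puts the vulnerable reassembly pattern next to a hardened one that caps the declared size, survives allocation failure instead of aborting (the g_try_malloc() idea from fix 2), and bounds-checks every copy without the offset + length overflow trap (fix 3). The wrong-buffer selection flaw from issue 3 is not modeled; issue 1 is represented by the size cap, whereas the actual fix for file transfers was to not buffer the file in memory at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on one reassembled MSNSLP message; not a gaim constant. */
#define SLP_MAX_MESSAGE ((uint64_t)4 * 1024 * 1024)

/* Subset of the binary MSNSLP header; field names are assumptions. */
typedef struct {
    uint32_t session_id;
    uint32_t id;
    uint64_t offset;       /* where this chunk lands in the whole message */
    uint64_t total_size;   /* peer-declared size of the whole message */
    uint32_t length;       /* payload bytes carried by this chunk */
} slp_header;

/* Reassembly state for one in-flight message. */
typedef struct {
    unsigned char *buffer;
    uint64_t size;         /* allocated size, fixed by the first chunk */
    uint64_t received;
} slp_msg;

typedef enum {
    SLP_OK = 0,
    SLP_ERR_SIZE,          /* declared size zero, over the cap, or changed */
    SLP_ERR_ALLOC,         /* allocator returned NULL; drop, do not abort */
    SLP_ERR_BOUNDS         /* offset/length do not fit the buffer */
} slp_status;

/* Vulnerable pattern: buffer sized from the peer's total_size with no cap,
 * and memcpy trusts offset/length. g_malloc() would abort on failure; plain
 * malloc() is used so the example runs. Never feed this attacker data. */
int process_chunk_vulnerable(slp_msg *m, const slp_header *h,
                             const unsigned char *data)
{
    if (m->buffer == NULL) {
        m->size = h->total_size;
        m->buffer = malloc((size_t)m->size);
        if (m->buffer == NULL)
            return -1;
    }
    memcpy(m->buffer + h->offset, data, h->length);   /* unchecked copy */
    m->received += h->length;
    return 0;
}

/* Hardened version: cap the size, tolerate allocation failure, and check
 * bounds as two comparisons so offset + length cannot wrap around. */
slp_status process_chunk_hardened(slp_msg *m, const slp_header *h,
                                  const unsigned char *data)
{
    if (m->buffer == NULL) {
        if (h->total_size == 0 || h->total_size > SLP_MAX_MESSAGE)
            return SLP_ERR_SIZE;
        m->buffer = malloc((size_t)h->total_size);
        if (m->buffer == NULL)
            return SLP_ERR_ALLOC;
        m->size = h->total_size;
        m->received = 0;
    } else if (h->total_size != m->size) {
        return SLP_ERR_SIZE;   /* a later chunk may not resize the buffer */
    }
    if (h->offset > m->size || h->length > m->size - h->offset)
        return SLP_ERR_BOUNDS;
    memcpy(m->buffer + h->offset, data, h->length);
    m->received += h->length;
    return SLP_OK;
}

void slp_msg_free(slp_msg *m)
{
    free(m->buffer);
    m->buffer = NULL;
    m->size = m->received = 0;
}

int main(void)
{
    unsigned char payload[16] = "chunk-data-here";        /* constructed */
    slp_msg m = { NULL, 0, 0 };
    slp_header good = { 1, 7, 0, 64, 16 };                /* 0 + 16 <= 64 */
    slp_header bad  = { 1, 7, 56, 64, 16 };               /* 56 + 16 > 64 */
    slp_header wrap = { 1, 7, UINT64_MAX - 4, 64, 16 };   /* sum wraps to 11 */

    printf("good chunk: %d\n", process_chunk_hardened(&m, &good, payload));
    printf("bad chunk:  %d\n", process_chunk_hardened(&m, &bad, payload));
    printf("wrap chunk: %d\n", process_chunk_hardened(&m, &wrap, payload));
    slp_msg_free(&m);
    return 0;
}
```

The wrap case is why the bounds check is split into two comparisons: with a single `offset + length > size` test, an offset of UINT64_MAX - 4 plus a length of 16 wraps to 11, passes the check, and the memcpy lands far outside the buffer.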
Comment 1 Ludwig Nussel 2004-10-14 19:16:25 UTC
Created attachment 24979 [details]
gaim-1.0.1-msn-security_fixes.patch
Comment 2 Stanislav Brabec 2004-10-18 21:56:45 UTC
Fix submitted for STABLE, SLES9-SLD, 9.2 and PLUS.

Not needed for 9.1 (gaim-0.75) and older versions.
Comment 3 Michael Schröder 2004-10-20 20:26:00 UTC
Patchinfo?
Comment 4 Ludwig Nussel 2004-10-21 16:39:45 UTC
Is SLES9-SLD already released? Do we need a patchinfo for it as well?
Comment 5 Marcus Meissner 2004-10-21 16:47:01 UTC
It's not released yet, still in creation...
Comment 6 Marcus Meissner 2004-10-25 19:51:01 UTC
is in NLD tree, so will be on NLD CDs ... none other affected -> fixed. 
Comment 7 Marcus Meissner 2004-10-29 15:49:22 UTC
updates approved for 9.2. 
Comment 8 Thomas Biege 2009-10-13 19:53:50 UTC
CVE-2004-0891: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)