Bug 66609 (CVE-2005-0208)

Summary: VUL-0: CVE-2005-0208: gaim: crash gaim remotely by using special filenames for uploading and MORE
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Stanislav Brabec <sbrabec>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:NVD:CVE-2005-0208:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: gaim-fixes.diff

Description Thomas Biege 2005-02-25 11:45:47 UTC
Hi, 
this little bug was reported to full-disclosure. 
STABLE-only fix will suffice. Thanks! 
 
 
 Date: Thu, 24 Feb 2005 17:02:07 -0500 
To: full-disclosure@lists.netsys.com 
From: Randall Perry <lists@domain-logic.com> 
Subject: [Full-Disclosure] GAIM exploit 
Errors-To: full-disclosure-bounces@lists.netsys.com 
 
Platform: Windows (tested only on XP and 2000, might impact others) 
Application: GAIM v1.1.3 
Synopsis: Cause remote crash of GAIM client. 
Scenario: 
 
By sending a file to another GAIM user, you can cause their GAIM client 
to crash and completely close GAIM down. 
 
Simply send a file to someone with parentheses in its name, and it will crash 
when they accept the download (the download does not even begin, it just 
crashes). 
 
Example: filename of gaim1.1(windows).exe 
will cause it to crash. 
 
I am still playing with the debug version of GAIM, and having just run 
through GTK updates to 2.4 I do not have time to digest and post those. 
So far, it looks like it has to do with libglib-2.0-0.dll 
I am following up with a post to GAIM developers with a complete report. 
 
http://www.domain-logic.com/ 
 
 
Comment 1 Thomas Biege 2005-02-25 12:02:44 UTC
From: Martin Pitt <martin.pitt@canonical.com> 
To: Vendor Security <vendor-sec@lst.de> 
Mail-Followup-To: Vendor Security <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(] 
Errors-To: vendor-sec-admin@lst.de 
Date: Fri, 25 Feb 2005 12:09:25 +0100 
 
[-- PGP Ausgabe folgt (aktuelle Zeit: Fr 25 Feb 2005 12:55:48 CET) --] 
gpg: Unterschrift vom Fr 25 Feb 2005 12:09:25 CET, DSA Schlüssel ID 5E0577F2 
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden 
[-- Ende der PGP-Ausgabe --] 
 
[-- Die folgenden Daten sind signiert --] 
 
Hi! 
 
FYI, from the GAIM packager's list (which is private). In addition to 
the recently fixed malformed HTML (CAN-2005-0473) and AIM/ICQ remote 
DoS (CAN-2005-0472) there are two more vulnerabilities, see below. 
 
Probably these are published by doing a new release 1.1.4 over the 
weekend. 
 
I think these need new CAN numbers, can somebody please assign some? 
 
Thanks and have a nice day! 
 
Martin 
 
----- Forwarded message from Sebastien Bacher <sebastien.bacher@canonical.com> ----- 
 
Subject: [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(] 
From: Sebastien Bacher <sebastien.bacher@canonical.com> 
To: Martin Pitt <martin.pitt@canonical.com> 
Date: Fri, 25 Feb 2005 11:57:54 +0100 
X-Spam-Status: No, score=0.0 required=4.0 tests=none autolearn=no 
        version=3.0.2 
 
 
 
Content-Description: Message transféré - [Gaim-packagers] One more security issue in Gaim 1.1.3 :-( 
From: Stu Tomlinson <stu@nosnilmot.com> 
To: gaim-packagers@lists.sourceforge.net 
Subject: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-( 
Date: Tue, 22 Feb 2005 13:12:45 -0500 
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham 
        version=3.0.2 
 
There was one more security issue discovered in Gaim 1.1.3: 
 
An additional HTML parsing bug similar to the one already fixed in 1.1.3 
http://gaim.sourceforge.net/security/?id=11 
 
This is fixed in the attached gaim-1.1.3-html-parse-fix.patch 
 
Does this need a new CVE number? It is identical to the issue covered by 
CAN-2005-0473. 
 
There are also some MSN crashes in 1.1.3 if a conversation uses multiple 
switchboard server sessions, this was highlighted by bugs which make the 
use of multiple switchboard sessions much more likely in Gaim 1.1.3. 
These problems are fixed in the attached gaim-1.1.3-msn-fixes.patch 
 
Regards, 
 
 
Stu. 
 
Index: src/protocols/msn/msn.c 
[attached] 
Comment 2 Thomas Biege 2005-02-25 12:03:30 UTC
Created attachment 28865 [details]
gaim-fixes.diff
Comment 3 Thomas Biege 2005-02-25 12:04:09 UTC
From: Josh Bressers <bressers@redhat.com> 
To: Vendor Security <vendor-sec@lst.de> 
Subject: Re: [vendor-sec] [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(] 
User-Agent: Mutt/1.4.1i 
Errors-To: vendor-sec-admin@lst.de 
Date: Fri, 25 Feb 2005 06:50:44 -0500 
 
On Fri, Feb 25, 2005 at 12:09:25PM +0100, Martin Pitt wrote: 
> Content-Description: Message transféré - [Gaim-packagers] One more security issue in Gaim 1.1.3 :-( 
> From: Stu Tomlinson <stu@nosnilmot.com> 
> To: gaim-packagers@lists.sourceforge.net 
> Subject: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-( 
> Date: Tue, 22 Feb 2005 13:12:45 -0500 
> X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham 
>       version=3.0.2 
> 
> There was one more security issue discovered in Gaim 1.1.3: 
> 
> An additional HTML parsing bug similar to the one already fixed in 1.1.3 
> http://gaim.sourceforge.net/security/?id=11 
> 
> This is fixed in the attached gaim-1.1.3-html-parse-fix.patch 
> 
> Does this need a new CVE number? it is identical to the issue covered by 
> CAN-2005-0473 
 
This issue has already been given the name CAN-2005-0208. 
 
-- 
    JB 
 
Comment 4 Marcus Meissner 2005-03-09 16:15:48 UTC
hello? 
Comment 5 Marcus Meissner 2005-03-10 08:13:47 UTC
emerge from security internal ... otherwise the individual gnome maintainers 
cannot read it. 
Comment 6 Sebastian Krahmer 2005-04-13 14:26:50 UTC
Any news here?

Redhat issued an advisory which also fixes:

CAN-2005-0967 - bug in the Jabber protocol plugin
CAN-2005-0965 - bug in gaim_markup_strip_html
CAN-2005-0966 - bug in the IRC protocol plugin

Comment 7 Stanislav Brabec 2005-04-13 15:03:25 UTC
STABLE has gaim-1.1.4
SuSE Linux 9.3 has gaim-1.1.4
NLD has gaim-1.0.3
SuSE Linux 9.2 has gaim-0.82.1.

Is any of these versions affected by any of these bugs?
Comment 8 Ludwig Nussel 2005-05-12 07:30:26 UTC
You'll have to check the code to find out :-) 
 
Anyways, there is yet another DoS (CAN-2005-1262): 
http://gaim.sourceforge.net/security/?id=17 
Comment 9 Stanislav Brabec 2005-05-12 11:29:06 UTC
Maybe we should check all of them, if not yet done:
http://gaim.sourceforge.net/security/
Comment 10 Marcus Meissner 2005-06-09 12:45:25 UTC
if we are affected ... include those fixes too if possible  
Comment 11 Stanislav Brabec 2005-06-14 14:48:50 UTC
Fixing known issues altogether with bug 90337 (and bug 87377).

Please note that for some of these issues there is no official patch, so I have to dig
it out of CVS and guess.
Comment 12 Stanislav Brabec 2005-06-15 15:46:33 UTC
Fixed. For security tracking, follow the bug 90337.