Bug 82865 (CVE-2005-1261)

Summary: VUL-0: CVE-2005-1261: gaim overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: gnome-bugs, sbrabec, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1261: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: the fix from upstream
patchinfo box
patchinfo for maintained products

Description Sebastian Krahmer 2005-05-09 08:43:13 UTC
Date: Fri, 06 May 2005 12:35:03 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Gaim buffer overflow
Parts/Attachments:
   1 Shown     12 lines  Text
   2 Shown    141 lines  Text, "gaim-long_url.patch"
----------------------------------------

Gaim 1.3.0 is scheduled for release on Tuesday (2005-05-10), the exact time
is unknown to me, evening (US time) is expected.

There is a buffer overflow in gaim where an attacker can send a very long
URL in a message (>8192 bytes).  It's a stack based overflow, looks pretty
ugly.  I'm attaching the upstream patch.

This issue is CAN-2005-1261.

-- 
    JB


    [ Part 2: "gaim-long_url.patch" ]
Comment 1 Sebastian Krahmer 2005-05-09 08:45:35 UTC
Created attachment 36583 [details]
the fix from upstream

...
Comment 2 Stanislav Brabec 2005-05-09 15:06:28 UTC
Package submitted for STABLE, 9.3-all, 9.2-all, SLES9-SLD, SLES9-SLD-BETA.

For 9.2 (gaim-0.75) and older, the patch is completely rejected, but the code has some
similarities. Is there any info about the oldest affected version?
Comment 3 Sebastian Krahmer 2005-05-10 14:00:53 UTC
No, maybe the gaim maintainers know more?
I will make SWAMP task.
Comment 4 Sebastian Krahmer 2005-05-10 14:03:47 UTC
SM-Tracker-1142
Comment 5 Stanislav Brabec 2005-05-10 15:06:56 UTC
Code is probably affected, too. Backporting.
Comment 6 Michael Schröder 2005-05-10 17:07:38 UTC
Patchinfo? 
Comment 7 Stanislav Brabec 2005-05-10 17:16:17 UTC
Patch backported and significantly modified for 9.1-all and 9.0-all. Only quick
test was done.

For 8.2-all and sles8-slec-all, patch from 9.1-all was applied and reformatted
using wiggle.

All packages submitted. Re-assigning to security-team - please create patchinfo.
Comment 8 Sebastian Krahmer 2005-05-11 08:36:36 UTC
Ok, *now* that the packages are available I will submit
patchinfos. :)

Stanislav, I assume 9.2 and 9.2 were affected as well?
Comment 9 Sebastian Krahmer 2005-05-11 09:05:13 UTC
Patchinfos submitted. Please go ahead.

Comment 10 Sebastian Krahmer 2005-05-11 09:06:02 UTC
Created attachment 36844 [details]
patchinfo box

...
Comment 11 Sebastian Krahmer 2005-05-11 09:06:36 UTC
Created attachment 36845 [details]
patchinfo for maintained products

...
Comment 12 Stanislav Brabec 2005-05-11 10:40:04 UTC
9.2 was submitted, too:

stable-all, 9.3-all, sles9-sld-beta-all: Original patch.

9.2-all, sles9-sld-all: Small change in patch.

9.1-all, 9.0-all: Patch backport and rewrite.

8.2-all, sles8-slec-all: Reformatted backported patch.

Backported patch needs more testing.
Comment 13 Thomas Biege 2005-05-24 16:03:14 UTC
Looks like the patchinfo is messed up:

BUGZILLA: security
Comment 14 Thomas Biege 2005-05-24 16:04:45 UTC
fixed them ;)
Comment 15 Ludwig Nussel 2005-06-09 08:09:25 UTC
packages released 
Comment 16 Thomas Biege 2009-10-13 21:21:59 UTC
CVE-2005-1261: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)