Bug 90337 (CVE-2005-1934)

Summary: VUL-0: CVE-2005-1934: another gaim DoS
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-1934: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2005-0208:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: msn_malformed_MSG_fix.patch

Description Ludwig Nussel 2005-06-10 06:58:41 UTC
We received the following report via vendor-sec.
The issue is public.

Date: Thu, 9 Jun 2005 15:05:56 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Another gaim crasher

There is another DoS in gaim (they never end).

http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235

I'm attaching the patch.

I've already requested a CVE name, I'll follow up with it when I get it.

-- 
    JB
Comment 1 Ludwig Nussel 2005-06-10 07:00:14 UTC
Created attachment 38961 [details]
msn_malformed_MSG_fix.patch
Comment 2 Ludwig Nussel 2005-06-10 07:00:30 UTC
Candidate: CAN-2005-1934 
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1934 
Reference: 
CONFIRM:http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235 
 
Gaim before 1.3.1 allows remote attackers to cause a denial of service 
(crash) via a malformed MSN message that leads to a memory allocation 
of a large size, possibly due to an integer signedness error. 
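The CVE text above names the bug class (a length taken from the message is passed to an allocation, possibly with an integer signedness error) but not the code. The following is an added C illustration of the defensive check for that class, written for this entry; it is not gaim's code and not the attached patch. The MSN "MSG <from> <name> <len>" framing and the 64 KiB bound are my assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Largest MSG payload a client is willing to buffer.
 * Constructed bound for this illustration, not gaim's. */
#define MSG_MAX_PAYLOAD (64 * 1024)

/* Parse the payload-length argument of an MSN "MSG <from> <name> <len>"
 * command (framing assumed). Returns the length, or -1 if the field is
 * not a well-formed non-negative decimal within the configured bound.
 * The unsafe pattern the CVE text describes is roughly
 *     int len = atoi(field); buf = malloc(len);
 * where a negative len, converted to size_t, becomes a huge request.
 * Here sign and range are checked before any allocation happens. */
long parse_msg_length(const char *field)
{
    char *end;
    long len;

    if (field == NULL || *field == '\0')
        return -1;
    /* Reject a sign explicitly: strtol would accept "-1", and a later
     * cast to size_t would turn that into an enormous size. */
    if (*field == '-' || *field == '+')
        return -1;
    errno = 0;
    len = strtol(field, &end, 10);
    if (errno == ERANGE || end == field || *end != '\0')
        return -1;  /* overflow, no digits, or trailing junk */
    if (len < 0 || len > MSG_MAX_PAYLOAD)
        return -1;  /* negative or larger than we agree to buffer */
    return len;
}

/* Allocate a payload buffer only for a validated length. Returns NULL
 * instead of handing an attacker-chosen size to the allocator. */
char *alloc_msg_payload(const char *field)
{
    long len = parse_msg_length(field);
    if (len < 0)
        return NULL;
    return calloc((size_t)len + 1, 1);  /* +1 for a terminating NUL */
}
```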
Comment 3 Stanislav Brabec 2005-06-14 14:51:14 UTC
Fixing altogether with bug 87377 and bug 66609.

Fixed for 9.3; now backporting and checking older issues.

Please note that for some patches there is no official patch, so I have to dig
it from CVS and guess.

Packages need intensive testing!

9.3 issues fixed:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934).
  http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269).
  http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262).
  http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967).
  http://gaim.sourceforge.net/security/?id=15
  (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (3 of 4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
Comment 4 Ludwig Nussel 2005-06-14 14:58:33 UTC
Sometimes it helps to just ask upstream for patches or look into other distros'
packages.
Comment 5 Stanislav Brabec 2005-06-14 15:08:54 UTC
It seems that other distros do a version update for most of these issues. (I have
been searching for patches, but have not seen any anywhere.)
Comment 6 Stanislav Brabec 2005-06-14 17:07:16 UTC
SLES9-SLD-BETA fixed issues:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934).
  http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269).
  http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262).
  http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967).
  http://gaim.sourceforge.net/security/?id=15
  (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (3 of 4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13

SLES9-SLD fixed issues:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934).
  http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269).
  http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262).
  http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967).
  http://gaim.sourceforge.net/security/?id=15
  (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208).
  http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473).
  http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

For older products, there are still at least 4 older issues not included. Newer
issues have to be ported.
Comment 7 Marcus Meissner 2005-06-15 11:18:20 UTC
If backporting patches is too hard we can consider version upgrades too,
but in general we want to avoid them.
Comment 8 Stanislav Brabec 2005-06-15 15:22:20 UTC
9.2:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934).
  http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269).
  http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262).
  http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967).
  http://gaim.sourceforge.net/security/?id=15
  (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208).
  http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473).
  http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

9.1:
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269).
  http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262).
  http://gaim.sourceforge.net/security/?id=17
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208).
  http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473).
  http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

9.0:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934).
  http://gaim.sourceforge.net/security/?id=19
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967).
  http://gaim.sourceforge.net/security/?id=15
  (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10
Comment 9 Ludwig Nussel 2005-06-15 15:27:37 UTC
SM-Tracker-1578 
Comment 10 Stanislav Brabec 2005-06-15 15:45:27 UTC
Fix - 9.0 is only:
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966).
  http://gaim.sourceforge.net/security/?id=14
  (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

8.2:
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

sles8-slec:
- Fixed malformed HTML DoS (#66609, CAN-2005-0965).
  http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472).
  http://gaim.sourceforge.net/security/?id=10

Completed...

Please note that I am very unsure about the backporting of
gaim_markup_strip_html.patch and other HTML patches for the old version (the old
version is probably unaffected, because it expects only 8 characters in an IRC nick).

Packages need testing to verify that the patch backports are correct. See the URLs in
the changelog for features to test.

Reassigning to security team.
Comment 11 Ludwig Nussel 2005-06-15 16:01:53 UTC
Thanks! 
Comment 12 Heiko Rommel 2005-06-23 07:58:46 UTC
Please advise on how to test the fix, especially the fix to the DoS.
Comment 13 Thomas Biege 2005-06-23 10:07:50 UTC
If we don't have a test-case we have to skip it.
Comment 14 Thomas Biege 2005-06-24 10:32:25 UTC
approved
Comment 15 Thomas Biege 2009-10-13 21:27:14 UTC
CVE-2005-1934: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)