Bugzilla – Bug 48991
VUL-0: CVE-2004-0007: gaim: 12 buffer overflows
Last modified: 2021-09-29 14:55:32 UTC
Hi Mads. Stefan Esser will release an advisory about several security vulnerabilities in gaim. I'll attach his original email ASAP.
Created attachment 15668 [details]: email by Stefan Esser. There is no patch included, but a detailed description of the bugs.
0.76 will include all fixes. Some fixes are already in their CVS.
Hi Mads, please ask Chris (???) about a version upgrade for all affected gaim versions. Thank you.
Yes, if it's that simple, which I doubt. I checked their CVS, and I cannot see the fixes yet, and they still haven't released 0.76 yet. I'm monitoring it though.
First off, I want to say a version upgrade is not a possibility. Second, I've sat down and looked through the items; here's the deal: the last shipped version we have is gaim-0.67, which is fairly old. I could only find 3 of the holes mentioned, but they're present in all versions all the way back to 0.50, which we shipped in 8.0. What I need from you (the security responsible person) now is that you double-check that I'm right, since it's possible I missed a bit. It's, as you said, really well described in the mail from S. Esser, so no big deal. ~mmj/gaim has all the trees, with the patch (gaim-%version-secfix.diff). I also need a PATCHINFO.
Created attachment 15738 [details]: gaim.patch, patch from FreeBSD
Created attachment 15739 [details] patchinfo-box.gaim
Created attachment 15740 [details] patchinfo.gaim
patches look ok
Good, do you have a PATCHINFO file?
I wrote one. Submitted for 8.0 -> 9.0 and patchinfo in /work/src/done/PATCHINFO
Reopened by thomas@suse.de at Tue Jan 27 08:38:43 2004
The patchinfos were in comments #8 and #9. Reopened and reassigned for tracking.
Ah, feel free to change the one I made. The packages were checked in the respective distributions already.
Hi Mads, one patch from Stefan Esser was wrong. So Harald will reject the current packages and we need new ones. Here is his mail:

Date: Tue, 27 Jan 2004 19:51:58 +0100
From: Stefan Esser <s.esser@e-matters.de>
To: vendor-sec@lst.de
Cc: gaim@marko.net, lowhalo@hush.com
Subject: [vendor-sec] Problem with GAIM-Patch

Hi,

I was just contacted by a person that was confused by the Gaim patches. And he was right to be confused: the patch is broken. This will result in gaim crashing on bad yahoo packets.

while (pos + 1 < len) { if (data[pos] == 0xc0 && data[pos + 1] == 0x80) break; + if (x >= sizeof(key)-1) { + x++; + continue; + } key[x++] = data[pos++]; } + if (x >= sizeof(key)-1) { + x = 0; + } key[x] = 0;

This code lacks a pos++; after the x++; before the continue. This will result in a very long loop and then a crash. (I suppose that the comparison is done signed, otherwise it will only loop and loop until x overflows and then start overwriting key from the beginning.) Basically I do not know why the patch was broken, because the version of 0.75 I have here is okay. Must have been a problem in the diff against the CVS.

Stefan
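Review bot: the added skip branch in the hunk increments x but never pos, so once x reaches sizeof(key)-1 the loop re-reads the same data[pos] on every iteration and never reaches the 0xc0 0x80 separator; a `pos++;` is needed before the `continue;`. Separately, the trailing `if (x >= sizeof(key)-1) { x = 0; }` turns every over-long key into an empty string rather than a truncated one, so the callers of this code need to cope with an empty key.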
Are you sure our package is wrong, Thomas? I took what the gaim people have in their CVS.
I looked at the source and the patch seems wrong. It parses the packet and copies a byte from data[pos] to key[x]. When the code skips the loop it increments the x but not the pos index variable, so we get out of sync.
Agreed. But then we should wait for the gaim people to fix it correctly.
No, we can't wait. Their response to these bugs is not very positive and every other vendor already released new packages. We should hurry up to release ours too. The advisory is ready, we just need the packages. Just try: + if (x >= sizeof(key)-1) { + x++;pos++; + continue; + } in the patch to avoid adjusting the line numbers of the old diff file or making new diff files from the source.
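Review bot: `x++;pos++;` advances the input correctly, but x keeps counting past sizeof(key)-1 for every skipped byte even though it is only consulted afterwards by the `if (x >= sizeof(key)-1) { x = 0; }` reset; `pos++; continue;` alone would trigger that reset just the same while keeping x inside the buffer, so `key[x] = 0;` would be in bounds even if the reset were ever dropped.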
Ok, I did this and submitted for 8.0 -> 9.0. You take care of the patchinfos this time, please.
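The corrected key-copy loop discussed in the comments above, as an added C example that is neither the gaim tree's code nor the vendor patch: it rebuilds the loop with the missing pos++ and shows that an over-long key is consumed and truncated instead of hanging the parser. The KEY_LEN size, the parse_key name, the truncated flag and the sample packets are constructed for this example; the 0xc0 0x80 separator and the loop shape follow the hunk, but the over-long key is kept as a truncated prefix rather than reset to an empty string as the patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8  /* deliberately small so the over-long case is easy to hit (constructed) */

/* Copy one key field out of a Yahoo-style packet: bytes up to the 0xc0 0x80
 * separator go into key[]; once KEY_LEN-1 bytes are stored, further bytes are
 * dropped but still consumed. Returns the number of input bytes consumed, i.e.
 * the offset of the separator (or where the scan stopped if there is none). */
size_t parse_key(const uint8_t *data, size_t len, char key[KEY_LEN], int *truncated)
{
    size_t pos = 0, x = 0;
    *truncated = 0;
    while (pos + 1 < len) {
        if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
            break;
        if (x >= KEY_LEN - 1) {
            /* Buffer is full: the broken vendor patch did x++ here without
             * pos++, so data[pos] was re-read forever. Advancing pos is the
             * fix; x is left alone so key[x] stays inside the buffer. */
            *truncated = 1;
            pos++;
            continue;
        }
        key[x++] = (char)data[pos++];
    }
    key[x] = 0;  /* x <= KEY_LEN-1 here, so this write is always in bounds */
    return pos;
}

/* Sample packets, constructed for this example. */
static const uint8_t PKT_SHORT[] = { 'a', 'b', 'c', 0xc0, 0x80, 'v' };
static const uint8_t PKT_LONG[]  = { '0','1','2','3','4','5','6','7','8','9', 0xc0, 0x80 };

int main(void)
{
    char key[KEY_LEN];
    int truncated;
    size_t pos = parse_key(PKT_LONG, sizeof PKT_LONG, key, &truncated);
    printf("key=\"%s\" truncated=%d consumed=%zu of %zu bytes\n",
           key, truncated, pos, sizeof PKT_LONG);
    return 0;
}
```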
Ok, I think my part is done here. Thomas, what should happen now?
Thanks Mads. Packages approved.
CVE-2004-0005 CVE-2004-0006 CVE-2004-0007
CVE-2004-0007: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)