Bug 59194 (CVE-2004-2589) - VUL-0: CVE-2004-2589: new gaim issues
Summary: VUL-0: CVE-2004-2589: new gaim issues
Status: RESOLVED FIXED
Alias: CVE-2004-2589
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Sebastian Krahmer
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-2589: CVSS v2 Base Score: 5....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-25 16:40 UTC by Sebastian Krahmer
Modified: 2021-10-02 09:53 UTC
CC List: 3 users

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
vulnerability description (6.37 KB, text/plain)
2004-08-25 16:41 UTC, Sebastian Krahmer
the patch. The MSN things, again, are already fixed by us (10.06 KB, patch)
2004-08-25 16:42 UTC, Sebastian Krahmer
patch for 0.59 (8.1) (1.66 KB, patch)
2004-08-25 19:46 UTC, Ludwig Nussel
patch for 0.67 (9.0) (4.18 KB, patch)
2004-08-25 20:39 UTC, Ludwig Nussel
patch for 0.75 (9.1) (4.17 KB, patch)
2004-08-25 21:11 UTC, Ludwig Nussel
patch for 0.81 with only url_decode and url_encode fixed (665 bytes, patch)
2004-08-25 21:30 UTC, Ludwig Nussel

Description Sebastian Krahmer 2004-08-25 16:40:14 UTC
Date: Tue, 24 Aug 2004 12:17:53 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] New gaim issues
Parts/Attachments:
   1 Shown     12 lines  Text
   2   OK     106 lines  Text
   3   OK     331 lines  Text
----------------------------------------

There are some new Gaim security issues which are to be fixed in their 0.82
release.  The 0.82 release is supposed to be out on Thursday 20040826.


These fixes are in their CVS, but upstream would prefer no one point that
out until Thursday.  I'm attaching the 0.81->0.82 patch which covers these
issues along with a short summary of the problems.

I'll post the CVE id's when I have them.
Comment 1 Sebastian Krahmer 2004-08-25 16:40:14 UTC
...
Comment 2 Sebastian Krahmer 2004-08-25 16:41:25 UTC
Created attachment 22895 [details]
vulnerability description

The first thing has already been fixed by our last updates.
Comment 3 Sebastian Krahmer 2004-08-25 16:42:12 UTC
Created attachment 22896 [details]
the patch. The MSN things, again, are already fixed by us

...
Comment 4 Holger Hetterich 2004-08-25 17:17:40 UTC
on my todo list... 
 
Comment 5 Ludwig Nussel 2004-08-25 19:46:18 UTC
Created attachment 22899 [details]
patch for 0.59 (8.1)

Only contains the hunks for url_decode and the hostname thing. The other stuff
does not seem to be present in this version. Additionally avoids a possible
buffer overflow in url_encode.
Comment 6 Ludwig Nussel 2004-08-25 20:39:28 UTC
Created attachment 22900 [details]
patch for 0.67 (9.0)

Additionally contains the html content-length fix and the shell quoting fix.
Comment 7 Holger Hetterich 2004-08-25 20:48:35 UTC
many thanks, Ludwig, I am readying the packages... 
Comment 8 Ludwig Nussel 2004-08-25 21:11:00 UTC
Created attachment 22902 [details]
patch for 0.75 (9.1)
Comment 9 Holger Hetterich 2004-08-25 21:23:52 UTC
It would be nice if some Bug Identifier Number or some other reference were
available for the patchinfo description.
Comment 10 Ludwig Nussel 2004-08-25 21:30:04 UTC
Created attachment 22904 [details]
patch for 0.81 with only url_decode and url_encode fixed
Comment 11 Holger Hetterich 2004-08-25 22:45:34 UTC
The packages are ready. I think SUSE security fixes should come out with
references and Bug Identifiers.
 
> I'll post the CVE id's when I have them. 
 
So I'll wait until tomorrow with the patchinfo descriptions 
Comment 12 Holger Hetterich 2004-08-31 22:13:17 UTC
Any news on the bug identifiers?
 
Comment 13 Ludwig Nussel 2004-08-31 22:24:15 UTC
Oh. Here we go: 
 
> * An integer overflow in the groupware message handler exists in Gaim. 
 
CAN-2004-0754 
 
> * A shell escape vulnerability in the handling of smiley theme tarball 
> filenames could lead to arbitrary command execution. 
 
CAN-2004-0784 
 
> * Buffer overflows in Gaim could lead to a denial of service or arbitrary 
> code execution. 
 
CAN-2004-0785 
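The CAN-2004-0784 entry above names a shell escape in the handling of smiley theme tarball filenames, and the 0.67 and 0.75 patches in this bug carry "the shell quoting fix" for it. The following is an added example, not Gaim's code and not any of the attached patches: it shows the general pattern behind that bug class, a tarball path spliced into a command string that is handed to the shell, next to two ways of closing it, strict single-quoting and bypassing the shell with an argv for execvp(). The "tar -xzf" command line and the hostile filename are constructed for the example; the exact command Gaim ran is not on this page.

```c
/*
 * Added example (not Gaim's code): the class of bug CAN-2004-0784 names.
 * A theme is installed by handing its tarball path to an external "tar"
 * through the shell. If the path is spliced into the command line
 * unquoted, shell metacharacters in the filename become commands. Two
 * fixes are shown: strict single-quoting, and skipping the shell entirely
 * by building an argv for execvp(). The filenames below are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern: the filename lands in a string that goes to system()/popen(). */
static char *unsafe_tar_command(const char *path)
{
    size_t n = strlen("tar -xzf ") + strlen(path) + 1;
    char *cmd = malloc(n);
    if (!cmd) return NULL;
    snprintf(cmd, n, "tar -xzf %s", path);
    return cmd;
}

/* Single-quote a string for /bin/sh: wrap it in '...' and turn each embedded
   ' into '\'' (close quote, escaped quote, reopen). Inside single quotes no
   other character is special to the shell. Caller frees the result. */
static char *shell_quote(const char *s)
{
    size_t i, j = 0, n = 3;                /* opening ', closing ', NUL */
    for (i = 0; s[i]; i++)
        n += (s[i] == '\'') ? 4 : 1;       /* '\'' is four bytes */
    char *q = malloc(n);
    if (!q) return NULL;
    q[j++] = '\'';
    for (i = 0; s[i]; i++) {
        if (s[i] == '\'') {
            memcpy(q + j, "'\\''", 4);
            j += 4;
        } else {
            q[j++] = s[i];
        }
    }
    q[j++] = '\'';
    q[j] = '\0';
    return q;
}

/* Fix 1: quote the filename before it reaches the shell. */
static char *quoted_tar_command(const char *path)
{
    char *q = shell_quote(path);
    if (!q) return NULL;
    size_t n = strlen("tar -xzf ") + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "tar -xzf %s", q);
    free(q);
    return cmd;
}

/* Fix 2 (preferred): no shell at all. Build an argv for execvp(); each
   element is one argument, so nothing in 'path' is ever parsed. The caller
   would fork(), execvp(argv[0], argv) in the child, and waitpid(). */
static char **tar_argv(const char *path)
{
    char **argv = calloc(4, sizeof *argv);
    if (!argv) return NULL;
    argv[0] = "tar";
    argv[1] = "-xzf";
    argv[2] = (char *)path;
    argv[3] = NULL;
    return argv;
}

int main(void)
{
    const char *hostile = "theme.tgz';id;'";   /* constructed hostile filename */
    char *bad = unsafe_tar_command(hostile);
    char *good = quoted_tar_command(hostile);
    char **argv = tar_argv(hostile);

    printf("unsafe : %s\n", bad);     /* a shell would run "id" here */
    printf("quoted : %s\n", good);    /* one argument, apostrophes and all */
    printf("argv[2]: %s\n", argv[2]); /* never touches a shell */

    free(bad); free(good); free(argv);
    return 0;
}
```

The quoting fix is what a minimal backport looks like when the shell invocation has to stay; the argv form is the one to prefer in new code, because it removes the parser that made the filename dangerous instead of trying to satisfy it.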
Comment 14 Holger Hetterich 2004-08-31 22:52:53 UTC
patchinfo for the boxes: 
 
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64 
PACKAGE: gaim 
PACKAGER: hhetter@suse.de 
BUGZILLA: 44196 
CATEGORY: security 
DESCRIPTION: 
This security update fixes three security issues which are registered as: 
 
CAN-2004-0754 
An integer overflow in the groupware message handler exists in Gaim.     
 
CAN-2004-0784 
A shell escape vulnerability in the handling of smiley theme tarball     
filenames could lead to arbitrary command execution.   
 
CAN-2004-0785 
Buffer overflows in Gaim could lead to a denial of service or arbitrary     
code execution.   
DESCRIPTION_DE: 
This security update fixes three security vulnerabilities, which are registered 
as: 
 
CAN-2004-0754 
An integer overflow in the groupware message handler of Gaim. 
 
CAN-2004-0784 
A vulnerability in the handling of the filenames of theme tarballs 
could be exploited to execute arbitrary commands. 
 
CAN-2004-0785 
A buffer overflow in Gaim could be exploited for a denial of service attack 
or to execute arbitrary commands. 
 
 
Comment 15 Holger Hetterich 2004-08-31 23:13:59 UTC
submitted packages for 8.1,8.2,9.0,9.1 and patchinfo for the boxes 
 
Comment 16 Ludwig Nussel 2004-08-31 23:28:06 UTC
What about SLEC? Didn't we already have a gaim update? So the old fixes need 
to be included. Give me write access or move the file away, I'll take care of 
the patchinfos then. 
Comment 17 Holger Hetterich 2004-08-31 23:30:41 UTC
The SLEC gaim is the 8.1 gaim. I already submitted a patchinfo for SLEC. So all 
is right. 
Comment 20 Marcus Meissner 2004-09-22 17:22:31 UTC
No, we wait until QA gets there. Otherwise resource problems will not become 
visible. 
Comment 21 Marcus Meissner 2004-09-24 21:07:02 UTC
Updates released.
Comment 22 Marcus Meissner 2005-11-30 09:20:24 UTC
There was a new CVE-2004-2589, text:

"Gaim before 0.82 allows remote servers to cause a denial of service (application crash) via a long HTTP Content-Length header, which causes Gaim to abort when attempting to allocate memory."

I think we fixed it at that time in gaim-secfix-08-25.dif
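The CVE text quoted in this comment describes the failure mode precisely: the client believes the server's Content-Length, asks the allocator for that many bytes, and the allocation failure aborts the whole process. The block below is an added example, not Gaim's code and not the contents of gaim-secfix-08-25.dif: it puts a naive length parser beside a hardened one that rejects non-numeric, overflowing or oversized values before any allocation happens. The header samples, the 4 MiB cap and the helper names are constructed for the example.

```c
/*
 * Added example (not Gaim's code): the failure mode CVE-2004-2589 describes.
 * A remote server sends "Content-Length: 99999999999"; a client that trusts
 * the header asks the allocator for that much, and if the allocator aborts
 * on failure (GLib's g_malloc() does) the whole client dies. The hardened
 * parser bounds the value before any memory is requested. Header samples
 * below are constructed.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Largest HTTP body this client is willing to buffer (assumed policy). */
#define MAX_BODY_LEN (4 * 1024 * 1024)

/* Constructed samples: a hostile response and a benign one. */
static const char HOSTILE_HDRS[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 99999999999\r\n"
    "\r\n";
static const char BENIGN_HDRS[] =
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 42\r\n"
    "\r\n";

/* Return a pointer to the Content-Length value in a header block, or NULL.
   Only matches at the start of a line, case-insensitively. */
static const char *find_content_length(const char *hdrs)
{
    const char *p = hdrs;
    while (p && *p) {
        if (strncasecmp(p, "Content-Length:", 15) == 0) {
            p += 15;
            while (*p == ' ' || *p == '\t') p++;
            return p;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Vulnerable pattern: whatever the header says is what gets allocated. */
static unsigned long long naive_content_length(const char *hdrs)
{
    const char *v = find_content_length(hdrs);
    return v ? strtoull(v, NULL, 10) : 0;
}

/* Hardened: strict decimal parse, overflow check, trailing-junk check, and a
   hard cap. Returns 0 and writes *out on success, -1 on rejection. */
static int safe_content_length(const char *hdrs, size_t *out)
{
    const char *v = find_content_length(hdrs);
    char *end;
    unsigned long long n;

    if (!v || !isdigit((unsigned char)*v))
        return -1;                          /* absent, or not a plain number */
    errno = 0;
    n = strtoull(v, &end, 10);
    if (errno == ERANGE)
        return -1;                          /* does not even fit an integer */
    if (*end != '\r' && *end != '\n' && *end != '\0')
        return -1;                          /* trailing junk such as "12abc" */
    if (n > MAX_BODY_LEN)
        return -1;                          /* more than we will ever buffer */
    *out = (size_t)n;
    return 0;
}

/* Convenience wrapper: -1 if rejected, otherwise the accepted length. */
static long long checked_content_length(const char *hdrs)
{
    size_t n;
    return safe_content_length(hdrs, &n) == 0 ? (long long)n : -1;
}

/* Allocate the body buffer only after the length passed every check, and
   report failure to the caller instead of aborting the client. */
static char *alloc_body(const char *hdrs, size_t *len)
{
    if (safe_content_length(hdrs, len) != 0)
        return NULL;
    return calloc(*len + 1, 1);
}

int main(void)
{
    size_t len;
    printf("naive length from hostile header: %llu\n",
           naive_content_length(HOSTILE_HDRS));
    printf("hardened parse of hostile header: %lld\n",
           checked_content_length(HOSTILE_HDRS));
    char *body = alloc_body(BENIGN_HDRS, &len);
    printf("benign header: %zu bytes %s\n", len, body ? "allocated" : "rejected");
    free(body);
    return 0;
}
```

The cap is the part that actually closes the denial of service; the overflow and trailing-junk checks are cheap and catch the related misparses (a negative or wrapped value ending up as a huge size_t) that tend to sit next to this bug.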
Comment 23 Marcus Meissner 2005-11-30 14:31:30 UTC
Make more open.
Comment 24 Stanislav Brabec 2005-11-30 15:08:17 UTC
In June 2005 I went through all issues from http://gaim.sourceforge.net/security/ and fixed missing ones. So I think this one should be fixed, too.

It seems to be http://gaim.sourceforge.net/security/?id=6 and is fixed by gaim-secfix-08-25.dif for 9.0 and 9.1. SLES8 seems to be too old and does not contain this code; SLES9 and later are too new and have this bug fixed.
Comment 25 Marcus Meissner 2005-11-30 16:03:39 UTC
So we either have the fix in, or it is not necessary, for all of the products,
and can leave this bug closed?
Comment 26 Stanislav Brabec 2005-11-30 17:03:28 UTC
I think that yes. This bug has no CVE in http://gaim.sourceforge.net/security/
I did not find related code in version 0.59 from sles8-slec.
Comment 27 Marcus Meissner 2005-12-01 21:05:49 UTC
The CVE id was assigned just now (because someone found out that there was none yet for this specific issue). So it was not there yet.
Comment 28 Thomas Biege 2009-10-13 19:48:28 UTC
CVE-2004-2589: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)