Bugzilla – Bug 66609
VUL-0: CVE-2005-0208: gaim: crash gaim remotely by using special filenames for uploading and MORE
Last modified: 2021-09-27 08:56:41 UTC
Hi, this little bug was reported to full-disclosure. STABLE-only fix will suffice. Thanks!

Date: Thu, 24 Feb 2005 17:02:07 -0500
To: full-disclosure@lists.netsys.com
From: Randall Perry <lists@domain-logic.com>
Subject: [Full-Disclosure] GAIM exploit
Errors-To: full-disclosure-bounces@lists.netsys.com

Platform: Windows (tested only on XP and 2000, might impact others)
Application: GAIM v1.1.3
Synopsis: Cause remote crash of GAIM client.

Scenario: By sending a file to another GAIM user, you can cause their GAIM client to crash and completely close GAIM down. Simply send a file to someone with parentheses in it, and it will crash when they accept the download (the download does not even begin, it just crashes).

Example: a filename of gaim1.1(windows).exe will cause it to crash.

I am still playing with the debug version of GAIM, and having just run through GTK updates to 2.4 I do not have time to digest and post those. So far, it looks like it has to do with libglib-2.0-0.dll. I am following up with a post to GAIM developers with a complete report.

http://www.domain-logic.com/
From: Martin Pitt <martin.pitt@canonical.com>
To: Vendor Security <vendor-sec@lst.de>
Mail-Followup-To: Vendor Security <vendor-sec@lst.de>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(]
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 25 Feb 2005 12:09:25 +0100

[-- PGP output follows (current time: Fri 25 Feb 2005 12:55:48 CET) --]
gpg: Signature made Fri 25 Feb 2005 12:09:25 CET, DSA key ID 5E0577F2
gpg: Can't check signature: public key not found
[-- End of PGP output --]

[-- The following data is signed --]

Hi!

FYI, from the GAIM packagers' list (which is private). In addition to the recently fixed malformed HTML (CAN-2005-0473) and AIM/ICQ remote DoS (CAN-2005-0472) there are two more vulnerabilities, see below. Probably these are published by doing a new release 1.1.4 over the weekend.

I think these need new CAN numbers, can somebody please assign some?

Thanks and have a nice day!

Martin

----- Forwarded message from Sebastien Bacher <sebastien.bacher@canonical.com> -----

Subject: [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(]
From: Sebastien Bacher <sebastien.bacher@canonical.com>
To: Martin Pitt <martin.pitt@canonical.com>
Date: Fri, 25 Feb 2005 11:57:54 +0100
X-Spam-Status: No, score=0.0 required=4.0 tests=none autolearn=no version=3.0.2
Content-Description: Forwarded message - [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(

From: Stu Tomlinson <stu@nosnilmot.com>
To: gaim-packagers@lists.sourceforge.net
Subject: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(
Date: Tue, 22 Feb 2005 13:12:45 -0500
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham version=3.0.2

There was one more security issue discovered in Gaim 1.1.3:

An additional HTML parsing bug similar to the one already fixed in 1.1.3
http://gaim.sourceforge.net/security/?id=11

This is fixed in the attached gaim-1.1.3-html-parse-fix.patch

Does this need a new CVE number? It is identical to the issue covered by CAN-2005-0473.

There are also some MSN crashes in 1.1.3 if a conversation uses multiple switchboard server sessions; this was highlighted by bugs which make the use of multiple switchboard sessions much more likely in Gaim 1.1.3. These problems are fixed in the attached gaim-1.1.3-msn-fixes.patch

Regards,
Stu.

Index: src/protocols/msn/msn.c [attached]
Created attachment 28865 [details] gaim-fixes.diff
From: Josh Bressers <bressers@redhat.com>
To: Vendor Security <vendor-sec@lst.de>
Subject: Re: [vendor-sec] [Fwd: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(]
User-Agent: Mutt/1.4.1i
Errors-To: vendor-sec-admin@lst.de
Date: Fri, 25 Feb 2005 06:50:44 -0500

On Fri, Feb 25, 2005 at 12:09:25PM +0100, Martin Pitt wrote:
> Content-Description: Forwarded message - [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(
> From: Stu Tomlinson <stu@nosnilmot.com>
> To: gaim-packagers@lists.sourceforge.net
> Subject: [Gaim-packagers] One more security issue in Gaim 1.1.3 :-(
> Date: Tue, 22 Feb 2005 13:12:45 -0500
> X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00 autolearn=ham
> version=3.0.2
>
> There was one more security issue discovered in Gaim 1.1.3:
>
> An additional HTML parsing bug similar to the one already fixed in 1.1.3
> http://gaim.sourceforge.net/security/?id=11
>
> This is fixed in the attached gaim-1.1.3-html-parse-fix.patch
>
> Does this need a new CVE number? it is identical to the issue covered by
> CAN-2005-0473

This issue has already been given the name CAN-2005-0208.

-- 
JB
hello?
emerge from security internal ... otherwise the individual gnome maintainers cannot read it.
Any news here? Red Hat issued an advisory which also fixes:
CAN-2005-0967 - bug in the Jabber protocol plugin
CAN-2005-0965 - bug in gaim_markup_strip_html
CAN-2005-0966 - bug in the IRC protocol plugin
STABLE has gaim-1.1.4, SuSE Linux 9.3 has gaim-1.1.4, NLD has gaim-1.0.3, SuSE Linux 9.2 has gaim-0.82.1. Are any of these versions affected by any of these bugs?
You'll have to check the code to find out :-) Anyways, there is yet another DoS (CAN-2005-1262): http://gaim.sourceforge.net/security/?id=17
Maybe we should check all of them, if not yet done: http://gaim.sourceforge.net/security/
if we are affected ... include those fixes too if possible
Fixing known issues altogether with bug 90337 (and bug 87377). Please note that for some issues there is no official patch, so I have to dig it from CVS and guess.
Fixed. For security tracking, follow the bug 90337.