Bugzilla – Bug 90337
VUL-0: CVE-2005-1934: another gaim DoS
Last modified: 2021-10-12 13:35:37 UTC
We received the following report via vendor-sec. The issue is public.

Date: Thu, 9 Jun 2005 15:05:56 -0400
From: Josh Bressers <bressers@redhat.com>
To: vendor-sec@lst.de
Subject: [vendor-sec] Another gaim crasher

There is another DoS in gaim (they never end).
http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235

I'm attaching the patch. I've already requested a CVE name, I'll follow up with it when I get it.

-- JB
Created attachment 38961 [details] msn_malformed_MSG_fix.patch
Candidate: CAN-2005-1934
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1934
Reference: CONFIRM:http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235

Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.
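The CVE text above names the bug class (a signed length taken from the message feeding an allocation) without showing it. The following C block is an added illustration of that class and of the check a parser should perform; it is not gaim's code and not the attached patch. The message layout "MSG <len>\r\n<body>", the MAX_BODY_LEN bound and the sample inputs are assumptions constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one message body (not a value from gaim). */
#define MAX_BODY_LEN 65536

/* Vulnerable pattern: the length stays signed, the bound check compares
 * signed values, and the later conversion to size_t turns a negative
 * length into a huge allocation request. Returns the size that would be
 * handed to malloc, or 0 if the check rejected the length. */
size_t vulnerable_body_size(int declared_len)
{
    if (declared_len > MAX_BODY_LEN)   /* -1 > 65536 is false: passes */
        return 0;
    return (size_t)declared_len;       /* (size_t)-1 == SIZE_MAX */
}

/* Hardened parser for the assumed "MSG <len>\r\n<body>" layout: accept only
 * decimal digits, reject a length outside [0, MAX_BODY_LEN], and reject a
 * length larger than the bytes actually received. Returns 1 and sets
 * *body / *body_len on success, 0 on any malformed input. */
int parse_msg(const char *buf, size_t buf_len, const char **body, size_t *body_len)
{
    const char prefix[] = "MSG ";
    const size_t prefix_len = sizeof(prefix) - 1;
    if (buf_len < prefix_len || memcmp(buf, prefix, prefix_len) != 0)
        return 0;

    /* locate the CRLF that ends the header line */
    const char *eol = memchr(buf, '\r', buf_len);
    if (eol == NULL || (size_t)(eol - buf) + 2 > buf_len || eol[1] != '\n')
        return 0;

    /* copy the length field so strtol sees a terminated string */
    char hdr[32];
    size_t hdr_len = (size_t)(eol - buf) - prefix_len;
    if (hdr_len == 0 || hdr_len >= sizeof(hdr))
        return 0;
    memcpy(hdr, buf + prefix_len, hdr_len);
    hdr[hdr_len] = '\0';

    /* digits only: strtol alone would silently accept "-1" or " +5" */
    for (size_t i = 0; i < hdr_len; i++)
        if (hdr[i] < '0' || hdr[i] > '9')
            return 0;

    errno = 0;
    long len = strtol(hdr, NULL, 10);
    if (errno != 0 || len < 0 || len > MAX_BODY_LEN)
        return 0;

    size_t body_off = (size_t)(eol - buf) + 2;
    if ((size_t)len > buf_len - body_off)   /* declared length exceeds data */
        return 0;

    *body = buf + body_off;
    *body_len = (size_t)len;
    return 1;
}

/* Constructed sample inputs (not captured traffic). */
static const char GOOD_MSG[] = "MSG 5\r\nhello";
static const char NEG_MSG[]  = "MSG -1\r\nhello";
static const char HUGE_MSG[] = "MSG 99999999\r\nhello";
```

The point of the second function is that the length check happens on a value whose sign is still visible, and that the accepted length is additionally tied to the bytes that actually arrived, so neither a negative nor an inflated length can reach the allocator.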
Fixing altogether with bug 87377 and bug 66609. Fixed for 9.3, now backporting and checking older issues. Please note that for some patches there is no official patch, so I have to dig it from CVS and guess. Packages need intensive testing!

9.3 issues fixed:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934). http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269). http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262). http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967). http://gaim.sourceforge.net/security/?id=15 (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (3 of 4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
Sometimes it helps to just ask upstream for patches or look into other distros' packages.
It seems that other distros do version update for most of these issues. (I have been searching for patches, but not seen anywhere.)
SLES9-SLD-BETA fixed issues:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934). http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269). http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262). http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967). http://gaim.sourceforge.net/security/?id=15 (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (3 of 4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13

SLES9-SLD fixed issues:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934). http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269). http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262). http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967). http://gaim.sourceforge.net/security/?id=15 (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208). http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473). http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

For older products, there are still at least 4 older issues not included. Newer issues have to be ported.
If backporting patches is too hard we can consider version upgrades too, but in general we want to avoid them.
9.2:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934). http://gaim.sourceforge.net/security/?id=19
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269). http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262). http://gaim.sourceforge.net/security/?id=17
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967). http://gaim.sourceforge.net/security/?id=15 (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208). http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473). http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

9.1:
- Fixed Yahoo DoS by specially named file (#87377, CAN-2005-1269). http://gaim.sourceforge.net/security/?id=18
- Fixed MSN DoS by SLP with an empty body (#66609, CAN-2005-1262). http://gaim.sourceforge.net/security/?id=17
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed HTML DoS (#66609, CAN-2005-0208). http://gaim.sourceforge.net/security/?id=12
- Fixed malformed HTML DoS (#66609, CAN-2005-0473). http://gaim.sourceforge.net/security/?id=11
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

9.0:
- Fixed MSN DoS using malformed message (#90337, CAN-2005-1934). http://gaim.sourceforge.net/security/?id=19
- Fixed Jabber invalid transfer request DoS (#66609, CAN-2005-0967). http://gaim.sourceforge.net/security/?id=15 (updated 2005/04/28 to fix of another Jabber crash)
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10
SM-Tracker-1578
Fix - 9.0 is only:
- Fixed IRC DoS arbitrary markup injection (#66609, CAN-2005-0966). http://gaim.sourceforge.net/security/?id=14 (4 patches)
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

8.2:
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

sles8-slec:
- Fixed malformed HTML DoS (#66609, CAN-2005-0965). http://gaim.sourceforge.net/security/?id=13
- Fixed malformed SNAC packet AIM/ICQ DoS (#66609, CAN-2005-0472). http://gaim.sourceforge.net/security/?id=10

Completed... Please note that I am very unsure about the backporting of gaim_markup_strip_html.patch and other HTML patches for the old version (the old version is probably unaffected, because it expects only 8 characters in an IRC nick). Packages need testing to verify that the patch backports are correct. See URLs in changelog for features to test. Reassigning to security team.
Thanks!
Please advise on how to test the fix, especially the fix to the DoS.
If we don't have a test-case we have to skip it.
approved
CVE-2005-1934: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)