Bug 48991 - (CVE-2004-0007) VUL-0: CVE-2004-0007: gaim: 12 buffer overflows
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: All Linux
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Thomas Biege
Security Team bot
Reported: 2004-01-16 18:03 UTC by Thomas Biege
Modified: 2021-09-29 14:55 UTC (History)

Attachments
email by stefan esser (18.33 KB, text/plain) - 2004-01-16 18:05 UTC, Thomas Biege
gaim.patch (10.26 KB, patch) - 2004-01-23 21:19 UTC, Thomas Biege
patchinfo-box.gaim (462 bytes, text/plain) - 2004-01-23 21:48 UTC, Thomas Biege
patchinfo.gaim (349 bytes, text/plain) - 2004-01-23 21:49 UTC, Thomas Biege

Description Thomas Biege 2004-01-16 18:03:38 UTC
Hi Mads.
Stefan Esser will release an advisory about several
security vulnerabilities in gaim.
I'll attach his original email ASAP.
Comment 2 Thomas Biege 2004-01-16 18:05:37 UTC
Created attachment 15668 [details]
email by stefan esser

There is no patch included but a detailed description of the bugs.
Comment 3 Thomas Biege 2004-01-16 18:09:41 UTC
0.76 will include all fixes. Some fixes are already in their CVS. 
Comment 4 Thomas Biege 2004-01-22 00:24:21 UTC
Hi Mads,
please ask Chris (???) about a version upgrade for all affected gaim
versions. Thank you.
Comment 5 Mads Martin Joergensen 2004-01-22 16:51:15 UTC
Yes, if it's that simple, which I doubt.

I checked their CVS, and I cannot see the fixes yet, and they still
haven't released 0.76 yet.

I'm monitoring it though.
Comment 6 Mads Martin Joergensen 2004-01-22 18:34:07 UTC
First off, I want to say a version upgrade is not a possibility.

Second I've sat down and looked through the items, here's the deal:

Last shipped version we have is gaim-0.67 which is fairly old.
I could only find 3 of the holes mentioned, but they're present in all versions
all the way back to 0.50 which we shipped in 8.0.

What I need from you (the security responsible person) now, is that you
double-check that I'm right, since it's possible I missed a bit. It's, as you
said, really well described in the mail from S. Esser, so no big deal.

~mmj/gaim has all the trees, with the patch (gaim-%version-secfix.diff)

I also need a PATCHINFO.
Comment 7 Thomas Biege 2004-01-23 21:19:19 UTC
Created attachment 15738 [details]
gaim.patch

patch from freebsd
Comment 8 Thomas Biege 2004-01-23 21:48:23 UTC
Created attachment 15739 [details]
patchinfo-box.gaim
Comment 9 Thomas Biege 2004-01-23 21:49:35 UTC
Created attachment 15740 [details]
patchinfo.gaim
Comment 10 Thomas Biege 2004-01-26 18:04:58 UTC
patches look ok 
Comment 11 Mads Martin Joergensen 2004-01-26 18:07:41 UTC
Good, do you have a PATCHINFO file?
Comment 12 Mads Martin Joergensen 2004-01-26 21:25:23 UTC
I wrote one. Submitted for 8.0 -> 9.0 and patchinfo in /work/src/done/PATCHINFO
Comment 13 Thomas Biege 2004-01-27 15:38:43 UTC
Reopened by thomas@suse.de at Tue Jan 27 08:38:43 2004
Comment 14 Thomas Biege 2004-01-27 15:38:43 UTC
the patchinfos were in comment #8 and #9. 
 
reopened and reassigned for tracking 
Comment 15 Mads Martin Joergensen 2004-01-27 18:55:39 UTC
Ah, feel free to change the one I made. The packages were checked in the
respective distributions already.
Comment 16 Thomas Biege 2004-01-28 16:20:49 UTC
Hi Mads,
one patch from Stefan Esser was wrong.
So, Harald will reject the current packages and we need new ones.

Here is his mail:
Date: Tue, 27 Jan 2004 19:51:58 +0100 
From: Stefan Esser <s.esser@e-matters.de> 
To: vendor-sec@lst.de 
Cc: gaim@marko.net, lowhalo@hush.com 
Subject: [vendor-sec] Problem with GAIM-Patch 
 
Hi, 
 
I was just contacted by a person that was confused by the Gaim patches.
And he was right to be confused: the patch is broken.
 
This will result in gaim crashing on bad yahoo packets. 
 
                while (pos + 1 < len) { 
                        if (data[pos] == 0xc0 && data[pos + 1] == 0x80) 
                                break; 
+                       if (x >= sizeof(key)-1) { 
+                               x++; 
+                               continue; 
+                       } 
                        key[x++] = data[pos++]; 
                } 
+               if (x >= sizeof(key)-1) { 
+                       x = 0; 
+               } 
                key[x] = 0; 
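Review bot: the overflow branch `if (x >= sizeof(key)-1) { x++; continue; }` advances x but never pos, so once the key buffer is full the loop re-examines the same data[pos] on every iteration and the `while (pos + 1 < len)` condition can never become false; either add `pos++` before the `continue`, or drop the byte without touching x and advance pos unconditionally. Separately, the post-loop `if (x >= sizeof(key)-1) { x = 0; }` quietly turns an oversized key into an empty string, so a malformed packet is parsed as if it had a valid empty key rather than being rejected.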
 
this code lacks a pos++; after the x++; before the continue. This will
result in a very long loop and then a crash. (I suppose that the
comparison is done signed, otherwise it will only loop and loop
until x overflows and then start overwriting key from the beginning)

Basically I do not know why the patch was broken, because the version
of 0.75 I have here is okay. Must have been a problem in the diff
against the CVS.
 
Stefan 
Comment 17 Mads Martin Joergensen 2004-01-28 19:29:49 UTC
Are you sure our package is wrong, Thomas? I took what the gaim people have in their
CVS.
Comment 18 Thomas Biege 2004-01-28 20:50:58 UTC
I looked at the source and the patch seems wrong.

It parses the packet and copies a byte from data[pos] to key[x].
When the code skips the loop it increments x but not the pos
index variable, so we get out of sync.
 
Comment 19 Mads Martin Joergensen 2004-01-28 20:58:10 UTC
Agreed. But then we should wait for the gaim people to fix it correctly.
Comment 20 Thomas Biege 2004-01-28 21:19:01 UTC
No, we can't wait. 
Their response to these bugs is not very positive and every other vendor 
already released new packages. 
We should hurry up to release ours too. The advisory is ready, we just need 
the packages. 
Just try: 
+                       if (x >= sizeof(key)-1) { 
+                               x++;pos++; 
+                               continue; 
+                       } 
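Review bot: `x++;pos++;` puts two statements on one line, which hides the fact that x is still incremented for every dropped byte; since the branch is only entered when x is already >= sizeof(key)-1, and the post-loop `if (x >= sizeof(key)-1) { x = 0; }` needs nothing more than that, a plain `pos++; continue;` would keep the scan in sync without letting x grow unbounded on long packets.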
in the patch to avoid adjusting the line-numbers of the old diff file 
or making new diff files from the source. 
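The two loop variants discussed in comments 16 to 20, written out as an added example (not code from gaim, the FreeBSD patch or this bug); the buffer size and the sample record are constructed, and `parse_key` drops overflowing bytes while always advancing `pos`, whereas `broken_loop_iterations` models the patched loop's stuck state with an iteration cap instead of an actual buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Parse one key field from a Yahoo-style record: bytes are copied into key
 * until the 0xC0 0x80 separator. Bytes that do not fit are dropped, but pos
 * still advances, so the scan always terminates. Returns the number of bytes
 * consumed (index of the separator, or the last scanned position); *truncated
 * reports whether the field was cut. key is always NUL-terminated. */
size_t parse_key(const uint8_t *data, size_t len, char *key, size_t key_size,
                 int *truncated)
{
    size_t pos = 0, x = 0;
    *truncated = 0;
    while (pos + 1 < len) {
        if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
            break;
        if (x < key_size - 1)
            key[x++] = (char)data[pos];
        else
            *truncated = 1;   /* out of room: drop the byte instead of writing past key */
        pos++;                /* advance regardless, unlike the broken patch */
    }
    key[x] = '\0';
    return pos;
}

/* Model of the loop in the broken patch: on overflow it does x++ and
 * continue without pos++. Runs at most max_iter iterations and returns how
 * many it used; reaching max_iter means pos stopped advancing. */
size_t broken_loop_iterations(const uint8_t *data, size_t len, size_t key_size,
                              size_t max_iter)
{
    size_t pos = 0, x = 0, iter = 0;
    while (pos + 1 < len && iter < max_iter) {
        iter++;
        if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
            break;
        if (x >= key_size - 1) {
            x++;          /* x grows, pos does not: the same byte is examined forever */
            continue;
        }
        x++; pos++;       /* stands in for key[x++] = data[pos++]; no buffer needed here */
    }
    return iter;
}

/* Constructed sample record: "hello", the 0xC0 0x80 separator, then a value. */
static const uint8_t sample[] = { 'h','e','l','l','o', 0xc0, 0x80, 'v','a','l' };
static const size_t sample_len = sizeof sample;
```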
Comment 21 Mads Martin Joergensen 2004-01-28 21:26:27 UTC
Ok, I did this and submitted for 8.0 -> 9.0.

You take care of the patchinfos this time, please.
Comment 22 Mads Martin Joergensen 2004-01-29 08:23:13 UTC
Ok, I think my part is done here. Thomas, what should happen now?
Comment 23 Thomas Biege 2004-01-29 17:36:28 UTC
Thanks Mads.
 
packages approved. 
Comment 24 Marcus Meissner 2007-12-09 16:41:50 UTC
CVE-2004-0005 CVE-2004-0006 CVE-2004-0007
Comment 25 Thomas Biege 2009-10-13 19:53:10 UTC
CVE-2004-0007: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)