Full Disclosure mailing list archives

[ GLSA 200401-04 ] GAIM 0.75 Remote overflows


From: Tim Yamin <plasmaroo () gentoo org>
Date: Tue, 27 Jan 2004 19:29:41 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200401-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

   Severity: Normal
      Title: GAIM 0.75 Remote overflows
       Date: January 27, 2004
       Bugs: #39470
         ID: 200401-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Various overflows in the handling of AIM DirectIM packets were revealed
in GAIM that could lead to a remote compromise of the IM client.

Background
==========

Gaim is a multi-platform and multi-protocol instant messaging client. It
is compatible with AIM, ICQ, MSN Messenger, Yahoo, IRC, Jabber,
Gadu-Gadu, and the Zephyr networks.

Description
===========

Yahoo changed the authentication methods to their IM servers, rendering
GAIM useless. The GAIM team rushed out a release to solve this issue;
however, at the same time a code audit revealed 12
vulnerabilities [ 1 ].

Impact
======

Due to the nature of instant messaging, many of these bugs require
man-in-the-middle attacks between the client and the server. However, the
underlying protocols are easy to implement and attacking ordinary TCP
sessions is a fairly simple task. As a result, all users are advised to
upgrade their GAIM installation.

[ * ] Users of GAIM 0.74 or below are affected by 7 of the
      vulnerabilities and are encouraged to upgrade.

[ * ] Users of GAIM 0.75 are affected by 11 of the vulnerabilities
      and are encouraged to upgrade to the patched version of GAIM
      offered by Gentoo.

[ * ] Users of GAIM 0.75-r6 are only affected by 4 of the
      vulnerabilities, but are still urged to upgrade to maintain
      security.

Workaround
==========

There is no immediate workaround; a software upgrade is required.

Resolution
==========

All users are recommended to upgrade GAIM to 0.75-r7.

    $> emerge sync
    $> emerge -pv ">=net-im/gaim-0.75-r7"
    $> emerge ">=net-im/gaim-0.75-r7"

References
==========

    [ 1 ] : http://www.securityfocus.com/archive/1/351235

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAFrwkMMXbAy2b2EIRAgXNAKDv5xVitt263W3Zuhbr0XbYFFn60ACdGdKO
7ltFFxnxeXHJbOmb3BkQLOM=
=shTi
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

