Bugtraq mailing list archives
[ GLSA 200508-06 ] Gaim: Remote execution of arbitrary code
From: Sune Kloppenborg Jeppesen <jaervosz () gentoo org>
Date: Mon, 15 Aug 2005 07:19:28 +0200
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200508-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Gaim: Remote execution of arbitrary code
      Date: August 15, 2005
      Bugs: #102000
        ID: 200508-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Gaim is vulnerable to a buffer overflow which could lead to the
execution of arbitrary code or to a Denial of Service.

Background
==========

Gaim is a full featured instant messaging client which handles a
variety of instant messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package            /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  net-im/gaim           < 1.5.0                            >= 1.5.0

Description
===========

Brandon Perry discovered that Gaim is vulnerable to a heap-based buffer
overflow when handling away messages (CAN-2005-2103). Furthermore,
Daniel Atallah discovered a vulnerability in the handling of file
transfers (CAN-2005-2102).

Impact
======

A remote attacker could create a specially crafted away message which,
when viewed by the target user, could lead to the execution of
arbitrary code. Also, an attacker could send a file with a non-UTF8
filename to a user, which would result in a Denial of Service.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gaim users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-im/gaim-1.5.0"

References
==========

  [ 1 ] CAN-2005-2102
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2102
  [ 2 ] CAN-2005-2103
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2103

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200508-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security () gentoo org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
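The advisory above says only that a file sent with a non-UTF-8 filename causes a Denial of Service (CAN-2005-2102); it does not describe the crash path or the upstream fix. The following C program is an added example, not Gaim's code and not part of the GLSA: it shows the kind of strict input check a client can apply to a filename received over the wire before handing it to UTF-8-only string code. `utf8_seq_len`, `filename_is_valid_utf8` and `filename_sanitize_utf8` are names chosen here; the sample filenames are constructed for the demonstration. The validator rejects truncated sequences, stray continuation bytes, overlong encodings, UTF-16 surrogates and code points above U+10FFFF, and the sanitizer replaces each offending byte with U+FFFD instead of letting it through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of the well-formed UTF-8 sequence starting at s (at most n bytes),
 * or 0 if the bytes at s do not start a valid sequence. Rejects overlong
 * forms, UTF-16 surrogates (U+D800..U+DFFF) and code points > U+10FFFF. */
static size_t utf8_seq_len(const unsigned char *s, size_t n)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    if (c < 0x80) return 1;                    /* plain ASCII */
    size_t len; uint32_t cp, min;
    if ((c & 0xE0) == 0xC0)      { len = 2; cp = c & 0x1F; min = 0x80; }
    else if ((c & 0xF0) == 0xE0) { len = 3; cp = c & 0x0F; min = 0x800; }
    else if ((c & 0xF8) == 0xF0) { len = 4; cp = c & 0x07; min = 0x10000; }
    else return 0;                             /* stray continuation or 0xF8..0xFF */
    if (n < len) return 0;                     /* sequence truncated by end of input */
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;   /* missing continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min) return 0;                    /* overlong encoding */
    if (cp >= 0xD800 && cp <= 0xDFFF) return 0;/* surrogate half */
    if (cp > 0x10FFFF) return 0;
    return len;
}

/* True if the whole NUL-terminated name is valid UTF-8. */
bool filename_is_valid_utf8(const char *name)
{
    const unsigned char *s = (const unsigned char *)name;
    size_t n = strlen(name);
    for (size_t i = 0; i < n; ) {
        size_t l = utf8_seq_len(s + i, n - i);
        if (l == 0) return false;
        i += l;
    }
    return true;
}

/* Copy name into out (capacity outsz), replacing every byte that does not
 * start a valid sequence with U+FFFD. Returns the number of replacements,
 * or -1 if out is too small for the result plus its terminator. */
int filename_sanitize_utf8(const char *name, char *out, size_t outsz)
{
    static const char repl[] = "\xEF\xBF\xBD";   /* U+FFFD, 3 bytes */
    const unsigned char *s = (const unsigned char *)name;
    size_t n = strlen(name), o = 0;
    int replaced = 0;
    for (size_t i = 0; i < n; ) {
        size_t l = utf8_seq_len(s + i, n - i);
        if (l == 0) {                            /* skip one bad byte, emit U+FFFD */
            if (o + 3 >= outsz) return -1;
            memcpy(out + o, repl, 3); o += 3; i += 1; replaced++;
        } else {
            if (o + l >= outsz) return -1;
            memcpy(out + o, s + i, l); o += l; i += l;
        }
    }
    out[o] = '\0';
    return replaced;
}

/* Helper for checking the sanitizer: true if sanitizing in yields exactly
 * expected_out with expected_replaced substitutions. */
bool sanitize_matches(const char *in, const char *expected_out, int expected_replaced)
{
    char buf[128];
    int r = filename_sanitize_utf8(in, buf, sizeof buf);
    return r == expected_replaced && strcmp(buf, expected_out) == 0;
}

int main(void)
{
    /* Constructed sample filenames, not data taken from the advisory. */
    const char *samples[] = {
        "report.txt",              /* valid ASCII */
        "caf\xC3\xA9.png",         /* valid: U+00E9 */
        "bad\xFFname.doc",         /* 0xFF is never valid in UTF-8 */
        "over\xC0\xAFlong",        /* overlong encoding of '/' */
        "trunc\xE2\x82",           /* 3-byte sequence cut short */
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = filename_sanitize_utf8(samples[i], buf, sizeof buf);
        printf("sample %zu: valid=%d replaced=%d sanitized=%s\n",
               i, filename_is_valid_utf8(samples[i]), r,
               r < 0 ? "(buffer too small)" : buf);
    }
    return 0;
}
```

The overlong case matters for filenames specifically: "\xC0\xAF" decodes to '/' under a lenient decoder, so a validator that only checks lead and continuation bit patterns would let a path separator through.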