1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200401-04 / GAIM |
| Release Date | January 26, 2004 |
| Latest Revision | January 26, 2004: 01 |
| Impact | normal |
| Exploitable | man-in-the-middle |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-im/gaim | < 0.75-r7 | >= 0.75-r7 | All supported architectures |
Related bugreports: #39470
Various overflows in the handling of AIM DirectIM packets was revealed in GAIM that could lead to a remote compromise of the IM client.
Gaim is a multi-platform and multi-protocol instant messaging client. It is compatible with AIM , ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, and the Zephyr networks.
Yahoo changed the authentication methods to their IM servers, rendering GAIM useless. The GAIM team released a rushed release solving this issue, however, at the same time a code audit revealed 12 new vulnerabilities.
Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between the client and the server. But the underlying protocols are easy to implement and attacking ordinary TCP sessions is a fairly simple task. As a result, all users are advised to upgrade their GAIM installation.
There is no immediate workaround; a software upgrade is required.
All users are recommended to upgrade GAIM to 0.75-r7.
Code Listing 3.1: Resolution |
$> emerge sync $> emerge -pv ">=net-im/gaim-0.75-r7" $> emerge ">=net-im/gaim-0.75-r7" |