
Gaim: Denial of Service and buffer overflow vulnerabilities


1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference: GLSA 200505-09 / gaim
Release Date: May 12, 2005
Latest Revision: May 12, 2005: 01
Impact: high
Exploitable: remote

Package: net-im/gaim
Vulnerable versions: < 1.3.0
Unaffected versions: >= 1.3.0
Architecture(s): All supported architectures

Related bugreports: #91862

Synopsis

Gaim contains two vulnerabilities, potentially resulting in the execution of arbitrary code or Denial of Service.

2.  Impact Information

Background

Gaim is a full-featured instant messaging client which handles a variety of instant messaging protocols.

Description

Stu Tomlinson discovered that Gaim is vulnerable to a remote stack-based buffer overflow when receiving messages in certain protocols, like Jabber and SILC, with a very long URL (CAN-2005-1261). Siebe Tolsma discovered that Gaim is also vulnerable to a remote Denial of Service attack when receiving a specially crafted MSN message (CAN-2005-1262).

Impact

A remote attacker could cause a buffer overflow by sending an instant message with a very long URL, potentially leading to the execution of malicious code. By sending an SLP message with an empty body, a remote attacker could cause a Denial of Service or crash of the Gaim client.

3.  Resolution Information

Workaround

There are no known workarounds at this time.

Resolution

All Gaim users should upgrade to the latest version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/gaim-1.3.0"
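
To confirm that a host no longer carries a vulnerable build after the upgrade, the following check compares installed net-im/gaim versions against the advisory's fixed version. It is an added example, not part of the original advisory; the function names are hypothetical, and it assumes Portage's installed-package database at /var/db/pkg and purely numeric dotted version components.

```shell
#!/bin/sh
# Added example: flag installed net-im/gaim versions in the vulnerable range.
FIXED=1.3.0   # first unaffected version, taken from the advisory

# gaim_is_vulnerable VERSION: succeed (exit 0) if VERSION is below $FIXED.
gaim_is_vulnerable() {
    v=${1%-r[0-9]*}          # drop a Gentoo revision suffix such as -r1
    pre=0
    case $v in               # pre-release suffixes sort below the base version
        *_alpha*|*_beta*|*_pre*|*_rc*) pre=1 ;;
    esac
    v=${v%%_*}               # drop any _suffix, leaving dotted numbers
    f=$FIXED
    while [ -n "$v" ] || [ -n "$f" ]; do
        a=${v%%.*}; b=${f%%.*}
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        case $v in *.*) v=${v#*.} ;; *) v= ;; esac
        case $f in *.*) f=${f#*.} ;; *) f= ;; esac
    done
    [ "$pre" -eq 1 ]         # same base version: only a pre-release is lower
}

# check_installed [VDB]: scan the installed-package database (assumed to be
# /var/db/pkg unless a path is given) and return 1 if any build is vulnerable.
check_installed() {
    vdb=${1:-/var/db/pkg}
    rc=0
    # gaim-[0-9]* matches gaim itself, not packages such as gaim-<plugin>.
    for d in "$vdb"/net-im/gaim-[0-9]*; do
        [ -d "$d" ] || continue
        ver=${d##*/gaim-}
        if gaim_is_vulnerable "$ver"; then
            echo "VULNERABLE: net-im/gaim-$ver (< $FIXED)"
            rc=1
        else
            echo "ok: net-im/gaim-$ver"
        fi
    done
    return $rc
}

check_installed || echo "Upgrade net-im/gaim to >= $FIXED"
```

A running Gaim process keeps using the old binary until it is restarted, so restart the client after upgrading.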

4.  References




Page updated May 12, 2005

Summary: This is a Gentoo Linux Security Advisory


Copyright 2001-2014 Gentoo Foundation, Inc.