[Full-Disclosure] [gentoo-announce] [ GLSA 200401-04 ] GAIM 0.75 Remote overflows

From: Tim Yamin (plasmaroo_at_gentoo.org)
Date: 01/27/04

  • Next message: Jason Ellison: "[Full-Disclosure] mydoom listening ports"
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com, gentoo-core@lists.gentoo.org, gentoo-announce@lists.gentoo.org
    Date: Tue, 27 Jan 2004 19:29:41 +0000
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Gentoo Linux Security Advisory GLSA 200401-04
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ~ http://security.gentoo.org
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    ~ Severity: Normal
    ~ Title: GAIM 0.75 Remote overflows
    ~ Date: January 27, 2004
    ~ Bugs: #39470
    ~ ID: 200401-04

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Synopsis
    ========

    Various overflows in the handling of AIM DirectIM packets was revealed
    in GAIM that could lead to a remote compromise of the IM client.

    Background
    ==========

    Gaim is a multi-platform and multi-protocol instant messaging client. It
    is compatible with AIM , ICQ, MSN Messenger, Yahoo, IRC, Jabber,
    Gadu-Gadu, and the Zephyr networks.

    Description
    ===========

    Yahoo changed the authentication methods to their IM servers, rendering
    GAIM useless. The GAIM team released a rushed release solving this
    issue, however, at the same time a code audit revealed 12
    vulnerabilities [ 1 ].

    Impact
    ======

    Due to the nature of instant messaging many of these bugs require
    man-in-the-middle attacks between the client and the server. But the
    underlying protocols are easy to implement and attacking ordinary TCP
    sessions is a fairly simple task. As a result, all users are advised to
    upgrade their GAIM installation.

    [ * ] Users of GAIM 0.74 or below are affected by 7 of the
    ~ vulnerabilities and are encouraged to upgrade.

    [ * ] Users of GAIM 0.75 are affected by 11 of the vulnerabilities
    ~ and are encouraged to upgrade to the patched version of GAIM
    ~ offered by Gentoo.

    [ * ] Users of GAIM 0.75-r6 are only affected by 4 of the
    ~ vulnerabilities, but are still urged to upgrade to maintain
    ~ security.

    Workaround
    ==========

    There is no immediate workaround; a software upgrade is required.

    Resolution
    ==========

    All users are recommended to upgrade GAIM to 0.75-r7.

    ~ $> emerge sync
    ~ $> emerge -pv ">=net-im/gaim-0.75-r7"
    ~ $> emerge ">=net-im/gaim-0.75-r7"

    References
    ==========

    ~ [ 1 ] : http://www.securityfocus.com/archive/1/351235

    Concerns?
    =========

    Security is a primary focus of Gentoo Linux and ensuring the
    confidentiality and security of our users machines is of utmost
    importance to us. Any security concerns should be addressed to
    security@gentoo.org or alternatively, you may file a bug at
    http://bugs.gentoo.org.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFAFrwkMMXbAy2b2EIRAgXNAKDv5xVitt263W3Zuhbr0XbYFFn60ACdGdKO
    7ltFFxnxeXHJbOmb3BkQLOM=
    =shTi
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Jason Ellison: "[Full-Disclosure] mydoom listening ports"

    Relevant Pages

    • Re: [SLE] < RANT > *5
      ... Go ahead and upgrade only the applications you want. ... You want SuSE to do it for you?! ... Using a non broken versions of an IM client (GAIM), ... If you want stability and easy of use, what you do is you go to a distro ...
      (SuSE)
    • RE: [Full-Disclosure] [ GLSA 200401-04 ] GAIM 0.75 Remote overflo ws
      ... [Full-Disclosure] GAIM 0.75 Remote overflows ... upgrade their GAIM installation. ... Security is a primary focus of Gentoo Linux and ensuring the ...
      (Full-Disclosure)
    • [SLE] < RANT > *5
      ... I can't even easily upgrade KDE to 3.2 using SuSE provided RPM's ... All I want is a working app like k3b, gaim, mozilla, ... And people tell me thats normal linux sound. ...
      (SuSE)
    • D-Bus error trying to run gaim AND how do i ensure better upgrades?
      ... i did an upgrade of my testing system recently and afterwards have found a ... i had some problems earlier with gaim and dealt with them by copying the ... What is the D-Bus error about? ... how can i lessen my chances of breaking things when i upgrade. ...
      (Debian-User)
    • [Full-Disclosure] [gentoo-announce] [ GLSA 200401-04 ] GAIM 0.75 Remote overflows
      ... in GAIM that could lead to a remote compromise of the IM client. ... Due to the nature of instant messaging many of these bugs require ... upgrade their GAIM installation. ... Security is a primary focus of Gentoo Linux and ensuring the ...
      (Full-Disclosure)