[Full-Disclosure] MDKSA-2005:049 - Updated gaim packages fix multiple vulnerabilities

From: Mandrakelinux Security Team (security_at_linux-mandrake.com)
Date: 03/04/05

  • Next message: Danny: "[Full-Disclosure] "No such thing as spyware""
    To: full-disclosure@lists.netsys.com
    Date: Fri, 04 Mar 2005 14:22:46 -0700
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

     _______________________________________________________________________

                     Mandrakelinux Security Update Advisory
     _______________________________________________________________________

     Package name: gaim
     Advisory ID: MDKSA-2005:049
     Date: March 4th, 2005

     Affected versions: 10.0, 10.1, Corporate 3.0
     ______________________________________________________________________

     Problem Description:

     Gaim versions prior to version 1.1.4 suffer from a few security issues,
     such as the HTML parser not sufficiently validating its input. This
     allowed a remote attacker to crash the Gaim client by sending certain
     malformed HTML messages (CAN-2005-0208 and CAN-2005-0473).
     
     As well, insufficient input validation was also discovered in the
     "Oscar" protocol handler, used for ICQ and AIM. By sending specially
     crafted packets, remote users could trigger an infinite loop in Gaim,
     causing it to become unresponsive and hang (CAN-2005-0472).
     
     Gaim 1.1.4 is provided and fixes these issues.
     _______________________________________________________________________

     References:

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0208
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0472
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0473
      http://gaim.sourceforge.net/security/index.php?id=10
      http://gaim.sourceforge.net/security/index.php?id=11
      http://gaim.sourceforge.net/security/index.php?id=12
     ______________________________________________________________________

     Updated Packages:
      
     Mandrakelinux 10.0:
     ee4aaf22c265f3f6e7f37beccf212301 10.0/RPMS/gaim-1.1.4-2.1.100mdk.i586.rpm
     b19bd7c212fa8c9427d88a5fa7b489ef 10.0/RPMS/gaim-devel-1.1.4-2.1.100mdk.i586.rpm
     628d5e1b676124e01454dea9ea05aa73 10.0/RPMS/gaim-perl-1.1.4-2.1.100mdk.i586.rpm
     797ab3e00c5d0f2616afb86edb782859 10.0/RPMS/gaim-tcl-1.1.4-2.1.100mdk.i586.rpm
     8b9e89290a35eb7b4e4e9829e0275312 10.0/RPMS/libgaim-remote0-1.1.4-2.1.100mdk.i586.rpm
     519796a3cd3ca9813369b6cb22954f89 10.0/RPMS/libgaim-remote0-devel-1.1.4-2.1.100mdk.i586.rpm
     7819e5b641eb8fe7f34e930ff3d699a6 10.0/SRPMS/gaim-1.1.4-2.1.100mdk.src.rpm

     Mandrakelinux 10.0/AMD64:
     cc92e812426003d7b7e36ea7cee7a96d amd64/10.0/RPMS/gaim-1.1.4-2.1.100mdk.amd64.rpm
     9588ea7e5912fffa33bcb354c38c4a18 amd64/10.0/RPMS/gaim-devel-1.1.4-2.1.100mdk.amd64.rpm
     b5a180a8888a5da8e8d323fa9a575e78 amd64/10.0/RPMS/gaim-perl-1.1.4-2.1.100mdk.amd64.rpm
     1f591a16acfb9c69204865a41df0a917 amd64/10.0/RPMS/gaim-tcl-1.1.4-2.1.100mdk.amd64.rpm
     81a37dafd3c90ece97fd228fe7d733df amd64/10.0/RPMS/lib64gaim-remote0-1.1.4-2.1.100mdk.amd64.rpm
     665f07ab92a205812235526599bf65df amd64/10.0/RPMS/lib64gaim-remote0-devel-1.1.4-2.1.100mdk.amd64.rpm
     7819e5b641eb8fe7f34e930ff3d699a6 amd64/10.0/SRPMS/gaim-1.1.4-2.1.100mdk.src.rpm

     Mandrakelinux 10.1:
     4cda3906dcb6520428b4f1bc42f6174e 10.1/RPMS/gaim-1.1.4-2.1.101mdk.i586.rpm
     49f93da18c44ba5c22c87186e4c0988f 10.1/RPMS/gaim-devel-1.1.4-2.1.101mdk.i586.rpm
     0f2dda29cdf649ba976cd0721b5a867c 10.1/RPMS/gaim-gevolution-1.1.4-2.1.101mdk.i586.rpm
     1bb9c654b3d226b6209a95248fc1723f 10.1/RPMS/gaim-perl-1.1.4-2.1.101mdk.i586.rpm
     d923dad213f3538205b1ef0cac626a35 10.1/RPMS/gaim-tcl-1.1.4-2.1.101mdk.i586.rpm
     a930169e43850f519a0eacd11212e78a 10.1/RPMS/libgaim-remote0-1.1.4-2.1.101mdk.i586.rpm
     dda84886d6c3f18fc24c5b73621bdaef 10.1/RPMS/libgaim-remote0-devel-1.1.4-2.1.101mdk.i586.rpm
     729dca43d227506fcf39e6b8583496fa 10.1/SRPMS/gaim-1.1.4-2.1.101mdk.src.rpm

     Mandrakelinux 10.1/X86_64:
     697c22ee6faa5a0e5e745ca590704b6f x86_64/10.1/RPMS/gaim-1.1.4-2.1.101mdk.x86_64.rpm
     cd39d48dc21ead77da4c9739e9098de0 x86_64/10.1/RPMS/gaim-devel-1.1.4-2.1.101mdk.x86_64.rpm
     01188511f0315df83f46cee36d9d3427 x86_64/10.1/RPMS/gaim-gevolution-1.1.4-2.1.101mdk.x86_64.rpm
     5a44092f51a6de2bf1ebb5f516b91cfa x86_64/10.1/RPMS/gaim-perl-1.1.4-2.1.101mdk.x86_64.rpm
     82b356c4f8bd0f43a2bc390ce5c34442 x86_64/10.1/RPMS/gaim-tcl-1.1.4-2.1.101mdk.x86_64.rpm
     038bb0b8edfa3eb9716e9bd08d24cd2c x86_64/10.1/RPMS/lib64gaim-remote0-1.1.4-2.1.101mdk.x86_64.rpm
     149c20340da5935666152c83749ca8d0 x86_64/10.1/RPMS/lib64gaim-remote0-devel-1.1.4-2.1.101mdk.x86_64.rpm
     729dca43d227506fcf39e6b8583496fa x86_64/10.1/SRPMS/gaim-1.1.4-2.1.101mdk.src.rpm

     Corporate 3.0:
     face699482ea9de9d93b42c5c8d5a384 corporate/3.0/RPMS/gaim-1.1.4-2.1.C30mdk.i586.rpm
     39a2f2e483c68fb3ca5714a0d27e14e9 corporate/3.0/RPMS/gaim-devel-1.1.4-2.1.C30mdk.i586.rpm
     a63a03508343e78353edbe99aca94ec9 corporate/3.0/RPMS/gaim-perl-1.1.4-2.1.C30mdk.i586.rpm
     3bbcff0593e85157d0e0bb02dfbfa90c corporate/3.0/RPMS/gaim-tcl-1.1.4-2.1.C30mdk.i586.rpm
     87ac2f9b85cbaf9309c17ce0fbb9daf9 corporate/3.0/RPMS/libgaim-remote0-1.1.4-2.1.C30mdk.i586.rpm
     2352333d9dc21a41645b0f26ae47f6b3 corporate/3.0/RPMS/libgaim-remote0-devel-1.1.4-2.1.C30mdk.i586.rpm
     e9d4f10f138cdb3af653f3bb13319f62 corporate/3.0/SRPMS/gaim-1.1.4-2.1.C30mdk.src.rpm

     Corporate 3.0/X86_64:
     fa834d8d43b2cde15f94da06d228c704 x86_64/corporate/3.0/RPMS/gaim-1.1.4-2.1.C30mdk.x86_64.rpm
     dd31e9bf2d7497ab5452df2c75194e1b x86_64/corporate/3.0/RPMS/gaim-devel-1.1.4-2.1.C30mdk.x86_64.rpm
     8283718b4bc5a9fa51655b2affed2136 x86_64/corporate/3.0/RPMS/gaim-perl-1.1.4-2.1.C30mdk.x86_64.rpm
     11ecf0ed5491cf98f68d0a3224765e1e x86_64/corporate/3.0/RPMS/gaim-tcl-1.1.4-2.1.C30mdk.x86_64.rpm
     3c10e0b33ec75788c0a4ac97e8057c58 x86_64/corporate/3.0/RPMS/lib64gaim-remote0-1.1.4-2.1.C30mdk.x86_64.rpm
     f1a2c0cf86d65ed2366d984bfe5104bc x86_64/corporate/3.0/RPMS/lib64gaim-remote0-devel-1.1.4-2.1.C30mdk.x86_64.rpm
     e9d4f10f138cdb3af653f3bb13319f62 x86_64/corporate/3.0/SRPMS/gaim-1.1.4-2.1.C30mdk.src.rpm
     _______________________________________________________________________

     To upgrade automatically use MandrakeUpdate or urpmi. The verification
     of md5 checksums and GPG signatures is performed automatically for you.

     All packages are signed by Mandrakesoft for security. You can obtain
     the GPG public key of the Mandrakelinux Security Team by executing:

      gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
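     The advisory relies on urpmi to check md5 checksums for you. When
     packages are fetched by hand instead, the "Updated Packages" list above
     can be used directly as an integrity check. The script below is an added
     example, not part of the Mandrakelinux advisory: it reads a file in the
     advisory's "<md5> <relative path>" format, skips the section headings,
     and compares each listed file under a download directory with md5sum.
     The list file, download directory layout and the sample package content
     are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Mandrakelinux advisory): verify manually
# downloaded packages against an advisory's "<md5> <relative path>" list.
# Assumptions: the list file holds the lines from the "Updated Packages"
# section (headings such as "Mandrakelinux 10.1:" are tolerated and skipped),
# and each listed relative path exists under the download directory.

# verify_advisory_checksums LISTFILE PKGDIR
# Prints one status line per entry; returns 0 only if every listed file
# exists and its md5sum matches the advisory.
verify_advisory_checksums() {
    list="$1"
    pkgdir="$2"
    status=0
    while read -r expected relpath; do
        # Skip blank lines and anything whose first field is not a
        # 32-character lowercase hex digest (e.g. "Mandrakelinux 10.1:").
        [ -n "$expected" ] || continue
        [ "${#expected}" -eq 32 ] || continue
        case "$expected" in
            *[!0-9a-f]*) continue ;;
        esac
        file="$pkgdir/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s\n' "$relpath"
        else
            printf 'MISMATCH %s (advisory %s, file %s)\n' \
                "$relpath" "$expected" "$actual"
            status=1
        fi
    done < "$list"
    return "$status"
}

# Demonstration on constructed data (a throw-away file stands in for a
# package; the digest is computed from it, not copied from any advisory).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/pkgs/10.1/RPMS"
printf 'constructed sample payload\n' > "$demo_dir/pkgs/10.1/RPMS/sample.rpm"
good=$(md5sum "$demo_dir/pkgs/10.1/RPMS/sample.rpm" | cut -d' ' -f1)
cat > "$demo_dir/list.txt" <<EOF
Mandrakelinux 10.1:
$good 10.1/RPMS/sample.rpm
00000000000000000000000000000000 10.1/RPMS/absent.rpm
EOF
# Expected: one OK line for sample.rpm, one MISSING line for absent.rpm,
# and a non-zero return because not every entry verified.
verify_advisory_checksums "$demo_dir/list.txt" "$demo_dir/pkgs" \
    || echo "verification failed: do not install"
rm -rf "$demo_dir"
```

     A matching checksum only shows the download equals what the advisory
     lists; the signature check that urpmi also performs can be done on a
     single file with `rpm --checksig <file>` after importing the key
     fetched above.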

     You can view other update advisories for Mandrakelinux at:

      http://www.mandrakesoft.com/security/advisories

     If you want to report vulnerabilities, please contact

      security_linux-mandrake.com

     Type Bits/KeyID Date User ID
     pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
      <security linux-mandrake.com>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (GNU/Linux)

    iD8DBQFCKNGmmqjQ0CJFipgRAkkuAJ9JhXEDunqTrXkT0BARjvvrjHEMZwCgxI+w
    3REK8OF4tdIuoEGrIsguS2k=
    =N53O
    -----END PGP SIGNATURE-----
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

