Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code

lowhalo_at_hush.com
Date: 01/27/04

Next message: Liu Die Yu: "Re: Self-Executing FOLDERS: Windows XP Explorer Part V"

Previous message: AntiVir Support: "Re: symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 26 Jan 2004 17:16:14 -0800
To: bugtraq@securityfocus.com

Ultramagnetic Advisory #001: January 26th, 2004
http://ultramagnetic.sourceforge.net/advisories/001.html
Severity: 9 (High)
Document Revision: 1.0

Overview

Ultramagnetic is a concurrent fork of the Gaim instant messaging software
which adds strong end-to-end encryption and authentication using GnuPG's
libgcrypt and anonymous routing with Hacktivismo's Six/Four protocol.

Multiple buffer overflow vulnerabilities have been found in the code
forked from Gaim. Full details are available at this URL:
http://security.e-matters.de/advisories/012004.html

Note that these vulnerabilities DO NOT compromise the
integrity of the encryption or authentication.

Affected Versions

All versions prior to Ultramagnetic v0.81 are affected by CAN-2004-0006,

CAN-2004-0007, CAN-2004-0008:

v0.01 Preview Alpha 1
v0.02 Preview Alpha 2
v0.03 Preview Alpha 3
v0.10 Beta
v0.20 Beta
v0.40 Beta
v0.50 Beta
v0.55 Beta
v0.60 Beta
v0.65 Beta
v0.70 Beta
v0.80 Beta

None of the versions mentioned above are vulnerable to CAN-2004-0005.

Solution

All users are strongly encouraged to upgrade to Ultramagnetic v0.81
(or later):

Source bz2:
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81.tar.bz2?download
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81.tar.bz2.sig?download

Linux x86 RPM:
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81-1.i386.rpm?download
    http://prdownloads.sourceforge.net/ultramagnetic/
        ultramagnetic-0.81-1.i386.rpm.sig?download

References

    * E-matters: 12 x Gaim remote overflows:
          http://security.e-matters.de/advisories/012004.html
    * CVE: CAN-2004-0006
    * CVE: CAN-2004-0007
    * CVE: CAN-2004-0008

- --
low halo
Defender of Truth and Liberty
http://ultramagnetic.sourceforge.net/

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AFB17F6
9AB1 FF04 016F 89A3 5B4E A585 BDBB 5FBE 3AFB 17F6

Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427

text/plain attachment: 001.txt.asc

Next message: Liu Die Yu: "Re: Self-Executing FOLDERS: Windows XP Explorer Part V"

Previous message: AntiVir Support: "Re: symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-Disclosure] Ultramagnetic Advisory: Multiple vulnerabilities in Gaim code
... Ultramagnetic is a concurrent fork of the Gaim instant messaging software ... which adds strong end-to-end encryption and authentication using GnuPG\'s ... integrity of the encryption or authentication. ... v0.10 Beta ...
(Full-Disclosure)
Re: Getting Challenged for Credentials with using DNS name
... I've had cases where the authentication box has not appeared even though I ... I have however noticed problems with some sites when using IE 7 Beta 2 .. ... Farm Config, One front-end server, seperate back-end SQL server. ...
(microsoft.public.sharepoint.windowsservices)