Gaim vulnerable to DoS via specially crafted HTML

2005-02-28T00:00:00
ID VU:795812
Type cert
Reporter CERT
Modified 2005-02-28T00:00:00

Description

Overview

Gaim contains a flaw in HTML processing that may result in an invalid memory access and denial of service condition.

Description

From the Gaim project:

Gaim is a multi-protocol instant messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks

Gaim is susceptible to receiving a malformed HTML message which may result in an invalid memory access.


Impact

A remote attacker can cause Gaim to crash, causing a denial of service condition.


Solution

Apply an update
This flaw has been fixed in Gaim 1.1.4. All users may download an update at the Gaim Downloads page.


As a best practice and potential workaround, users should not accept unexpected messages from unknown sources.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Gaim| | -| 28 Feb 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://gaim.sourceforge.net/security/index.php?id=12>
  • <http://secunia.com/advisories/14386/>

Credit

Thanks to the Gaim project for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information from the Gaim project.

Other Information

  • CVE IDs: CAN-2005-0208
  • Date Public: 28 Feb 2005
  • Date First Published: 28 Feb 2005
  • Date Last Updated: 28 Feb 2005
  • Severity Metric: 1.28
  • Document Revision: 4