Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DSA-434-1:360FF
HistoryFeb 05, 2004 - 2:06 p.m.

[SECURITY] [DSA 434-1] New gaim packages fix several vulnerabilities

2004-02-0514:06:18
lists.debian.org
4

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Debian Security Advisory DSA 434-1 [email protected]
http://www.debian.org/security/ Martin Schulze
February 5th, 2004 http://www.debian.org/security/faq

Package : gaim
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008

Stefan Esser discovered several security related problems in Gaim, a
multi-protocol instant messaging client. Not all of them are
applicable for the version in Debian stable, but affected the version
in the unstable distribution at least. The problems were grouped for
the Common Vulnerabilities and Exposures as follows:

CAN-2004-0005

When the Yahoo Messenger handler decodes an octal value for email
notification functions two different kinds of overflows can be
triggered.  When the MIME decoder decoded a quoted printable
encoded string for email notification two other different kinds of
overflows can be triggered.  These problems only affect the
version in the unstable distribution.

CAN-2004-0006

When parsing the cookies within the HTTP reply header of a Yahoo
web connection a buffer overflow can happen.  When parsing the
Yahoo Login Webpage the YMSG protocol overflows stack buffers if
the web page returns oversized values.  When splitting an URL into
its parts a stack overflow can be caused.  These problems only
affect the version in the unstable distribution

When an oversized keyname is read from a Yahoo Messenger packet a
stack overflow can be triggered.  When Gaim is setup to use a HTTP
proxy for connecting to the server a malicious HTTP proxy can
exploit it.  These problems affect all versions Debian ships.
However, the connection to Yahoo doesn't work in the version in
Debian stable.

CAN-2004-0007

Internally data is copied between two tokens into a fixed size
stack buffer without a size check.  This only affects the version
of gaim in the unstable distribution

CAN-2004-0008

When allocating memory for AIM/Oscar DirectIM packets an integer
overflow can happen, resulting in a heap overflow.  This only
affects the version of gaim in the unstable distribution

For the stable distribution (woody) this problem has been fixed in
version 0.58-2.4.

For the unstable distribution (sid) this problem has been fixed in
version 0.75-2.

We recommend that you upgrade your gaim packages.

Upgrade Instructions

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

Source archives:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4.dsc
  Size/MD5 checksum:      681 6d563a59f4e5079140dd3335893edf42
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4.diff.gz
  Size/MD5 checksum:    21828 b174b13ab2e3d3e3e3000ca55b7f8b83
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58.orig.tar.gz
  Size/MD5 checksum:  1928057 644df289daeca5f9dd3983d65c8b2407

Alpha architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_alpha.deb
  Size/MD5 checksum:   479682 c149c1ca25747be24b1635064e0834b5
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_alpha.deb
  Size/MD5 checksum:   674762 a8412859564fe0f7273b8ba6ede648a8
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_alpha.deb
  Size/MD5 checksum:   501300 5434fb6169a8e2008612a58be22a4236

ARM architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_arm.deb
  Size/MD5 checksum:   401880 423943d6c3a7e86448fc556284f9b8b0
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_arm.deb
  Size/MD5 checksum:   615070 77a94ab4bea00313b44067bf1e72051b
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_arm.deb
  Size/MD5 checksum:   422412 1b1ccee64d9a9759ba78fcc1bc6b3980

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_i386.deb
  Size/MD5 checksum:   389304 35af8883424ba172682e1a0646b019df
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_i386.deb
  Size/MD5 checksum:   606280 398099bc94edf46952fcbbf63039d9f8
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_i386.deb
  Size/MD5 checksum:   409072 8ce75a4310d600c3e12e0f3e8145ee34

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_ia64.deb
  Size/MD5 checksum:   557110 27c8ed8b15f8048c49410c9fe5d05814
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_ia64.deb
  Size/MD5 checksum:   765302 5272fd8b41fcf2e566c52233456f948b
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_ia64.deb
  Size/MD5 checksum:   569886 08c1f2353a03e795cd2885c0fc325c9d

HP Precision architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_hppa.deb
  Size/MD5 checksum:   459514 26ae81af1fb0c175bbe230cd197f198e
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_hppa.deb
  Size/MD5 checksum:   691214 b0a4ae10d12baf30dedc9c511815600e
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_hppa.deb
  Size/MD5 checksum:   481394 5e5841e694dd7ce98fe8bd4a4ffb7122

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_m68k.deb
  Size/MD5 checksum:   370652 94f557698d5cce6538daae1f0fe1d2f1
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_m68k.deb
  Size/MD5 checksum:   622696 bd4724ffaea59658fa2d195c7cdd3a01
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_m68k.deb
  Size/MD5 checksum:   392134 a839062657735a6594ca7f14e536a586

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_mips.deb
  Size/MD5 checksum:   406448 7b2d7477187ea27652c0790088edfbc2
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_mips.deb
  Size/MD5 checksum:   614952 a2d9b74c24e4f633effd815b7ab89dd0
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_mips.deb
  Size/MD5 checksum:   427220 ac747694c422ee179cf19db2276ebb94

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_mipsel.deb
  Size/MD5 checksum:   397064 20b5679ca489b038d00307acaf2ab4dc
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_mipsel.deb
  Size/MD5 checksum:   607404 3ac2517372e8d24a86b64a09ca04a717
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_mipsel.deb
  Size/MD5 checksum:   416744 bd64d1035aa6490819cf95736281093c

PowerPC architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_powerpc.deb
  Size/MD5 checksum:   413604 cab5437c978971b577b26b752f456d35
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_powerpc.deb
  Size/MD5 checksum:   642924 5b01b15209f968e53e67737554b2430f
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_powerpc.deb
  Size/MD5 checksum:   434388 430e43e5ffd3bf6324f0a79cba7fd94f

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_s390.deb
  Size/MD5 checksum:   399502 7f7d7b08b57353f4d06b3e54eeab190b
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_s390.deb
  Size/MD5 checksum:   644122 e264f798b5affb2d7dfabdab1eaa745f
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_s390.deb
  Size/MD5 checksum:   422030 8e63cda1208b568ad157096e2753e377

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.4_sparc.deb
  Size/MD5 checksum:   409750 ebd452c72e27de0a97a89946b7f4e1f0
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.4_sparc.deb
  Size/MD5 checksum:   653942 8b58b5b637c927816b56717229426612
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.4_sparc.deb
  Size/MD5 checksum:   428552 29317f37a8506f5a968b4ceb545a0ff9

These files will probably be moved into the stable distribution on
its next revision.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [email protected]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/&lt;pkg&gt;

OSVersionArchitecturePackageVersionFilename
Debian3allgaim< 0.58-2.4gaim_0.58-2.4_all.deb

Related

openvas 6
nessus 6
securityvulns 1
freebsd 1
osv 1
debian 1
suse 1
redhat 2
cert 12
cve 4
ubuntucve 1
openvas
openvas
Debian: Security Advisory (DSA-434)
2008-01-17 00:00:00
Debian Security Advisory DSA 434-1 (gaim)
2008-01-17 00:00:00
Gentoo Security Advisory GLSA 200401-04 (GAIM)
2008-09-24 00:00:00
nessus
nessus
FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)
2009-04-23 00:00:00
FreeBSD : Several remotely exploitable buffer overflows in gaim (52)
2004-07-06 00:00:00
Debian DSA-434-1 : gaim - several vulnerabilities
2004-09-29 00:00:00
securityvulns
securityvulns
Advisory 01/2004: 12 x Gaim remote overflows
2004-01-26 00:00:00
freebsd
freebsd
Several remotely exploitable buffer overflows in gaim
2004-01-26 00:00:00
osv
osv
gaim - several vulnerabilities
2004-02-05 00:00:00
debian
debian
[SECURITY] [DSA 434-1] New gaim packages fix several vulnerabilities
2004-02-05 14:06:18
suse
suse
remote system compromise in gaim
2004-01-29 12:56:32
redhat
redhat
(RHSA-2004:033) gaim security update
2004-01-26 00:00:00
(RHSA-2004:045) gaim security update
2004-02-09 00:00:00
cert
cert
Gaim contains a buffer overflow vulnerability in the Extract Info Field function
2004-05-10 00:00:00
Gaim contains a buffer overflow vulnerability in the gaim_quotedp_decode() function
2004-04-30 00:00:00
Gaim contains a buffer overflow vulnerability in the gaim_url_parse() function
2004-05-06 00:00:00
cve
cve
CVE-2004-0005
2004-03-03 05:00:00
CVE-2004-0006
2004-03-03 05:00:00
CVE-2004-0007
2004-03-03 05:00:00
ubuntucve
ubuntucve
CVE-2004-0006
2004-03-03 00:00:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON
Related for DEBIAN:DSA-434-1:360FF
openvas6nessus6securityvulns1freebsd1osv1debian1suse1redhat2cert12cve4ubuntucve1