FreeBSD: 3B4A6982-0B24-11DA-BC08-0001020EED82
Jul 21, 2005 - 12:00 a.m.

libgadu -- multiple vulnerabilities

2005-07-21 00:00:00
vuxml.freebsd.org

CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.086 Low (Percentile: 94.5%)

Wojtek Kaniewski reports:

Multiple vulnerabilities have been found in libgadu, a
library for handling the Gadu-Gadu instant messaging
protocol. It is a part of ekg, a Gadu-Gadu client, but is
widely used in other clients. Also some of the
user-contributed scripts were found to behave in an insecure
manner.

- integer overflow in libgadu (CVE-2005-1852) that could
  be triggered by an incoming message and lead to
  application crash and/or remote code execution
- insecure file creation (CVE-2005-1850) and shell
  command injection (CVE-2005-1851) in other
  user-contributed scripts (discovered by Marcin Owsiany and
  Wojtek Kaniewski)
- several signedness errors in libgadu that could be
  triggered by incoming network data or an application
  passing invalid user input to the library
- memory alignment errors in libgadu that could be
  triggered by an incoming message and lead to bus errors
  on architectures like SPARC
- endianness errors in libgadu that could cause invalid
  behaviour of applications on big-endian
  architectures
