ID OSVDB:3733  Type osvdb  Reporter e-matters  Modified 2004-01-27T02:50:42
Description
Vulnerability Description
A remote buffer overflow exists in Gaim 0.74 and earlier (and in Ultramagnetic before 0.81). The Extract Info Field function, gaim_markup_extract_info_field(), which the MSN and Yahoo Messenger (YMSG) protocol handlers use to pull a field out of server-supplied markup, copies the data found between two tokens into a fixed-length 1024-byte stack buffer without checking the length of the resulting string. With a specially crafted set of data, an unauthenticated remote attacker can overflow the buffer, crash the client (denial of service) and possibly execute arbitrary code with the privileges of the user running Gaim, resulting in a loss of integrity.
Solution Description
Upgrade to version 0.76 or higher, which has been reported to fix this vulnerability. CERT VU#197142 and the CVE entry place the fix for this specific issue (CVE-2004-0007) in 0.75, but 0.75 is still affected by the related Gaim overflows tracked as CVE-2004-0006, so 0.76 is the version to require. The FreeBSD security team has released an unofficial patch which also corrects this vulnerability; e-matters published its own fix for 0.75 as gaim-0.75-fix.diff (see References).
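The copy pattern described above, as an added example in C. This is not Gaim's code and is not taken from any advisory on this page; it reconstructs the shape of the bug (text between two markup tokens copied into a fixed 1024-byte stack buffer with a length taken from the input rather than from the destination) and places the hardened form beside it. The token strings, the profile-style markup built by make_markup(), and all function names are assumptions made for the example; only the 1024-byte buffer size comes from VU#197142.

```c
/* Added example, not code from Gaim or from any advisory on this page.
 * Tokens, markup and function names are constructed for the example;
 * only the 1024-byte buffer size is taken from VU#197142. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INFO_BUF_SIZE 1024   /* the fixed size named in VU#197142 */

/* Length of the text between start_tok and end_tok, or -1 if either
 * token is missing.  An unbounded copy writes exactly this many bytes
 * plus a NUL, whatever the destination can actually hold. */
long field_span(const char *markup, const char *start_tok, const char *end_tok)
{
    const char *p = strstr(markup, start_tok);
    if (p == NULL)
        return -1;
    p += strlen(start_tok);
    const char *q = strstr(p, end_tok);
    if (q == NULL)
        return -1;
    return (long)(q - p);
}

/* True when the vulnerable pattern below would run past its buffer:
 * span bytes plus the terminating NUL must fit in INFO_BUF_SIZE. */
int would_overflow(const char *markup, const char *start_tok, const char *end_tok)
{
    long span = field_span(markup, start_tok, end_tok);
    return span >= INFO_BUF_SIZE;
}

/* Vulnerable pattern (illustration only; never run it on untrusted input).
 * The copy length comes from the input, not from sizeof(buf), so a field
 * of INFO_BUF_SIZE bytes or more overwrites the stack past buf. */
void extract_info_field_vulnerable(const char *markup, const char *start_tok,
                                   const char *end_tok, char *out)
{
    char buf[INFO_BUF_SIZE];
    long span = field_span(markup, start_tok, end_tok);
    if (span < 0) {
        out[0] = '\0';
        return;
    }
    const char *p = strstr(markup, start_tok) + strlen(start_tok);
    memcpy(buf, p, (size_t)span);   /* no comparison against sizeof(buf) */
    buf[span] = '\0';               /* also out of bounds when span >= 1024 */
    strcpy(out, buf);
}

/* Hardened form: the destination size is the limit, the result is always
 * NUL-terminated, and truncation is reported so the caller can reject the
 * field instead of silently using a clipped value.
 * Returns -1 (token missing), 0 (copied intact) or 1 (truncated). */
int extract_info_field(const char *markup, const char *start_tok,
                       const char *end_tok, char *dst, size_t dst_size)
{
    if (dst_size == 0)
        return -1;
    long span = field_span(markup, start_tok, end_tok);
    if (span < 0) {
        dst[0] = '\0';
        return -1;
    }
    const char *p = strstr(markup, start_tok) + strlen(start_tok);
    size_t n = (size_t)span;
    int truncated = 0;
    if (n >= dst_size) {
        n = dst_size - 1;
        truncated = 1;
    }
    memcpy(dst, p, n);
    dst[n] = '\0';
    return truncated;
}

/* Constructed profile-style markup whose first <td> field is field_len
 * 'A' bytes long.  The caller frees the result. */
char *make_markup(size_t field_len)
{
    const char *pre = "<b>Yahoo! ID:</b><td>";
    const char *post = "</td><b>Location:</b><td>unknown</td>";
    char *s = malloc(strlen(pre) + field_len + strlen(post) + 1);
    if (s == NULL)
        return NULL;
    strcpy(s, pre);
    memset(s + strlen(pre), 'A', field_len);
    strcpy(s + strlen(pre) + field_len, post);
    return s;
}

int main(void)
{
    char out[INFO_BUF_SIZE];
    char *m = make_markup(1500);   /* 1500 > 1023: the unbounded copy overflows */
    printf("span=%ld would_overflow=%d\n",
           field_span(m, "<td>", "</td>"), would_overflow(m, "<td>", "</td>"));
    int rc = extract_info_field(m, "<td>", "</td>", out, sizeof out);
    printf("hardened: rc=%d copied=%zu bytes\n", rc, strlen(out));
    free(m);
    return 0;
}
```

The point of the hardened version is not the bound alone: a truncated profile field is still attacker-controlled, so returning the truncation status lets the caller drop the field rather than display or parse a clipped value. The boundary case is 1023 bytes (fits with its NUL) against 1024 (one byte too many), which is why would_overflow() tests with >= rather than >.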
Record
Title: Gaim Extract Info Field Function Buffer Overflow
ID: OSVDB:3733; type osvdb; bulletin family software; edition 1
Reporter: e-matters; view count 5
Published: 2004-01-27T02:50:42; modified: 2004-01-27T02:50:42; last seen: 2017-04-28T13:19:58
URL: https://vulners.com/osvdb/OSVDB:3733

Affected software
gaim 0.74 (operator: eq)

Scores
CVSS v2: AV:N/AC:L/Au:N/C:P/I:P/A:P, base score 7.5
Vulners score: 8.7 (vector NONE, rev 2, modified 2017-04-28T13:19:58)

References
Vendor Specific Advisory URL: http://sourceforge.net/tracker/index.php?func=detail&aid=885370&group_id=235&atid=100235
Secunia Advisory ID 10705: https://secuniaresearch.flexerasoftware.com/advisories/10705/
Related OSVDB IDs: 3730 (https://vulners.com/osvdb/OSVDB:3730), 3731 (https://vulners.com/osvdb/OSVDB:3731), 3732 (https://vulners.com/osvdb/OSVDB:3732)
Other Solution URL: http://security.e-matters.de/patches/gaim-0.75-fix.diff
Other Advisory URL: http://security.e-matters.de/advisories/012004.html
ISS X-Force ID: 14946
CVE: CVE-2004-0007 (https://vulners.com/cve/CVE-2004-0007)

Related entries
cve: CVE-2004-0007
cert: VU:197142
nessus: FREEBSD_PKG_6FD024395D7011D880E30020ED76EF5A.NASL, FREEBSD_GAIM_076.NASL, MANDRAKE_MDKSA-2004-006.NASL, DEBIAN_DSA-434.NASL, REDHAT-RHSA-2004-033.NASL
redhat: RHSA-2004:033
suse: SUSE-SA:2004:004
openvas: OPENVAS:53132, OPENVAS:54518, OPENVAS:52486
securityvulns: SECURITYVULNS:DOC:5678
freebsd: 6FD02439-5D70-11D8-80E3-0020ED76EF5A
debian: DEBIAN:DSA-434-1:84ED5
Related bulletins

CVE-2004-0007 (NVD)
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0007
Published 2004-03-03T05:00:00; modified 2017-10-11T01:29:00; last seen 2020-12-09T19:21:31; edition 5
Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
CWE: NVD-CWE-Other
CVSS v2: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P (exploitability subscore 10.0, impact subscore 6.4; no authentication and no user interaction required; obtains other privilege). No CVSS v3 score.
CPE: cpe:2.3:a:rob_flynn:gaim:0.74:*:*:*:*:*:*:*, cpe:2.3:a:ultramagnetic:ultramagnetic:0.81:*:*:*:*:*:*:*

VU#197142 (CERT/CC): Gaim contains a buffer overflow vulnerability in the Extract Info Field function
URL: https://www.kb.cert.org/vuls/id/197142
Date public 2004-01-26; first published 2004-05-10; last updated 2004-05-10 19:37 UTC; document revision 12; severity metric 11.81
Overview: There is a buffer overflow vulnerability in the gaim_markup_extract_info_field() function, which could allow an unauthenticated, remote attacker to cause a denial of service or execute arbitrary code.
Description: Gaim (http://gaim.sourceforge.net/) is a multi-protocol instant messenger client available for a number of operating systems. gaim_markup_extract_info_field() is used by the Yahoo Messenger (YMSG) and MSN protocol handlers. Within this function a buffer with a fixed size of 1024 bytes is allocated, and when copying data into it the function fails to check the size of the data being copied, so oversized input overflows the buffer.
Impact: An unauthenticated, remote attacker could cause a denial of service or potentially execute arbitrary code with the privileges of the vulnerable process.
Solution: Upgrade to Gaim version 0.75 (http://gaim.sourceforge.net/downloads.php) or later.
Vendor information: Gaim, status Affected (updated May 10, 2004). CERT received no statement and no further information from the vendor. The vulnerability has been addressed in versions 0.75 and later.
CVSS metrics: the note itself lists no base, temporal or environmental score; Vulners records 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P).
References:
  http://security.e-matters.de/advisories/012004.html
  http://www.debian.org/security/2004/dsa-434
  http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813
  http://www.secunia.com/advisories/10705/
Acknowledgements: publicly reported by Stefan Esser of e-matters. Document written by Damon Morda.

RHSA-2004:033: gaim security update (Red Hat)
URL: https://access.redhat.com/errata/RHSA-2004:033
Published 2004-01-26T05:00:00; modified 2017-07-29T20:32:39; CVEs CVE-2004-0006, CVE-2004-0007, CVE-2004-0008; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Gaim is an instant messenger client that can handle multiple protocols.
Stefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging, many of these bugs require man-in-the-middle attacks between client and server. However, at least one of the buffer overflows could be exploited by an attacker sending a carefully constructed malicious message through a server.
The issues include:
  Multiple buffer overflows that affect versions of Gaim 0.75 and earlier: 1) when parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. CVE name CAN-2004-0006 (now CVE-2004-0006).
  A buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for the MSN and YMSG protocol handlers. CAN-2004-0007 (now CVE-2004-0007).
  An integer overflow in Gaim 0.74 and earlier when allocating memory for a directIM packet, resulting in a heap overflow. CAN-2004-0008 (now CVE-2004-0008).
All users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues.
Red Hat would like to thank Stefan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.

SUSE-SA:2004:004: remote system compromise in gaim (SUSE)
URL: http://lists.opensuse.org/opensuse-security-announce/2004-01/msg00007.html
Published and modified 2004-01-29T12:56:32; edition 1; CVEs CVE-2004-0005, CVE-2004-0006, CVE-2004-0007; CVSS 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Gaim is a multi-protocol instant-messaging client. Stefan Esser found 12 vulnerabilities in gaim that can lead to a remote system compromise with the privileges of the user running Gaim. The Gaim package that SUSE LINUX ships is affected by just two of these bugs: the Yahoo Packet Parser Overflow and the HTTP Proxy Connect Overflow.

Nessus plugins

MANDRAKE_MDKSA-2004-006.NASL: Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)
URL: https://www.tenable.com/plugins/nessus/14106 (script_id 14106, script_version 1.20, plugin_modification_date 2021/01/06)
Published 2004-07-31; patch publication date 2004/01/30; last seen 2021-01-07; edition 24; plugin type local; family Mandriva Local Security Checks
CVEs: CVE-2004-0006, CVE-2004-0007, CVE-2004-0008; xref MDKSA 2004:006-1; CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE: cpe:/o:mandrakesoft:mandrake_linux:9.1, cpe:/o:mandrakesoft:mandrake_linux:9.2; packages gaim, gaim-encrypt, gaim-festival, gaim-perl, libgaim-remote0, libgaim-remote0-devel, lib64gaim-remote0, lib64gaim-remote0-devel
Synopsis: The remote Mandrake Linux host is missing one or more security updates.
Description: A number of vulnerabilities were discovered in the gaim instant messenger program by Stefan Esser, versions 0.75 and earlier. Thanks to Jacques A. Vidrine for providing initial patches.
  Multiple buffer overflows exist in gaim 0.75 and earlier: when parsing cookies in a Yahoo web connection; YMSG protocol overflows parsing the Yahoo login webpage; a YMSG packet overflow; flaws in the URL parser; and flaws in the HTTP Proxy connect (CAN-2004-0006).
  A buffer overflow in gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers (CAN-2004-0007).
  An integer overflow in gaim 0.74 and earlier, when allocating memory for a directIM packet, results in a heap overflow (CVE-2004-0008).
  Update: the patch used to correct the problem was slightly malformed and could cause an infinite loop and crash with the Yahoo protocol. The new packages have a corrected patch that resolves the problem.
Solution: Update the affected packages.
Check logic (decoded from the plugin source in the record; descriptive text and package checks were extracted from MDKSA-2004:006, text copyright Mandriva S.A., script copyright 2004-2021 Tenable Network Security, Inc.; depends on ssh_get_info.nasl and requires Host/local_checks_enabled, Host/cpu, Host/Mandrake/release and Host/Mandrake/rpm-list):

  if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
  if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
  if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

  cpu = get_kb_item("Host/cpu");
  if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
  if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

  flag = 0;
  if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"gaim-0.75-1.2.91mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"gaim-encrypt-0.75-1.2.91mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libgaim-remote0-0.75-1.2.91mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"libgaim-remote0-devel-0.75-1.2.91mdk", yank:"mdk")) flag++;

  if (rpm_check(release:"MDK9.2", reference:"gaim-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", reference:"gaim-encrypt-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", reference:"gaim-festival-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", reference:"gaim-perl-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64gaim-remote0-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64gaim-remote0-devel-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libgaim-remote0-0.75-1.2.92mdk", yank:"mdk")) flag++;
  if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libgaim-remote0-devel-0.75-1.2.92mdk", yank:"mdk")) flag++;

  if (flag)
  {
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
  }
  else audit(AUDIT_HOST_NOT, "affected");

REDHAT-RHSA-2004-033.NASL: RHEL 3 : gaim (RHSA-2004:033)
URL: https://www.tenable.com/plugins/nessus/12455 (script_id 12455, script_version 1.25, plugin_modification_date 2021/01/14)
Published 2004-07-06; vuln publication date 2004/03/03; patch publication date 2004/01/26; last seen 2021-01-17; edition 26; plugin type local; generated plugin; family Red Hat Local Security Checks
CVEs: CVE-2004-0006, CVE-2004-0007, CVE-2004-0008; xref RHSA 2004:033; CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE: cpe:/o:redhat:enterprise_linux:3, p-cpe:/a:redhat:enterprise_linux:gaim
Synopsis: The remote Red Hat host is missing a security update.
Description: the RHSA-2004:033 text given above ("Updated Gaim packages that fix a number of serious vulnerabilities are now available. ..."), reproduced verbatim by the plugin.
See also: https://access.redhat.com/security/cve/cve-2004-0006, https://access.redhat.com/security/cve/cve-2004-0007, https://access.redhat.com/security/cve/cve-2004-0008, https://access.redhat.com/errata/RHSA-2004:033
Solution: Update the affected gaim package.
Check logic (decoded from the plugin source; descriptive text and package checks extracted from RHSA-2004:033, text copyright Red Hat, Inc., script copyright 2004-2021 Tenable, Inc. or an Affiliate thereof; depends on ssh_get_info.nasl and requires Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list and Host/cpu):

  if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
  release = get_kb_item("Host/RedHat/release");
  if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
  os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
  if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
  os_ver = os_ver[1];
  if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 3.x", "Red Hat " + os_ver);

  if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

  cpu = get_kb_item("Host/cpu");
  if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
  if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

  yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
  if (!empty_or_null(yum_updateinfo))
  {
    rhsa = "RHSA-2004:033";
    yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
    if (!empty_or_null(yum_report))
    {
      security_report_v4(port:0, severity:SECURITY_HOLE, extra:yum_report);
      exit(0);
    }
    else
    {
      audit_message = "affected by Red Hat security advisory " + rhsa;
      audit(AUDIT_OS_NOT, audit_message);
    }
  }
  else
  {
    flag = 0;
    if (rpm_check(release:"RHEL3", reference:"gaim-0.75-3.2.0")) flag++;

    if (flag)
    {
      security_report_v4(port:0, severity:SECURITY_HOLE, extra:rpm_report_get() + redhat_report_package_caveat());
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gaim");
    }
  }

FREEBSD_GAIM_076.NASL: FreeBSD : Several remotely exploitable buffer overflows in gaim (52)
URL: https://www.tenable.com/plugins/index.php?view=single&id=12543 (script_id 12543, script_version $Revision: 1.8 $)
Published 2004-07-06; last seen 2016-09-26; edition 1; family FreeBSD Local Security Checks; depends on ssh_get_info.nasl; requires Host/FreeBSD/pkg_info
CVEs: CVE-2004-0005, CVE-2004-0006, CVE-2004-0007, CVE-2004-0008; CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P (the script sets cvss_score=7)
Status: deprecated. Disabled on 2011/10/02 and superseded by freebsd_pkg_6fd024395d7011d880e30020ed76ef5a.nasl (plugin #37025); the script exits before any package test runs.
Synopsis: The remote host is missing a security update.
Description: The following package needs to be updated: gaim
Solution: Update the package on the remote host.
See also: http://www.FreeBSD.org/ports/portaudit/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html, http://security.e-matters.de/advisories/012004.txt, http://secunia.com/advisories/11804, http://www.osvdb.org/6791, and a set of URLs the generated plugin also carries that concern other software (libgd bug tracker tasks 70, 87, 89 and 94, http://www.libgd.org/ReleaseNote020035, http://www.frsirt.com/english/advisories/2007/2336, http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false, http://www.mozilla.org/projects/security/known-vulnerabilities.html, http://www.mozilla.org/security/announce/mfsa2005-46.html, http://www.mozilla.org/security/announce/mfsa2005-47.html).
Provenance: information extracted from VuXML, copyright 2003-2006 Jacques Vidrine and contributors, redistributed under its BSD-style documentation licence (source and compiled forms may be redistributed with the copyright notice, conditions and disclaimer retained; provided "AS IS" without warranty); script copyright 2009-2010 Tenable Network Security, Inc.
Package tests (decoded from the script; they follow the deprecation exit and are therefore never reached):

  global_var cvss_score;
  cvss_score=7;
  include('freebsd_package.inc');

  pkg_test(pkg:"gaim<0.75_3");
  pkg_test(pkg:"gaim=0.75_5");
  pkg_test(pkg:"gaim=0.76");
  pkg_test(pkg:"ja-gaim<0.75_3");
  pkg_test(pkg:"ja-gaim=0.75_5");
  pkg_test(pkg:"ja-gaim=0.76");
  pkg_test(pkg:"ko-gaim<0.75_3");
  pkg_test(pkg:"ko-gaim=0.75_5");
  pkg_test(pkg:"ko-gaim=0.76");
  pkg_test(pkg:"ru-gaim<0.75_3");
  pkg_test(pkg:"ru-gaim=0.75_5");
  pkg_test(pkg:"ru-gaim=0.76");

DEBIAN_DSA-434.NASL: Debian DSA-434-1 : gaim - several vulnerabilities
URL: https://www.tenable.com/plugins/nessus/15271
Published 2004-09-29; last seen 2021-01-06; edition 25
CVEs: CVE-2004-0005, CVE-2004-0006, CVE-2004-0007, CVE-2004-0008
CPE: cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:gaim
Description: Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable to the version in Debian stable, but they affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures project as follows:
  CAN-2004-0005: When the Yahoo Messenger handler decodes an octal value for email notification functions, two different kinds of overflows can be triggered. When the MIME decoder decodes a quoted-printable encoded string for email notification, two other kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.
  CAN-2004-0006: When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo login web page, the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution. When an oversized key name is read from a Yahoo Messenger packet a stack overflow can be triggered, and when Gaim is set up to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it; these problems affect all versions Debian ships, although the connection to Yahoo does not work in the version in Debian stable.
  CAN-2004-0007: Internally, data is copied between two tokens into a fixed-size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.
  CAN-2004-0008: When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.
Source: the record carries only the opening header comment of the plugin (descriptive text and package checks extracted from Debian Security Advisory DSA-434, script copyright Tenable Network Security, Inc.); the remainder is cut off.
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15271);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_bugtraq_id(9489);\n script_xref(name:\"DSA\", value:\"434\");\n\n script_name(english:\"Debian DSA-434-1 : gaim - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser discovered several security related problems in Gaim, a\nmulti-protocol instant messaging client. Not all of them are\napplicable for the version in Debian stable, but affected the version\nin the unstable distribution at least. The problems were grouped for\nthe Common Vulnerabilities and Exposures as follows :\n\n - CAN-2004-0005\n When the Yahoo Messenger handler decodes an octal value\n for email notification functions two different kinds of\n overflows can be triggered. When the MIME decoder\n decoded a quoted printable encoded string for email\n notification two other different kinds of overflows can\n be triggered. These problems only affect the version in\n the unstable distribution.\n\n - CAN-2004-0006\n\n When parsing the cookies within the HTTP reply header of\n a Yahoo web connection a buffer overflow can happen.\n When parsing the Yahoo Login Webpage the YMSG protocol\n overflows stack buffers if the web page returns\n oversized values. When splitting a URL into its parts a\n stack overflow can be caused. 
These problems only affect\n the version in the unstable distribution.\n\n When an oversized keyname is read from a Yahoo Messenger packet a\n stack overflow can be triggered. When Gaim is setup to use an HTTP\n proxy for connecting to the server a malicious HTTP proxy can\n exploit it. These problems affect all versions Debian ships.\n However, the connection to Yahoo doesn't work in the version in\n Debian stable.\n\n - CAN-2004-0007\n\n Internally data is copied between two tokens into a\n fixed size stack buffer without a size check. This only\n affects the version of gaim in the unstable\n distribution.\n\n - CAN-2004-0008\n\n When allocating memory for AIM/Oscar DirectIM packets an\n integer overflow can happen, resulting in a heap\n overflow. This only affects the version of gaim in the\n unstable distribution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-434\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gaim packages.\n\nFor the stable distribution (woody) these problems has been fixed in\nversion 0.58-2.4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable 
Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"gaim\", reference:\"0.58-2.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"gaim-common\", reference:\"0.58-2.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"gaim-gnome\", reference:\"0.58-2.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:45:29", "description": "Stefan Esser of e-matters found almost a dozen remotely exploitable\nvulnerabilities in Gaim. From the e-matters advisory :\n\nWhile developing a custom add-on, an integer overflow in the handling\nof AIM DirectIM packets was revealed that could lead to a remote\ncompromise of the IM client. After disclosing this bug to the vendor,\nthey had to make a hurried release because of a change in the Yahoo\nconnection procedure that rendered GAIM useless. Unfourtunately at the\nsame time a closer look onto the sourcecode revealed 11 more\nvulnerabilities.\n\nThe 12 identified problems range from simple standard stack overflows,\nover heap overflows to an integer overflow that can be abused to cause\na heap overflow. Due to the nature of instant messaging many of these\nbugs require man-in-the-middle attacks between client and server. 
But\nthe underlying protocols are easy to implement and MIM attacks on\nordinary TCP sessions is a fairly simple task.\n\nIn combination with the latest kernel vulnerabilities or the habit of\nusers to work as root/administrator these bugs can result in remote\nroot compromises.", "edition": 24, "published": "2009-04-23T00:00:00", "title": "FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2009-04-23T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ko-gaim", "p-cpe:/a:freebsd:freebsd:gaim", "p-cpe:/a:freebsd:freebsd:gaim", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ja-gaim", "p-cpe:/a:freebsd:freebsd:ru-gaim"], "id": "FREEBSD_PKG_6FD024395D7011D880E30020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/nessus/37025", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(37025);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n\n script_name(english:\"FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser of e-matters found almost a dozen remotely exploitable\nvulnerabilities in Gaim. 
From the e-matters advisory :\n\nWhile developing a custom add-on, an integer overflow in the handling\nof AIM DirectIM packets was revealed that could lead to a remote\ncompromise of the IM client. After disclosing this bug to the vendor,\nthey had to make a hurried release because of a change in the Yahoo\nconnection procedure that rendered GAIM useless. Unfourtunately at the\nsame time a closer look onto the sourcecode revealed 11 more\nvulnerabilities.\n\nThe 12 identified problems range from simple standard stack overflows,\nover heap overflows to an integer overflow that can be abused to cause\na heap overflow. Due to the nature of instant messaging many of these\nbugs require man-in-the-middle attacks between client and server. But\nthe underlying protocols are easy to implement and MIM attacks on\nordinary TCP sessions is a fairly simple task.\n\nIn combination with the latest kernel vulnerabilities or the habit of\nusers to work as root/administrator these bugs can result in remote\nroot compromises.\"\n );\n # http://security.e-matters.de/advisories/012004.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fdb6dd3c\"\n );\n # https://vuxml.freebsd.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?91332096\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ko-gaim\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:freebsd:freebsd:ru-gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/01/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim>=20030000\")) flag++;\n\nif (flag)\n{\n if (report_verbosity 
> 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2017-07-24T12:49:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200401-04.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:54518", "href": "http://plugins.openvas.org/nasl.php?oid=54518", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200401-04 (GAIM)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Various overflows in the handling of AIM DirectIM packets was revealed in\nGAIM that could lead to a remote compromise of the IM client.\";\ntag_solution = \"All users are recommended to upgrade GAIM to 0.75-r7.\n\n $> emerge sync\n $> emerge -pv '>=net-im/gaim-0.75-r7'\n $> emerge '>=net-im/gaim-0.75-r7'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200401-04\nhttp://bugs.gentoo.org/show_bug.cgi?id=39470\nhttp://www.securityfocus.com/archive/1/351235/2004-01-23/2004-01-29/0\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200401-04.\";\n\n \n\nif(description)\n{\n script_id(54518);\n script_cve_id(\"CVE-2004-0005\",\"CVE-2004-0006\",\"CVE-2004-0007\",\"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200401-04 (GAIM)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-im/gaim\", unaffected: make_list(\"ge 0.75-r7\"), vulnerable: make_list(\"lt 0.75-r7\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2016-09-20T00:00:00", "published": "2008-09-04T00:00:00", "id": "OPENVAS:52486", "href": "http://plugins.openvas.org/nasl.php?oid=52486", "type": "openvas", "title": "FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim", "sourceData": "#\n#VID 6fd02439-5d70-11d8-80e3-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n gaim\n ja-gaim\n ko-gaim\n ru-gaim\n\nThe installed versions suffer from numerous buffer\noverflows that allow attackers to execute arbitrary\ncode on the system.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://security.e-matters.de/advisories/012004.txt\nhttp://www.vuxml.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52486);\n script_version(\"$Revision: 4118 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-20 07:32:38 +0200 (Tue, 20 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim\");\n\n\n\n 
script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ja-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ko-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && 
revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ru-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20030000\")>=0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": "The remote host is missing an update to gaim\nannounced via advisory DSA 434-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53132", "href": "http://plugins.openvas.org/nasl.php?oid=53132", "type": "openvas", "title": "Debian Security Advisory DSA 434-1 (gaim)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_434_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 434-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 
E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Stefan Esser discovered several security related problems in Gaim, a\nmulti-protocol instant messaging client. Not all of them are\napplicable for the version in Debian stable, but affected the version\nin the unstable distribution at least. The problems were grouped for\nthe Common Vulnerabilities and Exposures as follows:\n\nCVE-2004-0005\n\nWhen the Yahoo Messenger handler decodes an octal value for email\nnotification functions two different kinds of overflows can be\ntriggered. When the MIME decoder decoded a quoted printable\nencoded string for email notification two other different kinds of\noverflows can be triggered. These problems only affect the\nversion in the unstable distribution.\n\nCVE-2004-0006\n\nWhen parsing the cookies within the HTTP reply header of a Yahoo\nweb connection a buffer overflow can happen. When parsing the\nYahoo Login Webpage the YMSG protocol overflows stack buffers if\nthe web page returns oversized values. When splitting an URL into\nits parts a stack overflow can be caused. 
These problems only\naffect the version in the unstable distribution\n\nWhen an oversized keyname is read from a Yahoo Messenger packet a\nstack overflow can be triggered. When Gaim is setup to use a HTTP\nproxy for connecting to the server a malicious HTTP proxy can\nexploit it. These problems affect all versions Debian ships.\nHowever, the connection to Yahoo doesn't work in the version in\nDebian stable.\n\nCVE-2004-0007\n\nInternally data is copied between two tokens into a fixed size\nstack buffer without a size check. This only affects the version\nof gaim in the unstable distribution\n\nCVE-2004-0008\n\nWhen allocating memory for AIM/Oscar DirectIM packets an integer\noverflow can happen, resulting in a heap overflow. This only\naffects the version of gaim in the unstable distribution\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.58-2.4.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.75-2.\n\nWe recommend that you upgrade your gaim packages.\";\ntag_summary = \"The remote host is missing an update to gaim\nannounced via advisory DSA 434-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20434-1\";\n\nif(description)\n{\n script_id(53132);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 434-1 (gaim)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"gaim\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gaim-common\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gaim-gnome\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "bulletinFamily": "software", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": " e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: 12 x Gaim remote overflows\r\n Release Date: 2004/01/26\r\nLast Modified: 2004/01/26\r\n Author: Stefan Esser [s.esser@e-matters.de]\r\n\r\n Application: Gaim <= 0.75\r\n Severity: 12 vulnerabilities were found in the instant \r\n messenger GAIM that allow remote compromise\r\n Risk: Critical\r\nVendor Status: Vendor has fixed in CVS, but feels not ready for\r\n release because of problems with HEAD\r\n Reference: http://security.e-matters.de/advisories/012004.html\r\n\r\n\r\nOverview:\r\n\r\n Gaim is a multi-protocol instant messaging client for Linux, BSD, \r\n 
MacOS X, and Windows. It is compatible with AIM (Oscar and TOC \r\n protocols), ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, \r\n and Zephyr networks. It is a very popular choice among the users\r\n of instant messaging networks and especially in the community of\r\n migrated Windows users. \r\n \r\n While developing a custom add-on, an integer overflow in the \r\n handling of AIM DirectIM packets was revealed that could lead \r\n to a remote compromise of the IM client. After disclosing this\r\n bug to the vendor, they had to make a hurried release because\r\n of a change in the Yahoo connection procedure that rendered\r\n GAIM useless. Unfortunately, at the same time a closer look\r\n at the source code revealed 11 more vulnerabilities.\r\n \r\n The 12 identified problems range from simple standard stack\r\n overflows over heap overflows to an integer overflow that can\r\n be abused to cause a heap overflow. Due to the nature of instant\r\n messaging many of these bugs require man-in-the-middle attacks\r\n between client and server. 
But the underlying protocols are\r\n easy to implement and man-in-the-middle (MIM) attacks on ordinary\r\n TCP sessions are a fairly simple task.\r\n \r\n In combination with the latest kernel vulnerabilities or the \r\n habit of users to work as root/administrator these bugs can \r\n result in remote root compromises.\r\n \r\n \r\nDetails:\r\n \r\n While auditing the Gaim source code the following 12 \r\n vulnerabilities were discovered:\r\n \r\n Overflows in YMSG protocol (Yahoo Messenger) handler\r\n ----------------------------------------------------\r\n \r\n 01) Yahoo Octal-Encoding Decoder Overflow\r\n 02) Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow\r\n 03) Yahoo Web Cookie Parser Overflow\r\n 04) Yahoo Login Page Name Parser Overflow \r\n 05) Yahoo Login Page Value Parser Overflow \r\n 06) Yahoo Packet Parser Overflow\r\n \r\n Overflows in oscar protocol (AIM) handler\r\n -----------------------------------------\r\n \r\n 07) AIM/Oscar DirectIM Integer Overflow\r\n \r\n Overflows in utility functions\r\n (called in various protocols)\r\n ------------------------------\r\n \r\n 08) Quoted Printable Decoder Overflow\r\n 09) Quoted Printable Decoder Out-Of-Bounds Overflow\r\n 10) URL Parser Function Overflow \r\n 11) Extract Info Field Function Overflow\r\n \r\n Overflows that do not fit into\r\n the other categories\r\n ------------------------------\r\n \r\n 12) HTTP Proxy Connect Overflow\r\n \r\n\r\n Detailed Bug Description \r\n ------------------------\r\n \r\n [01 - Yahoo Octal-Encoding Decoder Overflow]\r\n [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]\r\n \r\n When the Yahoo Messenger handler decodes an octal value for\r\n email notification functions, two different kinds of overflows\r\n can be triggered.\r\n \r\n Affected version: 0.75 (only)\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_decode()\r\n Code:\r\n \r\n static char *yahoo_decode(const char *text)\r\n {\r\n char *converted;\r\n char *p, *n, *new;\r\n \r\n n = new = 
g_malloc(strlen (text) + 1);\r\n \r\n for (p = (char *)text; *p; p++, n++) {\r\n if (*p == '\\') {\r\n sscanf(p + 1, "%3o\n", (int *)n); <-------- [01]\r\n p += 3; <--------------------------------- [02]\r\n }\r\n else\r\n *n = *p;\r\n }\r\n \r\n *n = '\0';\r\n ...\r\n \r\n The way sscanf() is used, it will always write 4 bytes to the \r\n allocated buffer. Because the author did not consider malformed \r\n input like "\1" (a backslash that is followed by fewer than three\r\n octal digits), it is possible to write 1-2 zero bytes over the\r\n buffer boundaries. On Linux this is exploitable like any heap\r\n off-by-one into the malloc() chunks. The second vulnerability is\r\n that no matter how many bytes sscanf() consumes, the pointer is\r\n always advanced by an assumed 4 bytes. This can result in jumping\r\n over the terminating zero byte, and with specially prepared memory\r\n after the string it is possible to overwrite the heap with an \r\n arbitrary number of bytes.\r\n \r\n These bugs are counted as two because for most people [02] is not\r\n obvious. As an example, the vendor fixed only [01] first because\r\n my description was not good enough. 
Additionally, the misuse of \r\n sscanf() broke compatibility with all big-endian platforms.\r\n \r\n \r\n [03 - Yahoo Web Cookie Parser Overflow]\r\n \r\n When parsing the cookies within the HTTP reply header of a\r\n Yahoo web connection a buffer overflow can happen.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_web_pending()\r\n Code:\r\n \r\n void yahoo_web_pending(gpointer data, gint source, ...\r\n { \r\n GaimConnection *gc = data;\r\n GaimAccount *account = gaim_connection_get_account(gc);\r\n struct yahoo_data *yd = gc->proto_data;\r\n char buf[1024], buf2[256], *i = buf, *r = buf2;\r\n int len, o = 0;\r\n \r\n len = read(source, buf, sizeof(buf));\r\n ...\r\n while ((i = strstr(i, "Set-Cookie: ")) && 0 < 2) {\r\n i += strlen("Set-Cookie: ");\r\n for (;*i != ';'; r++, i++) {\r\n *r = *i;\r\n }\r\n *r=';';\r\n r++;\r\n ...\r\n }\r\n ...\r\n \r\n Here all cookie data contained in the first 1024 bytes of an\r\n HTTP reply header is copied into a 256 byte buffer without\r\n a size check. Because source and destination buffers are\r\n both on the stack, and the stack layout will most probably\r\n result in the smaller buffer overflowing into the larger\r\n one, this bug is believed not to be exploitable with the\r\n normal stack layout. 
Note also the typo in the while()\r\n condition 0 < 2, which should be o < 2.\r\n \r\n \r\n [04 - Yahoo Login Page Name Parser Overflow]\r\n [05 - Yahoo Login Page Value Parser Overflow]\r\n \r\n When parsing the Yahoo Login Webpage the YMSG protocol overflows\r\n stack buffers if the webpage returns oversized values.\r\n\r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_login_page_hash()\r\n Code:\r\n \r\n static \r\n GHashTable *yahoo_login_page_hash(const char *buf,size_t len)\r\n {\r\n GHashTable *hash = g_hash_table_new_full(g_str_hash, g_s...\r\n const char *c = buf;\r\n char *d;\r\n char name[64], value[64];\r\n while ((c < (buf + len)) && (c = strstr(c, "<input "))) {\r\n c = strstr(c, "name=\"") + strlen("name=\"");\r\n for (d = name; *c!='"'; c++, d++) <----------- [04]\r\n *d = *c; <---------/\r\n *d = '\0';\r\n d = strstr(c, "value=\"") + strlen("value=\"");\r\n if (strchr(c, '>') < d)\r\n break;\r\n for (c = d, d = value; *c!='"'; c++, d++) <--- [05]\r\n *d = *c; <-----------------------------/\r\n *d = '\0';\r\n g_hash_table_insert(hash, g_strdup(name), g_strdup(value));\r\n }\r\n return hash;\r\n }\r\n\r\n The content of the Yahoo login webpage is trusted although it\r\n could be changed with a simple man-in-the-middle attack on the\r\n HTTP session. name and value are filled directly from the page\r\n without any kind of size check. This results in two independent\r\n ways to overflow the stack.\r\n\r\n \r\n [06 - Yahoo Packet Parser Overflow]\r\n \r\n A Yahoo Messenger packet consists of a header and a list of keys\r\n with their associated values. When reading an oversized keyname\r\n a standard stack overflow can be triggered. This is most probably \r\n the most dangerous discovered vulnerability because the nature \r\n of the bug makes it very easy to exploit and additionally a TCP \r\n man-in-the-middle attack is NOT needed. 
It is possible to send \r\n a malicious YMSG packet to the Yahoo server so that it will\r\n be forwarded like any normal message.\r\n\r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_packet_read()\r\n Code:\r\n \r\n static void yahoo_packet_read(struct yahoo_packet *pkt, \r\n guchar *data, int len)\r\n {\r\n int pos = 0;\r\n \r\n while (pos + 1 < len) {\r\n char key[64], *value = NULL, *esc;\r\n int accept;\r\n int x;\r\n \r\n struct yahoo_pair *pair = g_new0(struct yahoo_pair, 1);\r\n \r\n x = 0;\r\n while (pos + 1 < len) {\r\n if (data[pos] == 0xc0 && data[pos + 1] == 0x80)\r\n break;\r\n key[x++] = data[pos++]; <----------------- [06]\r\n }\r\n key[x] = 0;\r\n pos += 2;\r\n ...\r\n\r\n Every time the YMSG handler receives a complete packet it passes\r\n it to this function to split it into its keys and values.\r\n Because the keyname is copied without any kind of size check\r\n into the key variable, which is a 64 byte stack buffer, it is very\r\n easy to exploit.\r\n NOTE: This bug is also exploitable on systems with non-executable\r\n stacks or stack overflow detection as long as free() exploits are\r\n possible on that platform.\r\n \r\n \r\n [07 - AIM/Oscar DirectIM Integer Overflow]\r\n \r\n An integer overflow when allocating memory for a DirectIM packet\r\n results in a heap overflow. 
DirectIM is a client-to-client protocol\r\n and therefore does not require a man-in-the-middle.\r\n \r\n Affected version: <= 0.74\r\n File: gaim/src/protocols/oscar/ft.c\r\n Function: handlehdr_odc()\r\n Code:\r\n \r\n static int handlehdr_odc(aim_session_t *sess, aim_...\r\n {\r\n aim_frame_t fr;\r\n int ret = 0;\r\n aim_rxcallback_t userfunc;\r\n fu32_t payloadlength;\r\n fu16_t flags, encoding;\r\n char *snptr = NULL;\r\n \r\n fr.conn = conn;\r\n \r\n /* AAA - ugly */\r\n aim_bstream_setpos(bs, 20);\r\n payloadlength = aimbs_get32(bs);\r\n \r\n ...\r\n \r\n if (payloadlength) {\r\n char *msg;\r\n ...\r\n\r\n if (!(msg = calloc(1, payloadlength+1))) { <--- [07]\r\n free(snptr);\r\n return -ENOMEM;\r\n }\r\n\r\n while (payloadlength - recvd) {\r\n if (payloadlength - recvd >= 1024)\r\n i = aim_recv(conn->fd, &msg[recvd], 1024);\r\n else\r\n ...\r\n \r\n Within this code snippet payloadlength is taken directly from the\r\n network and passed to the calloc() function in an unsafe manner.\r\n \r\n A user-supplied payloadlength of UINT_MAX (0xffffffff) will cause\r\n an integer overflow within the second parameter of calloc()\r\n (payloadlength+1 wraps around to 0) and therefore only allocate a\r\n 0 byte buffer. Please notice that this bug is not an integer\r\n overflow due to the multiplication within calloc() and therefore\r\n it is not caught by the recent security patches to calloc() on\r\n different platforms. Please also note that calloc(1, 0) will not\r\n return a NULL pointer but a pointer into the legal heap on at\r\n least all tested platforms (e.g. Linux, BSD). On BSD systems this\r\n is configurable but it defaults to this behaviour. 
After allocating the 0 byte buffer, aim_recv() is called\r\n repeatedly by the while loop, reading and overwriting the heap\r\n with up to 4GB of data.\r\n\r\n\r\n [08 - Quoted Printable Decoder Overflow]\r\n [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]\r\n \r\n When the MIME decoder decodes a quoted printable encoded string\r\n for email notification, two different kinds of overflows can be\r\n triggered.\r\n \r\n Affected version: 0.75 (only)\r\n File: gaim/src/util.c\r\n Function: quotedp_decode()\r\n Code:\r\n \r\n void\r\n gaim_quotedp_decode(const char *str, char **ret_str, int ...\r\n {\r\n char *p, *n, *new;\r\n \r\n n = new = g_malloc(strlen (str) + 1);\r\n \r\n for (p = (char *)str; *p; p++, n++) {\r\n if (*p == '=') {\r\n sscanf(p + 1, "%2x\n", (int *)n); <-------- [08]\r\n p += 2; <--------------------------------- [09]\r\n }\r\n else if (*p == '_')\r\n *n = ' ';\r\n else\r\n *n = *p;\r\n }\r\n \r\n *n = '\0';\r\n ...\r\n \r\n Because these bugs are very similar to [01] and [02], only the\r\n vulnerable code snippet is shown here. For an explanation read\r\n the yahoo_decode() vulnerability description.\r\n \r\n \r\n [10 - URL Parser Function Overflow]\r\n \r\n At various places this utility function is used to split a\r\n URL into its parts. 
Because temporary fixed size stack buffers\r\n are used in an unsafe way, a standard stack overflow can be\r\n caused.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/util.c\r\n Function: gaim_url_parse()\r\n Code:\r\n \r\n gboolean\r\n gaim_url_parse(const char *url, char **ret_host,\r\n int *ret_port, char **ret_path)\r\n {\r\n char scan_info[255];\r\n char port_str[5];\r\n int f;\r\n const char *turl;\r\n char host[256], path[256];\r\n int port = 0;\r\n /* hyphen at end includes it in control set */\r\n static char addr_ctrl[] = "A-Za-z0-9.-";\r\n static char port_ctrl[] = "0-9";\r\n static char page_ctrl[] = "A-Za-z0-9.~_/:*!@&%%?=+^-";\r\n \r\n ...\r\n g_snprintf(scan_info, sizeof(scan_info),\r\n "%%[%s]:%%[%s]/%%[%s]", addr_ctrl, \r\n port_ctrl, page_ct\r\n\r\n f = sscanf(url, scan_info, host, port_str, path); <-- [10]\r\n ...\r\n\r\n Here sscanf() is again used in an unsafe manner: the %[...]\r\n conversions in the format string carry no field width. When this\r\n function is called with an oversized URL, which can be triggered\r\n from several protocol handlers in different ways, sscanf() will\r\n overwrite the stack buffers host and path. 
The problem at this\r\n point is that it is only possible to overwrite the buffers with\r\n a limited character set, which makes exploitation tricky.\r\n \r\n \r\n [11 - Extract Info Field Function Overflow]\r\n \r\n At various places this utility function is called to copy the\r\n data between two tokens into a fixed size stack buffer without a\r\n size check.\r\n\r\n Affected version: <= 0.74\r\n File: gaim/src/util.c\r\n Function: gaim_markup_extract_info_field()\r\n Code:\r\n \r\n ...\r\n const char *p, *q;\r\n char buf[1024];\r\n \r\n ...\r\n p = strstr(str, start_token);\r\n ...\r\n p += strlen(start_token) + skip;\r\n ...\r\n q = strstr(p, end_token);\r\n \r\n if (q != NULL && (!no_value_token ||\r\n (no_value_token && strncmp(p, no_value\r\n\r\n {\r\n ...\r\n if (is_link)\r\n {\r\n strcat(dest_buffer, "<br><a href=\"");\r\n memcpy(buf, p, q - p); <---------------------- [11]\r\n buf[q - p] = '\0';\r\n ...\r\n \r\n Here it is obvious that if q - p is bigger than 1024 bytes,\r\n memcpy() will overwrite the stack, which results in a\r\n standard stack overflow. 
At the moment this routine is\r\n called from within the get_user_info functions of the MSN\r\n and YMSG protocol handlers.\r\n\r\n\r\n [12 - HTTP Proxy Connect Overflow]\r\n \r\n When Gaim is set up to use an HTTP proxy for connecting to the\r\n server, a malicious HTTP proxy can exploit it.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/proxy.c\r\n Function: http_canread()\r\n Code:\r\n \r\n static void\r\n http_canread(gpointer data, gint source, GaimInputCondit...\r\n {\r\n int nlc = 0;\r\n int pos = 0;\r\n int minor, major, status, error=0;\r\n struct PHB *phb = data;\r\n char inputline[8192], *p;\r\n \r\n gaim_input_remove(phb->inpa);\r\n \r\n while ((nlc != 2) && \r\n (read(source, &inputline[pos++], 1) == 1)) {\r\n if (inputline[pos - 1] == '\n')\r\n nlc++;\r\n else if (inputline[pos - 1] != '\r')\r\n nlc = 0;\r\n }\r\n inputline[pos] = '\0';\r\n ...\r\n \r\n Here the author never thought about the possibility that a\r\n proxy server could be malicious. The inputline is read into\r\n the 8192 byte buffer byte after byte until a double line break\r\n (the end of the HTTP header) is found. Because there is no size\r\n check at all, the buffer will overflow as soon as the proxy sends\r\n more than 8192 bytes in a line. This bug is exploitable even if\r\n stack overwrite protections are in place because it is possible\r\n to overwrite the pointer phb, which points to a struct that\r\n contains a callback function which is later called in the\r\n function. By overwriting the pointer and so controlling the\r\n callback function pointer it is possible to gain control over\r\n the instruction pointer before the function is left.\r\n\r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release exploits for any of these \r\n vulnerabilities to the public. \r\n \r\n\r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) \r\n has assigned the following names to these issues. 
\r\n \r\n CAN-2004-0005: version 0.75 only, buffer overflows:\r\n\r\n [01 - Yahoo Octal-Encoding Decoder Overflow]\r\n [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]\r\n [08 - Quoted Printable Decoder Overflow]\r\n [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]\r\n\r\n CAN-2004-0006: 0.75 and earlier, buffer overflows:\r\n\r\n [03 - Yahoo Web Cookie Parser Overflow]\r\n [04 - Yahoo Login Page Name Parser Overflow]\r\n [05 - Yahoo Login Page Value Parser Overflow]\r\n [06 - Yahoo Packet Parser Overflow]\r\n [10 - URL Parser Function Overflow]\r\n [12 - HTTP Proxy Connect Overflow]\r\n\r\n CAN-2004-0007: 0.74 and earlier, buffer overflows:\r\n\r\n [11 - Extract Info Field Function Overflow]\r\n\r\n CAN-2004-0008: 0.74 and earlier, integer overflow:\r\n\r\n [07 - AIM/Oscar DirectIM Integer Overflow]\r\n\r\n\r\nDisclosure Timeline:\r\n\r\n 04. January 2004 - The Oscar filetransfer bug was sent to the \r\n Gaim vendor by email. Within an hour the bug\r\n was fixed within the CVS.\r\n 10. January 2004 - Gaim vendor released version 0.75 because of\r\n a Yahoo protocol change problem(?)\r\n Some free time allowed deeper analysis of the\r\n new version. This revealed more bugs: 1 fixed\r\n in 0.75, some new in 0.75 and some old which \r\n are still in 0.75. All these bugs were again\r\n mailed to the vendor.\r\n 15. January 2004 - Vendor was contacted with a patch because\r\n they had not fixed the bugs yet. Our patch \r\n was applied in the same night.\r\n 16. January 2004 - Vendor-sec was contacted to coordinate the \r\n disclosure process. Vendor was asked by email\r\n when 0.76 is about to come out and that this\r\n should be as soon as possible because the\r\n bugfixes were visible in their CVS with\r\n explicit commit messages. No response to this\r\n mail until today.\r\n 23. January 2004 - Vendor was notified about public disclosure\r\n on the 26th.\r\n 25. 
January 2004 - Notification by the vendor that the gaim 0.76 \r\n release date is not planned yet.\r\n 26. January 2004 - Public Disclosure\r\n\r\n\r\nRecommendation:\r\n\r\n Because there is no official new version out yet, you can download\r\n a diff against version 0.75 from\r\n \r\n http://security.e-matters.de/patches/gaim-0.75-fix.diff\r\n \r\n This patch was done by the FreeBSD security team. It is different\r\n from the official patches in the Gaim CVS. We suggest that you\r\n upgrade as soon as possible, because the explicit commit message\r\n in the official CVS tree seems to have leaked. At least it was\r\n reported to us that a link to the message on the sourceforge \r\n WebCVS was pasted into an IRC channel.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam\r\n Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6\r\n\r\n\r\nCopyright 2004 Stefan Esser. All rights reserved.\r\n\r\n\r\n\r\n\r\n-- \r\n\r\n--------------------------------------------------------------------------\r\n Stefan Esser s.esser@e-matters.de\r\n e-matters Security http://security.e-matters.de/\r\n\r\n GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 \r\n Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69\r\n--------------------------------------------------------------------------\r\n Did I help you? 
Consider a gift: http://wishlist.suspekt.org/\r\n--------------------------------------------------------------------------\r\n", "edition": 1, "modified": "2004-01-26T00:00:00", "published": "2004-01-26T00:00:00", "id": "SECURITYVULNS:DOC:5678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5678", "title": "Advisory 01/2004: 12 x Gaim remote overflows", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2020-11-11T13:21:49", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": "- --------------------------------------------------------------------------\nDebian Security Advisory DSA 434-1 security@debian.org\nhttp://www.debian.org/security/ Martin Schulze\nFebruary 5th, 2004 http://www.debian.org/security/faq\n- --------------------------------------------------------------------------\n\nPackage : gaim\nVulnerability : several\nProblem-Type : remote\nDebian-specific: no\nCVE ID : CAN-2004-0005 CAN-2004-0006 CAN-2004-0007 CAN-2004-0008\n\nStefan Esser discovered several security related problems in Gaim, a\nmulti-protocol instant messaging client. Not all of them are\napplicable for the version in Debian stable, but affected the version\nin the unstable distribution at least. The problems were grouped for\nthe Common Vulnerabilities and Exposures as follows:\n\nCAN-2004-0005\n\n When the Yahoo Messenger handler decodes an octal value for email\n notification functions two different kinds of overflows can be\n triggered. When the MIME decoder decoded a quoted printable\n encoded string for email notification two other different kinds of\n overflows can be triggered. These problems only affect the\n version in the unstable distribution.\n\nCAN-2004-0006\n\n When parsing the cookies within the HTTP reply header of a Yahoo\n web connection a buffer overflow can happen. 
When parsing the\n Yahoo Login Webpage the YMSG protocol overflows stack buffers if\n the web page returns oversized values. When splitting an URL into\n its parts a stack overflow can be caused. These problems only\n affect the version in the unstable distribution\n\n When an oversized keyname is read from a Yahoo Messenger packet a\n stack overflow can be triggered. When Gaim is setup to use a HTTP\n proxy for connecting to the server a malicious HTTP proxy can\n exploit it. These problems affect all versions Debian ships.\n However, the connection to Yahoo doesn't work in the version in\n Debian stable.\n\nCAN-2004-0007\n\n Internally data is copied between two tokens into a fixed size\n stack buffer without a size check. This only affects the version\n of gaim in the unstable distribution\n\nCAN-2004-0008\n\n When allocating memory for AIM/Oscar DirectIM packets an integer\n overflow can happen, resulting in a heap overflow. This only\n affects the version of gaim in the unstable distribution\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.58-2.4.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.75-2.\n\nWe recommend that you upgrade your gaim packages.\n\n\nUpgrade Instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 3.0 alias woody\n- --------------------------------\n\n These files will probably be moved into the stable distribution on\n its next revision.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n\n", "edition": 3, "modified": "2004-02-05T00:00:00", "published": "2004-02-05T00:00:00", "id": "DEBIAN:DSA-434-1:84ED5", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00029.html", "title": "[SECURITY] [DSA 434-1] New 
gaim packages fix several vulnerabilities", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:35:18", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "description": "\nStefan Esser of e-matters found almost a dozen remotely\n\t exploitable vulnerabilities in Gaim.\tFrom the e-matters\n\t advisory:\n\nWhile developing a custom add-on, an integer overflow\n\t in the handling of AIM DirectIM packets was revealed that\n\t could lead to a remote compromise of the IM client. After\n\t disclosing this bug to the vendor, they had to make a\n\t hurried release because of a change in the Yahoo connection\n\t procedure that rendered GAIM useless. Unfortunately at the\n\t same time a closer look at the source code revealed 11 more\n\t vulnerabilities.\nThe 12 identified problems range from simple standard\n\t stack overflows, over heap overflows to an integer overflow\n\t that can be abused to cause a heap overflow. Due to the\n\t nature of instant messaging many of these bugs require\n\t man-in-the-middle attacks between client and server. But the\n\t underlying protocols are easy to implement and MIM attacks\n\t on ordinary TCP sessions are a fairly simple task.\nIn combination with the latest kernel vulnerabilities or\n\t the habit of users to work as root/administrator these bugs\n\t can result in remote root compromises.\n\n", "edition": 4, "modified": "2004-10-25T00:00:00", "published": "2004-01-26T00:00:00", "id": "6FD02439-5D70-11D8-80E3-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html", "title": "Several remotely exploitable buffer overflows in gaim", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}