ID OSVDB:3733 Type osvdb Reporter e-matters() Modified 2004-01-27T02:50:42
Description
Vulnerability Description
A remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.
Solution Description
Upgrade to version 0.76 or higher, as it has been reported to fix this vulnerability. The FreeBSD security team has released an unoffcial patch which also corrects this vulnerability.
Short Description
A remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.
{"edition": 1, "title": "Gaim Extract Info Field Function Buffer Overflow", "bulletinFamily": "software", "published": "2004-01-27T02:50:42", "lastseen": "2017-04-28T13:19:58", "history": [], "modified": "2004-01-27T02:50:42", "reporter": "e-matters()", "hash": "601cfb0c759c0d86e181f16a76827086daf0939c8315fd27d2f162ebf6fccd9e", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:3733", "description": "## Vulnerability Description\nA remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 0.76 or higher, as it has been reported to fix this vulnerability. The FreeBSD security team has released an unoffcial patch which also corrects this vulnerability.\n## Short Description\nA remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://sourceforge.net/tracker/index.php?func=detail&aid=885370&group_id=235&atid=100235)\n[Secunia Advisory ID:10705](https://secuniaresearch.flexerasoftware.com/advisories/10705/)\n[Related OSVDB ID: 3731](https://vulners.com/osvdb/OSVDB:3731)\n[Related OSVDB ID: 3730](https://vulners.com/osvdb/OSVDB:3730)\n[Related OSVDB ID: 3732](https://vulners.com/osvdb/OSVDB:3732)\nOther Solution URL: http://security.e-matters.de/patches/gaim-0.75-fix.diff\nOther Advisory URL: http://security.e-matters.de/advisories/012004.html\nISS X-Force ID: 14946\n[CVE-2004-0007](https://vulners.com/cve/CVE-2004-0007)\n", "affectedSoftware": [{"name": "gaim", "version": "0.74", "operator": "eq"}], "type": "osvdb", "hashmap": [{"key": "affectedSoftware", "hash": "04d55b50e739417c82f57e24e9da526f"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "93fce7d867b60f9b38b9f6b33de20e15"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "cc2e21aaf8c7b8ffd71e65d91d372332"}, {"key": "href", "hash": "96a7d52737bddabca68a195bd23d2989"}, {"key": "modified", "hash": "cd2c4017d6c02c07bdc5c3219fd8241b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "cd2c4017d6c02c07bdc5c3219fd8241b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "3b11405981da84cd0e93e9f83e99ba52"}, {"key": "title", "hash": "9805e4490dec7962c10b6d583b13c16a"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "cvelist": ["CVE-2004-0007"], "id": "OSVDB:3733"}
{"cve": [{"lastseen": "2017-10-11T11:05:54", "references": ["http://www.mandriva.com/security/advisories?name=MDKSA-2004:006", "http://security.gentoo.org/glsa/glsa-200401-04.xml", "http://www.redhat.com/support/errata/RHSA-2004-033.html", "http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0994.html", "http://marc.info/?l=bugtraq&m=107522432613022&w=2", "http://ultramagnetic.sourceforge.net/advisories/001.html", "http://www.securitytracker.com/id?1008850", "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.361158", "http://www.securityfocus.com/advisories/6281", "http://security.e-matters.de/advisories/012004.html", "http://marc.info/?l=bugtraq&m=107513690306318&w=2", "http://www.redhat.com/support/errata/RHSA-2004-032.html", "http://www.kb.cert.org/vuls/id/197142", "https://exchange.xforce.ibmcloud.com/vulnerabilities/14946", "http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813", "http://www.securityfocus.com/bid/9489", "http://www.debian.org/security/2004/dsa-434"], "description": "Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.", "edition": 4, "reporter": "NVD", "published": "2004-03-03T00:00:00", "title": "CVE-2004-0007", "type": "cve", "enchantments": {"score": {"modified": "2017-10-11T11:05:54", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:819", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A819"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2004-0007"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:819", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:819"}], "modified": "2017-10-10T21:29:19", "cpe": ["cpe:/a:ultramagnetic:ultramagnetic:0.81", "cpe:/a:rob_flynn:gaim:0.74"], "id": "CVE-2004-0007", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0007", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-08-31T02:37:36", "references": ["http://www.secunia.com/advisories/10705/", "http://gaim.sourceforge.net/downloads.php", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2004-0007", "http://security.e-matters.de/advisories/012004.html", "http://gaim.sourceforge.net/", "http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813", "http://www.debian.org/security/2004/dsa-434"], "description": "### Overview\n\nThere is a buffer overflow vulnerability in the `gaim_markup_extract_info_field()` function, which could allow an unauthenticated, remote attacker to cause a denial of service or execute arbitrary code.\n\n### Description\n\n[Gaim](<http://gaim.sourceforge.net/>) is a multi-protocol instant messenger client available for a number of operating systems. There is a buffer overflow vulnerability in the `gaim_markup_extract_info_field()` function. This function is used by the Yahoo Messenger (YMSG) and MSN protocol handlers. Within this function, a buffer with a fixed size of 1024 bytes is allocated in memory. When copying data, the function fails to check the size of the data copied to the buffer. This could result in a buffer overflow. \n \n--- \n \n### Impact\n\nAn unauthenticated, remote attacker could cause a denial of service or potentially execute arbitrary code with the privileges of the vulnerable process. \n \n--- \n \n### Solution\n\n**Upgrade**\n\nUpgrade to Gaim version [0.75](<http://gaim.sourceforge.net/downloads.php>) or later. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nGaim| | -| 10 May 2004 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23197142 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://security.e-matters.de/advisories/012004.html>\n * <http://www.debian.org/security/2004/dsa-434>\n * [http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000813](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813>)\n * <http://www.secunia.com/advisories/10705/>\n\n### Credit\n\nThis vulnerability was publicly reported by Stefan Esser of e-matters .\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n * CVE IDs: [CAN-2004-0007](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2004-0007>)\n * Date Public: 26 Jan 2004\n * Date First Published: 10 May 2004\n * Date Last Updated: 10 May 2004\n * Severity Metric: 11.81\n * Document Revision: 10\n\n", "edition": 4, "reporter": "CERT", "published": "2004-05-10T00:00:00", "title": "Gaim contains a buffer overflow vulnerability in the Extract Info Field function", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2004-0007", "CVE-2004-0007"], "modified": "2004-05-10T00:00:00", "id": "VU:197142", "href": "https://www.kb.cert.org/vuls/id/197142", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-09-01T23:35:30", "references": [], "pluginID": "14106", "description": "A number of vulnerabilities were discovered in the gaim instant messenger program by Steffan Esser, versions 0.75 and earlier. Thanks to Jacques A. Vidrine for providing initial patches.\n\nMultiple buffer overflows exist in gaim 0.75 and earlier: When parsing cookies in a Yahoo web connection; YMSG protocol overflows parsing the Yahoo login webpage; a YMSG packet overflow; flaws in the URL parser;\nand flaws in the HTTP Proxy connect (CAN-2004-006).\n\nA buffer overflow in gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers (CAN-2004-007).\n\nAn integer overflow in gaim 0.74 and earlier, when allocating memory for a directIM packet results in a heap overflow (CVE-2004-0008).\n\nUpdate :\n\nThe patch used to correct the problem was slightly malformed and could cause an infinite loop and crash with the Yahoo protocol. The new packages have a corrected patch that resolves the problem.", "edition": 5, "reporter": "Tenable", "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0007"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:gaim-encrypt", "p-cpe:/a:mandriva:linux:lib64gaim-remote0-devel", "cpe:/o:mandrakesoft:mandrake_linux:9.1", "p-cpe:/a:mandriva:linux:gaim", "p-cpe:/a:mandriva:linux:lib64gaim-remote0", "p-cpe:/a:mandriva:linux:libgaim-remote0-devel", "cpe:/o:mandrakesoft:mandrake_linux:9.2", "p-cpe:/a:mandriva:linux:libgaim-remote0", "p-cpe:/a:mandriva:linux:gaim-perl", "p-cpe:/a:mandriva:linux:gaim-festival"], "id": "MANDRAKE_MDKSA-2004-006.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=14106", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2004:006. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(14106);\n script_version (\"1.18\");\n script_cvs_date(\"Date: 2018/07/19 20:59:13\");\n\n script_cve_id(\"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_xref(name:\"MDKSA\", value:\"2004:006-1\");\n\n script_name(english:\"Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A number of vulnerabilities were discovered in the gaim instant\nmessenger program by Steffan Esser, versions 0.75 and earlier. Thanks\nto Jacques A. Vidrine for providing initial patches.\n\nMultiple buffer overflows exist in gaim 0.75 and earlier: When parsing\ncookies in a Yahoo web connection; YMSG protocol overflows parsing the\nYahoo login webpage; a YMSG packet overflow; flaws in the URL parser;\nand flaws in the HTTP Proxy connect (CAN-2004-006).\n\nA buffer overflow in gaim 0.74 and earlier in the Extract Info Field\nFunction used for MSN and YMSG protocol handlers (CAN-2004-007).\n\nAn integer overflow in gaim 0.74 and earlier, when allocating memory\nfor a directIM packet results in a heap overflow (CVE-2004-0008).\n\nUpdate :\n\nThe patch used to correct the problem was slightly malformed and could\ncause an infinite loop and crash with the Yahoo protocol. The new\npackages have a corrected patch that resolves the problem.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gaim-encrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gaim-festival\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:gaim-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64gaim-remote0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64gaim-remote0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libgaim-remote0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libgaim-remote0-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"gaim-0.75-1.2.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"gaim-encrypt-0.75-1.2.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libgaim-remote0-0.75-1.2.91mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.1\", cpu:\"i386\", reference:\"libgaim-remote0-devel-0.75-1.2.91mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.2\", reference:\"gaim-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"gaim-encrypt-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"gaim-festival-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", reference:\"gaim-perl-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64gaim-remote0-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"amd64\", reference:\"lib64gaim-remote0-devel-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libgaim-remote0-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.2\", cpu:\"i386\", reference:\"libgaim-remote0-devel-0.75-1.2.92mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:46:31", "references": ["https://www.redhat.com/security/data/cve/CVE-2004-0006.html", "http://rhn.redhat.com/errata/RHSA-2004-033.html", "https://www.redhat.com/security/data/cve/CVE-2004-0007.html", "https://www.redhat.com/security/data/cve/CVE-2004-0008.html"], "pluginID": "12455", "description": "Updated Gaim packages that fix a number of serious vulnerabilities are now available.\n\nGaim is an instant messenger client that can handle multiple protocols.\n\nStefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server.\n\nThe issues include :\n\nMultiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to these issues.\n\nA buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0007 to this issue.\n\nAn integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.\n\nAll users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues.\n\nRed Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.", "edition": 5, "reporter": "Tenable", "published": "2004-07-06T00:00:00", "title": "RHEL 3 : gaim (RHSA-2004:033)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0007"], "modified": "2016-12-28T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:3", "p-cpe:/a:redhat:enterprise_linux:gaim"], "id": "REDHAT-RHSA-2004-033.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12455", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2004:033. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(12455);\n script_version (\"$Revision: 1.19 $\");\n script_cvs_date(\"$Date: 2016/12/28 17:44:44 $\");\n\n script_cve_id(\"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_xref(name:\"RHSA\", value:\"2004:033\");\n\n script_name(english:\"RHEL 3 : gaim (RHSA-2004:033)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated Gaim packages that fix a number of serious vulnerabilities are\nnow available.\n\nGaim is an instant messenger client that can handle multiple\nprotocols.\n\nStefan Esser audited the Gaim source code and found a number of bugs\nthat have security implications. Due to the nature of instant\nmessaging many of these bugs require man-in-the-middle attacks between\nclient and server. However at least one of the buffer overflows could\nbe exploited by an attacker sending a carefully-constructed malicious\nmessage through a server.\n\nThe issues include :\n\nMultiple buffer overflows that affect versions of Gaim 0.75 and\nearlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG\nprotocol overflows parsing the Yahoo login webpage, 3) a YMSG packet\noverflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy\nconnect. The Common Vulnerabilities and Exposures project\n(cve.mitre.org) has assigned the name CVE-2004-0006 to these issues.\n\nA buffer overflow in Gaim 0.74 and earlier in the Extract Info Field\nFunction used for MSN and YMSG protocol handlers. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0007 to this issue.\n\nAn integer overflow in Gaim 0.74 and earlier, when allocating memory\nfor a directIM packet results in heap overflow. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the\nname CVE-2004-0008 to this issue.\n\nAll users of Gaim should upgrade to these erratum packages, which\ncontain backported security patches correcting these issues.\n\nRed Hat would like to thank Steffan Esser for finding and reporting\nthese issues and Jacques A. Vidrine for providing initial patches.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2004-0006.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2004-0007.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2004-0008.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2004-033.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected gaim package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/01/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^3([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 3.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2004:033\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL3\", reference:\"gaim-0.75-3.2.0\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gaim\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:39:16", "references": ["http://www.nessus.org/u?fdb6dd3c", "http://www.nessus.org/u?9f3bf97b"], "pluginID": "37025", "description": "Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory :\n\nWhile developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.\n\nThe 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.\n\nIn combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.", "edition": 4, "reporter": "Tenable", "published": "2009-04-23T00:00:00", "title": "FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2013-08-09T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:ko-gaim", "p-cpe:/a:freebsd:freebsd:gaim", "p-cpe:/a:freebsd:freebsd:gaim", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ja-gaim", "p-cpe:/a:freebsd:freebsd:ru-gaim"], "id": "FREEBSD_PKG_6FD024395D7011D880E30020ED76EF5A.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=37025", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2013 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(37025);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2013/08/09 10:50:38 $\");\n\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n\n script_name(english:\"FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser of e-matters found almost a dozen remotely exploitable\nvulnerabilities in Gaim. From the e-matters advisory :\n\nWhile developing a custom add-on, an integer overflow in the handling\nof AIM DirectIM packets was revealed that could lead to a remote\ncompromise of the IM client. After disclosing this bug to the vendor,\nthey had to make a hurried release because of a change in the Yahoo\nconnection procedure that rendered GAIM useless. Unfourtunately at the\nsame time a closer look onto the sourcecode revealed 11 more\nvulnerabilities.\n\nThe 12 identified problems range from simple standard stack overflows,\nover heap overflows to an integer overflow that can be abused to cause\na heap overflow. Due to the nature of instant messaging many of these\nbugs require man-in-the-middle attacks between client and server. But\nthe underlying protocols are easy to implement and MIM attacks on\nordinary TCP sessions is a fairly simple task.\n\nIn combination with the latest kernel vulnerabilities or the habit of\nusers to work as root/administrator these bugs can result in remote\nroot compromises.\"\n );\n # http://security.e-matters.de/advisories/012004.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fdb6dd3c\"\n );\n # http://www.freebsd.org/ports/portaudit/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9f3bf97b\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ko-gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2004/01/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ko-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim<0.75_3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim=0.75_5\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-gaim=0.76\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"gaim>=20030000\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:11:11", "references": ["http://www.debian.org/security/2004/dsa-434"], "pluginID": "15271", "description": "Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows :\n\n - CAN-2004-0005 When the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.\n\n - CAN-2004-0006\n\n When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen.\n When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution.\n\n When an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships.\n However, the connection to Yahoo doesn't work in the version in Debian stable.\n\n - CAN-2004-0007\n\n Internally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.\n\n - CAN-2004-0008\n\n When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.", "edition": 5, "reporter": "Tenable", "published": "2004-09-29T00:00:00", "title": "Debian DSA-434-1 : gaim - several vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2018-07-20T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:gaim", "cpe:/o:debian:debian_linux:3.0"], "id": "DEBIAN_DSA-434.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=15271", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-434. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(15271);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/20 2:17:11\");\n\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_bugtraq_id(9489);\n script_xref(name:\"DSA\", value:\"434\");\n\n script_name(english:\"Debian DSA-434-1 : gaim - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Stefan Esser discovered several security related problems in Gaim, a\nmulti-protocol instant messaging client. Not all of them are\napplicable for the version in Debian stable, but affected the version\nin the unstable distribution at least. The problems were grouped for\nthe Common Vulnerabilities and Exposures as follows :\n\n - CAN-2004-0005\n When the Yahoo Messenger handler decodes an octal value\n for email notification functions two different kinds of\n overflows can be triggered. When the MIME decoder\n decoded a quoted printable encoded string for email\n notification two other different kinds of overflows can\n be triggered. These problems only affect the version in\n the unstable distribution.\n\n - CAN-2004-0006\n\n When parsing the cookies within the HTTP reply header of\n a Yahoo web connection a buffer overflow can happen.\n When parsing the Yahoo Login Webpage the YMSG protocol\n overflows stack buffers if the web page returns\n oversized values. When splitting a URL into its parts a\n stack overflow can be caused. These problems only affect\n the version in the unstable distribution.\n\n When an oversized keyname is read from a Yahoo Messenger packet a\n stack overflow can be triggered. When Gaim is setup to use an HTTP\n proxy for connecting to the server a malicious HTTP proxy can\n exploit it. These problems affect all versions Debian ships.\n However, the connection to Yahoo doesn't work in the version in\n Debian stable.\n\n - CAN-2004-0007\n\n Internally data is copied between two tokens into a\n fixed size stack buffer without a size check. This only\n affects the version of gaim in the unstable\n distribution.\n\n - CAN-2004-0008\n\n When allocating memory for AIM/Oscar DirectIM packets an\n integer overflow can happen, resulting in a heap\n overflow. This only affects the version of gaim in the\n unstable distribution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2004/dsa-434\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gaim packages.\n\nFor the stable distribution (woody) these problems has been fixed in\nversion 0.58-2.4.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2004/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"gaim\", reference:\"0.58-2.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"gaim-common\", reference:\"0.58-2.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"gaim-gnome\", reference:\"0.58-2.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:25:59", "references": ["http://bugs.libgd.org/?do=details&task_id=70", "http://www.mozilla.org/projects/security/known-vulnerabilities.html", "http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false", "http://bugs.libgd.org/?do=details&task_id=94", "http://www.mozilla.org/security/announce/mfsa2005-47.html", "http://www.frsirt.com/english/advisories/2007/2336", "http://bugs.libgd.org/?do=details&task_id=89", "http://www.FreeBSD.org/ports/portaudit/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html", "http://secunia.com/advisories/11804", "http://bugs.libgd.org/?do=details&task_id=87", "http://www.mozilla.org/security/announce/mfsa2005-46.html", "http://security.e-matters.de/advisories/012004.txt", "http://www.osvdb.org/6791", "http://www.libgd.org/ReleaseNote020035"], "pluginID": "12543", "description": "The following package needs to be updated: gaim", "edition": 1, "reporter": "Tenable", "published": "2004-07-06T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "nessus", "title": "FreeBSD : Several remotely exploitable buffer overflows in gaim (52)", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2004-07-06T00:00:00", "id": "FREEBSD_GAIM_076.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=12543", "sourceData": "# @DEPRECATED@\n#\n# This script has been deprecated by freebsd_pkg_6fd024395d7011d880e30020ed76ef5a.nasl.\n#\n# Disabled on 2011/10/02.\n#\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# This script contains information extracted from VuXML :\n#\n# Copyright 2003-2006 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n#\n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n#\n#\n\ninclude('compat.inc');\n\nif ( description )\n{\n script_id(12543);\n script_version(\"$Revision: 1.8 $\");\n script_cve_id(\"CVE-2004-0008\");\n script_cve_id(\"CVE-2004-0007\");\n script_cve_id(\"CVE-2004-0006\");\n script_cve_id(\"CVE-2004-0005\");\n\n script_name(english:\"FreeBSD : Several remotely exploitable buffer overflows in gaim (52)\");\n\nscript_set_attribute(attribute:'synopsis', value: 'The remote host is missing a security update');\nscript_set_attribute(attribute:'description', value:'The following package needs to be updated: gaim');\nscript_set_attribute(attribute: 'cvss_vector', value: 'CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P');\nscript_set_attribute(attribute:'solution', value: 'Update the package on the remote host');\nscript_set_attribute(attribute: 'see_also', value: 'http://bugs.libgd.org/?do=details&task_id=70\nhttp://bugs.libgd.org/?do=details&task_id=87\nhttp://bugs.libgd.org/?do=details&task_id=89\nhttp://bugs.libgd.org/?do=details&task_id=94\nhttp://secunia.com/advisories/11804\nhttp://security.e-matters.de/advisories/012004.txt\nhttp://www.frsirt.com/english/advisories/2007/2336\nhttp://www.idefense.com/application/poi/display?id=107&type=vulnerabilities&flashstatus=false\nhttp://www.libgd.org/ReleaseNote020035\nhttp://www.mozilla.org/projects/security/known-vulnerabilities.html\nhttp://www.mozilla.org/security/announce/mfsa2005-46.html\nhttp://www.mozilla.org/security/announce/mfsa2005-47.html\nhttp://www.osvdb.org/6791');\nscript_set_attribute(attribute:'see_also', value: 'http://www.FreeBSD.org/ports/portaudit/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html');\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2004/07/06\");\n script_end_attributes();\n script_summary(english:\"Check for gaim\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2010 Tenable Network Security, Inc.\");\n family[\"english\"] = \"FreeBSD Local Security Checks\";\n script_family(english:family[\"english\"]);\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/FreeBSD/pkg_info\");\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Refer to plugin #37025 (freebsd_pkg_6fd024395d7011d880e30020ed76ef5a.nasl) instead.\");\n\nglobal_var cvss_score;\ncvss_score=7;\ninclude('freebsd_package.inc');\n\n\npkg_test(pkg:\"gaim<0.75_3\");\n\npkg_test(pkg:\"gaim=0.75_5\");\n\npkg_test(pkg:\"gaim=0.76\");\n\npkg_test(pkg:\"ja-gaim<0.75_3\");\n\npkg_test(pkg:\"ja-gaim=0.75_5\");\n\npkg_test(pkg:\"ja-gaim=0.76\");\n\npkg_test(pkg:\"ko-gaim<0.75_3\");\n\npkg_test(pkg:\"ko-gaim=0.75_5\");\n\npkg_test(pkg:\"ko-gaim=0.76\");\n\npkg_test(pkg:\"ru-gaim<0.75_3\");\n\npkg_test(pkg:\"ru-gaim=0.75_5\");\n\npkg_test(pkg:\"ru-gaim=0.76\");\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2017-08-02T22:58:18", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "any", "packageVersion": "0.75-3.2.0", "packageFilename": "gaim-0.75-3.2.0.ia64.rpm", "packageName": "gaim", "arch": "ia64", "operator": "lt"}], "description": "Gaim is an instant messenger client that can handle multiple protocols.\n\nStefan Esser audited the Gaim source code and found a number of bugs that\nhave security implications. Due to the nature of instant messaging many of\nthese bugs require man-in-the-middle attacks between client and server.\nHowever at least one of the buffer overflows could be exploited by an\nattacker sending a carefully-constructed malicious message through a server.\n\nThe issues include:\n\nMultiple buffer overflows that affect versions of Gaim 0.75 and earlier. \n1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol\noverflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4)\nflaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0006 to these issues.\n\nA buffer overflow in Gaim 0.74 and earlier in the Extract Info\nField Function used for MSN and YMSG protocol handlers. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0007 to this issue.\n\nAn integer overflow in Gaim 0.74 and earlier, when allocating\nmemory for a directIM packet results in heap overflow.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0008 to this issue.\n\nAll users of Gaim should upgrade to these erratum packages, which contain\nbackported security patches correcting these issues. \n\nRed Hat would like to thank Steffan Esser for finding and reporting these\nissues and Jacques A. Vidrine for providing initial patches.", "reporter": "RedHat", "published": "2004-01-26T05:00:00", "type": "redhat", "title": "(RHSA-2004:033) gaim security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0007", "CVE-2004-0008"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-07-29T20:32:39", "id": "RHSA-2004:033", "href": "https://access.redhat.com/errata/RHSA-2004:033", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T11:40:57", "references": [], "affectedPackage": [{"OS": "openSUSE", "OSVersion": "8.1", "packageVersion": "0.59-158", "packageFilename": "gaim-0.59-158.i586.rpm", "packageName": "gaim", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.2", "packageVersion": "0.59.8-60", "packageFilename": "gaim-0.59.8-60.i586.rpm", "packageName": "gaim", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "9.0", "packageVersion": "0.67-65", "packageFilename": "gaim-0.67-65.i586.rpm", "packageName": "gaim", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE", "OSVersion": "8.0", "packageVersion": "0.50-187", "packageFilename": "gaim-0.50-187.i386.rpm", "packageName": "gaim", "arch": "i386", "operator": "lt"}], "description": "Gaim is a multi-protocol instant-messaging client. Stefan Esser found 12 vulnerabilities in gaim that can lead to a remote system compromise with the privileges of the user running GAIM. The GAIM package that SUSE LINUX ships is affected by just two of these bug: - Yahoo Packet Parser Overflow - HTTP Proxy Connect Overflow", "edition": 1, "reporter": "Suse", "published": "2004-01-29T12:56:32", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "remote system compromise in gaim", "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2004-01-29T12:56:32", "id": "SUSE-SA:2004:004", "href": "http://lists.opensuse.org/opensuse-security-announce/2004-01/msg00007.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:16", "references": [], "pluginID": "53132", "description": "The remote host is missing an update to gaim\nannounced via advisory DSA 434-1.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-01-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Debian Security Advisory DSA 434-1 (gaim)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=53132", "id": "OPENVAS:53132", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_434_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 434-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Stefan Esser discovered several security related problems in Gaim, a\nmulti-protocol instant messaging client. Not all of them are\napplicable for the version in Debian stable, but affected the version\nin the unstable distribution at least. The problems were grouped for\nthe Common Vulnerabilities and Exposures as follows:\n\nCVE-2004-0005\n\nWhen the Yahoo Messenger handler decodes an octal value for email\nnotification functions two different kinds of overflows can be\ntriggered. When the MIME decoder decoded a quoted printable\nencoded string for email notification two other different kinds of\noverflows can be triggered. These problems only affect the\nversion in the unstable distribution.\n\nCVE-2004-0006\n\nWhen parsing the cookies within the HTTP reply header of a Yahoo\nweb connection a buffer overflow can happen. When parsing the\nYahoo Login Webpage the YMSG protocol overflows stack buffers if\nthe web page returns oversized values. When splitting an URL into\nits parts a stack overflow can be caused. These problems only\naffect the version in the unstable distribution\n\nWhen an oversized keyname is read from a Yahoo Messenger packet a\nstack overflow can be triggered. When Gaim is setup to use a HTTP\nproxy for connecting to the server a malicious HTTP proxy can\nexploit it. These problems affect all versions Debian ships.\nHowever, the connection to Yahoo doesn't work in the version in\nDebian stable.\n\nCVE-2004-0007\n\nInternally data is copied between two tokens into a fixed size\nstack buffer without a size check. This only affects the version\nof gaim in the unstable distribution\n\nCVE-2004-0008\n\nWhen allocating memory for AIM/Oscar DirectIM packets an integer\noverflow can happen, resulting in a heap overflow. This only\naffects the version of gaim in the unstable distribution\n\nFor the stable distribution (woody) this problem has been fixed in\nversion 0.58-2.4.\n\nFor the unstable distribution (sid) this problem has been fixed in\nversion 0.75-2.\n\nWe recommend that you upgrade your gaim packages.\";\ntag_summary = \"The remote host is missing an update to gaim\nannounced via advisory DSA 434-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20434-1\";\n\nif(description)\n{\n script_id(53132);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:41:51 +0100 (Thu, 17 Jan 2008)\");\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 434-1 (gaim)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"gaim\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gaim-common\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"gaim-gnome\", ver:\"0.58-2.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-02T21:10:27", "references": [], "pluginID": "52486", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "edition": 1, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-04T00:00:00", "title": "FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2016-09-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=52486", "id": "OPENVAS:52486", "sourceData": "#\n#VID 6fd02439-5d70-11d8-80e3-0020ed76ef5a\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from vuxml or freebsd advisories\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n gaim\n ja-gaim\n ko-gaim\n ru-gaim\n\nThe installed versions suffer from numerous buffer\noverflows that allow attackers to execute arbitrary\ncode on the system.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://security.e-matters.de/advisories/012004.txt\nhttp://www.vuxml.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\nif(description)\n{\n script_id(52486);\n script_version(\"$Revision: 4118 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2016-09-20 07:32:38 +0200 (Tue, 20 Sep 2016) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-04 20:41:11 +0200 (Thu, 04 Sep 2008)\");\n script_cve_id(\"CVE-2004-0005\", \"CVE-2004-0006\", \"CVE-2004-0007\", \"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ja-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ja-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ko-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ko-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"ru-gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_3\")<0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.75_5\")==0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nif(!isnull(bver) && revcomp(a:bver, b:\"0.76\")==0) {\n txt += 'Package ru-gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"gaim\");\nif(!isnull(bver) && revcomp(a:bver, b:\"20030000\")>=0) {\n txt += 'Package gaim version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:53", "references": [], "pluginID": "54518", "description": "The remote host is missing updates announced in\nadvisory GLSA 200401-04.", "edition": 2, "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "published": "2008-09-24T00:00:00", "title": "Gentoo Security Advisory GLSA 200401-04 (GAIM)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Gentoo Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=54518", "id": "OPENVAS:54518", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Various overflows in the handling of AIM DirectIM packets was revealed in\nGAIM that could lead to a remote compromise of the IM client.\";\ntag_solution = \"All users are recommended to upgrade GAIM to 0.75-r7.\n\n $> emerge sync\n $> emerge -pv '>=net-im/gaim-0.75-r7'\n $> emerge '>=net-im/gaim-0.75-r7'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200401-04\nhttp://bugs.gentoo.org/show_bug.cgi?id=39470\nhttp://www.securityfocus.com/archive/1/351235/2004-01-23/2004-01-29/0\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200401-04.\";\n\n \n\nif(description)\n{\n script_id(54518);\n script_cve_id(\"CVE-2004-0005\",\"CVE-2004-0006\",\"CVE-2004-0007\",\"CVE-2004-0008\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_name(\"Gentoo Security Advisory GLSA 200401-04 (GAIM)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"net-im/gaim\", unaffected: make_list(\"ge 0.75-r7\"), vulnerable: make_list(\"lt 0.75-r7\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2016-09-02T18:37:07", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_powerpc.deb", "packageName": "gaim-gnome", "arch": "ppc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_hppa.deb", "packageName": "gaim-common", "arch": "hppa", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_mips.deb", "packageName": "gaim-common", "arch": "mips", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_ia64.deb", "packageName": "gaim-gnome", "arch": "ia64", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4.dsc", "packageName": "gaim", "arch": "src", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_mipsel.deb", "packageName": "gaim-gnome", "arch": "mipsel", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_arm.deb", "packageName": "gaim", "arch": "arm", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_powerpc.deb", "packageName": "gaim-common", "arch": "ppc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4.diff", "packageFilename": "gaim_0.58-2.4.diff.gz", "packageName": "gaim", "arch": "src", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_ia64.deb", "packageName": "gaim-common", "arch": "ia64", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_powerpc.deb", "packageName": "gaim", "arch": "ppc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_s390.deb", "packageName": "gaim-common", "arch": "s390x", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_hppa.deb", "packageName": "gaim-gnome", "arch": "hppa", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_i386.deb", "packageName": "gaim", "arch": "i686", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_mips.deb", "packageName": "gaim-gnome", "arch": "mips", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_alpha.deb", "packageName": "gaim", "arch": "alpha", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_m68k.deb", "packageName": "gaim-gnome", "arch": "m68k", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_hppa.deb", "packageName": "gaim", "arch": "hppa", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_ia64.deb", "packageName": "gaim", "arch": "ia64", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_sparc.deb", "packageName": "gaim-gnome", "arch": "sparc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_sparc.deb", "packageName": "gaim", "arch": "sparc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_i386.deb", "packageName": "gaim-gnome", "arch": "i686", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_i386.deb", "packageName": "gaim-common", "arch": "i686", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_alpha.deb", "packageName": "gaim-common", "arch": "alpha", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_alpha.deb", "packageName": "gaim-gnome", "arch": "alpha", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_mipsel.deb", "packageName": "gaim-common", "arch": "mipsel", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_arm.deb", "packageName": "gaim-gnome", "arch": "arm", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-gnome_0.58-2.4_s390.deb", "packageName": "gaim-gnome", "arch": "s390x", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_m68k.deb", "packageName": "gaim-common", "arch": "m68k", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_sparc.deb", "packageName": "gaim-common", "arch": "sparc", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_m68k.deb", "packageName": "gaim", "arch": "m68k", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_mipsel.deb", "packageName": "gaim", "arch": "mipsel", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58.orig", "packageFilename": "gaim_0.58.orig.tar.gz", "packageName": "gaim", "arch": "src", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim-common_0.58-2.4_arm.deb", "packageName": "gaim-common", "arch": "arm", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_mips.deb", "packageName": "gaim", "arch": "mips", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "3.0", "packageVersion": "0.58-2.4", "packageFilename": "gaim_0.58-2.4_s390.deb", "packageName": "gaim", "arch": "s390x", "operator": "lt"}], "description": "Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows:\n\n * [CAN-2004-0005](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0005>)\n\nWhen the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.\n\n * [CAN-2004-0006](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006>)\n\nWhen parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution.\n\nWhen an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships. However, the connection to Yahoo doesn't work in the version in Debian stable.\n\n * [CAN-2004-0007](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007>)\n\nInternally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.\n\n * [CAN-2004-0008](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008>)\n\nWhen allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.\n\nFor the stable distribution (woody) these problems has been fixed in version 0.58-2.4.\n\nFor the unstable distribution (sid) these problems has been fixed in version 0.75-2.\n\nWe recommend that you upgrade your gaim packages.", "edition": 1, "reporter": "Debian", "published": "2004-02-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "gaim -- several vulnerabilities", "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2004-02-05T00:00:00", "id": "DSA-434", "href": "http://www.debian.org/security/dsa-434", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:09", "references": [], "description": " e-matters GmbH\r\n www.e-matters.de\r\n\r\n -= Security Advisory =-\r\n\r\n\r\n\r\n Advisory: 12 x Gaim remote overflows\r\n Release Date: 2004/01/26\r\nLast Modified: 2004/01/26\r\n Author: Stefan Esser [s.esser@e-matters.de]\r\n\r\n Application: Gaim <= 0.75\r\n Severity: 12 vulnerabilities were found in the instant \r\n messenger GAIM that allow remote compromise\r\n Risk: Critical\r\nVendor Status: Vendor has fixed in CVS, but feels not ready for\r\n release because of problems with HEAD\r\n Reference: http://security.e-matters.de/advisories/012004.html\r\n\r\n\r\nOverview:\r\n\r\n Gaim is a multi-protocol instant messaging client for Linux, BSD, \r\n MacOS X, and Windows. It is compatible with AIM (Oscar and TOC \r\n protocols), ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, \r\n and Zephyr networks. It is a very popular choice among the users\r\n of instant messaging networks and especially in the community of\r\n migrated windows users. \r\n \r\n While developing a custom add-on, an integer overflow in the \r\n handling of AIM DirectIM packets was revealed that could lead \r\n to a remote compromise of the IM client. After disclosing this\r\n bug to the vendor, they had to make a hurried release because\r\n of a change in the Yahoo connection procedure that rendered\r\n GAIM useless. Unfourtunately at the same time a closer look\r\n onto the sourcecode revealed 11 more vulnerabilities.\r\n \r\n The 12 identified problems range from simple standard stack\r\n overflows, over heap overflows to an integer overflow that can\r\n be abused to cause a heap overflow. Due to the nature of instant\r\n messaging many of these bugs require man-in-the-middle attacks\r\n between client and server. But the underlying protocols are\r\n easy to implement and MIM attacks on ordinary TCP sessions is\r\n a fairly simple task.\r\n \r\n In combination with the latest kernel vulnerabilities or the \r\n habit of users to work as root/administrator these bugs can \r\n result in remote root compromises.\r\n \r\n \r\nDetails:\r\n \r\n While auditing the Gaim source code the following 12 \r\n vulnerabilities were discovered:\r\n \r\n Overflows in YMSG protocol (yahoo messenger) handler\r\n ----------------------------------------------------\r\n \r\n 01) Yahoo Octal-Encoding Decoder Overflow\r\n 02) Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow\r\n 03) Yahoo Web Cookie Parser Overflow\r\n 04) Yahoo Login Page Name Parser Overflow \r\n 05) Yahoo Login Page Value Parser Overflow \r\n 06) Yahoo Packet Parser Overflow\r\n \r\n Overflows in oscar protocol (AIM) handler\r\n -----------------------------------------\r\n \r\n 07) AIM/Oscar DirectIM Integer Overflow\r\n \r\n Overflows in utility functions\r\n (called in various protocols)\r\n ------------------------------\r\n \r\n 08) Quoted Printable Decoder Overflow\r\n 09) Quoted Printable Decoder Out-Of-Bounds Overflow\r\n 10) URL Parser Function Overflow \r\n 11) Extract Info Field Function Overflow\r\n \r\n Overflows that do not fit into\r\n the other categories\r\n ------------------------------\r\n \r\n 12) HTTP Proxy Connect Overflow\r\n \r\n\r\n Detailed Bug Description \r\n ------------------------\r\n \r\n [01 - Yahoo Octal-Encoding Decoder Overflow]\r\n [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]\r\n \r\n When the Yahoo Messenger handler decodes an octal value for\r\n email notification functions 2 different kind of overflows\r\n can be triggered\r\n \r\n Affected version: 0.75 (only)\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_decode()\r\n Code:\r\n \r\n static char *yahoo_decode(const char *text)\r\n {\r\n char *converted;\r\n char *p, *n, *new;\r\n \r\n n = new = g_malloc(strlen (text) + 1);\r\n \r\n for (p = (char *)text; *p; p++, n++) {\r\n if (*p == '\\') {\r\n sscanf(p + 1, "%3o\n", (int *)n); <-------- [01]\r\n p += 3; <--------------------------------- [02]\r\n }\r\n else\r\n *n = *p;\r\n }\r\n \r\n *n = '\0';\r\n ...\r\n \r\n The way sscanf is used, it will always write 4 bytes to the \r\n allocated buffer. The author did not see the possibility of \r\n malformed input like "\1" (the backslash is only a backslash) it\r\n is possible to write 1-2 zero bytes over the buffer boundaries.\r\n On linux this is exploitable like any heap off by one into the\r\n malloc() chunks. The second vulnerability is that no matter how\r\n many bytes sscanf() consumes it always increases the pointer\r\n with assumed 4 bytes. This can result in overjumping the\r\n terminating zero byte and with special prepared memory after\r\n the string it is possible to overwrite the heap with an \r\n arbitrary amount of bytes.\r\n \r\n These bugs are counted as 2 because for most people [02] is not\r\n obvious. As an example the vendor fixed only [01] first, because\r\n my description was not good enough. Additionally the misuse of \r\n sscanf() caused an incompatibility to all big endian platforms.\r\n \r\n \r\n [03 - Yahoo Web Cookie Parser Overflow]\r\n \r\n When parsing the cookies within the HTTP reply header of a\r\n yahoo web connection a bufferoverflow can happen.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_web_pending()\r\n Code:\r\n \r\n void yahoo_web_pending(gpointer data, gint source, ...\r\n { \r\n GaimConnection *gc = data;\r\n GaimAccount *account = gaim_connection_get_account(gc);\r\n struct yahoo_data *yd = gc->proto_data;\r\n char buf[1024], buf2[256], *i = buf, *r = buf2;\r\n int len, o = 0;\r\n \r\n len = read(source, buf, sizeof(buf));\r\n ...\r\n while ((i = strstr(i, "Set-Cookie: ")) && 0 < 2) {\r\n i += strlen("Set-Cookie: ");\r\n for (;*i != ';'; r++, i++) {\r\n *r = *i;\r\n }\r\n *r=';';\r\n r++;\r\n ...\r\n }\r\n ...\r\n \r\n Here all cookie data contained in the first 1024 byte of a\r\n HTTP reply header is copied into a 256 byte buffer without\r\n a size check. Because source and destination buffer are\r\n both on the stack and stack layout will most probably\r\n result in the smaller buffer overflowing into the smaller\r\n one this bug is believed to be not exploitable with the\r\n normal stack layout. Note also the typo in the while()\r\n condition 0 < 2 which should be o < 2\r\n \r\n \r\n [04 - Yahoo Login Page Name Parser Overflow]\r\n [05 - Yahoo Login Page Value Parser Overflow]\r\n \r\n When parsing the Yahoo Login Webpage the YMSG protocol overflows\r\n stachbuffers if the webpage returns oversized values.\r\n\r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_login_page_hash()\r\n Code:\r\n \r\n static \r\n GHashTable *yahoo_login_page_hash(const char *buf,size_t len)\r\n {\r\n GHashTable *hash = g_hash_table_new_full(g_str_hash, g_s...\r\n const char *c = buf;\r\n char *d;\r\n char name[64], value[64];\r\n while ((c < (buf + len)) && (c = strstr(c, "<input "))) {\r\n c = strstr(c, "name=\"") + strlen("name=\"");\r\n for (d = name; *c!='"'; c++, d++) <----------- [04]\r\n *d = *c; <---------/\r\n *d = '\0';\r\n d = strstr(c, "value=\"") + strlen("value=\"");\r\n if (strchr(c, '>') < d)\r\n break;\r\n for (c = d, d = value; *c!='"'; c++, d++) <--- [05]\r\n *d = *c; <-----------------------------/\r\n *d = '\0';\r\n g_hash_table_insert(hash, g_strdup(name), g_strdup(value));\r\n }\r\n return hash;\r\n }\r\n\r\n The content of the yahoo login webpage is trusted although it\r\n could be changed with a simple man-in-the-middle attack on the\r\n HTTP session. name and value are filled directly from the page\r\n without any kind of size check. This results in two independent\r\n ways to overflow the stack.\r\n\r\n \r\n [06 - Yahoo Packet Parser Overflow]\r\n \r\n A Yahoo Messenger packet consist of a header and a list of keys\r\n with their associated values. When reading an oversized keyname\r\n a standard stackoverflow can be triggered. This is nost probably \r\n the most dangerous discovered vulnerability because the nature \r\n of the bug makes it very easy to exploit and additonally a TCP \r\n man-in-the-middle attack is NOT needed. It is possible to send \r\n a malicious YMSG packet to the yahoo server so that it will\r\n be forwarded like any normal message.\r\n\r\n Affected version: <= 0.75\r\n File: gaim/src/protocols/yahoo/yahoo.c\r\n Function: yahoo_packet_read()\r\n Code:\r\n \r\n static void yahoo_packet_read(struct yahoo_packet *pkt, \r\n guchar *data, int len)\r\n {\r\n int pos = 0;\r\n \r\n while (pos + 1 < len) {\r\n char key[64], *value = NULL, *esc;\r\n int accept;\r\n int x;\r\n \r\n struct yahoo_pair *pair = g_new0(struct yahoo_pair, 1);\r\n \r\n x = 0;\r\n while (pos + 1 < len) {\r\n if (data[pos] == 0xc0 && data[pos + 1] == 0x80)\r\n break;\r\n key[x++] = data[pos++]; <----------------- [06]\r\n }\r\n key[x] = 0;\r\n pos += 2;\r\n ...\r\n\r\n Everytime the YMSG handler receives a complete packet it will\r\n give it this function to split it into its keys and values.\r\n Because the keyname is copied without any kind of size check\r\n into the key variable which is a 64 byte stackbuffer it is very\r\n easy to exploit.\r\n NOTE: This bug is also exploitable on systems with non executable\r\n stacks, or stack overflow detections as long free() exploits are\r\n possible on that platform,\r\n \r\n \r\n [07 - AIM/Oscar DirectIM Integer Overflow]\r\n \r\n Integer Overflow when allocating memory for a directIM packet\r\n results in heap overflow. directIM is a client 2 client protocol\r\n and therefore does not require a mim.\r\n \r\n Affected version: <= 0.74\r\n File: gaim/src/protocols/oscar/ft.c\r\n Function: handlehdr_odc()\r\n Code:\r\n \r\n static int handlehdr_odc(aim_session_t *sess, aim_...\r\n {\r\n aim_frame_t fr;\r\n int ret = 0;\r\n aim_rxcallback_t userfunc;\r\n fu32_t payloadlength;\r\n fu16_t flags, encoding;\r\n char *snptr = NULL;\r\n \r\n fr.conn = conn;\r\n \r\n /* AAA - ugly */\r\n aim_bstream_setpos(bs, 20);\r\n payloadlength = aimbs_get32(bs);\r\n \r\n ...\r\n \r\n if (payloadlength) {\r\n char *msg;\r\n ...\r\n\r\n if (!(msg = calloc(1, payloadlength+1))) { <--- [07]\r\n free(snptr);\r\n return -ENOMEM;\r\n }\r\n\r\n while (payloadlength - recvd) {\r\n if (payloadlength - recvd >= 1024)\r\n i = aim_recv(conn->fd, &msg[recvd], 1024);\r\n else\r\n ...\r\n \r\n Within this code snipset payloadlength is taken directly from the\r\n network and passed to the calloc() function in an unsafe manner.\r\n \r\n A user supplied payloadlength of UINT_MAX (0xffffffff) will cause\r\n an integer overflow within the second parameter of calloc() and\r\n therefore only allocate a 0 byte buffer. Please notice that this\r\n bug is not an integer overflow due to the multiplication within \r\n calloc() and therefore it is not catched by the recent security\r\n patches to calloc() on different platforms. Please also note that\r\n calloc(1, 0) will not return a NULL pointer but a pointer into\r\n the legal heap on at least all tested platforms (f.e. linux, bsd)\r\n On BSD systems this is configureable but it defaults to this\r\n behaviour. After allocating the 0 byte buffer aim_recv() is called\r\n repeatedly by the while loop to read and overwrite with up to 4GB\r\n of data.\r\n\r\n\r\n [08 - Quoted Printable Decoder Overflow]\r\n [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]\r\n \r\n When the MIME decoder decosed a quoted printable encoded string\r\n for email notification 2 different kind of overflows can be\r\n triggered.\r\n \r\n Affected version: 0.75 (only)\r\n File: gaim/src/util.c\r\n Function: quotedp_decode()\r\n Code:\r\n \r\n void\r\n gaim_quotedp_decode(const char *str, char **ret_str, int ...\r\n {\r\n char *p, *n, *new;\r\n \r\n n = new = g_malloc(strlen (str) + 1);\r\n \r\n for (p = (char *)str; *p; p++, n++) {\r\n if (*p == '=') {\r\n sscanf(p + 1, "%2x\n", (int *)n); <-------- [08]\r\n p += 2; <--------------------------------- [09]\r\n }\r\n else if (*p == '_')\r\n *n = ' ';\r\n else\r\n *n = *p;\r\n }\r\n \r\n *n = '\0';\r\n ...\r\n \r\n Because these bugs are very similar to [01] and [02] only the\r\n vulnerable code snipset is shown here. For an explanation read\r\n the yahoo_decode() vulnerability description.\r\n \r\n \r\n [10 - URL Parser Function Overflow]\r\n \r\n At various placed this utility function is used to split an\r\n url into its parts. Because temporary fixed size stackbuffers\r\n are used in an unsafe way a standard stackoverflow can be\r\n caused.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/util.c\r\n Function: gaim_url_parse()\r\n Code:\r\n \r\n gboolean\r\n gaim_url_parse(const char *url, char **ret_host,\r\n int *ret_port, char **ret_path)\r\n {\r\n char scan_info[255];\r\n char port_str[5];\r\n int f;\r\n const char *turl;\r\n char host[256], path[256];\r\n int port = 0;\r\n /* hyphen at end includes it in control set */\r\n static char addr_ctrl[] = "A-Za-z0-9.-";\r\n static char port_ctrl[] = "0-9";\r\n static char page_ctrl[] = "A-Za-z0-9.~_/:*!@&%%?=+^-";\r\n \r\n ...\r\n g_snprintf(scan_info, sizeof(scan_info),\r\n "%%[%s]:%%[%s]/%%[%s]", addr_ctrl, \r\n port_ctrl, page_ct\r\n\r\n f = sscanf(url, scan_info, host, port_str, path); <-- [10]\r\n ...\r\n\r\n Here sscanf() is again used in an unsafe manner. When this\r\n function is called with an oversized url, which can be triggered\r\n from several protocol handlers in different ways sscanf() will\r\n overwrite the stackbuffers host and path. The problem at this\r\n point is, that it is only possible to overwrite the buffers with\r\n a limited characterset which makes exploitation tricky.\r\n \r\n \r\n [11 - Extract Info Field Function Overflow]\r\n \r\n At various places this utility function is called to copy the\r\n data between 2 tokens into a fixed size stackbuffer without a\r\n size check.\r\n\r\n Affected version: <= 0.74\r\n File: gaim/src/util.c\r\n Function: gaim_markup_extract_info_field()\r\n Code:\r\n \r\n ...\r\n const char *p, *q;\r\n char buf[1024];\r\n \r\n ...\r\n p = strstr(str, start_token);\r\n ...\r\n p += strlen(start_token) + skip;\r\n ...\r\n q = strstr(p, end_token);\r\n \r\n if (q != NULL && (!no_value_token ||\r\n (no_value_token && strncmp(p, no_value\r\n\r\n {\r\n ...\r\n if (is_link)\r\n {\r\n strcat(dest_buffer, "<br><a href=\"");\r\n memcpy(buf, p, q - p); <---------------------- [11]\r\n buf[q - p] = '\0';\r\n ...\r\n \r\n Here it is obvious that if q - p is bigger than 1024 bytes\r\n memcpy() will overwrite the stack which will result in a\r\n standard stack overflow. At the moment this routine is\r\n called from within the get_user_info functions of the MSN\r\n and YMSG protocol handlers.\r\n\r\n\r\n [12 - HTTP Proxy Connect Overflow]\r\n \r\n When Gaim is setup to use a HTTP proxy for connecting to the\r\n server a malicious HTTP proxy can exploit it.\r\n \r\n Affected version: <= 0.75\r\n File: gaim/src/proxy.c\r\n Function: http_canread()\r\n Code:\r\n \r\n static void\r\n http_canread(gpointer data, gint source, GaimInputCondit...\r\n {\r\n int nlc = 0;\r\n int pos = 0;\r\n int minor, major, status, error=0;\r\n struct PHB *phb = data;\r\n char inputline[8192], *p;\r\n \r\n gaim_input_remove(phb->inpa);\r\n \r\n while ((nlc != 2) && \r\n (read(source, &inputline[pos++], 1) == 1)) {\r\n if (inputline[pos - 1] == '\n')\r\n nlc++;\r\n else if (inputline[pos - 1] != '\r')\r\n nlc = 0;\r\n }\r\n inputline[pos] = '\0';\r\n ...\r\n \r\n Here the author never thought about the possibility that a\r\n proxy server could be malicious. The inputline is read into\r\n the 8192 byte buffer byte after byte until a double \r\n is\r\n found. Because there is no size check at all the buffer will\r\n overflow as soon the proxy sends more than 8192 bytes in a\r\n line. This bug is exploitable even if stack overwrite\r\n protections are in place because it is possible to overwrite\r\n the pointer phb which points to a struct that contains a\r\n callback function which is later called in the function.\r\n By overwriting the pointer and so controlling the callback\r\n function pointer it is possible to gain control over the\r\n instruction pointer before the function is left.\r\n\r\n\r\nProof of Concept:\r\n\r\n e-matters is not going to release exploit for any of the these \r\n vulnerability to the public. \r\n \r\n\r\nCVE Information:\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org) \r\n has assigned the following names to these issues. \r\n \r\n CAN-2004-0005: version 0.75 only, buffer overflows:\r\n\r\n [01 - Yahoo Octal-Encoding Decoder Overflow]\r\n [02 - Yahoo Octal-Encoding Decoder Out-Of-Bounds Overflow]\r\n [08 - Quoted Printable Decoder Overflow]\r\n [09 - Quoted Printable Decoder Out-Of-Bounds Overflow]\r\n\r\n CAN-2004-0006: 0.75 and earlier, buffer overflows:\r\n\r\n [03 - Yahoo Web Cookie Parser Overflow]\r\n [04 - Yahoo Login Page Name Parser Overflow]\r\n [05 - Yahoo Login Page Value Parser Overflow]\r\n [06 - Yahoo Packet Parser Overflow]\r\n [10 - URL Parser Function Overflow]\r\n [12 - HTTP Proxy Connect Overflow]\r\n\r\n CAN-2004-0007: 0.74 and earlier, buffer overflows:\r\n\r\n [11 - Extract Info Field Function Overflow]\r\n\r\n CAN-2004-0008: 0.74 and earlier, integer overflow:\r\n\r\n [07 - AIM/Oscar DirectIM Integer Overflow]\r\n\r\n\r\nDisclosure Timeline:\r\n\r\n 04. January 2004 - The Oscar filetransfer bug was sent to the \r\n Gaim vendor by email. Within an hour the bug\r\n was fixed within the CVS\r\n 10. January 2004 - Gaim vendor released version 0.75 because of\r\n a Yahoo protocol change problem(?)\r\n Some freetime allowed deeper analysis of the\r\n new version. This revealed more bugs: 1 fixed\r\n in 0.75, some new in 0.75 and some old which \r\n are still in 0.75. All these bugs were again\r\n mailed to the vendor\r\n 15. January 2004 - Vendor was contacted with a patch because\r\n they had not fixed the bugs yet. Our Patch \r\n was applied in the same night\r\n 16. January 2004 - Vendor-sec was contacted to coordinate the \r\n disclosure process. Vendor was asked by email\r\n when 0.76 is about to come out and that this\r\n should be as soon as possible because the\r\n bugfixes were visible in their CVS with\r\n explicit commit messaged. No response to this\r\n mail until today\r\n 23. January 2004 - Vendor was notified about public disclosure\r\n at the 26th.\r\n 25. January 2004 - Notification by the vendor that gaim 0.76 \r\n releasedate is not planned yet.\r\n 26. January 2004 - Public Disclosure\r\n\r\n\r\nRecommendation:\r\n\r\n Because there is no official new version out yet, you can download\r\n a diff against version 0.75 from\r\n \r\n http://security.e-matters.de/patches/gaim-0.75-fix.diff\r\n \r\n This patch was done by the FreeBSD security team. It is different\r\n from the official patches in the Gaim CVS. We suggest that you\r\n upgrade as soon as possible, because the explicit commit message\r\n into the official CVS tree seems to have leaked. At least it was\r\n reported to us that a link to the message on the sourceforge \r\n WebCVS was pasted into an IRC channel.\r\n \r\n \r\nGPG-Key:\r\n\r\n http://security.e-matters.de/gpg_key.asc\r\n \r\n pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam\r\n Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6\r\n\r\n\r\nCopyright 2004 Stefan Esser. All rights reserved.\r\n\r\n\r\n\r\n\r\n-- \r\n\r\n--------------------------------------------------------------------------\r\n Stefan Esser s.esser@e-matters.de\r\n e-matters Security http://security.e-matters.de/\r\n\r\n GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0xCF6CAE69 \r\n Key fingerprint B418 B290 ACC0 C8E5 8292 8B72 D6B0 7704 CF6C AE69\r\n--------------------------------------------------------------------------\r\n Did I help you? Consider a gift: http://wishlist.suspekt.org/\r\n--------------------------------------------------------------------------\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2004-01-26T00:00:00", "title": "Advisory 01/2004: 12 x Gaim remote overflows", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:09", "vector": "NONE", "value": 10.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2004-01-26T00:00:00", "id": "SECURITYVULNS:DOC:5678", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5678", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:16:14", "references": ["http://security.e-matters.de/advisories/012004.txt"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "20030000", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gaim", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "0.75_3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ko-gaim", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "0.75_3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ja-gaim", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "0.75_3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "gaim", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "0.75_3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ru-gaim", "operator": "lt"}], "description": "\nStefan Esser of e-matters found almost a dozen remotely\n\t exploitable vulnerabilities in Gaim.\tFrom the e-matters\n\t advisory:\n\nWhile developing a custom add-on, an integer overflow\n\t in the handling of AIM DirectIM packets was revealed that\n\t could lead to a remote compromise of the IM client. After\n\t disclosing this bug to the vendor, they had to make a\n\t hurried release because of a change in the Yahoo connection\n\t procedure that rendered GAIM useless. Unfourtunately at the\n\t same time a closer look onto the sourcecode revealed 11 more\n\t vulnerabilities.\nThe 12 identified problems range from simple standard\n\t stack overflows, over heap overflows to an integer overflow\n\t that can be abused to cause a heap overflow. Due to the\n\t nature of instant messaging many of these bugs require\n\t man-in-the-middle attacks between client and server. But the\n\t underlying protocols are easy to implement and MIM attacks\n\t on ordinary TCP sessions is a fairly simple task.\nIn combination with the latest kernel vulnerabilities or\n\t the habit of users to work as root/administrator these bugs\n\t can result in remote root compromises.\n\n", "edition": 3, "reporter": "FreeBSD", "published": "2004-01-26T00:00:00", "title": "Several remotely exploitable buffer overflows in gaim", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "modified": "2004-10-25T00:00:00", "id": "6FD02439-5D70-11D8-80E3-0020ED76EF5A", "href": "https://vuxml.freebsd.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
