Gaim Extract Info Field Function Buffer Overflow

{"result": {"cve": [{"id": "CVE-2004-0007", "type": "cve", "title": "CVE-2004-0007", "description": "Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.", "published": "2004-03-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0007", "cvelist": ["CVE-2004-0007"], "lastseen": "2017-07-11T11:14:22"}], "cert": [{"id": "VU:197142", "type": "cert", "title": "Gaim contains a buffer overflow vulnerability in the Extract Info Field function", "description": "### Overview\n\nThere is a buffer overflow vulnerability in the `gaim_markup_extract_info_field()` function, which could allow an unauthenticated, remote attacker to cause a denial of service or execute arbitrary code.\n\n### Description\n\n[Gaim](<http://gaim.sourceforge.net/>) is a multi-protocol instant messenger client available for a number of operating systems. There is a buffer overflow vulnerability in the `gaim_markup_extract_info_field()` function. This function is used by the Yahoo Messenger (YMSG) and MSN protocol handlers. Within this function, a buffer with a fixed size of 1024 bytes is allocated in memory. When copying data, the function fails to check the size of the data copied to the buffer. This could result in a buffer overflow. \n \n--- \n \n### Impact\n\nAn unauthenticated, remote attacker could cause a denial of service or potentially execute arbitrary code with the privileges of the vulnerable process. \n \n--- \n \n### Solution\n\n**Upgrade**\n\nUpgrade to Gaim version [0.75](<http://gaim.sourceforge.net/downloads.php>) or later. \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nGaim| | -| 10 May 2004 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23197142 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://security.e-matters.de/advisories/012004.html>\n * <http://www.debian.org/security/2004/dsa-434>\n * [http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio;=000813](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000813>)\n * <http://www.secunia.com/advisories/10705/>\n\n### Credit\n\nThis vulnerability was publicly [reported](<http://security.e-matters.de/advisories/012004.html>) by Stefan Esser of [e-matters](<http://security.e-matters.de/>).\n\nThis document was written by Damon Morda.\n\n### Other Information\n\n * CVE IDs: [CAN-2004-0007](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CAN-2004-0007>)\n * Date Public: 26 Jan 2004\n * Date First Published: 10 May 2004\n * Date Last Updated: 10 May 2004\n * Severity Metric: 11.81\n * Document Revision: 10\n\n", "published": "2004-05-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/197142", "cvelist": ["CVE-2004-0007", "CVE-2004-0007"], "lastseen": "2016-02-03T09:13:19"}], "nessus": [{"id": "MANDRAKE_MDKSA-2004-006.NASL", "type": "nessus", "title": "Mandrake Linux Security Advisory : gaim (MDKSA-2004:006-1)", "description": "A number of vulnerabilities were discovered in the gaim instant messenger program by Steffan Esser, versions 0.75 and earlier. Thanks to Jacques A. Vidrine for providing initial patches.\n\nMultiple buffer overflows exist in gaim 0.75 and earlier: When parsing cookies in a Yahoo web connection; YMSG protocol overflows parsing the Yahoo login webpage; a YMSG packet overflow; flaws in the URL parser;\nand flaws in the HTTP Proxy connect (CAN-2004-006).\n\nA buffer overflow in gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers (CAN-2004-007).\n\nAn integer overflow in gaim 0.74 and earlier, when allocating memory for a directIM packet results in a heap overflow (CVE-2004-0008).\n\nUpdate :\n\nThe patch used to correct the problem was slightly malformed and could cause an infinite loop and crash with the Yahoo protocol. The new packages have a corrected patch that resolves the problem.", "published": "2004-07-31T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14106", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0007"], "lastseen": "2016-09-26T17:23:32"}, {"id": "REDHAT-RHSA-2004-033.NASL", "type": "nessus", "title": "RHEL 3 : gaim (RHSA-2004:033)", "description": "Updated Gaim packages that fix a number of serious vulnerabilities are now available.\n\nGaim is an instant messenger client that can handle multiple protocols.\n\nStefan Esser audited the Gaim source code and found a number of bugs that have security implications. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. However at least one of the buffer overflows could be exploited by an attacker sending a carefully-constructed malicious message through a server.\n\nThe issues include :\n\nMultiple buffer overflows that affect versions of Gaim 0.75 and earlier. 1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4) flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0006 to these issues.\n\nA buffer overflow in Gaim 0.74 and earlier in the Extract Info Field Function used for MSN and YMSG protocol handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0007 to this issue.\n\nAn integer overflow in Gaim 0.74 and earlier, when allocating memory for a directIM packet results in heap overflow. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0008 to this issue.\n\nAll users of Gaim should upgrade to these erratum packages, which contain backported security patches correcting these issues.\n\nRed Hat would like to thank Steffan Esser for finding and reporting these issues and Jacques A. Vidrine for providing initial patches.", "published": "2004-07-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=12455", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0007"], "lastseen": "2016-12-29T02:14:37"}, {"id": "FREEBSD_PKG_6FD024395D7011D880E30020ED76EF5A.NASL", "type": "nessus", "title": "FreeBSD : Several remotely exploitable buffer overflows in gaim (6fd02439-5d70-11d8-80e3-0020ed76ef5a)", "description": "Stefan Esser of e-matters found almost a dozen remotely exploitable vulnerabilities in Gaim. From the e-matters advisory :\n\nWhile developing a custom add-on, an integer overflow in the handling of AIM DirectIM packets was revealed that could lead to a remote compromise of the IM client. After disclosing this bug to the vendor, they had to make a hurried release because of a change in the Yahoo connection procedure that rendered GAIM useless. Unfourtunately at the same time a closer look onto the sourcecode revealed 11 more vulnerabilities.\n\nThe 12 identified problems range from simple standard stack overflows, over heap overflows to an integer overflow that can be abused to cause a heap overflow. Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between client and server. But the underlying protocols are easy to implement and MIM attacks on ordinary TCP sessions is a fairly simple task.\n\nIn combination with the latest kernel vulnerabilities or the habit of users to work as root/administrator these bugs can result in remote root compromises.", "published": "2009-04-23T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=37025", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-26T17:23:53"}, {"id": "FREEBSD_GAIM_076.NASL", "type": "nessus", "title": "FreeBSD : Several remotely exploitable buffer overflows in gaim (52)", "description": "The following package needs to be updated: gaim", "published": "2004-07-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=12543", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-26T17:25:59"}, {"id": "DEBIAN_DSA-434.NASL", "type": "nessus", "title": "Debian DSA-434-1 : gaim - several vulnerabilities", "description": "Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows :\n\n - CAN-2004-0005 When the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.\n\n - CAN-2004-0006\n\n When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen.\n When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution.\n\n When an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships.\n However, the connection to Yahoo doesn't work in the version in Debian stable.\n\n - CAN-2004-0007\n\n Internally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.\n\n - CAN-2004-0008\n\n When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.", "published": "2004-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=15271", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-26T17:26:47"}], "redhat": [{"id": "RHSA-2004:033", "type": "redhat", "title": "(RHSA-2004:033) gaim security update", "description": "Gaim is an instant messenger client that can handle multiple protocols.\n\nStefan Esser audited the Gaim source code and found a number of bugs that\nhave security implications. Due to the nature of instant messaging many of\nthese bugs require man-in-the-middle attacks between client and server.\nHowever at least one of the buffer overflows could be exploited by an\nattacker sending a carefully-constructed malicious message through a server.\n\nThe issues include:\n\nMultiple buffer overflows that affect versions of Gaim 0.75 and earlier. \n1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol\noverflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4)\nflaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has assigned the name\nCAN-2004-0006 to these issues.\n\nA buffer overflow in Gaim 0.74 and earlier in the Extract Info\nField Function used for MSN and YMSG protocol handlers. The Common\nVulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0007 to this issue.\n\nAn integer overflow in Gaim 0.74 and earlier, when allocating\nmemory for a directIM packet results in heap overflow.\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has\nassigned the name CAN-2004-0008 to this issue.\n\nAll users of Gaim should upgrade to these erratum packages, which contain\nbackported security patches correcting these issues. \n\nRed Hat would like to thank Steffan Esser for finding and reporting these\nissues and Jacques A. Vidrine for providing initial patches.", "published": "2004-01-26T05:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2004:033", "cvelist": ["CVE-2004-0006", "CVE-2004-0007", "CVE-2004-0008"], "lastseen": "2017-08-02T22:58:18"}], "suse": [{"id": "SUSE-SA:2004:004", "type": "suse", "title": "remote system compromise in gaim", "description": "Gaim is a multi-protocol instant-messaging client. Stefan Esser found 12 vulnerabilities in gaim that can lead to a remote system compromise with the privileges of the user running GAIM. The GAIM package that SUSE LINUX ships is affected by just two of these bug: - Yahoo Packet Parser Overflow - HTTP Proxy Connect Overflow", "published": "2004-01-29T12:56:32", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2004-01/msg00007.html", "cvelist": ["CVE-2004-0006", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-04T11:40:57"}], "openvas": [{"id": "OPENVAS:53132", "type": "openvas", "title": "Debian Security Advisory DSA 434-1 (gaim)", "description": "The remote host is missing an update to gaim\nannounced via advisory DSA 434-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53132", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2017-07-24T12:50:16"}, {"id": "OPENVAS:54518", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200401-04 (GAIM)", "description": "The remote host is missing updates announced in\nadvisory GLSA 200401-04.", "published": "2008-09-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=54518", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2017-07-24T12:49:53"}, {"id": "OPENVAS:52486", "type": "openvas", "title": "FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim", "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "published": "2008-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=52486", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2017-07-02T21:10:27"}], "freebsd": [{"id": "6FD02439-5D70-11D8-80E3-0020ED76EF5A", "type": "freebsd", "title": "Several remotely exploitable buffer overflows in gaim", "description": "\nStefan Esser of e-matters found almost a dozen remotely\n\t exploitable vulnerabilities in Gaim.\tFrom the e-matters\n\t advisory:\n\nWhile developing a custom add-on, an integer overflow\n\t in the handling of AIM DirectIM packets was revealed that\n\t could lead to a remote compromise of the IM client. After\n\t disclosing this bug to the vendor, they had to make a\n\t hurried release because of a change in the Yahoo connection\n\t procedure that rendered GAIM useless. Unfourtunately at the\n\t same time a closer look onto the sourcecode revealed 11 more\n\t vulnerabilities.\nThe 12 identified problems range from simple standard\n\t stack overflows, over heap overflows to an integer overflow\n\t that can be abused to cause a heap overflow. Due to the\n\t nature of instant messaging many of these bugs require\n\t man-in-the-middle attacks between client and server. But the\n\t underlying protocols are easy to implement and MIM attacks\n\t on ordinary TCP sessions is a fairly simple task.\nIn combination with the latest kernel vulnerabilities or\n\t the habit of users to work as root/administrator these bugs\n\t can result in remote root compromises.\n\n", "published": "2004-01-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/6fd02439-5d70-11d8-80e3-0020ed76ef5a.html", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-26T17:25:23"}], "debian": [{"id": "DSA-434", "type": "debian", "title": "gaim -- several vulnerabilities", "description": "Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows:\n\n * [CAN-2004-0005](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0005>)\n\nWhen the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.\n\n * [CAN-2004-0006](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0006>)\n\nWhen parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting a URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution.\n\nWhen an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use an HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships. However, the connection to Yahoo doesn't work in the version in Debian stable.\n\n * [CAN-2004-0007](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0007>)\n\nInternally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution.\n\n * [CAN-2004-0008](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0008>)\n\nWhen allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution.\n\nFor the stable distribution (woody) these problems has been fixed in version 0.58-2.4.\n\nFor the unstable distribution (sid) these problems has been fixed in version 0.75-2.\n\nWe recommend that you upgrade your gaim packages.", "published": "2004-02-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-434", "cvelist": ["CVE-2004-0006", "CVE-2004-0008", "CVE-2004-0005", "CVE-2004-0007"], "lastseen": "2016-09-02T18:37:07"}]}}