From: Matthew K. <kel...@po...> - 2004-08-28 14:43:30
|
Yeah, I cited it, as did they. :) On Sat, 2004-08-28 at 10:40, Luke Schierer wrote: > see gaim.sf.net/security > > luke > > On Sat, Aug 28, 2004 at 10:25:19AM -0400, Matthew Keller wrote: > > >>From Bugtraq: Versions >=0.82 are fixed... Not that anyone hesitates to > > upgrade. Kudos to the new (to me at least) Gaim security site referenced > > at http://gaim.sourceforge.net/security/ > > > > -----Forwarded Message----- > > From: Sune Kloppenborg Jeppesen <jae...@ge...> > > To: gen...@ge... > > Cc: bu...@se..., ful...@li..., sec...@li... > > Subject: [ GLSA 200408-27 ] Gaim: New vulnerabilities > > Date: Fri, 27 Aug 2004 20:52:43 +0200 > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Gentoo Linux Security Advisory GLSA 200408-27 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > http://security.gentoo.org/ > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > Severity: Normal > > Title: Gaim: New vulnerabilities > > Date: August 27, 2004 > > Bugs: #61457 > > ID: 200408-27 > > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > > > Synopsis > > ======== > > > > Gaim contains several security issues that might allow an attacker to > > execute arbitrary code or commands. > > > > Background > > ========== > > > > Gaim is a multi-protocol instant messaging client for Linux which > > supports many instant messaging protocols. > > > > Affected packages > > ================= > > > > ------------------------------------------------------------------- > > Package / Vulnerable / Unaffected > > ------------------------------------------------------------------- > > 1 net-im/gaim < 0.81-r5 >= 0.81-r5 > > > > Description > > =========== > > > > Gaim fails to do proper bounds checking when: > > > > * Handling MSN messages (partially fixed with GLSA 200408-12). > > > > * Handling rich text format messages. > > > > * Resolving local hostname. > > > > * Receiving long URLs. > > > > * Handling groupware messages. > > > > * Allocating memory for webpages with fake content-length header. > > > > Furthermore Gaim fails to escape filenames when using drag and drop > > installation of smiley themes. > > > > Impact > > ====== > > > > These vulnerabilites could allow an attacker to crash Gaim or execute > > arbitrary code or commands with the permissions of the user running > > Gaim. > > > > Workaround > > ========== > > > > There is no known workaround at this time. All users are encouraged to > > upgrade to the latest available version of Gaim. > > > > Resolution > > ========== > > > > All gaim users should upgrade to the latest version: > > > > # emerge sync > > > > # emerge -pv ">=net-im/gaim-0.81-r5" > > # emerge ">=net-im/gaim-0.81-r5" > > > > References > > ========== > > > > [ 1 ] Gaim security issues > > http://gaim.sourceforge.net/security/index.php > > > > Availability > > ============ > > > > This GLSA and any updates to it are available for viewing at > > the Gentoo Security Website: > > > > http://security.gentoo.org/glsa/glsa-200408-27.xml > > > > Concerns? > > ========= > > > > Security is a primary focus of Gentoo Linux and ensuring the > > confidentiality and security of our users machines is of utmost > > importance to us. Any security concerns should be addressed to > > sec...@ge... or alternatively, you may file a bug at > > http://bugs.gentoo.org. > > > > License > > ======= > > > > Copyright 2004 Gentoo Foundation, Inc; referenced text > > belongs to its owner(s). > > > > The contents of this document are licensed under the > > Creative Commons - Attribution / Share Alike license. > > > > http://creativecommons.org/licenses/by-sa/1.0 > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.4 (GNU/Linux) > > > > iD8DBQFBL4L7zKC5hMHO6rkRAiTcAJ9qjmLs0yaTCLN2WvTv59oVJwDTagCgjJdC > > fgR31dIfTwjGmgwD6PFQ8bk= > > =TkqR > > -----END PGP SIGNATURE----- > > -- > > Matthew Keller > > signat-url: http://mattwork.potsdam.edu/signat-url/ > > "No one ever says, 'I can't read that ASCII E-mail you sent me.'" > > > > > > > > ------------------------------------------------------- > > This SF.Net email is sponsored by BEA Weblogic Workshop > > FREE Java Enterprise J2EE developer tools! > > Get your free copy of BEA WebLogic Workshop 8.1 today. > > http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click > > _______________________________________________ > > Gaim-devel mailing list > > Gai...@li... > > https://lists.sourceforge.net/lists/listinfo/gaim-devel -- Matthew Keller signat-url: http://mattwork.potsdam.edu/signat-url/ "No one ever says, 'I can't read that ASCII E-mail you sent me.'" |