Gentoo Archives: gentoo-user-es

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-security@g.o
Cc: gentoo-user@g.o, gentoo-dev@g.o, gentoo-desktop@g.o, gentooppc-user@g.o, gentooppc-dev@g.o, gentoo-sparc@g.o, gentoo-announce@g.o
Subject: [gentoo-user-es] [gentoo-announce] GLSA: gaim
Date: Tue, 27 Aug 2002 09:19:02
Message-Id: 200208271529.21275.aliz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
- - --------------------------------------------------------------------

PACKAGE :gaim
SUMMARY :arbitrary program execution
DATE :2002-08-27 13:30 UTC

- - --------------------------------------------------------------------

OVERVIEW

The 'Manual' browser command passes an untrusted string to the shell
without escaping or reliable quoting, permitting an attacker to execute
arbitrary commands on the user's machine.

DETAIL

The developers of Gaim, an instant messenger client that combines
several different networks, found a vulnerability in the hyperlink
handling code. The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it. Users who use other inbuilt browser commands aren't
vulnerable.

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-im/gaim-0.59 and earlier update their systems
as follows:

    emerge rsync
    emerge gaim
    emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
m0rpheus@g.o
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9a36nfT7nyhUpoZMRAuKvAKCy2oLjg2rMA1wmyJTv3b8vU5SdegCfVC9t
MFAp7ZtJzFxiZbXAh+V2izU=
=DPLe
-----END PGP SIGNATURE-----

_______________________________________________
gentoo-announce mailing list
gentoo-announce@g.o
http://lists.gentoo.org/mailman/listinfo/gentoo-announce
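
The bug class described in the advisory, as an added example that is not part of the original message and is not Gaim's code: a URL pasted into a shell command string, next to a hardened form that builds an argument vector for `execvp()` so no shell parses the URL. The browser name `mybrowser`, the function names, the single-quote wrapping in the unsafe builder and the sample URL are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 8

/* Unsafe pattern, built for comparison only and never executed: the URL is
 * pasted into one string meant for `sh -c`, so a quote or ';' in the URL
 * ends the intended argument and starts a new shell command. */
int build_shell_string(const char *browser, const char *url, char *out, size_t n) {
    int len = snprintf(out, n, "%s '%s'", browser, url);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Accept only http(s) URLs without control characters. The scheme check
 * also keeps a "URL" starting with '-' from being read as an option. */
int url_is_acceptable(const char *url) {
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Hardened form: split the command template on spaces first, then put the
 * URL in place of the "%s" token as ONE argv element for execvp(), which
 * involves no shell. Modifies tmpl. Returns argc, or -1 on error. */
int build_argv(char *tmpl, const char *url, const char *argv[MAX_ARGS + 1]) {
    int argc = 0, substituted = 0;
    if (!url_is_acceptable(url))
        return -1;
    for (char *tok = strtok(tmpl, " "); tok; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS)
            return -1;
        int is_url = argc > 0 && strcmp(tok, "%s") == 0;  /* never argv[0] */
        substituted |= is_url;
        argv[argc++] = is_url ? url : tok;
    }
    argv[argc] = NULL;
    return substituted ? argc : -1;
}

int main(void) {
    char tmpl[] = "mybrowser %s";            /* constructed template */
    const char *argv[MAX_ARGS + 1];
    int n = build_argv(tmpl, "http://example.invalid/a';echo injected;'", argv);
    for (int i = 0; i < n; i++) printf("argv[%d] = %s\n", i, argv[i]);
    return 0;
}
```

With the argv form the quote and semicolons arrive at the browser as literal characters of a single argument; in the shell-string form the same bytes close the quoted argument.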