-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200401-04
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: GAIM 0.75 Remote overflows
      Date: January 27, 2004
      Bugs: #39470
        ID: 200401-04

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Various overflows in the handling of AIM DirectIM packets were revealed
in GAIM that could lead to a remote compromise of the IM client.

Background
==========

Gaim is a multi-platform and multi-protocol instant messaging client. It
is compatible with AIM, ICQ, MSN Messenger, Yahoo, IRC, Jabber,
Gadu-Gadu, and the Zephyr networks.

Description
===========

Yahoo changed the authentication methods to their IM servers, rendering
GAIM useless. The GAIM team rushed out a release to solve this issue;
however, at the same time a code audit revealed 12 vulnerabilities [1].

Impact
======

Due to the nature of instant messaging, many of these bugs require
man-in-the-middle attacks between the client and the server. But the
underlying protocols are easy to implement and attacking ordinary TCP
sessions is a fairly simple task. As a result, all users are advised to
upgrade their GAIM installation.

[*] Users of GAIM 0.74 or below are affected by 7 of the
    vulnerabilities and are encouraged to upgrade.

[*] Users of GAIM 0.75 are affected by 11 of the vulnerabilities
    and are encouraged to upgrade to the patched version of GAIM
    offered by Gentoo.

[*] Users of GAIM 0.75-r6 are only affected by 4 of the
    vulnerabilities, but are still urged to upgrade to maintain
    security.

Workaround
==========

There is no immediate workaround; a software upgrade is required.

Resolution
==========

All users are recommended to upgrade GAIM to 0.75-r7.

    $> emerge sync
    $> emerge -pv ">=net-im/gaim-0.75-r7"
    $> emerge ">=net-im/gaim-0.75-r7"

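The version tiers from the Impact section and the fixed atom from the Resolution section can be checked mechanically before and after the upgrade. The script below is an added example, not part of the advisory or of Gentoo's tooling: the function name and output tokens are hypothetical, revisions 0.75-r1 through 0.75-r5 are assumed to count as "0.75", and only the first two version components are compared.

```shell
#!/bin/sh
# Added example: map a net-im/gaim version string onto the exposure tiers
# listed in GLSA 200401-04. Function name and output tokens are hypothetical.
# Assumptions: 0.75-r1 .. 0.75-r5 count as "0.75"; only the first two
# version components are compared.

glsa_200401_04_status() {
    ver=$1
    # Split an optional Gentoo revision suffix ("-rN") from the base version.
    case $ver in
        *-r*) base=${ver%-r*}; rev=${ver##*-r} ;;
        *)    base=$ver;       rev=0 ;;
    esac
    # Reject anything that is not dotted decimal plus a numeric revision.
    case $base in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 2 ;;
        *.*) ;;
        *) echo unknown; return 2 ;;
    esac
    case $rev in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 0 ] || [ "$minor" -gt 75 ]; then
        echo fixed; return 0              # satisfies >=net-im/gaim-0.75-r7
    elif [ "$minor" -lt 75 ]; then
        echo affected:7; return 1         # "0.74 or below"
    elif [ "$rev" -ge 7 ]; then
        echo fixed; return 0              # 0.75-r7 or a later revision
    elif [ "$rev" -eq 6 ]; then
        echo affected:4; return 1         # 0.75-r6
    else
        echo affected:11; return 1        # 0.75 (and, by assumption, r1..r5)
    fi
}

# Constructed sample versions, not output from a real system.
for v in 0.59 0.74 0.75 0.75-r6 0.75-r7 0.76; do
    printf '%-8s %s\n' "$v" "$(glsa_200401_04_status "$v")"
done
```

The function returns 0 for a fixed version, 1 for an affected one and 2 for an unparseable string, so it can gate a fleet inventory job.
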
References
==========

  [1] http://www.securityfocus.com/archive/1/351235

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAFrwkMMXbAy2b2EIRAgXNAKDv5xVitt263W3Zuhbr0XbYFFn60ACdGdKO
7ltFFxnxeXHJbOmb3BkQLOM=
=shTi
-----END PGP SIGNATURE-----