Gentoo Archives: gentoo-announce

From: Tim Yamin <plasmaroo@g.o>
To: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com, gentoo-core@l.g.o, gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200401-04 ] GAIM 0.75 Remote overflows
Date: Tue, 27 Jan 2004 23:09:49
Message-Id: 4016BC25.90102@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200401-04
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 ~ http://security.gentoo.org
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 ~ Severity: Normal
11 ~ Title: GAIM 0.75 Remote overflows
12 ~ Date: January 27, 2004
13 ~ Bugs: #39470
14 ~ ID: 200401-04
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 Various overflows in the handling of AIM DirectIM packets was revealed
22 in GAIM that could lead to a remote compromise of the IM client.
23
24 Background
25 ==========
26
27 Gaim is a multi-platform and multi-protocol instant messaging client. It
28 is compatible with AIM , ICQ, MSN Messenger, Yahoo, IRC, Jabber,
29 Gadu-Gadu, and the Zephyr networks.
30
31 Description
32 ===========
33
34 Yahoo changed the authentication methods to their IM servers, rendering
35 GAIM useless. The GAIM team released a rushed release solving this
36 issue, however, at the same time a code audit revealed 12
37 vulnerabilities [ 1 ].
38
39 Impact
40 ======
41
42 Due to the nature of instant messaging many of these bugs require
43 man-in-the-middle attacks between the client and the server. But the
44 underlying protocols are easy to implement and attacking ordinary TCP
45 sessions is a fairly simple task. As a result, all users are advised to
46 upgrade their GAIM installation.
47
48 [ * ] Users of GAIM 0.74 or below are affected by 7 of the
49 ~ vulnerabilities and are encouraged to upgrade.
50
51 [ * ] Users of GAIM 0.75 are affected by 11 of the vulnerabilities
52 ~ and are encouraged to upgrade to the patched version of GAIM
53 ~ offered by Gentoo.
54
55 [ * ] Users of GAIM 0.75-r6 are only affected by 4 of the
56 ~ vulnerabilities, but are still urged to upgrade to maintain
57 ~ security.
58
59 Workaround
60 ==========
61
62 There is no immediate workaround; a software upgrade is required.
63
64 Resolution
65 ==========
66
67 All users are recommended to upgrade GAIM to 0.75-r7.
68
69 ~ $> emerge sync
70 ~ $> emerge -pv ">=net-im/gaim-0.75-r7"
71 ~ $> emerge ">=net-im/gaim-0.75-r7"
72
73 References
74 ==========
75
76 ~ [ 1 ] : http://www.securityfocus.com/archive/1/351235
77
78 Concerns?
79 =========
80
81 Security is a primary focus of Gentoo Linux and ensuring the
82 confidentiality and security of our users machines is of utmost
83 importance to us. Any security concerns should be addressed to
84 security@g.o or alternatively, you may file a bug at
85 http://bugs.gentoo.org.
86 -----BEGIN PGP SIGNATURE-----
87 Version: GnuPG v1.2.1 (GNU/Linux)
88 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
89
90 iD8DBQFAFrwkMMXbAy2b2EIRAgXNAKDv5xVitt263W3Zuhbr0XbYFFn60ACdGdKO
91 7ltFFxnxeXHJbOmb3BkQLOM=
92 =shTi
93 -----END PGP SIGNATURE-----