if anyone else was looking for some of the overflows mentioned in the rather cryptic advisory, i found one of them in: /gaim-0.81/src/protocols/msn/slp.c :648 in the function msn_slp_sip_recv(). an improper use of strncpy(). [---------------------------------------------] not very interesting for us, but there is a local overflow. it's not stack based- the buffer is a global so it's somewhere in .bss. that is in: /gaim-0.81/src/protocols/msn/utils.c :134 in the function encode_spaces(). it doesn't check the length of the buffer it copies into. unless there is some max bounds way higher up in the gtk functions that i missed. [---------------------------------------------] another local (stack based) overflow in: /gaim-0.81/src/protocols/msn/utils.c :198 in the function msn_import_html(). it is not exploitable though. multiple calls to strcat() to a small buffer, but no control over the data being appended. [---------------------------------------------] and there are many many places where the return value of dynamic memory allocation routines is not tested. actually, to rephrase that, i don't think there are many places where the return value IS checked. or in some cases the check is only after the possibly NULL pointer has already been used. on a similar note, there is little to no checking the return value of all sorts of other library functions. -- -sean
