-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : gaim SUMMARY : Fixes for gaim's vulnerabilities DATE : 2004-11-04 12:51:00 ID : CLA-2004:884 RELEVANT RELEASES : 9, 10 - ------------------------------------------------------------------------- DESCRIPTION Gaim[1] is a multi-protocol instant messaging (IM) client. This announcement fixes several denial of service and buffer overflow vulnerabilities that were encountered in Gaim. The fixed vulnerabilities are: CAN-2004-0500[2]: Buffer overflow in the MSN protocol plugins object.c and slp.c allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. CAN-2004-0754[3]: Integer overflow in Gaim allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages. CAN-2004-0784[4]: The smiley theme functionality in Gaim allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. CAN-2004-0785[5]: Multiple buffer overflows in Gaim allow remote attackers to cause a denial of service and possibly execute arbitrary code via Rich Text Format (RTF) messages, a long hostname for the local system as obtained from DNS, or a long URL that is not properly handled by the URL decoder. For further informations on Gaim's vulnerabilities, please refer to the project's security page[6]. SOLUTION It is recommended that all Gaim users upgrade their packages. IMPORTANT: Gaim must be restarted after the upgrade in order to close the vulnerabilities. REFERENCES 1.http://gaim.sourceforge.net/ 2.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0500 3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0754 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0784 5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0785 6.http://gaim.sourceforge.net/security/ UPDATED PACKAGES ftp://atualizacoes.conectiva.com.br/10/SRPMS/gaim-1.0.2-69982U10_1cl.src.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-am-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-bg-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-ca-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-cs-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-da-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-de-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-en_AU-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-en_CA-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-en_GB-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-es-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-fi-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-fr-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-he-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-hi-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-hu-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-it-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-ja-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-ko-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-lt-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-mk-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-nl-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-no-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-pl-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-pt-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-pt_BR-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-ro-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-ru-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-sk-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-sl-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-sr-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-sv-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-vi-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-zh_CN-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/gaim-i18n-zh_TW-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/libgaim-remote-devel-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/10/RPMS/libgaim-remote0-1.0.2-69982U10_1cl.i386.rpm ftp://atualizacoes.conectiva.com.br/9/SRPMS/gaim-1.0.2-27683U90_2cl.src.rpm ftp://atualizacoes.conectiva.com.br/9/RPMS/gaim-1.0.2-27683U90_2cl.i386.rpm ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en - ------------------------------------------------------------------------- Copyright (c) 2004 Conectiva Inc. http://www.conectiva.com - ------------------------------------------------------------------------- subscribe: conectiva-updates-subscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx unsubscribe: conectiva-updates-unsubscribe@xxxxxxxxxxxxxxxxxxxxxxxxxxx -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQFBikR342jd0JmAcZARAhnlAKDd+XbZWxNs4gUSJDBEo4lcvyneQQCfSFWT E4gDh1wwCcWxorLENN8wLn8= =qlfL -----END PGP SIGNATURE-----
