Posted: Thu Aug 18, 2005 9:47 am Post subject: [ GLSA 200508-06 ] Gaim: Remote execution of arbitrary code
Gentoo Linux Security Advisory
Title: Gaim: Remote execution of arbitrary code (GLSA 200508-06)
Severity: high
Exploitable: remote
Date: August 15, 2005
Bug(s): #102000
ID: 200508-06
Synopsis
Gaim is vulnerable to a buffer overflow which could lead to the execution
of arbitrary code or to a Denial of Service.
Background
Gaim is a full featured instant messaging client which handles a
variety of instant messaging protocols.
Affected Packages
Package: net-im/gaim
Vulnerable: < 1.5.0
Unaffected: >= 1.5.0
Architectures: All supported architectures
Description
Brandon Perry discovered that Gaim is vulnerable to a heap-based
buffer overflow when handling away messages (CAN-2005-2103).
Furthermore, Daniel Atallah discovered a vulnerability in the handling
of file transfers (CAN-2005-2102).
Impact
A remote attacker could create a specially crafted away message
which, when viewed by the target user, could lead to the execution of
arbitrary code. Also, an attacker could send a file with a non-UTF8
filename to a user, which would result in a Denial of Service.
Workaround
There is no known workaround at this time.
Resolution
All Gaim users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-im/gaim-1.5.0"
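Before running the upgrade on a fleet of hosts it is useful to check which of them actually carry a version inside the advisory's vulnerable range (< 1.5.0). The script below is an added example and not part of the GLSA or of Gentoo's tooling: it compares a dotted version string against the advisory's unaffected minimum with a portable POSIX sh comparison (so it does not depend on `sort -V`), ignoring a Gentoo `-rN` revision suffix. The version strings fed to it here are constructed; on a real host you would pass in the version reported by the installed-package query of your choice (assumed, not shown).

```shell
#!/bin/sh
# Added example (not from the GLSA): classify an installed net-im/gaim
# version against the advisory's range "Vulnerable: < 1.5.0".
# Scope: plain dotted numeric versions, optionally with a Gentoo "-rN"
# revision suffix; "_rc"/"_p" style suffixes are out of scope here.

UNAFFECTED_MIN="1.5.0"   # "Unaffected: >= 1.5.0" from GLSA 200508-06

# version_lt A B: return 0 (true) when A is strictly lower than B,
# comparing each dot-separated component numerically. Missing
# components count as 0, so "1.5" equals "1.5.0".
version_lt() {
    a=${1%%-r*}   # drop "-rN" revision, it does not change the upstream version
    b=${2%%-r*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap=${a%%.*}; bp=${b%%.*}
        # consume the leading component (empty string once exhausted)
        if [ "$ap" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bp" = "$b" ]; then b=""; else b=${b#*.}; fi
        ap=${ap:-0}; bp=${bp:-0}
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1   # equal
}

# gaim_is_vulnerable VERSION: print a verdict; exit status 0 means the
# version lies in the vulnerable range and the host needs the upgrade.
gaim_is_vulnerable() {
    if version_lt "$1" "$UNAFFECTED_MIN"; then
        echo "net-im/gaim-$1: VULNERABLE (< $UNAFFECTED_MIN), apply GLSA 200508-06"
        return 0
    fi
    echo "net-im/gaim-$1: unaffected (>= $UNAFFECTED_MIN)"
    return 1
}

# Constructed sample versions standing in for what a package query would return.
for v in 1.4.0 1.4.0-r1 1.5.0 1.5.0-r1; do
    gaim_is_vulnerable "$v"
done
```

The exit status of `gaim_is_vulnerable` is what a configuration-management check would key on; the printed line is only for the operator.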
References
CAN-2005-2102
CAN-2005-2103
Last edited by GLSA on Sun May 12, 2013 4:20 am; edited 5 times in total