
Bug 153311

Summary: CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966)
Product: Red Hat Enterprise Linux 4
Reporter: Josh Bressers <bressers>
Component: gaim
Assignee: Warren Togami <wtogami>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 4.0
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20050401,reported=bugtraq,reported=20050401
Doc Type: Bug Fix
Last Closed: 2005-04-12 13:56:40 UTC

Description Josh Bressers 2005-04-04 18:28:35 UTC
Two Gaim DoS issues were reported to bugtraq:
http://www.securityfocus.com/archive/1/394806/2005-04-01/2005-04-07/0

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer
overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages
without escaping markup.
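
As an added example, not Gaim's code and not part of this bug report, the following small C HTML stripper shows the property the first issue is missing: every scan re-checks for the terminating NUL, so malformed input such as an unterminated tag, comment or entity cannot push the read past the end of the string. The function and helper names (`strip_html_safe`, `strip_matches`) are my own.

```c
#include <string.h>
/* Illustrative bounds-safe HTML stripper; NOT Gaim's gaim_markup_strip_html.
 * Every advance re-checks for the terminating NUL, so malformed input (an
 * unterminated tag, comment or entity) cannot push the read past the string. */
size_t strip_html_safe(const char *in, char *out, size_t outlen)
{
    static const struct { const char *name; char ch; } ents[] = {
        {"lt;", '<'}, {"gt;", '>'}, {"amp;", '&'}, {"quot;", '"'}, {"nbsp;", ' '}
    };
    const size_t nents = sizeof ents / sizeof ents[0];
    const char *p = in;
    size_t n = 0;                      /* bytes written; at most outlen-1 plus NUL */
    if (outlen == 0) return 0;
    while (*p != '\0' && n < outlen - 1) {
        if (*p == '<') {
            if (strncmp(p, "<!--", 4) == 0) {
                const char *end = strstr(p + 4, "-->");
                if (end == NULL) break;            /* unterminated comment: stop */
                p = end + 3;
                continue;
            }
            while (*p != '\0' && *p != '>') p++;   /* unterminated tag: stops at NUL */
            if (*p == '>') p++;
            continue;
        }
        if (*p == '&') {
            size_t i;
            /* strncmp stops at NUL, so a truncated "&l" cannot be overread */
            for (i = 0; i < nents; i++)
                if (strncmp(p + 1, ents[i].name, strlen(ents[i].name)) == 0) break;
            if (i < nents) {
                out[n++] = ents[i].ch;
                p += 1 + strlen(ents[i].name);
                continue;
            }
            /* unknown or truncated entity: the '&' is copied literally below */
        }
        out[n++] = *p++;
    }
    out[n] = '\0';
    return n;
}
/* Check helper: strip 'in' into a fixed buffer and compare with 'expected'. */
int strip_matches(const char *in, const char *expected)
{
    char buf[128];
    strip_html_safe(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```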

Comment 1 Josh Bressers 2005-04-04 18:31:43 UTC
This issue should also affect RHEL3.

I'm not sure if this will affect RHEL2.1 (Warren, can you take a look?).

Comment 2 Josh Bressers 2005-04-04 19:43:06 UTC
This issue does not affect RHEL2.1.

Comment 3 Josh Bressers 2005-04-04 19:44:32 UTC
======================================================
Candidate: CAN-2005-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0965
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2

The gaim_markup_strip_html function in Gaim 1.2.0, and possibly
earlier versions, allows remote attackers to cause a denial of service
(application crash) via a string that contains malformed HTML, which
causes an out-of-bounds read.


======================================================
Candidate: CAN-2005-0966
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0966
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?group_id=235&release_id=317750
Reference: XF:gaim-irc-plugin-bo(19937)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19937
Reference: XF:gaim-ircmsginvite-dos(19939)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19939

The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions,
allows (1) remote attackers to inject arbitrary Gaim markup via
irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote
attackers to inject arbitrary Pango markup and pop up empty dialog
boxes via irc_msg_invite, or (3) malicious IRC servers to cause a
denial of service (application crash) by injecting certain Pango
markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown,
irc_msg_nochan functions.


Comment 4 Josh Bressers 2005-04-12 13:56:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-365.html