Bug 153311 - CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966)
Summary: CAN-2005-0965 Gaim remote DoS issues (CAN-2005-0966)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: gaim
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
: ---
Assignee: Warren Togami
QA Contact:
URL:
Whiteboard: impact=important,public=20050401,repo...
Depends On:
Blocks:
Reported: 2005-04-04 18:28 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-12 13:56:40 UTC



Links
System: Red Hat Product Errata | ID: RHSA-2005:365 | Priority: high | Status: SHIPPED_LIVE | Summary: Important: gaim security update | Last Updated: 2005-04-12 04:00:00 UTC

Description Josh Bressers 2005-04-04 18:28:35 UTC
Two Gaim DoS issues were reported to bugtraq:
http://www.securityfocus.com/archive/1/394806/2005-04-01/2005-04-07/0

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer
overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages
without escaping markup.

Comment 1 Josh Bressers 2005-04-04 18:31:43 UTC
This issue should also affect RHEL3.

I'm not sure if this will affect RHEL2.1 (Warren, can you take a look?)

Comment 2 Josh Bressers 2005-04-04 19:43:06 UTC
This issue does not affect RHEL2.1.

Comment 3 Josh Bressers 2005-04-04 19:44:32 UTC
======================================================
Candidate: CAN-2005-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0965
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2

The gaim_markup_strip_html function in Gaim 1.2.0, and possibly
earlier versions, allows remote attackers to cause a denial of service
(application crash) via a string that contains malformed HTML, which
causes an out-of-bounds read.


======================================================
Candidate: CAN-2005-0966
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0966
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?group_id=235&release_id=317750
Reference: XF:gaim-irc-plugin-bo(19937)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19937
Reference: XF:gaim-ircmsginvite-dos(19939)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19939

The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions,
allows (1) remote attackers to inject arbitrary Gaim markup via
irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote
attackers to inject arbitrary Pango markup and pop up empty dialog
boxes via irc_msg_invite, or (3) malicious IRC servers to cause a
denial of service (application crash) by injecting certain Pango
markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown,
irc_msg_nochan functions.
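
The two defensive patterns implied by the description and by the CVE text above, as an added illustration that is not gaim's code and not a reconstruction of the gaim fix: a markup stripper whose every read is bounded by the input length, so an unterminated or otherwise malformed tag is dropped instead of read past the end of the buffer, and an escaping routine applied to untrusted IRC text before it reaches a markup renderer. Function names (strip_markup_safe, escape_markup) and their exact behaviour are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Bounds-checked markup stripper (hypothetical; not gaim_markup_strip_html).
 * Every read is guarded by `len`, so an unterminated "<" at the end of
 * the input never causes an out-of-bounds read: the dangling tag is
 * simply discarded. Caller frees the result. */
char *strip_markup_safe(const char *in, size_t len)
{
    char *out = malloc(len + 1);   /* output is never longer than input */
    size_t o = 0;
    int in_tag = 0;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        if (in_tag) {
            if (c == '>') in_tag = 0;   /* tag closed; resume copying */
        } else if (c == '<') {
            in_tag = 1;                 /* start skipping a tag */
        } else {
            out[o++] = c;
        }
    }
    out[o] = '\0';
    return out;
}

/* Escape text before handing it to a markup renderer, so that "<", ">"
 * and "&" in an untrusted IRC message render literally instead of being
 * interpreted as markup. Caller frees the result. */
char *escape_markup(const char *in)
{
    size_t len = strlen(in), o = 0;
    char *out = malloc(len * 5 + 1);    /* worst case: every char -> "&amp;" */
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;
        }
        if (rep) { size_t r = strlen(rep); memcpy(out + o, rep, r); o += r; }
        else out[o++] = in[i];
    }
    out[o] = '\0';
    return out;
}
```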


Comment 4 Josh Bressers 2005-04-12 13:56:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-365.html


