7.5 - DSA-434

Executive Summary

Summary
Title	New gaim packages fix several vulnerabilities

Informations
Name	DSA-434	First vendor Publication	2004-02-05
Vendor	Debian	Last vendor Modification	2004-02-05
Severity (Vendor)	N/A	Revision	1

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score	7.5	Attack Range	Network
Cvss Impact Score	6.4	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Stefan Esser discovered several security related problems in Gaim, a multi-protocol instant messaging client. Not all of them are applicable for the version in Debian stable, but affected the version in the unstable distribution at least. The problems were grouped for the Common Vulnerabilities and Exposures as follows:

CAN-2004-0005

When the Yahoo Messenger handler decodes an octal value for email notification functions two different kinds of overflows can be triggered. When the MIME decoder decoded a quoted printable encoded string for email notification two other different kinds of overflows can be triggered. These problems only affect the version in the unstable distribution.

CAN-2004-0006

When parsing the cookies within the HTTP reply header of a Yahoo web connection a buffer overflow can happen. When parsing the Yahoo Login Webpage the YMSG protocol overflows stack buffers if the web page returns oversized values. When splitting an URL into its parts a stack overflow can be caused. These problems only affect the version in the unstable distribution

When an oversized keyname is read from a Yahoo Messenger packet a stack overflow can be triggered. When Gaim is setup to use a HTTP proxy for connecting to the server a malicious HTTP proxy can exploit it. These problems affect all versions Debian ships. However, the connection to Yahoo doesn't work in the version in Debian stable.

CAN-2004-0007

Internally data is copied between two tokens into a fixed size stack buffer without a size check. This only affects the version of gaim in the unstable distribution

CAN-2004-0008

When allocating memory for AIM/Oscar DirectIM packets an integer overflow can happen, resulting in a heap overflow. This only affects the version of gaim in the unstable distribution

For the stable distribution (woody) this problem has been fixed in version 0.58-2.4.

For the unstable distribution (sid) this problem has been fixed in version 0.75-2.

We recommend that you upgrade your gaim packages.

Original Source

Url : http://www.debian.org/security/2004/dsa-434

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-193	Off-by-one Error

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10222

Oval ID:	oval:org.mitre.oval:def:10222
Title:	Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
Description:	Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0006	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3	Product(s):
Definition Synopsis:
RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND gaim is earlier than 1:0.75-3.2.0

Definition Id: oval:org.mitre.oval:def:818

Oval ID:	oval:org.mitre.oval:def:818
Title:	Gaim / Ultramagnetic BO Vulnerabilities
Description:	Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0006	Version:	2
Platform(s):	Red Hat Linux 9	Product(s):	Gaim
Definition Synopsis:
Software section Red Hat 9 is installed AND ix86 architecture AND gaim version is less than 0.75-0.9.0 AND Configuration section /usr/bin/gaim is executable /usr/bin/gaim is executable AND /usr/bin/gaim is executable AND /usr/bin/gaim is executable

Definition Id: oval:org.mitre.oval:def:819

Oval ID:	oval:org.mitre.oval:def:819
Title:	Gaim / Ultramagnetic Extract Info Field Function BO
Description:	Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0007	Version:	2
Platform(s):	Red Hat Linux 9	Product(s):	Gaim
Definition Synopsis:
Software section Red Hat 9 is installed AND ix86 architecture AND gaim version is less than 0.75-0.9.0 AND Configuration section /usr/bin/gaim is executable /usr/bin/gaim is executable AND /usr/bin/gaim is executable AND /usr/bin/gaim is executable

Definition Id: oval:org.mitre.oval:def:820

Oval ID:	oval:org.mitre.oval:def:820
Title:	Gaim / Ultramagnetic directIM Packet Vulnerability
Description:	Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0008	Version:	2
Platform(s):	Red Hat Linux 9	Product(s):	Gaim
Definition Synopsis:
Software section Red Hat 9 is installed AND ix86 architecture AND gaim version is less than 0.75-0.9.0 AND Configuration section /usr/bin/gaim is executable /usr/bin/gaim is executable AND /usr/bin/gaim is executable AND /usr/bin/gaim is executable

Definition Id: oval:org.mitre.oval:def:9469

Oval ID:	oval:org.mitre.oval:def:9469
Title:	Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.
Description:	Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0008	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3	Product(s):
Definition Synopsis:
RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND gaim is earlier than 1:0.75-3.2.0

Definition Id: oval:org.mitre.oval:def:9906

Oval ID:	oval:org.mitre.oval:def:9906
Title:	Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Description:	Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2004-0007	Version:	5
Platform(s):	Red Hat Enterprise Linux 3 CentOS Linux 3	Product(s):
Definition Synopsis:
RHEL3 or CentOS3 The operating system installed on the system is Red Hat Enterprise Linux 3 AND CentOS Linux 3.x AND gaim is earlier than 1:0.75-3.2.0

CPE : Common Platform Enumeration

Type	Description	Count
Application	Gaim Project Gaim cpe:2.3:a:gaim_project:gaim:0.75:::::::*	1
Application	Rob Flynn Gaim cpe:2.3:a:rob_flynn:gaim:0.75:::::::* cpe:2.3:a:rob_flynn:gaim:0.74:::::::* cpe:2.3:a:rob_flynn:gaim:0.73:::::::* cpe:2.3:a:rob_flynn:gaim:0.72:::::::* cpe:2.3:a:rob_flynn:gaim:0.71:::::::* cpe:2.3:a:rob_flynn:gaim:0.70:::::::* cpe:2.3:a:rob_flynn:gaim:0.69:::::::* cpe:2.3:a:rob_flynn:gaim:0.68:::::::* cpe:2.3:a:rob_flynn:gaim:0.67:::::::* cpe:2.3:a:rob_flynn:gaim:0.66:::::::* cpe:2.3:a:rob_flynn:gaim:0.65:::::::* cpe:2.3:a:rob_flynn:gaim:0.64:::::::* cpe:2.3:a:rob_flynn:gaim:0.63:::::::* cpe:2.3:a:rob_flynn:gaim:0.62:::::::* cpe:2.3:a:rob_flynn:gaim:0.61:::::::* cpe:2.3:a:rob_flynn:gaim:0.60:::::::* cpe:2.3:a:rob_flynn:gaim:0.59.1:::::::* cpe:2.3:a:rob_flynn:gaim:0.59:::::::* cpe:2.3:a:rob_flynn:gaim:0.58:::::::* cpe:2.3:a:rob_flynn:gaim:0.57:::::::* cpe:2.3:a:rob_flynn:gaim:0.56:::::::* cpe:2.3:a:rob_flynn:gaim:0.55:::::::* cpe:2.3:a:rob_flynn:gaim:0.54:::::::* cpe:2.3:a:rob_flynn:gaim:0.53:::::::* cpe:2.3:a:rob_flynn:gaim:0.52:::::::* cpe:2.3:a:rob_flynn:gaim:0.51:::::::* cpe:2.3:a:rob_flynn:gaim:0.50:::::::* cpe:2.3:a:rob_flynn:gaim:0.10.3:::::::* cpe:2.3:a:rob_flynn:gaim:0.10:::::::*	29

OpenVAS Exploits

Date	Description
2008-09-24	Name : Gentoo Security Advisory GLSA 200401-04 (GAIM) File : nvt/glsa_200401_04.nasl
2008-09-04	Name : FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim File : nvt/freebsd_gaim9.nasl
2008-01-17	Name : Debian Security Advisory DSA 434-1 (gaim) File : nvt/deb_434_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
3736	Gaim Quoted Printable Decoder Overflows A remote overflow exists in GAIM Instant Messager client. GAIM fails to address malformed input resulting in a heap overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.
3735	Gaim Yahoo Octal-Encoding Decoder Overflows
3734	Gaim DirectIM AIM/Oscar Integer Buffer Overflow A remote overflow exists in gaim. Gaim fails to correctly parse some malformed directIM packets, resulting in a heap overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.
3733	Gaim Extract Info Field Function Buffer Overflow A remote overflow exists in Gaim. The Extract Info Field Function combines data from two tokens into a fixed-length stack buffer without properly checking the size of the resulting string, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity.
3732	Gaim HTTP Proxy Connect Overflow A remote overflow exists in Gaim. The HTTP proxy (http_canread function) subsystem fails to check if the proxy sends more than 8192 bytes in a line, resulting in a buffer overflow. With a malicious proxy sending specially crafted input, an attacker can overwrite the buffer and gain control of the instruction pointer resulting in a loss of integrity.
3731	Gaim URL Parser Function Overflow A remote overflow exists in Gaim. The URL Parser Function splits a URL into its parts using temporary fixed size stackbuffers in an unsafe way, resulting in a buffer overflow. With a specially crafted set of data, an attacker can overflow the buffer and possibly execute arbitrary code on the system, resulting in a loss of integrity. Note that it is only possible to overwrite the buffers with a limited character set which makes exploitation difficult.
3730	Gaim Yahoo Parser Buffer Overflow

Nessus® Vulnerability Scanner

Date	Description
2009-04-23	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6fd024395d7011d880e30020ed76ef5a.nasl - Type : ACT_GATHER_INFO
2004-09-29	Name : The remote Debian host is missing a security-related update. File : debian_DSA-434.nasl - Type : ACT_GATHER_INFO
2004-07-31	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-006.nasl - Type : ACT_GATHER_INFO
2004-07-06	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2004-033.nasl - Type : ACT_GATHER_INFO
2004-07-06	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2004-045.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 11:33:04	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	6
CPE ID(s)	30
osvdb(s)	7
Openvas Exploit(s)	3
Nessus® Exploit(s)	5

	Related
9.8	CVE-2004-0005
7.5	CVE-2004-0008
7.5	CVE-2004-0007
7.5	CVE-2004-0006
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 4 more Alert(s)

7.5 - DSA-434

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

OpenVAS Exploits

Open Source Vulnerability Database (OSVDB)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU