Executive Summary
| Summary | |
|---|---|
| Title | Updated gaim package fixes security issues and bugs |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2004:604 | First vendor Publication | 2004-10-20 |
| Vendor | RedHat | Last vendor Modification | 2004-10-20 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 10 | Attack Range | Network |
| Cvss Impact Score | 10 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An updated gaim package that fixes security issues, fixes various bugs, and includes various enhancements for Red Hat Enterprise Linux 3 is now avaliable. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Desktop version 3 - i386, x86_64 Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 3. Problem description: The gaim application is a multi-protocol instant messaging client. A buffer overflow has been discovered in the MSN protocol handler. When receiving unexpected sequence of MSNSLP messages, it is possible that an attacker could cause an internal buffer overflow, leading to a crash or possible code execution. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0891 to this issue. This updated gaim package also fixes multiple user interface, protocol, and error handling problems, including an ICQ communication encoding issue. Additionally, these updated packages have compiled gaim as a PIE (position independent executable) for added protection against future security vulnerabilities. All users of gaim should upgrade to this updated package, which includes various bug fixes, as well as a backported security patch. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ 5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info): 135678 - CAN-2004-0891 MSN protocol buffer overflow. |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2004-604.html |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:11790 | |||
| Oval ID: | oval:org.mitre.oval:def:11790 | ||
| Title: | Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. | ||
| Description: | Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2004-0891 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 | Product(s): | |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200410-23 (gaim) File : nvt/glsa_200410_23.nasl |
| 2008-09-04 | Name : FreeBSD Ports: gaim, ja-gaim, ko-gaim, ru-gaim File : nvt/freebsd_gaim2.nasl |
| 2008-09-04 | Name : FreeBSD Ports: gaim, ja-gaim, ru-gaim File : nvt/freebsd_gaim7.nasl |
| 0000-00-00 | Name : Slackware Advisory SSA:2004-296-01 gaim File : nvt/esoft_slk_ssa_2004_296_01.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 10988 | Gaim MSN File Transfer Overflow DoS A remote overflow exists in Gaim. The application fails to perform proper bounds checking resulting in a buffer overflow. By initiating a MSN file transfer request, a remote attacker could send a file with a size which exceeds the amount of available memory and crash the application resulting in a loss of availability. |
| 10987 | Gaim Malformed MSN SLP Message DoS |
| 10986 | Gaim MSN SLP Message Handling Remote Overflow |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-01-15 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-8-1.nasl - Type : ACT_GATHER_INFO |
| 2005-07-13 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2004-296-01.nasl - Type : ACT_GATHER_INFO |
| 2005-07-13 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_1e6c4008245f11d9b5840050fc56d258.nasl - Type : ACT_GATHER_INFO |
| 2005-04-08 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-068.nasl - Type : ACT_GATHER_INFO |
| 2004-11-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-117.nasl - Type : ACT_GATHER_INFO |
| 2004-10-25 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200410-23.nasl - Type : ACT_GATHER_INFO |
| 2004-10-21 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2004-604.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:48:45 |
|
