ISS X-Force Database: gaim-mime-decoder-bo(14942): Gaim MIME decoder buffer overflow

Gaim MIME decoder buffer overflow

gaim-mime-decoder-bo (14942)

High Risk

Description:

Gaim is vulnerable to a buffer overflow in the MIME decoder. When decoding a quoted printable string for email notification, it is possible for a remote attacker to supply a backslash (in the form of \) to the sscanf function in the gaim_quotedp_decode function to overflow a buffer and execute arbitrary code on the system.

Platforms Affected:

Conectiva, Linux 8.0
Conectiva, Linux 9.0
Debian, Debian Linux 3.0
Gaim Project, Gaim 0.75
Gentoo, Linux
Slackware, Slackware Linux 9.0
Slackware, Slackware Linux 9.1
Slackware, Slackware Linux current
SuSE, SuSE Linux 8.0
SuSE, SuSE Linux 8.1
SuSE, SuSE Linux 8.2
SuSE, SuSE Linux 9.0

Remedy:

Download and install the latest version of Gaim after version 0.75, as listed on the Sourceforge Gaim Web Site. See References.

For Slackware Linux:
Upgrade to the latest gaim package, as listed below. Refer to slackware-security Mailing List, Mon, 26 Jan 2004 16:14:45 -0800 (PST) for more information. See References.

Slackware Linux 9.0: 0.75-i386-1 or later
Slackware Linux 9.1 and current: 0.75-i486-1 or later

For Gentoo Linux:
Upgrade to the latest version of gaim (0.75-r7 or later), as listed in Gentoo Linux Security Announcement 200401-04. See References.

For SuSE Linux:
Upgrade to the latest gaim package, as listed below. Refer to SuSE Security Announcement SuSE-SA:2004:004 for more information. See References.

SuSE Linux 9.0 (Intel): 0.67-65 or later
SuSE Linux 8.2: 0.59.8-60 or later
SuSE Linux 8.1: 0.59-158 or later
SuSE Linux 8.0: 0.50-187 or later

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest gaim package, as listed below. Refer to DSA-434-1 for more information. See References.

Debian GNU/Linux 3.0 (woody): 0.58-2.4 or later

For Conectiva Linux:
Upgrade to the latest gaim package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:813 for more information. See References.

Conectiva Linux 8: 0.59.8-1U80_1cl or later
Conectiva Linux 9: 0.75-27683U90_1cl or later

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

Conectiva Linux Security Announcement CLSA-2004:813, gaim at http://distro.conectiva.com/atualizacoes/index.php?id=a&anuncio=000813.
Full-Disclosure Mailing List, Mon Jan 26 2004 - 02:44:42 CST, Advisory 01/2004: 12 x Gaim remote overflows at http://archives.neohapsis.com/archives/fulldisclosure/2004-01/0994.html.
Gentoo Linux Security Announcement 200401-04, GAIM 0.75 Remote overflows at http://www.linuxsecurity.com/content/view/105690/104/. (From LinuxSecurity archive.)
slackware-security Mailing List, Mon, 26 Jan 2004 16:14:45 -0800 (PST), GAIM security update (SSA:2004-026-01) at http://www.slackware.org/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.361158.
Sourceforge Gaim Web site, Downloads at http://gaim.sourceforge.net/downloads.php.
CVE-2004-0005: Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte.
DSA-434: gaim -- several vulnerabilities
OSVDB ID: 3736: Gaim Quoted Printable Decoder Overflows
SECTRACK ID: 1008850: Gaim Contains Multiple Overflows That Let a Remote User Execute Arbitrary Code
US-CERT VU#190366: Gaim contains a buffer overflow vulnerability in the gaim_quotedp_decode() function
US-CERT VU#226974: Gaim contains an off-by-one buffer overflow vulnerability in the gaim_quotedp_decode() function
US-CERT VU#404470: Gaim contains an off-by-one buffer overflow vulnerability in the yahoo_decode() function
US-CERT VU#655974: Gaim contains a buffer overflow vulnerability in the yahoo_decode() function

Reported:

Jan 26, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page