Remote arbitrary code execution vulnerability in gaim
Package(s): gaim
CVE #(s):
Created: August 28, 2002
Updated: September 4, 2002
Description:
gaim versions prior to 0.59.1
contained an arbitrary code execution vulnerability in
the hyperlink handling code.
The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it. Users who use other inbuilt browser commands aren't
vulnerable.
The problem is fixed in
gaim 0.59.1 which is available here.
Versions prior to 0.58 also contained a buffer overflow in the Jabber plug-in module which, of course, is still fixed in 0.59.1.
"Gaim is an instant messaging client written in GTK and is based on the
published TOC messaging protocol from AOL."
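
One way to avoid the class of bug described above, as an added example (not gaim's code and not the 0.59.1 patch): the user-configured browser command is split into an argument vector, the URL is substituted as a single argument, and the result is run with execvp(), so no shell ever parses the URL. The function names, the space-separated template with a standalone %s token, the scheme allowlist and the sample inputs are assumptions.

```c
/* Constructed example: names and template format are assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

/* Accept only expected schemes and no control characters or spaces.
 * The scheme check also stops a "URL" starting with '-' being read
 * as a command-line option by the browser. */
int url_is_acceptable(const char *url) {
    if (strncmp(url, "http://", 7) && strncmp(url, "https://", 8) &&
        strncmp(url, "ftp://", 6))
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++)
        if (*p <= 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Split the template on spaces inside buf; a "%s" token becomes the URL
 * as exactly one argv element. Returns argc, or -1 on error. */
int build_browser_argv(const char *tmpl, const char *url,
                       char *buf, size_t buflen, char *argv[MAX_ARGS]) {
    int argc = 0;
    if (!url_is_acceptable(url) || strlen(tmpl) >= buflen)
        return -1;
    strcpy(buf, tmpl);                 /* length checked just above */
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= MAX_ARGS - 1)
            return -1;
        argv[argc++] = strcmp(tok, "%s") == 0 ? (char *)url : tok;
    }
    argv[argc] = NULL;
    return argc > 0 ? argc : -1;
}

/* Run the command with execvp(): the URL is data, never shell syntax. */
int launch_browser(const char *tmpl, const char *url) {
    char buf[256], *argv[MAX_ARGS];
    int status;
    if (build_browser_argv(tmpl, url, buf, sizeof buf, argv) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    return waitpid(pid, &status, 0) < 0 ? -1 : status;
}
```

Characters such as `;`, `'` and `$` in the URL arrive in the browser's argument unchanged, because the only parsing applied to the command is the split of the trusted template.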
Remote arbitrary code execution vulnerability in gaim
Posted Aug 29, 2002 1:44 UTC (Thu) by robot101 (subscriber, #3479)
Oops. I must apologise here, I wrote some of that text when outlining the problem to the Debian security team. Gaim does actually give you a tooltip of the URL. Furthermore, Chris Blizzard from RedHat found that whilst my patch fixed the issue for the manual browser command, it erroneously made the other browser commands use unallocated memory, which could cause a crash (but after forking, would just result in the URL not being shown, and maybe a core file =). This is fixed for Debian in 0.59.1-3 in sid, and 0.58-2.3 in woody. See here for the patch.