User: Password:
Subscribe / Log in / New account

Conectiva alert CLA-2005:949 (gaim)

From:  Conectiva Updates <>
Subject:  [CLA-2005:949] Conectiva Security Announcement - gaim
Date:  Wed, 27 Apr 2005 15:14:38 -0300

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- CONECTIVA LINUX SECURITY ANNOUNCEMENT - -------------------------------------------------------------------------- PACKAGE : gaim SUMMARY : Fixes for gaim's vulnerabilities DATE : 2005-04-27 15:11:00 ID : CLA-2005:949 RELEVANT RELEASES : 9, 10 - ------------------------------------------------------------------------- DESCRIPTION Gaim[1] is a multi-protocol instant messaging (IM) client. This announcement fixes three denial of service vulnerabilities that were encountered in Gaim. The fixed vulnerabilities are: CAN-2005-0965[2]: The gaim_markup_strip_html function allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read. CAN-2005-0966[3]: The IRC protocol plugin allowed (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions. CAN-2005-0967[4]: Sending a Gaim Jabber user a certain invalid file transfer request triggered an out-of-bounds read which caused Gaim to crash. For further informations on Gaim's vulnerabilities, please refer to the project's security page[5]. SOLUTION It is recommended that all Gaim users upgrade their packages. IMPORTANT: Gaim must be restarted after the upgrade in order to close the vulnerabilities. REFERENCES 1. 2. 3. 4. 5. UPDATED PACKAGES ADDITIONAL INSTRUCTIONS The apt tool can be used to perform RPM packages upgrades: - run: apt-get update - after that, execute: apt-get upgrade Detailed instructions regarding the use of apt and upgrade examples can be found at - ------------------------------------------------------------------------- All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at Instructions on how to check the signatures of the RPM packages can be found at - ------------------------------------------------------------------------- All our advisories and generic update instructions can be viewed at - ------------------------------------------------------------------------- Copyright (c) 2004 Conectiva Inc. - ------------------------------------------------------------------------- subscribe: unsubscribe: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see iD8DBQFCb9aM42jd0JmAcZARAg6tAKDv1rox7u/RvAcbUcSMN4RYVx1LHQCggmFl g5ryLeBaSwm5Ev99dTd+MoE= =YlMb -----END PGP SIGNATURE-----

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds