From security@mandriva.com Thu Apr 14 05:26:21 2005
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Wed, 13 Apr 2005 20:32:16 -0600
Subject: [Full-disclosure] MDKSA-2005:071 - Updated gaim packages fix multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           gaim
 Advisory ID:            MDKSA-2005:071
 Date:                   April 13th, 2005

 Affected versions:      10.1, Corporate 3.0
 ______________________________________________________________________

 Problem Description:

 More vulnerabilities have been discovered in the gaim instant messaging
 client:

 A buffer overflow vulnerability was found in the way that gaim escapes
 HTML, allowing a remote attacker to send a specially crafted message to
 a gaim client and causing it to crash (CAN-2005-0965).

 A bug was discovered in several of gaim's IRC processing functions that
 fail to properly remove various markup tags within an IRC message. This
 could allow a remote attacker to send a specially crafted message to a
 gaim client connected to an IRC server, causing it to crash
 (CAN-2005-0966).

 Finally, a problem was found in gaim's Jabber message parser that would
 allow a remote Jabber user to send a specially crafted message to a gaim
 client, causing it to crash (CAN-2005-0967).

 Gaim version 1.2.1 is not vulnerable to these issues and is provided
 with this update.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0965
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0966
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0967
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.1:
 f0c9f84d95541ffba3baf9e24d85e87a  10.1/RPMS/gaim-1.2.1-0.1.101mdk.i586.rpm
 75941740b8e5db4603816d3ea73cfddf  10.1/RPMS/gaim-devel-1.2.1-0.1.101mdk.i586.rpm
 334adccd0d97f287a0282f236311c495  10.1/RPMS/gaim-gevolution-1.2.1-0.1.101mdk.i586.rpm
 7c8c86d36881bca9f539c7c8dfc543cc  10.1/RPMS/gaim-perl-1.2.1-0.1.101mdk.i586.rpm
 361e053e145405c5cf95c9fadafa21b1  10.1/RPMS/gaim-tcl-1.2.1-0.1.101mdk.i586.rpm
 dc4c479784bda506fc895441028b2985  10.1/RPMS/libgaim-remote0-1.2.1-0.1.101mdk.i586.rpm
 342d279dbb9a076a03c596d6c1729d77  10.1/RPMS/libgaim-remote0-devel-1.2.1-0.1.101mdk.i586.rpm
 6de0f7edf8c55a755c4b64809e1a246f  10.1/SRPMS/gaim-1.2.1-0.1.101mdk.src.rpm

 Mandrakelinux 10.1/X86_64:
 c51c050ac997d33f37cff42f1ddd8ee3  x86_64/10.1/RPMS/gaim-1.2.1-0.1.101mdk.x86_64.rpm
 ce76925c9ea35890fe06c2266f87f1a4  x86_64/10.1/RPMS/gaim-devel-1.2.1-0.1.101mdk.x86_64.rpm
 f862609115d62357ee65409e3accb9a0  x86_64/10.1/RPMS/gaim-gevolution-1.2.1-0.1.101mdk.x86_64.rpm
 f53dee67ae2ddfa5a46b8eccd7e8ffc8  x86_64/10.1/RPMS/gaim-perl-1.2.1-0.1.101mdk.x86_64.rpm
 705b7a40f55d4c2c71f69b6d074cb879  x86_64/10.1/RPMS/gaim-tcl-1.2.1-0.1.101mdk.x86_64.rpm
 18330f6a2b207cad6d8456c724ea9a1f  x86_64/10.1/RPMS/lib64gaim-remote0-1.2.1-0.1.101mdk.x86_64.rpm
 e05d76f087b39d233ba73eedcc3e7063  x86_64/10.1/RPMS/lib64gaim-remote0-devel-1.2.1-0.1.101mdk.x86_64.rpm
 6de0f7edf8c55a755c4b64809e1a246f  x86_64/10.1/SRPMS/gaim-1.2.1-0.1.101mdk.src.rpm

 Corporate 3.0:
 02619cb85a0a8846294c8ecdc2697231  corporate/3.0/RPMS/gaim-1.2.1-0.1.C30mdk.i586.rpm
 0686d195bd0e1a69c9fd8e2952d6e31e  corporate/3.0/RPMS/gaim-devel-1.2.1-0.1.C30mdk.i586.rpm
 1057d2753906d97367b596be55694546  corporate/3.0/RPMS/gaim-perl-1.2.1-0.1.C30mdk.i586.rpm
 d69fc3be71d44677023d4902af8081a4  corporate/3.0/RPMS/gaim-tcl-1.2.1-0.1.C30mdk.i586.rpm
 a3d62bec1d30efef4cde7ae80cc6f3b1  corporate/3.0/RPMS/libgaim-remote0-1.2.1-0.1.C30mdk.i586.rpm
 ae7cec269ef28eb3664ad6941ff02e88  corporate/3.0/RPMS/libgaim-remote0-devel-1.2.1-0.1.C30mdk.i586.rpm
 9ca50a9a0a46f5e616f9dd3f00e7dc52  corporate/3.0/SRPMS/gaim-1.2.1-0.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 5e69467d59933b94614a9567e50f22dc  x86_64/corporate/3.0/RPMS/gaim-1.2.1-0.1.C30mdk.x86_64.rpm
 00f868d0fce79a2557bcc7cc6f9a04f2  x86_64/corporate/3.0/RPMS/gaim-devel-1.2.1-0.1.C30mdk.x86_64.rpm
 703d5bca6aea8fa580500a19096ef8e5  x86_64/corporate/3.0/RPMS/gaim-perl-1.2.1-0.1.C30mdk.x86_64.rpm
 f76af359b96e10c8707b14f110031491  x86_64/corporate/3.0/RPMS/gaim-tcl-1.2.1-0.1.C30mdk.x86_64.rpm
 760124434b0c5b6e8420dc1e13c3533f  x86_64/corporate/3.0/RPMS/lib64gaim-remote0-1.2.1-0.1.C30mdk.x86_64.rpm
 f53b90f50d2934bc070ca6ebb1a9324e  x86_64/corporate/3.0/RPMS/lib64gaim-remote0-devel-1.2.1-0.1.C30mdk.x86_64.rpm
 9ca50a9a0a46f5e616f9dd3f00e7dc52  x86_64/corporate/3.0/SRPMS/gaim-1.2.1-0.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
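For anyone fetching the RPMs by hand rather than through MandrakeUpdate or urpmi, the following script is an added example (not part of the Mandriva advisory and not Mandriva tooling) of the two checks the advisory says the updater performs automatically: comparing each downloaded package against the md5 list above, and then checking the package GPG signatures with rpm. The list format it reads is the advisory's own "<md5>  <relative path>" lines; the sample package and checksum lists it creates under a temporary directory are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the MDKSA-2005:071 advisory or Mandriva's tooling.
# Checks hand-downloaded update packages against an advisory's md5 list, then
# hands them to rpm for GPG signature verification.

# verify_md5_list LISTFILE BASEDIR
# Each line of LISTFILE is "<32 hex md5>  <path relative to BASEDIR>", exactly
# the layout of the "Updated Packages" section above. Returns 0 only if every
# listed file is present and matches; every missing or mismatching file is
# reported on stderr rather than stopping at the first problem.
verify_md5_list() {
    listfile=$1
    basedir=$2
    rc=0
    while read -r expected relpath; do
        # skip blank lines, section headers and underscores: keep only md5 entries
        [ -n "$expected" ] && [ -n "$relpath" ] || continue
        case $expected in *[!0-9a-f]*) continue ;; esac
        [ ${#expected} -eq 32 ] || continue
        f="$basedir/$relpath"
        if [ ! -f "$f" ]; then
            echo "MISSING  $relpath" >&2
            rc=1
            continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)" >&2
            rc=1
        fi
    done < "$listfile"
    return $rc
}

# verify_rpm_signatures FILE...
# An md5 match only shows the download is the file the advisory lists; the
# advisory itself is trusted through its PGP signature, and the packages
# through their RPM signatures. rpm checks those against its own keyring, so
# the vendor key must be imported first, e.g.
#   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
#   gpg --export -a 0x22458A98 > mandriva-security.asc
#   rpm --import mandriva-security.asc
# Skipped with a warning on hosts without rpm, so the md5 step still runs.
verify_rpm_signatures() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available, skipping signature check" >&2
        return 0
    fi
    rpm --checksig "$@"
}

# make_demo_tree
# Constructed demo data: a stand-in "package" plus two advisory-style lists.
# GOOD lists only the file that exists; BAD also lists a package that was
# never downloaded. Prints the directory it created.
make_demo_tree() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/10.1/RPMS"
    printf 'hello\n' > "$demo_dir/10.1/RPMS/sample.rpm"   # md5 of "hello\n"
    printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 10.1/RPMS/sample.rpm > "$demo_dir/GOOD"
    cp "$demo_dir/GOOD" "$demo_dir/BAD"
    printf '%s  %s\n' 00000000000000000000000000000000 10.1/RPMS/absent.rpm >> "$demo_dir/BAD"
    echo "$demo_dir"
}

demo=$(make_demo_tree)
echo "== list with every file present =="
verify_md5_list "$demo/GOOD" "$demo" && echo "md5 check passed"
echo "== list naming a package that was never downloaded =="
verify_md5_list "$demo/BAD" "$demo" || echo "md5 check FAILED: do not install" >&2
```

Run it with the advisory's checksum block saved to a file and the RPMs downloaded into a directory mirroring the listed paths; only a clean exit from verify_md5_list should be followed by verify_rpm_signatures on the same files, and a signature failure there overrides any md5 match.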
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCXdYwmqjQ0CJFipgRAiuIAJ0cS6yu54U+jEevRA4vmFEGYTdk4gCghOdV
QVG5/7iUy+TBjcEvfVHEaek=
=+qyw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/