From mueller@kde.org Thu Jul 21 14:39:23 2005 From: Dirk Mueller To: kde-announce@kde.org Cc: bugtraq@securityfocus.com Date: Thu, 21 Jul 2005 02:16:44 +0200 Subject: [KDE Security Advisory] Multiple libgadu vulnerabilities KDE Security Advisory: libgadu vulnerabilities Original Release Date: 2005-07-21 URL: http://www.kde.org/info/security/advisory-20050721-1.txt 0. References CVE CAN-2005-1852 1. Systems affected: All versions of Kopete as included in KDE 3.3.x up to including 3.4.1. KDE 3.2.x and older are not affected. 2. Overview: Kopete contains a copy of libgadu that is used if no compatible version is installed in the system. Several input validation errors have been reported in libgadu that can lead to integer overflows and remote DoS or arbitrary code execution. 3. Impact: If the Gadu-Gadu protocol handler in Kopete is used, remote users can DoS the Kopete client or possibly even execute arbitrary code. 4. Solution: Source code patches have been made available that update the included copy of libgadu to 1.6rc3 which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: A patch for KDE 3.4.1 is available from ftp://ftp.kde.org/pub/kde/security_patches : 675008c8bc9d7edf4d0034a398d15cf0 post-3.4.1-kdenetwork-libgadu.patch A patch for KDE 3.3.2 is available from ftp://ftp.kde.org/pub/kde/security_patches : 73ebcef42173bf567d473414693898b0 post-3.3.2-kdenetwork-libgadu.patch