Date: Fri, 1 Apr 2005 11:59:59 +0200
From: Jean-Yves Lefort <jylefort@...tele.be>
To: bugtraq@...urityfocus.com
Subject: multiple remote denial of service vulnerabilities in Gaim

I.   Synopsis

Gaim (http://gaim.sourceforge.net) is a multi-protocol instant
messaging client.

I have identified several remote denial of service vulnerabilities
affecting Gaim 1.2.0, and probably older versions as well.

II.  Problems

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer
overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages
without escaping markup (the list might not be exhaustive):

	irc_msg_kick()
	irc_msg_mode()
	irc_msg_part()
	irc_msg_quit()
	irc_msg_invite()

Because irc_msg_kick(), irc_msg_mode(), irc_msg_part() and irc_msg_quit()
do not escape their input, any remote user can inject Gaim markup into the
conversation window (annoying) and, provided that the conversation
window is being logged, trigger the gaim_markup_strip_html() buffer
overread (the text logger calls gaim_markup_strip_html() in
txt_logger_write()).

Because irc_msg_invite() does not escape its input, any remote user can
inject Pango markup into a GTK+ dialog box. Fortunately, since IRC channel
names cannot contain spaces, the user cannot insert things such as
<span size="$huge">foo</span> (that would cause the program to
crash). He can however pop up empty dialog boxes by injecting malformed
markup.

In several places, the IRC protocol plugin handles server messages
without escaping markup (the list is not exhaustive):

	irc_msg_badmode()
	irc_msg_banned()
	irc_msg_unknown()
	irc_msg_nochan()

This allows any malicious IRC server operator to inject Pango markup
into a GTK+ dialog box. The attacker can insert things such as
<span size="1000000000">foo</span> to crash the program.
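
As an added illustration (not code from this advisory or from Gaim), the two defensive routines the problems above call for: escaping IRC-supplied text before it reaches a markup-aware conversation window or GTK+/Pango dialog, and stripping tags without reading past the end of malformed HTML. Both helpers are hypothetical stand-ins written for this example; Gaim itself used GLib's escaping functions, and the inputs in the comments are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Escape the five XML/Pango markup metacharacters so that text taken from
 * a KICK, MODE, PART, QUIT or INVITE parameter is displayed literally
 * instead of being interpreted as markup. Returns a malloc'd string. */
char *markup_escape(const char *s)
{
    /* Worst case: every byte becomes a 6-byte entity such as &quot; */
    char *out = malloc(strlen(s) * 6 + 1), *o = out;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        default:   *o++ = *p; continue;
        }
        size_t r = strlen(rep);
        memcpy(o, rep, r);
        o += r;
    }
    *o = '\0';
    return out;
}

/* Strip tags from possibly malformed HTML without reading past the
 * terminating NUL: every loop step checks *p, so an unterminated '<'
 * simply discards the remainder of the string instead of scanning on
 * into adjacent memory. Returns a malloc'd string. */
char *strip_html_bounded(const char *s)
{
    char *out = malloc(strlen(s) + 1), *o = out;
    int in_tag = 0;
    if (!out) return NULL;
    for (const char *p = s; *p; p++) {
        if (in_tag) {
            if (*p == '>') in_tag = 0;
            continue;
        }
        if (*p == '<') { in_tag = 1; continue; }
        *o++ = *p;
    }
    *o = '\0';
    return out;
}
```

The escaped form of the advisory's example is `&lt;span size=&quot;1000000000&quot;&gt;foo&lt;/span&gt;`, which a Pango dialog renders as plain text rather than as a font-size request.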

III. Impact

Any remote IRC user may cause the victim's Gaim instance to crash, by
exploiting the gaim_markup_strip_html() bug in conjunction with the
lack of escaping in the IRC plugin.

Any remote IRC user may pop up empty dialog boxes on the victim's
computer, and may mess up the victim's conversation windows with fancy
or malformed markup.

Any remote IRC server operator may cause the victim's Gaim instance to
crash, by requesting huge font sizes from Pango.

IV.  Vendor response

The vendor has been informed via IM on 2005-03-25 and has acknowledged
the problems. Some bugs (gaim_markup_strip_html(), escaping of IRC
parts/quits) have been fixed in CVS. It is however unclear whether the
vendor is willing to fix the other problems or not.

-- 
Jean-Yves Lefort

jylefort@...tele.be
http://lefort.be.eu.org/
