lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050512164157.GB6387@piware.de>
Date: Thu, 12 May 2005 18:41:57 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-125-1] Gaim vulnerabilities

===========================================================
Ubuntu Security Notice USN-125-1	       May 12, 2005
gaim vulnerabilities
CAN-2005-0967, CAN-2005-1261, CAN-2005-1261
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gaim
gaim-data

The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.4 (for Ubuntu 4.10), or 1:1.1.4-1ubuntu4.1
(for Ubuntu 5.04). After a standard system upgrade you have to restart
Gaim to effect the necessary changes.

Details follow:

Marco Alvarez found a Denial of Service vulnerability in the Jabber
protocol handler. A remote attacker could exploit this to crash Gaim
by sending specially crafted file transfers to the user.
(CAN-2005-0967)

Stu Tomlinson discovered an insufficient bounds checking flaw in the
URL parser. By sending a message containing a very long URL, a remote
attacker could crash Gaim or execute arbitrary code with the
privileges of the user. This was not possible on all protocols, due to
message length restrictions. Jabber are SILC were known to be
vulnerable. (CAN-2005-1261)

Siebe Tolsma discovered a Denial of Service attack in the MSN handler.
By sending a specially crafted SLP message with an empty body, a
remote attacker could crash Gaim. (CAN-2005-1262)

Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.4.diff.gz
      Size/MD5:    46992 d36bd86fc86d0e1ed7cff852f262b3bd
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.4.dsc
      Size/MD5:      853 6a263a078b6fbf53822e59f466a8aae2
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0.orig.tar.gz
      Size/MD5:  6985979 7dde686aace751a49dce734fd0cb7ace

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.4_amd64.deb
      Size/MD5:  3444626 df8476ccc632e61dc8b7adc8567d3d46

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.4_i386.deb
      Size/MD5:  3354914 5dbdc651c4ec1bea08e2bc5061c80522

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.0.0-1ubuntu1.4_powerpc.deb
      Size/MD5:  3418282 8f3a48a0148143b4bb3c0d700417422f

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1.diff.gz
      Size/MD5:   106708 245a83a77b4ad58e3c9316f40b566cb2
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1.dsc
      Size/MD5:      991 b125a9154cf19e7d7947acb8418be0b5
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4.orig.tar.gz
      Size/MD5:  5188552 b55bf3217b271918384f3f015a6e5b62

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-data_1.1.4-1ubuntu4.1_all.deb
      Size/MD5:   603526 7f96838ec2b78882660115c39823aebe

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.1.4-1ubuntu4.1_amd64.deb
      Size/MD5:   101620 b2e42f7a640536c1165b43e7002f4fa6
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1_amd64.deb
      Size/MD5:   934090 ce17f19071a91c6af0ef361dd90f4bc8

  i386 architecture (x86 compatible Intel/AMD)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.1.4-1ubuntu4.1_i386.deb
      Size/MD5:   101620 616d89e2302ce0ee0f8d9493a24a1988
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1_i386.deb
      Size/MD5:   845470 e28a7383e86bf572dad84928b0b25624

  ia64 architecture (Intel Itanium)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.1.4-1ubuntu4.1_ia64.deb
      Size/MD5:   101634 601109a3df9d10f1bf9e5bbef48c06ae
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1_ia64.deb
      Size/MD5:  1258622 fa30fc5985afe77a04dbdcbc4d977202

  powerpc architecture (Apple Macintosh G3/G4/G5)

    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim-dev_1.1.4-1ubuntu4.1_powerpc.deb
      Size/MD5:   101648 525baf5b4ab9ff70172864b3d5a48a05
    http://security.ubuntu.com/ubuntu/pool/main/g/gaim/gaim_1.1.4-1ubuntu4.1_powerpc.deb
      Size/MD5:   910280 a651ab439ffc1bcb15f42b7a4a804f07

Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ