Skip to navigation

Security Advisory gaim security update

Advisory: RHSA-2005:627-11
Type: Security Advisory
Severity: Critical
Issued on: 2005-08-09
Last updated on: 2005-08-09
Affected Products: Red Hat Desktop (v. 3)
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux WS (v. 3)
Red Hat Enterprise Linux WS (v. 4)
CVEs (cve.mitre.org): CVE-2005-2102
CVE-2005-2103
CVE-2005-2370

Details

An updated gaim package that fixes multiple security issues is now available.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Gaim is an Internet Messaging client.

A heap based buffer overflow issue was discovered in the way Gaim processes
away messages. A remote attacker could send a specially crafted away
message to a Gaim user logged into AIM or ICQ that could result in
arbitrary code execution. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2103 to this issue.

Daniel Atallah discovered a denial of service issue in Gaim. A remote
attacker could attempt to upload a file with a specially crafted name to a
user logged into AIM or ICQ, causing Gaim to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-2102 to this issue.

A denial of service bug was found in Gaim's Gadu Gadu protocol handler. A
remote attacker could send a specially crafted message to a Gaim user
logged into Gadu Gadu, causing Gaim to crash. Please note that this issue
only affects PPC and IBM S/390 systems running Gaim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2005-2370 to this issue.

Users of gaim are advised to upgrade to this updated package, which
contains backported patches and is not vulnerable to these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)

IA-32:
gaim-1.3.1-0.el3.3.i386.rpm
File outdated by:  RHBA-2006:0135
    MD5: 33c487f6fe88c3573f63bc4044997cad
 
x86_64:
gaim-1.3.1-0.el3.3.x86_64.rpm
File outdated by:  RHBA-2006:0135
    MD5: 5e8c3bf3eb8679f85774713462db8242
 
Red Hat Desktop (v. 4)

IA-32:
gaim-1.3.1-0.el4.3.i386.rpm
File outdated by:  RHBA-2006:0133
    MD5: c7343c6cc89f9e6e3dd30a9b918a9c8e
 
x86_64:
gaim-1.3.1-0.el4.3.x86_64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 7611deb734363f6dceef660f19c3f4b9
 
Red Hat Enterprise Linux AS (v. 3)

IA-32:
gaim-1.3.1-0.el3.3.i386.rpm
File outdated by:  RHBA-2006:0135
    MD5: 33c487f6fe88c3573f63bc4044997cad
 
IA-64:
gaim-1.3.1-0.el3.3.ia64.rpm
File outdated by:  RHBA-2006:0135
    MD5: ab1a9e0a24a296ced5779462f46c26a5
 
PPC:
gaim-1.3.1-0.el3.3.ppc.rpm
File outdated by:  RHBA-2006:0135
    MD5: 2d58f880338491f34713a51db6aba3ec
 
s390:
gaim-1.3.1-0.el3.3.s390.rpm
File outdated by:  RHBA-2006:0135
    MD5: a0e34b7891936843e174ed7a50634536
 
s390x:
gaim-1.3.1-0.el3.3.s390x.rpm
File outdated by:  RHBA-2006:0135
    MD5: c3e794cd5b905baf5b29848e47a7b8b2
 
x86_64:
gaim-1.3.1-0.el3.3.x86_64.rpm
File outdated by:  RHBA-2006:0135
    MD5: 5e8c3bf3eb8679f85774713462db8242
 
Red Hat Enterprise Linux AS (v. 4)

IA-32:
gaim-1.3.1-0.el4.3.i386.rpm
File outdated by:  RHBA-2006:0133
    MD5: c7343c6cc89f9e6e3dd30a9b918a9c8e
 
IA-64:
gaim-1.3.1-0.el4.3.ia64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 717a21a30f477f71d6aac3052a6f2fcb
 
PPC:
gaim-1.3.1-0.el4.3.ppc.rpm
File outdated by:  RHBA-2006:0133
    MD5: c8609fd4b5cc9801ea6cd131833da6c7
 
s390:
gaim-1.3.1-0.el4.3.s390.rpm
File outdated by:  RHBA-2006:0133
    MD5: 5a2aa34b2844b9916e2f2cd2c39f6bb3
 
s390x:
gaim-1.3.1-0.el4.3.s390x.rpm
File outdated by:  RHBA-2006:0133
    MD5: 40f2ac0065deb7cfda303d2efabbf9ac
 
x86_64:
gaim-1.3.1-0.el4.3.x86_64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 7611deb734363f6dceef660f19c3f4b9
 
Red Hat Enterprise Linux ES (v. 3)

IA-32:
gaim-1.3.1-0.el3.3.i386.rpm
File outdated by:  RHBA-2006:0135
    MD5: 33c487f6fe88c3573f63bc4044997cad
 
IA-64:
gaim-1.3.1-0.el3.3.ia64.rpm
File outdated by:  RHBA-2006:0135
    MD5: ab1a9e0a24a296ced5779462f46c26a5
 
x86_64:
gaim-1.3.1-0.el3.3.x86_64.rpm
File outdated by:  RHBA-2006:0135
    MD5: 5e8c3bf3eb8679f85774713462db8242
 
Red Hat Enterprise Linux ES (v. 4)

IA-32:
gaim-1.3.1-0.el4.3.i386.rpm
File outdated by:  RHBA-2006:0133
    MD5: c7343c6cc89f9e6e3dd30a9b918a9c8e
 
IA-64:
gaim-1.3.1-0.el4.3.ia64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 717a21a30f477f71d6aac3052a6f2fcb
 
x86_64:
gaim-1.3.1-0.el4.3.x86_64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 7611deb734363f6dceef660f19c3f4b9
 
Red Hat Enterprise Linux WS (v. 3)

IA-32:
gaim-1.3.1-0.el3.3.i386.rpm
File outdated by:  RHBA-2006:0135
    MD5: 33c487f6fe88c3573f63bc4044997cad
 
IA-64:
gaim-1.3.1-0.el3.3.ia64.rpm
File outdated by:  RHBA-2006:0135
    MD5: ab1a9e0a24a296ced5779462f46c26a5
 
x86_64:
gaim-1.3.1-0.el3.3.x86_64.rpm
File outdated by:  RHBA-2006:0135
    MD5: 5e8c3bf3eb8679f85774713462db8242
 
Red Hat Enterprise Linux WS (v. 4)

IA-32:
gaim-1.3.1-0.el4.3.i386.rpm
File outdated by:  RHBA-2006:0133
    MD5: c7343c6cc89f9e6e3dd30a9b918a9c8e
 
IA-64:
gaim-1.3.1-0.el4.3.ia64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 717a21a30f477f71d6aac3052a6f2fcb
 
x86_64:
gaim-1.3.1-0.el4.3.x86_64.rpm
File outdated by:  RHBA-2006:0133
    MD5: 7611deb734363f6dceef660f19c3f4b9
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

165392 - CAN-2005-2370 gadu gadu memory alignment issue
165400 - CAN-2005-2102 gaim AIM invalid filename DoS
165402 - CAN-2005-2103 Gaim malformed away message remote code execution


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/