Bug 158543
| Field | Value |
|---|---|
| Summary | CAN-2005-1261,1262,1269,1934, 2102, 2103, 2370 gaim <1.5.0 security issues |
| Product | [Retired] Fedora Legacy |
| Component | gaim |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | LEGACY, rh73, rh90, 1, 2, |
| Reporter | Marc Deslauriers <marc.deslauriers> |
| Assignee | Marc Deslauriers <marc.deslauriers> |
| CC | bugs, bugzilla.redhat, deisenst, donjr, jam, jpdalbec, pekkas |
| Doc Type | Bug Fix |
| Last Closed | 2006-02-25 14:54:49 UTC |
| Bug Blocks | 152916 |

Description
Marc Deslauriers
2005-05-23 14:11:36 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated gaim packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers> 1.3.0-0.73.1.legacy
- - Updated to 1.3.0 to fix security issues

d390af70308f2fe3299383e207ffc0830e51c849 7.3/gaim-1.3.0-0.73.1.legacy.i386.rpm
78da71a1cf6cbd5ceed0cd41c96c688c488ee0f5 7.3/gaim-1.3.0-0.73.1.legacy.src.rpm
035f9496f9ba3c0bc02e76d79c4e9a9c1d88c3e8 9/gaim-1.3.0-0.90.1.legacy.i386.rpm
8333385924f4a090578461ac26b9da275cb17c8c 9/gaim-1.3.0-0.90.1.legacy.src.rpm
a85108dbfba8199299cedbce43ba08ac69fb094a 1/gaim-1.3.0-1.fc1.legacy.i386.rpm
f91f89104f9c1a413b7e8d870425ed7e687c1d69 1/gaim-1.3.0-1.fc1.legacy.src.rpm
1e1b3d4afd31ce30bb4f5ef2ba8d06b4638593c0 2/gaim-1.3.0-1.fc2.legacy.i386.rpm
dae4988683cc7dce6618dad7368ee5ac86bf9024 2/gaim-1.3.0-1.fc2.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gaim-1.3.0-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gaim-1.3.0-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gaim-1.3.0-0.90.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gaim-1.3.0-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gaim-1.3.0-1.fc1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gaim-1.3.0-1.fc1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gaim-1.3.0-1.fc2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gaim-1.3.0-1.fc2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCkg2VLMAs/0C4zNoRAmgvAKDALcrMzfqoNWpjEJ/Xjw3mcAbtQACdGQK7
UNT0mjy9+mYiHHQLY/BrpSU=
=McSB
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity verified
 - spec file changes minimal (but see below)
 - only language patches for the desktop icon, OK

I noticed that FC2 package doesn't have the perl build hack (maybe it doesn't need it?) while the others do, and that perl integration was turned on in RHL9 while previously it was turned off (but I recall it was turned off because in the previous legacy package because it didn't work because of the hack, so it should be OK).

I think the FC2 perl build hack, if it's even needed, can be added when rebuilding, so..

+PUBLISH RHL73,RHL9,FC1,FC2

78da71a1cf6cbd5ceed0cd41c96c688c488ee0f5 gaim-1.3.0-0.73.1.legacy.src.rpm
8333385924f4a090578461ac26b9da275cb17c8c gaim-1.3.0-0.90.1.legacy.src.rpm
f91f89104f9c1a413b7e8d870425ed7e687c1d69 gaim-1.3.0-1.fc1.legacy.src.rpm
dae4988683cc7dce6618dad7368ee5ac86bf9024 gaim-1.3.0-1.fc2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFClA6OGHbTkzxSL7QRAhN0AKCgdPw8vaBozqwQee5dSKMY78z6bgCgo6Df
SUL/UzioDUbEM4VWqaEL6ak=
=AGhN
-----END PGP SIGNATURE-----

I'd like to know when these rpms are going to be published.

Currently they're waiting to be built for updates-testing. Before that happens, there isn't much that can be done. After that is done, the packages will need to be VERIFYed (basically just simple testing that the program still works fine) and then they can be released.

Packages were pushed to updates-testing.

*** Bug 152916 has been marked as a duplicate of this bug. ***

We need to update to 1.3.1:

Description of problem:

05.24.26 CVE: CAN-2005-1269
Platform: Cross Platform
Title: Gaim Yahoo! Protocol Support File Download Denial of Service
Description: Gaim is an instant messaging client that supports numerous protocols. Gaim is affected by a denial of service vulnerability during the download of a file using the Yahoo! protocol. This issue can allow remote attackers to cause an affected client to fail. Gaim versions prior to 1.3.1 are reportedly affected by this vulnerability.
Ref: http://gaim.sourceforge.net/security/index.php?id=18

05.24.27 CVE: CAN-2005-1934
Platform: Cross Platform
Title: Gaim MSN Protocol Denial of Service
Description: Gaim is an instant messaging client. It is vulnerable to a denial of service issue when handling malformed messages using the MSN protocol. Gaim versions prior to 1.3.1 are not vulnerable.
Ref: http://gaim.sourceforge.net/security/index.php?id=19

*** Bug 160834 has been marked as a duplicate of this bug. ***

Now we need to update to 1.5.0

The three new vulnerabilities Marc is referring to in comment #9, all fixed in version 1.5.0:

* CAN-2005-2102 - AIM/ICQ non-UTF-8 filename crash
  "Invalid filenames can cause a crash on some systems. A remote user could cause Gaim to crash on some systems by sending the Gaim user a file whose filename contains certain invalid characters. It is unknown what combination of systems are affected, but it is suspected that Windows users and systems with older versions of GTK+ are especially susceptible."
  -- <http://gaim.sourceforge.net/security/index.php?id=21>

* CAN-2005-2103 - AIM/ICQ away message buffer overflow
  "A remote AIM or ICQ user can cause a buffer overflow in Gaim by setting an away message containing many AIM substitution strings (such as %t or %n)."
  -- <http://gaim.sourceforge.net/security/index.php?id=22>

* CAN-2005-2370 - Gadu-Gadu memory alignment bug
  "A memory alignment bug in the Gadu-Gadu protocol plugin can result in a buffer overflow. There was a memory alignment bug in the library Gaim uses to access the Gadu-Gadu network. This bug can not be exploited on x86 architectures. This bug was recently fixed in the libgadu library, but also needed to be fixed in Gaim because Gaim includes a copy of the libgadu library."
  -- <http://gaim.sourceforge.net/security/index.php?id=20>

I am willing to build .src.rpm packages for gaim-1.5.0 for all four releases. However, I only have dialup access to the Internet, and it would be a pain to download all four .src.rpm's currently in updates-testing (over 20.4 megabytes) when all I need from them would be the current .spec files and/or any patches that might be with them.

Does anyone have those .spec files (& appropriate patches) handy? If so, could you email them to me, being careful to label which goes with which if necessary? Or post them somewhere I can download them easily?

Thanks in advance!
-David

FYI:

05.32.16 CVE: CAN-2005-2103, CAN-2005-2102
Platform: Cross Platform
Title: Gaim Protocols Multiple Vulnerabilities
Description: Gaim is an instant messaging client. It is vulnerable to multiple issues affecting the AIM and ICQ protocols, such as buffer overflow and denial of service. Gaim versions 1.3.1 and earlier are vulnerable.
Ref: http://rhn.redhat.com/errata/RHSA-2005-589.html
http://rhn.redhat.com/errata/RHSA-2005-627.html

Regarding comment 11 -- nevermind. I am working on a FC1 version of gaim-1.5.0 (got sources from FC3 version, making a couple small changes to the spec-file turning off FC3+ features.) I will post a link to a FC1 .src.rpm in the next day or so for QA.

Perhaps someone who is more familiar with RH73, RH9 and FC2 will know what things need tweaking to make workable .src.rpm's for those O/S versions?

Created attachment 118698
Spec, patch files for gaim-1.5.0, which fixes security problems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

48da3864254fec01aa9f31af2da848c8412ee1af gaim-1.5.0-FC1-build-files.tar.gz

Enclosed for your review, gaim-1.5.0-FC1-build-files.tar.gz includes the spec file and all of the patches needed to build a version of gaim-1.5.0 for FC1; maybe other distro's as well. It includes everything but the gaim-1.5.0.tar.bz2 source tarball, which can be retrieved from RedHat's FC3 .src.rpm or from the upstream repository at gaim.sourceforge.net.

MANIFEST:
  893 2005-06-09 23:04:28 gaim-1.5.0-FC1/gaim-1.3.1-PIE.patch
 2440 2005-08-11 23:38:34 gaim-1.5.0-FC1/gaim-desktop.patch
10794 2005-06-09 23:04:28 gaim-1.5.0-FC1/gaim-fedora-prefs.xml
22687 2005-09-11 19:29:12 gaim-1.5.0-FC1/gaim.spec
  644 2004-09-09 00:03:13 gaim-1.5.0-FC1/gaim-0.76-xinput.patch
  454 2004-10-07 23:40:38 gaim-1.5.0-FC1/gaim-1.0.1-naive-gnome-check.patch
22925 2005-09-08 12:13:17 gaim-1.5.0-FC1/other/gaim-1.5.0-1.fc1.1.legacy.spec

Have been running a binary package based on this. It seems to work well. (Please note that what I built and am currently running omits Red Hat's PIE patch (is using the spec file in the "other/" directory, not "gaim.spec"), because I wanted to run gaim under a debugger. GDB refuses to run an executable that is also a shared object file. Also note that I decided to include a couple things in the doc directory that Red Hat decided not to -- The poem "The Penguin" is cute!) :-)

If somebody can help me with some webspace, I can also upload an .src.rpm file for your review.

Hope this helps.

=====
ps: URL's to download the source tarball if it helps:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/SRPMS/gaim-1.5.0-1.fc3.src.rpm
or
http://prdownloads.sourceforge.net/gaim/gaim-1.5.0.tar.bz2?download
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDJNCDxou1V/j9XZwRAqGlAKCuNzKV9cxeIFviSr90LHxOoXiV/gCgomim
A5a0j5aSB3/I+IZnBk148RM=
=0467
-----END PGP SIGNATURE-----

Grr...

$ cat <comment 14> | sed -e "s/ger\..GDB/ger. GDB/" \
    | sed -e "/fc3.src.rpm/{n;d}" | gpg --verify

should yield the proper validation of the comment's signature, if you wish to validate what I posted.

*sigh*
-David

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated Fedora Core 1 gaim package to QA:

943907fbd013a565e3634b69a1542b2763b13dc7 gaim-1.5.0-1.fc1.2.legacy.src.rpm

http://www.fedoralegacy.org/contrib/gaim/gaim-1.5.0-1.fc1.2.legacy.src.rpm

Please note that I changed the spec-file to include a couple things in the doc directory that Red Hat decided not to -- The poem "The Penguin" is cute! :-) Also the file "COPYRIGHT" so the list of gaim contributors would be included with the binaries and not just the sources.

Also note that this gaim includes Red Hat's gaim-1.3.1-PIE.patch. I don't know why they include that patch, but they do. Maybe it's for security reasons.

Have been using this version of Gaim without incident since 8-Sep-2005. Seems to work well. If anyone wants test binaries to look at, I can post them too. Let me know.

Please QA and post your results. Thanks.

=====
FC1 Changelog (since Marc's proposed gaim-1.3.0 packages in comment 1):
(n.b.: I munged email addresses, see changelog in .srpm for the real ones.)

* Sun Sep 11 2005 David Eisenstein <deisenst@...> 1:1.5.0-1.fc1.2.legacy
- - Re-spin as Fedora Legacy FC1 security update. Bugzilla Bug 158543.

* Thu Aug 11 2005 Warren Togami <wtogami@r....com> - 1:1.5.0-1
- - 1.5.0 security and bug fixes
  CAN-2005-2370 Gadu-Gadu memory alignment bug
  CAN-2005-2102 AIM/ICQ non-UTF-8 Filename Crash
  CAN-2005-2103 AIM/ICQ away message buffer overflow

* Tue Aug 9 2005 Jeremy Katz <katzj@r....com> - 1:1.4.0-7
- - rebuild for new evolution-data-server

* Mon Aug 1 2005 Warren Togami <wtogami@r....com> 1:1.4.0-6
- - FC5+ bash regex replace for -fstack-protector-all (mharris)

* Sun Jul 31 2005 Warren Togami <wtogami@r....com> 1:1.4.0-5
- - FC5+ automatic -fstack-protector-all switch
- - 150: MSN buddy names with space disconnect and profile corruption (supercedes patch 149)
- - 151: Gadu Gadu memory alignment crash
- - 152: Rename Group Merge crash
- - 153: mailto: parse crash (util.c)
- - 154: mailto: parse crash (MSN)
- - 155: mailto: parse crash (Zephyr)

* Mon Jul 11 2005 Warren Togami <wtogami@r....com> 1:1.4.0-4
- - 149: MSN username with space disconnect fix
- - Do not own perl dir, remove empty files (#162994 jpo)

* Sun Jul 10 2005 Warren Togami <wtogami@r....com> 1:1.4.0-2
- - 148: AIM login crash fix

* Thu Jul 07 2005 Warren Togami <wtogami@r....com> 1:1.4.0-1
- - 1.4.0

* Thu Jun 09 2005 Warren Togami <wtogami@r....com> 1:1.3.1-0
- - 1.3.1 more bug fixes CAN-2005-1269 CAN-2005-1934
- - enable Message Notification plugin by default

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@....ca> 1:1.3.0-1.fc1.1.legacy
- - Rebuilt as Fedora Legacy FC1 security update
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDMdXtxou1V/j9XZwRAkcnAKD0R0VC6fpT1zyrJYwOIi4Q5HJAvQCfToYI
mU11iAAZr/m60/Kx1Z0DbC8=
=7C4G
-----END PGP SIGNATURE-----

There were some minor changes to the desktop file, but nothing big. I could give FC1 version a publish, but I'd prefer to do it for all the arches at the same time.

As for PIE, it's not (directly) security related, so no need to add those patches on arches which don't already have it. See: http://en.wikipedia.org/wiki/Position_independent_code

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated gaim packages for rh73, rh9 and fc2 to QA:

add1cc5a66075dade5022f0ada975b66480f7ced 7.3/gaim-1.5.0-0.73.1.legacy.i386.rpm
600c0082bd52b646f003df0c11879c8fb93e4c60 7.3/gaim-1.5.0-0.73.1.legacy.src.rpm
095dcc381905aaea87a5fe4d4e51e88e3f0c759d 9/gaim-1.5.0-0.90.1.legacy.i386.rpm
e100a60fd4299abd43fc8221ceffe91b15fae650 9/gaim-1.5.0-0.90.1.legacy.src.rpm
d6811eef01c3634b1f6f9060d6b5c11ce23268f6 2/gaim-1.5.0-1.fc2.1.legacy.i386.rpm
ccd913a6f7902e6c3e88e2bfe3423120526cb16c 2/gaim-1.5.0-1.fc2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gaim-1.5.0-0.73.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/gaim-1.5.0-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gaim-1.5.0-0.90.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gaim-1.5.0-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gaim-1.5.0-1.fc2.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gaim-1.5.0-1.fc2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD0Y4rLMAs/0C4zNoRAm4hAJsE7AWMH3uQ0gjNb7kPrHutgCzAIwCguemV
8qS0awdQhTYerIbVpfXrMYE=
=6Hg2
-----END PGP SIGNATURE-----

I took a look at these; RHL9 and FC2 looked good. I'd like to get new packages incorporating the CVS fixes etc. (similar methodology as for FC2) for FC1 as well, so that the updates would be the same "across the board".

RHL73 looked good, but .spec file wasn't "upgraded" based on FC4 similar to the others. Cursorily looking, the changes looked good though. Was there a particular reason not to bump the spec file (lack of RHL73 integration, maybe..) ?

RHL 7.3 is substantially different. The desktop links are not in the same place, we can't ship the tray icon plugin, etc. The changes to the spec file would be substantial, so we're better off just using the old one.

I'll make another fc1 package.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are gaim packages for fc1 to QA:

0907e8d51f039f53057c6080011869634895cc5d gaim-1.5.0-1.fc1.1.legacy.i386.rpm
7981f9603dedf84a852de15bbbc958d17ddfbf08 gaim-1.5.0-1.fc1.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/1/gaim-1.5.0-1.fc1.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gaim-1.5.0-1.fc1.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFD0ll7LMAs/0C4zNoRAvzoAKCsGSDujQqKQWGNSU1X92dgkFq5gwCfUCHY
084J3i8Jvc5VQs7eyV3YD3M=
=Msup
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal (rhl73) or minimal compared to fc4
 - patches verified from fc4

+PUBLISH RHL73,RHL9,FC1,FC2

600c0082bd52b646f003df0c11879c8fb93e4c60 gaim-1.5.0-0.73.1.legacy.src.rpm
e100a60fd4299abd43fc8221ceffe91b15fae650 gaim-1.5.0-0.90.1.legacy.src.rpm
7981f9603dedf84a852de15bbbc958d17ddfbf08 gaim-1.5.0-1.fc1.1.legacy.src.rpm
ccd913a6f7902e6c3e88e2bfe3423120526cb16c gaim-1.5.0-1.fc2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFD0mFjGHbTkzxSL7QRAli4AJ0Ud8afWtsumu+PU2TSiMJnOLo9KgCgrr0F
hV7RzQyQk5gfL3XHJQXikEw=
=DAbD
-----END PGP SIGNATURE-----

Packages were pushed to updates-testing

New policy: automatic accept after two weeks if no negative feedback.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the following:

a51c47a7e69e2ae0de301b5aea04a078a34bd494 gaim-1.5.0-0.73.1.legacy.i386.rpm
99901a3c55dc899071cd0373c71ce18b694e38d0 gaim-1.5.0-0.90.1.legacy.i386.rpm
fda20f97bf8c2ce8a5075c579bcbf6c3e3a66e81 gaim-1.5.0-1.fc1.1.legacy.i386.rpm
d8c6b98a019633a8a2debd6e2a86daccae6cdeda gaim-1.5.0-1.fc2.1.legacy.i386.rpm

Upgraded fine. Logged into AIM, tested by talking to a couple of bots. Was able to log into ICQ, MSN and Yahoo.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFD+TTdpxMPKJzn2lIRAuxFAJkBnoMxo1Rgp8fjbZ9LQz28AHNhQQCgtVOV
jWOX2uueJOfSiCgAg2CMlvo=
=SuoS
-----END PGP SIGNATURE-----

Thanks!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VERIFY QA on FC1 version of gaim.

fda20f97bf8c2ce8a5075c579bcbf6c3e3a66e81 gaim-1.5.0-1.fc1.1.legacy.i386.rpm

* SHA1sums match.
* Properly signed by the Fedora Legacy key.
* Installed fine; except -- I had already installed gaim-1.5.0-1.fc1 packages from ones that I had built and submitted for QA awhile back. I had to manually uninstall the other version of gaim to install the one in updates-testing. The FC1 packages should have been named "gaim-1.5.0-1.fc1.3.legacy" for upward-compatibility.
* This version of gaim, with the (upstream?) CVS changes included, works fine and has worked well ever since I installed it, a week or two ago.

GRIPE: The fact that I did any work at all on this version of gaim, creating packages that address the security vulnerabilities this bug ticket is supposed to address, has been obliterated in the changelog for the RPM's that Marc Deslauriers submitted, which goes against Fedora Legacy policy and good etiquette.

It is too late at this juncture to think about changing the FC1 packages to reflect my work on this, poor as it may have been; but I suppose that it doesn't matter, as that work was discarded anyway. We can do better than this.

VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFD+XBTxou1V/j9XZwRAuQTAJsEp6Vue0snoK5bk3b9s0GphrJgrgCfWZZb
0JvcpvrdvCeE/0m+ljmU20U=
=YUOr
-----END PGP SIGNATURE-----

I am sorry David. I simply rebuilt the .src.rpm directly from upstream. I did not intend to offend you by not using your updated package. :(

I think one of the most important things FL should be focusing on is common methodology for all the releases, i.e., unless there are good reasons for otherwise, all the releases should be updated in a similar manner. Also the amount of non-required changes should be minimized.

The practical problem right now is that unless folks have set up local mach/mock environments, have fast net access, etc., they can't really propose packages in a useful manner.

Thank you, Marc. Not necessary to use the package I made, especially if there was a much better one out there. But it is important to increment version numbers and retain changelog entries, even if nothing remains of the work but those changelog entries.

Created attachment 125165
Proposed Fedora Legacy Update Advisory for this issue.
Here is a proposed update advisory for this issue, so we can release these
packages to updates.
Hope this helps.
-David
Thanks David! Packages were released
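
The signed QA comments in this thread publish "SHA1 filename" lists that testers compare downloaded packages against before voting PUBLISH or VERIFY. The following is an added example of that check, not a script from this thread or from Fedora Legacy (it is not rpm-build-compare.sh); the function name `verify_manifest`, the file names and the sample data are hypothetical and constructed.

```shell
#!/bin/sh
# Added example: check files against "<sha1> <path>" lines copied from a
# signed QA comment. File names and contents in demo() are constructed.

# verify_manifest MANIFEST DIR: prints one status line per entry and
# returns the number of entries that did not verify.
verify_manifest() {
    manifest=$1; dir=$2; bad=0
    while read -r want path rest || [ -n "$want" ]; do
        # Skip prose, PGP armor and anything that is not "<40 hex> <path>".
        case $want in ''|*[!0-9a-fA-F]*) continue ;; esac
        if [ "${#want}" -ne 40 ] || [ -z "$path" ] || [ -n "$rest" ]; then
            continue
        fi
        # Refuse absolute paths and ".." components so checks stay inside DIR.
        case $path in
            /*|..|../*|*/..|*/../*)
                echo "REJECTED $path"; bad=$((bad + 1)); continue ;;
        esac
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING  $path"; bad=$((bad + 1)); continue
        fi
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        got=$(sha1sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed sample: two files that match, one changed after the sums
# were published, and one that is listed but was never downloaded.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/1" "$tmp/2"
    printf 'hello\n' > "$tmp/1/good.src.rpm"
    : > "$tmp/2/empty.src.rpm"
    printf 'tampered\n' > "$tmp/2/changed.i386.rpm"
    cat > "$tmp/sums.txt" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Here are updated packages to QA:
f572d396fae9206628714fb2ce00f72e94f2258f 1/good.src.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 2/empty.src.rpm
f572d396fae9206628714fb2ce00f72e94f2258f 2/changed.i386.rpm
da39a3ee5e6b4b0d3255bfef95601890afd80709 2/absent.i386.rpm
EOF
    verify_manifest "$tmp/sums.txt" "$tmp"
    failures=$?
    rm -rf "$tmp"
    return "$failures"
}

demo || echo "$? entries failed verification"
```

A matching sum only shows that the file is the one the comment's author hashed; the comment's own signature still has to pass `gpg --verify` for the list to mean anything.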