Two Gaim DoS issues were reported to bugtraq:
http://www.securityfocus.com/archive/1/394806/2005-04-01/2005-04-07/0

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages without escaping markup
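As an added illustration of the first issue (example code written for this page; it is not Gaim's gaim_markup_strip_html() and not the fix that shipped), the stripper below bounds every scan by the input length rather than by "find the next '>'", so malformed HTML such as an unterminated tag or comment ends the scan at the end of the buffer instead of reading past it. The function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* strip_markup: copy `in` (length `len`, need not be NUL-terminated) into a
 * newly allocated string with tags and comments removed.  Every loop is
 * bounded by `len`, so an unterminated "<" or "<!--" stops at the end of the
 * buffer instead of reading beyond it.  Hypothetical helper for illustration;
 * not Gaim's code. */
char *strip_markup(const char *in, size_t len)
{
    char *out = malloc(len + 1);      /* output is never longer than input */
    if (out == NULL)
        return NULL;

    size_t i = 0, o = 0;
    while (i < len) {
        if (in[i] != '<') {
            out[o++] = in[i++];
            continue;
        }
        /* HTML comment: skip to "-->" or to end of input, whichever is first */
        if (len - i >= 4 && memcmp(in + i, "<!--", 4) == 0) {
            i += 4;
            while (i < len) {
                if (len - i >= 3 && memcmp(in + i, "-->", 3) == 0) {
                    i += 3;
                    break;
                }
                i++;
            }
            continue;
        }
        /* ordinary tag: skip to '>' or to end of input */
        while (i < len && in[i] != '>')
            i++;
        if (i < len)
            i++;                      /* consume the '>' */
    }
    out[o] = '\0';
    return out;
}

/* strip_equals: strip a NUL-terminated string and compare with `expected`.
 * Returns 1 on match, 0 otherwise (including allocation failure). */
int strip_equals(const char *in, const char *expected)
{
    char *s = strip_markup(in, strlen(in));
    if (s == NULL)
        return 0;
    int eq = strcmp(s, expected) == 0;
    free(s);
    return eq;
}

int main(void)
{
    /* constructed inputs: well-formed markup plus the malformed cases */
    const char *cases[][2] = {
        { "<b>hello</b> world", "hello world" },
        { "trailing <",         "trailing " },   /* unterminated tag */
        { "a<!-- never closed", "a" },           /* unterminated comment */
        { "x<!--y-->z",         "xz" },
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++)
        printf("%-22s -> %s\n", cases[k][0],
               strip_equals(cases[k][0], cases[k][1]) ? "ok" : "MISMATCH");
    return 0;
}
```

The point of the design is that the input length is the only termination condition; a NUL-terminated scanner that looks for the closing delimiter first is exactly the shape that reads past the end when the delimiter never arrives.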
This issue should also affect RHEL3. I'm not sure if this will affect RHEL2.1 (Warren, can you take a look?)
This issue does not affect RHEL2.1.
======================================================
Candidate: CAN-2005-0965
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0965
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2

The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read.

======================================================
Candidate: CAN-2005-0966
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0966
Reference: BUGTRAQ:20050401 multiple remote denial of service vulnerabilities in Gaim
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111238715307356&w=2
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?group_id=235&release_id=317750
Reference: XF:gaim-irc-plugin-bo(19937)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19937
Reference: XF:gaim-ircmsginvite-dos(19939)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19939

The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions.
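As an added example of the escaping that the second candidate says the IRC plugin lacked (example code written for this page, not Gaim's irc_msg_* handlers and not the shipped fix): nick and reason strings received from the IRC server are entity-escaped before they are placed inside the client's own message markup, so only the template's tags are interpreted and server-supplied text is rendered literally. In a GLib program the same job is done by g_markup_escape_text(); the functions and sample values below are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* escape_markup: return a newly allocated copy of `in` with the characters
 * that carry meaning in HTML/Pango-style markup replaced by entities.
 * Hypothetical helper for illustration; not Gaim's code. */
char *escape_markup(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len * 6 + 1);   /* worst case: every byte -> "&quot;" */
    if (out == NULL)
        return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        const char *rep = NULL;
        switch (in[i]) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep != NULL) {
            size_t r = strlen(rep);
            memcpy(out + o, rep, r);
            o += r;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* format_part_notice: build the system message shown when `nick` leaves a
 * channel giving `reason`.  Both values come from the network and are
 * escaped before being placed inside the template's own markup.
 * Returns a malloc'd string, or NULL on allocation failure. */
char *format_part_notice(const char *nick, const char *reason)
{
    char *n = escape_markup(nick);
    char *r = escape_markup(reason);
    char *msg = NULL;
    if (n != NULL && r != NULL) {
        size_t need = strlen(n) + strlen(r) + sizeof "<b></b> has left ()";
        msg = malloc(need);
        if (msg != NULL)
            snprintf(msg, need, "<b>%s</b> has left (%s)", n, r);
    }
    free(n);
    free(r);
    return msg;
}

/* raw_tag_count: number of '<' bytes in `s` that begin anything other than
 * the template's own "<b>" / "</b>".  A correctly escaped notice has zero;
 * a non-zero count means network text reached the renderer as markup. */
int raw_tag_count(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '<')
            continue;
        if (strncmp(s, "<b>", 3) == 0 || strncmp(s, "</b>", 4) == 0)
            continue;
        n++;
    }
    return n;
}

/* part_notice_is: 1 if the formatted notice equals `expected` and contains
 * no raw tags beyond the template's, else 0. */
int part_notice_is(const char *nick, const char *reason, const char *expected)
{
    char *m = format_part_notice(nick, reason);
    if (m == NULL)
        return 0;
    int ok = strcmp(m, expected) == 0 && raw_tag_count(m) == 0;
    free(m);
    return ok;
}

int main(void)
{
    /* constructed sample: a PART reason that itself contains markup */
    char *m = format_part_notice("alice", "<i>bye</i> & thanks");
    if (m != NULL) {
        printf("%s\nraw tags: %d\n", m, raw_tag_count(m));
        free(m);
    }
    return 0;
}
```

raw_tag_count() is the kind of assertion a unit test for a message formatter can carry: whatever the server sends in the nick or reason fields, the only tags that reach the renderer are the ones the client put there itself.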
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-365.html