Bug 158543 - CAN-2005-1261,1262,1269,1934, 2102, 2103, 2370 gaim <1.5.0 security issues
Summary: CAN-2005-1261,1262,1269,1934, 2102, 2103, 2370 gaim <1.5.0 security issues
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: gaim
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Marc Deslauriers
QA Contact:
Whiteboard: LEGACY, rh73, rh90, 1, 2,
Duplicates: 152916 160834
Depends On:
Blocks: 152916
Reported: 2005-05-23 14:11 UTC by Marc Deslauriers
Modified: 2007-04-18 17:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-02-25 14:54:49 UTC

Attachments
Spec, patch files for gaim-1.5.0, which fixes security problems (11.57 KB, application/gzip)
2005-09-12 00:53 UTC, David Eisenstein
Proposed Fedora Legacy Update Advisory for this issue. (9.47 KB, text/plain)
2006-02-24 09:00 UTC, David Eisenstein

Description Marc Deslauriers 2005-05-23 14:11:36 UTC
It turns out that this is a potential Remote DoS bug resulting from not
checking a pointer for non-NULL before passing it to strncmp which
results in a crash. This can be triggered by a remote client sending an
SLP message with an empty body. (CAN-2005-1262)

A buffer overflow has been found in Gaim.  It is possible for a remote attacker
to send a message containing a very long URL to overflow a buffer.  This attack
is mitigated by the fact that not all the messaging protocols allow messages
long enough to overflow this particular buffer. (CAN-2005-1261)

Comment 1 Marc Deslauriers 2005-05-23 17:06:42 UTC

Here are updated gaim packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
- Updated to 1.3.0 to fix security issues

d390af70308f2fe3299383e207ffc0830e51c849  7.3/gaim-1.3.0-0.73.1.legacy.i386.rpm
78da71a1cf6cbd5ceed0cd41c96c688c488ee0f5  7.3/gaim-1.3.0-0.73.1.legacy.src.rpm
035f9496f9ba3c0bc02e76d79c4e9a9c1d88c3e8  9/gaim-1.3.0-0.90.1.legacy.i386.rpm
8333385924f4a090578461ac26b9da275cb17c8c  9/gaim-1.3.0-0.90.1.legacy.src.rpm
a85108dbfba8199299cedbce43ba08ac69fb094a  1/gaim-1.3.0-1.fc1.legacy.i386.rpm
f91f89104f9c1a413b7e8d870425ed7e687c1d69  1/gaim-1.3.0-1.fc1.legacy.src.rpm
1e1b3d4afd31ce30bb4f5ef2ba8d06b4638593c0  2/gaim-1.3.0-1.fc2.legacy.i386.rpm
dae4988683cc7dce6618dad7368ee5ac86bf9024  2/gaim-1.3.0-1.fc2.legacy.src.rpm




Comment 2 Pekka Savola 2005-05-25 05:36:04 UTC
QA w/ rpm-build-compare.sh:
 - source integrity verified
 - spec file changes minimal (but see below)
 - only language patches for the desktop icon, OK
I noticed that FC2 package doesn't have the perl build hack (maybe it
doesn't need it?) while the others do, and that perl integration was turned
on in RHL9 while previously it was turned off (but I recall it was turned
off in the previous legacy package because it didn't work because of
the hack, so it should be OK).
I think the FC2 perl build hack, if it's even needed, can be added when
rebuilding, so..
78da71a1cf6cbd5ceed0cd41c96c688c488ee0f5  gaim-1.3.0-0.73.1.legacy.src.rpm
8333385924f4a090578461ac26b9da275cb17c8c  gaim-1.3.0-0.90.1.legacy.src.rpm
f91f89104f9c1a413b7e8d870425ed7e687c1d69  gaim-1.3.0-1.fc1.legacy.src.rpm
dae4988683cc7dce6618dad7368ee5ac86bf9024  gaim-1.3.0-1.fc2.legacy.src.rpm

Comment 3 Jeff MacDonald 2005-06-03 00:57:53 UTC
I'd like to know when these rpms are going to be published.

Comment 4 Pekka Savola 2005-06-03 05:30:51 UTC
Currently they're waiting to be built for updates-testing.  Before that happens,
there isn't much that can be done.  After that is done, the packages will need
to be VERIFYed (basically just simple testing that the program still works fine)
and then they can be released.

Comment 5 Marc Deslauriers 2005-06-04 19:44:09 UTC
Packages were pushed to updates-testing.

Comment 6 Marc Deslauriers 2005-07-15 22:16:25 UTC
*** Bug 152916 has been marked as a duplicate of this bug. ***

Comment 7 Marc Deslauriers 2005-07-28 23:27:15 UTC
We need to update to 1.3.1:

Description of problem:
05.24.26 CVE: CAN-2005-1269
Platform: Cross Platform
Title: Gaim Yahoo! Protocol Support File Download Denial of Service
Description: Gaim is an instant messaging client that supports
numerous protocols. Gaim is affected by a denial of service
vulnerability during the download of a file using the Yahoo! protocol.
This issue can allow remote attackers to cause an affected client to
fail. Gaim versions prior to 1.3.1 are reportedly affected by this
Ref: http://gaim.sourceforge.net/security/index.php?id=18 

05.24.27 CVE: CAN-2005-1934
Platform: Cross Platform
Title: Gaim MSN Protocol Denial of Service
Description: Gaim is an instant messaging client. It is vulnerable to
a denial of service issue when handling malformed messages using the
MSN protocol. Gaim versions prior to 1.3.1 are not vulnerable.
Ref: http://gaim.sourceforge.net/security/index.php?id=19 

Comment 8 Marc Deslauriers 2005-07-28 23:27:46 UTC
*** Bug 160834 has been marked as a duplicate of this bug. ***

Comment 9 Marc Deslauriers 2005-08-17 00:52:54 UTC
Now we need to update to 1.5.0

Comment 10 David Eisenstein 2005-09-05 03:56:03 UTC
The three new vulnerabilities Marc is referring to in comment #9,
all fixed in version 1.5.0:

  * CAN-2005-2102 - AIM/ICQ non-UTF-8 filename crash
    "Invalid filenames can cause a crash on some systems.
    A remote user could cause Gaim to crash on some systems by sending
    the Gaim user a file whose filename contains certain invalid
    characters. It is unknown what combination of systems are affected,
    but it is suspected that Windows users and systems with older
    versions of GTK+ are especially susceptible."
        -- <http://gaim.sourceforge.net/security/index.php?id=21>

  * CAN-2005-2103 - AIM/ICQ away message buffer overflow
    "A remote AIM or ICQ user can cause a buffer overflow in Gaim by
    setting an away message containing many AIM substitution strings
    (such as %t or %n)."
        -- <http://gaim.sourceforge.net/security/index.php?id=22>

  * CAN-2005-2370 - Gadu-Gadu memory alignment bug
    "A memory alignment bug in the Gadu-Gadu protocol plugin can result
    in a buffer overflow.  There was a memory alignment bug in the
    library Gaim uses to access the Gadu-Gadu network. This bug can not
    be exploited on x86 architectures. This bug was recently fixed in the
    libgadu library, but also needed to be fixed in Gaim because Gaim
    includes a copy of the libgadu library."
        -- <http://gaim.sourceforge.net/security/index.php?id=20>

Comment 11 David Eisenstein 2005-09-05 04:16:36 UTC
I am willing to build .src.rpm packages for gaim-1.5.0 for all four releases.
However, I only have dialup access to the Internet, and it would be a pain to
download all four .src.rpm's currently in updates-testing (over 20.4 megabytes)
when all I need from them would be the current .spec files and/or any
patches that might be with them.

Does anyone have those .spec files (& appropriate patches) handy?  If so, 
could you email them to me, being careful to label which goes with which if

Or post them somewhere I can download them easily?

Thanks in advance!   -David

Comment 12 John Dalbec 2005-09-08 12:39:35 UTC

05.32.16 CVE: CAN-2005-2103, CAN-2005-2102
Platform: Cross Platform
Title: Gaim Protocols Multiple Vulnerabilities
Description: Gaim is an instant messaging client. It is vulnerable to
multiple issues affecting the AIM and ICQ protocols, such as buffer
overflow and denial of service. Gaim versions 1.3.1 and earlier are
Ref: http://rhn.redhat.com/errata/RHSA-2005-589.html 

Comment 13 David Eisenstein 2005-09-09 03:04:24 UTC
Regarding comment 11 -- never mind.  I am working on a FC1 version of gaim-1.5.0
(got sources from FC3 version, making a couple small changes to the spec-file
turning off FC3+ features.)

I will post a link to a FC1 .src.rpm in the next day or so for QA.  Perhaps 
someone who is more familiar with RH73, RH9 and FC2 will know what things need
tweaking to make workable .src.rpm's for those O/S versions?

Comment 14 David Eisenstein 2005-09-12 00:53:06 UTC
Created attachment 118698 [details]
Spec, patch files for gaim-1.5.0, which fixes security problems


48da3864254fec01aa9f31af2da848c8412ee1af  gaim-1.5.0-FC1-build-files.tar.gz

Enclosed for your review, gaim-1.5.0-FC1-build-files.tar.gz includes the spec
file and all of the patches needed to build a version of gaim-1.5.0 for FC1;
maybe other distros as well.  It includes everything but the
gaim-1.5.0.tar.bz2 source tarball, which can be retrieved from Red Hat's FC3
.src.rpm or from the upstream repository at gaim.sourceforge.net.

   893 2005-06-09 23:04:28 gaim-1.5.0-FC1/gaim-1.3.1-PIE.patch
  2440 2005-08-11 23:38:34 gaim-1.5.0-FC1/gaim-desktop.patch
 10794 2005-06-09 23:04:28 gaim-1.5.0-FC1/gaim-fedora-prefs.xml
 22687 2005-09-11 19:29:12 gaim-1.5.0-FC1/gaim.spec
   644 2004-09-09 00:03:13 gaim-1.5.0-FC1/gaim-0.76-xinput.patch
   454 2004-10-07 23:40:38 gaim-1.5.0-FC1/gaim-1.0.1-naive-gnome-check.patch
 22925 2005-09-08 12:13:17 gaim-1.5.0-FC1/other/gaim-1.5.0-1.fc1.1.legacy.spec

Have been running a binary package based on this.  It seems to work well.

(Please note that what I built and am currently running omits Red Hat's
PIE patch (is using the spec file in the "other/" directory, not "gaim.spec"),
because I wanted to run gaim under a debugger.  GDB refuses to run an
executable that is also a shared object file.  Also note that I decided to
include a couple things in the doc directory that Red Hat decided not to --
The poem "The Penguin" is cute!)  :-)

If somebody can help me with some webspace, I can also upload an .src.rpm
file for your review.

Hope this helps.


ps:  URL's to download the source tarball if it helps:





Comment 15 David Eisenstein 2005-09-12 01:26:15 UTC

$ cat <comment 14> | sed -e "s/ger\..GDB/ger.  GDB/" \
| sed -e "/fc3.src.rpm/{n;d}" | gpg --verify

should yield the proper validation of the comment's signature, if you wish
to validate what I posted.  *sigh*   -David

Comment 16 David Eisenstein 2005-09-21 22:02:21 UTC

Here is an updated Fedora Core 1 gaim package to QA:

943907fbd013a565e3634b69a1542b2763b13dc7  gaim-1.5.0-1.fc1.2.legacy.src.rpm


Please note that I changed the spec-file to include a couple things in the 
doc directory that Red Hat decided not to -- The poem "The Penguin" is cute!
:-)  Also the file "COPYRIGHT" so the list of gaim contributors would be
included with the binaries and not just the sources.  Also note that this gaim
includes Red Hat's gaim-1.3.1-PIE.patch.  I don't know why they include that
patch, but they do.  Maybe it's for security reasons.

Have been using this version of Gaim without incident since 8-Sep-2005.
Seems to work well.  If anyone wants test binaries to look at, I can post
them too.  Let me know.

Please QA and post your results.  Thanks.

FC1 Changelog (since Marc's proposed gaim-1.3.0 packages in comment 1):
(n.b.:  I munged email addresses, see changelog in .srpm for the real ones.)

* Sun Sep 11 2005 David Eisenstein <deisenst@...> 1:1.5.0-1.fc1.2.legacy
- Re-spin as Fedora Legacy FC1 security update.  Bugzilla Bug 158543.

* Thu Aug 11 2005 Warren Togami <wtogami@r....com> - 1:1.5.0-1
- 1.5.0 security and bug fixes
  CAN-2005-2370 Gadu-Gadu memory alignment bug
  CAN-2005-2102 AIM/ICQ non-UTF-8 Filename Crash
  CAN-2005-2103 AIM/ICQ away message buffer overflow

* Tue Aug  9 2005 Jeremy Katz <katzj@r....com> - 1:1.4.0-7
- rebuild for new evolution-data-server

* Mon Aug  1 2005 Warren Togami <wtogami@r....com> 1:1.4.0-6
- FC5+ bash regex replace for -fstack-protector-all (mharris)

* Sun Jul 31 2005 Warren Togami <wtogami@r....com> 1:1.4.0-5
- FC5+ automatic -fstack-protector-all switch
- 150: MSN buddy names with space disconnect and profile corruption
       (supersedes patch 149)
- 151: Gadu Gadu memory alignment crash
- 152: Rename Group Merge crash
- 153: mailto: parse crash (util.c)
- 154: mailto: parse crash (MSN)
- 155: mailto: parse crash (Zephyr)

* Mon Jul 11 2005 Warren Togami <wtogami@r....com> 1:1.4.0-4
- 149: MSN username with space disconnect fix
- Do not own perl dir, remove empty files (#162994 jpo)

* Sun Jul 10 2005 Warren Togami <wtogami@r....com> 1:1.4.0-2
- 148: AIM login crash fix

* Thu Jul 07 2005 Warren Togami <wtogami@r....com> 1:1.4.0-1
- 1.4.0

* Thu Jun 09 2005 Warren Togami <wtogami@r....com> 1:1.3.1-0
- 1.3.1 more bug fixes
  CAN-2005-1269 CAN-2005-1934
- enable Message Notification plugin by default

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@....ca>
- Rebuilt as Fedora Legacy FC1 security update



Comment 17 Pekka Savola 2005-09-22 06:13:19 UTC
There were some minor changes to the desktop file, but nothing big.  I could
give FC1 version a publish, but I'd prefer to do it for all the arches at the
same time.

As for PIE, it's not (directly) security related, so no need to add those
patches on arches which don't already have it.  See:


Comment 18 Marc Deslauriers 2006-01-21 01:22:06 UTC

Here are updated gaim packages for rh73, rh9 and fc2 to QA:

add1cc5a66075dade5022f0ada975b66480f7ced  7.3/gaim-1.5.0-0.73.1.legacy.i386.rpm
600c0082bd52b646f003df0c11879c8fb93e4c60  7.3/gaim-1.5.0-0.73.1.legacy.src.rpm
095dcc381905aaea87a5fe4d4e51e88e3f0c759d  9/gaim-1.5.0-0.90.1.legacy.i386.rpm
e100a60fd4299abd43fc8221ceffe91b15fae650  9/gaim-1.5.0-0.90.1.legacy.src.rpm
d6811eef01c3634b1f6f9060d6b5c11ce23268f6  2/gaim-1.5.0-1.fc2.1.legacy.i386.rpm
ccd913a6f7902e6c3e88e2bfe3423120526cb16c  2/gaim-1.5.0-1.fc2.1.legacy.src.rpm




Comment 19 Pekka Savola 2006-01-21 08:36:10 UTC
I took a look at these; RHL9 and FC2 looked good.

I'd like to get new packages incorporating the CVS fixes etc. (similar
methodology as for FC2) for FC1 as well, so that the updates would be the same
"across the board".

RHL73 looked good, but .spec file wasn't "upgraded" based on FC4 similar to the
others.  Cursorily looking, the changes looked good though.  Was there a
particular reason not to bump the spec file (lack of RHL73 integration, maybe..) ?

Comment 20 Marc Deslauriers 2006-01-21 13:51:47 UTC
RHL 7.3 is substantially different. The desktop links are not in the same place,
we can't ship the tray icon plugin, etc. The changes to the spec file would be
substantial, so we're better off just using the old one.

I'll make another fc1 package.

Comment 21 Marc Deslauriers 2006-01-21 15:49:28 UTC

Here are gaim packages for fc1 to QA:

0907e8d51f039f53057c6080011869634895cc5d  gaim-1.5.0-1.fc1.1.legacy.i386.rpm
7981f9603dedf84a852de15bbbc958d17ddfbf08  gaim-1.5.0-1.fc1.1.legacy.src.rpm




Comment 22 Pekka Savola 2006-01-21 16:25:35 UTC

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal (rhl73) or minimal compared to fc4
 - patches verified from fc4


600c0082bd52b646f003df0c11879c8fb93e4c60  gaim-1.5.0-0.73.1.legacy.src.rpm
e100a60fd4299abd43fc8221ceffe91b15fae650  gaim-1.5.0-0.90.1.legacy.src.rpm
7981f9603dedf84a852de15bbbc958d17ddfbf08  gaim-1.5.0-1.fc1.1.legacy.src.rpm
ccd913a6f7902e6c3e88e2bfe3423120526cb16c  gaim-1.5.0-1.fc2.1.legacy.src.rpm


Comment 23 Marc Deslauriers 2006-01-24 23:30:11 UTC
Packages were pushed to updates-testing

Comment 24 Pekka Savola 2006-02-14 06:30:26 UTC
New policy: automatic accept after two weeks if no negative feedback.

Comment 25 Donald Maner 2006-02-20 03:14:19 UTC

I performed QA on the following:

a51c47a7e69e2ae0de301b5aea04a078a34bd494  gaim-1.5.0-0.73.1.legacy.i386.rpm
99901a3c55dc899071cd0373c71ce18b694e38d0  gaim-1.5.0-0.90.1.legacy.i386.rpm
fda20f97bf8c2ce8a5075c579bcbf6c3e3a66e81  gaim-1.5.0-1.fc1.1.legacy.i386.rpm
d8c6b98a019633a8a2debd6e2a86daccae6cdeda  gaim-1.5.0-1.fc2.1.legacy.i386.rpm

Upgraded fine.  Logged into AIM, tested by talking to a couple of bots.

Was able to log into ICQ, MSN and Yahoo.



Comment 26 Pekka Savola 2006-02-20 05:32:58 UTC

Comment 27 David Eisenstein 2006-02-20 07:31:24 UTC

VERIFY QA on FC1 version of gaim.

fda20f97bf8c2ce8a5075c579bcbf6c3e3a66e81  gaim-1.5.0-1.fc1.1.legacy.i386.rpm

  * SHA1sums match.
  * Properly signed by the Fedora Legacy key.
  * Installed fine; except -- I had already installed gaim-1.5.0-1.fc1 
    packages from ones that I had built and submitted for QA awhile back.
    I had to manually uninstall the other version of gaim to install the
    one in updates-testing.  The FC1 packages should have been named
    "gaim-1.5.0-1.fc1.3.legacy" for upward-compatibility.
  * This version of gaim, with the (upstream?) CVS changes included, works
    fine and has worked well ever since I installed it, a week or two ago.

GRIPE:  The fact that I did any work at all on this version of gaim, 
creating packages that address the security vulnerabilities this bug ticket
is supposed to address, has been obliterated in the changelog for the
RPM's that Marc Deslaurier submitted, which goes against Fedora Legacy
policy and good etiquette.  It is too late at this juncture to think about
changing the FC1 packages to reflect my work on this, poor as it may have
been; but I suppose that it doesn't matter, as that work was discarded

We can do better than this.




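The "SHA1sums match" step that the QA comments above (comments 2, 22, 25 and 27) report is the check that the packages a tester downloaded from updates-testing are byte-for-byte the ones whose digests were posted in the ticket. The script below is an added example and is not part of this bug thread, nor Fedora Legacy's rpm-build-compare.sh; the function names verify_hashes and sha1_of are chosen here, and the package names, contents and digests in the demo are constructed so it runs offline. The hash list format is the one used in the comments: one "<sha1>  <path>" line per package, where the path may carry a release prefix such as "7.3/" that is dropped when locating the local file.

```shell
#!/bin/sh
# Added example: verify downloaded packages against the SHA-1 list posted in
# a QA comment before installing or VERIFY-testing them. Not from the bug
# thread or from Fedora Legacy tooling; names and data below are constructed.

# Pick whichever SHA-1 tool the host has (coreutils sha1sum or perl shasum).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_hashes LISTFILE DIR
# LISTFILE holds "<sha1>  <path>" lines as pasted from the ticket.
# Prints one OK/MISMATCH/MISSING line per entry (easy to paste back as a QA
# result) and returns 0 only if every listed file is present and matches.
verify_hashes() {
    list=$1; dir=$2; bad=0
    while read -r expected path; do
        [ -z "$expected" ] && continue          # tolerate blank lines
        file="$dir/$(basename "$path")"         # strip "7.3/", "9/", "1/", "2/" prefixes
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        actual=$(sha1_of "$file")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (got $actual)"; bad=1
        fi
    done < "$list"
    return $bad
}

# Constructed demo (not real packages): one file whose digest matches the
# posted list and one that was altered after the list was posted.
demo_dir=$(mktemp -d)
printf 'constructed good package contents\n' > "$demo_dir/gaim-good.i386.rpm"
printf 'constructed altered contents\n'      > "$demo_dir/gaim-bad.i386.rpm"
good_hash=$(sha1_of "$demo_dir/gaim-good.i386.rpm")
printf '%s  1/gaim-good.i386.rpm\n' "$good_hash" > "$demo_dir/QA-hashes.txt"
printf '%s  1/gaim-bad.i386.rpm\n' "0000000000000000000000000000000000000000" \
    >> "$demo_dir/QA-hashes.txt"

# A non-zero status means: do not install, report the mismatch in the ticket.
verify_hashes "$demo_dir/QA-hashes.txt" "$demo_dir" || echo "verification FAILED"
```

The digest check only proves the tester has the same bits the packager posted; the "properly signed by the Fedora Legacy key" line in comment 27 is the separate step that ties those bits to the project, done with rpm --checksig on a host that has the signing key imported. Both are needed: a matching hash from an unsigned comment would let a tampered comment and a tampered package agree with each other.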
Comment 28 Marc Deslauriers 2006-02-20 12:54:42 UTC
I am sorry David. I simply rebuilt the .src.rpm directly from upstream. I did
not intend to offend you by not using your updated package. :(

Comment 29 Pekka Savola 2006-02-20 13:00:27 UTC
I think one of the most important things FL should be focusing on is common
methodology for all the releases, i.e., unless there are good reasons for
otherwise, all the releases should be updated in a similar manner.  Also the
amount of non-required changes should be minimized.

The practical problem right now is that unless folks have set up local mach/mock
environments, have fast net access, etc., they can't really propose packages
in a useful manner.

Comment 30 David Eisenstein 2006-02-21 06:39:11 UTC
Thank you, Marc.  Not necessary to use the package I made, especially if there
was a much better one out there.  But it is important to increment version 
numbers and retain changelog entries, even if nothing remains of the work but
those changelog entries.

Comment 31 David Eisenstein 2006-02-24 09:00:26 UTC
Created attachment 125165 [details]
Proposed Fedora Legacy Update Advisory for this issue.

Here is a proposed update advisory for this issue, so we can release these
packages to updates.   

Hope this helps.


Comment 32 Marc Deslauriers 2006-02-25 14:05:18 UTC
Thanks David!

Comment 33 Marc Deslauriers 2006-02-25 14:54:49 UTC
Packages were released
