Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 72728

Summary:	gaim 0.59.1 is released with important security and bug fixes
Product:	[Retired] Red Hat Public Beta	Reporter:	Robert McQueen <robot101>
Component:	gaim	Assignee:	Christopher Blizzard <blizzard>
Status:	CLOSED ERRATA	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	null	CC:	wtogami
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
URL:	http://gaim.sourceforge.net/ChangeLog
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2002-09-10 08:59:49 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Robert McQueen 2002-08-27 00:27:22 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610
Debian/1.2.5-1

Description of problem:
Hi from your friendly Debian Gaim maintainer. Gaim has branched in CVS with a
gtk1-stable branch for maintainance releases for gtk1.2. HEAD is now exclusively
for gtk2 - but it's not ready yet, hence the branch. 0.59.1 is the latest
release from this branch.

Three changes are highly relevant to you:
1. There is a much nicer icon by default. =)
2. i18n is fixed to use libiconv instead of some half-baked home grown "What's
UTF8?" function. It might actually work now.
3. A fix has been made to the URL handler for the manual browser option. in all
previous versions of Gaim, it passed the manual browser command to the shell
after substituting in %s, without any quoting or escaping. Seeing as y'all patch
Gaim to make it use the manual browser command by default, I'm guessing this
will concern you greatly (even more than it would anyway =). A link crafted to
contain close quotes and a command (as shown below) will be executed when the
user clicks it, and they will be totally unaware of that fact. 0.59.1 contains a
patch to fix this by bypassing the shell totally, and just executing the browser
command directly after substituting spaces in the URL with +, and splitting the
browser command by space.

You will need to do an advisory for any current RedHat releases that contain
Gaim. I'm not sure how much of this info is duplicated versus anything shared
with you by the Debian Security Team, who are working on an advisory for woody,
but I thought I'd file a bug with you to make sure. I've never used Bugzilla
before, either, so I apologise if I've messed anything up. =)

Version-Release number of selected component (if applicable): < 0.59.1

How reproducible: Always (requires previous knowledge of type/presence of
quoting in user's browser command, but the defaut "" is a fair guess)

Steps to Reproduce:
1. Find someone you don't like who is running Gaim on RedHat null.
2. IM them a link saying <a
href='http://www.google.com/search/search?recovering+deleted+files" && rm -rf /
"'>check this out</a>
3. Laugh heartily if you're really that evil.

Actual Results: I didn't actually do it, but testing here showed it was
certainly possible.

Additional info:
1. Now that it doesn't use the shell, quoting "%s" in the browser command will
just send quotes to the browser, you need to make the default 'htmlview %s'.
2. The non-manual browser options (Moz, Galeon, Opera, etc) were not vunlerable,
they didn't use the shell.

Regards,
Rob

Comment 1 Christopher Blizzard 2002-08-27 02:08:56 UTC

I was going to do a release of 0.59 with the security problem fixed anyway but
since 0.59.1 is out I'll just use this instead.

Thanks for the update, much appreciated.

Comment 2 Robert McQueen 2002-08-27 02:55:07 UTC

While we're talking, your description for the package says 'Gtk+ clone of AOL
Instant Messenger'. You know it's so much more than that. =)

Comment 3 Christopher Blizzard 2002-08-28 20:58:01 UTC

Errata is in the works.

Comment 4 Warren Togami 2002-09-05 17:28:09 UTC

Please test the URL handler of the Errata package before it is launched.  I just
now tested msw's gaim-0.59.1-1 packages from
http://people.redhat.com/msw/gaim/ and it appears that this security update
changed the behavior of the manual custom URL handler.  When you click links
now, it sends the URL to htmlview including the quotes, which opens improperly
in Mozilla.  The fix appears to be removing quotes from the command so it reads:
htmlview %s

I suspect that this is secure.

Comment 5 Warren Togami 2002-09-09 15:21:47 UTC

msw said the URL handler is fixed in 0.59.1-2.  Thanks Matt.

Comment 6 Mark J. Cox 2002-09-10 08:59:49 UTC

An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2002-189.html