Bug 72728 - gaim 0.59.1 is released with important security and bug fixes
Product: Red Hat Public Beta
Classification: Retired
Component: gaim
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Christopher Blizzard
Keywords: Security
Reported: 2002-08-26 20:27 EDT by Robert McQueen
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Last Closed: 2002-09-10 04:59:49 EDT

Description Robert McQueen 2002-08-26 20:27:22 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610

Description of problem:
Hi from your friendly Debian Gaim maintainer. Gaim has branched in CVS with a
gtk1-stable branch for maintenance releases for gtk1.2. HEAD is now exclusively
for gtk2 - but it's not ready yet, hence the branch. 0.59.1 is the latest
release from this branch.

Three changes are highly relevant to you:
1. There is a much nicer icon by default. =)
2. i18n is fixed to use libiconv instead of some half-baked home grown "What's
UTF8?" function. It might actually work now.
3. A fix has been made to the URL handler for the manual browser option. In all
previous versions of Gaim, it passed the manual browser command to the shell
after substituting in %s, without any quoting or escaping. Seeing as y'all patch
Gaim to make it use the manual browser command by default, I'm guessing this
will concern you greatly (even more than it would anyway =). A link crafted to
contain close quotes and a command (as shown below) will be executed when the
user clicks it, and they will be totally unaware of that fact. 0.59.1 contains a
patch to fix this by bypassing the shell totally, and just executing the browser
command directly after substituting spaces in the URL with +, and splitting the
browser command by space.

You will need to do an advisory for any current RedHat releases that contain
Gaim. I'm not sure how much of this info is duplicated versus anything shared
with you by the Debian Security Team, who are working on an advisory for woody,
but I thought I'd file a bug with you to make sure. I've never used Bugzilla
before, either, so I apologise if I've messed anything up. =)

Version-Release number of selected component (if applicable): < 0.59.1

How reproducible: Always (requires previous knowledge of type/presence of
quoting in user's browser command, but the default "" is a fair guess)

Steps to Reproduce:
1. Find someone you don't like who is running Gaim on RedHat null.
2. IM them a link saying <a href='http://www.google.com/search/search?recovering+deleted+files" && rm -rf / "'>check this out</a>
3. Laugh heartily if you're really that evil.

Actual Results: I didn't actually do it, but testing here showed it was
certainly possible.

Additional info:
1. Now that it doesn't use the shell, quoting "%s" in the browser command will
just send quotes to the browser; you need to make the default 'htmlview %s'.
2. The non-manual browser options (Moz, Galeon, Opera, etc.) were not vulnerable;
they didn't use the shell.

Comment 1 Christopher Blizzard 2002-08-26 22:08:56 EDT
I was going to do a release of 0.59 with the security problem fixed anyway but
since 0.59.1 is out I'll just use this instead.

Thanks for the update, much appreciated.
Comment 2 Robert McQueen 2002-08-26 22:55:07 EDT
While we're talking, your description for the package says 'Gtk+ clone of AOL
Instant Messenger'. You know it's so much more than that. =)
Comment 3 Christopher Blizzard 2002-08-28 16:58:01 EDT
Errata is in the works.
Comment 4 Warren Togami 2002-09-05 13:28:09 EDT
Please test the URL handler of the Errata package before it is launched.  I just
now tested msw@redhat.com's gaim-0.59.1-1 packages from
http://people.redhat.com/msw/gaim/ and it appears that this security update
changed the behavior of the manual custom URL handler.  When you click links
now, it sends the URL to htmlview including the quotes, which opens improperly
in Mozilla.  The fix appears to be removing quotes from the command so it reads:
htmlview %s

I suspect that this is secure.

Comment 5 Warren Togami 2002-09-09 11:21:47 EDT
msw said the URL handler is fixed in 0.59.1-2.  Thanks Matt.
Comment 6 Mark J. Cox (Product Security) 2002-09-10 04:59:49 EDT
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.
