Red Hat Bugzilla – Bug 72728
gaim 0.59.1 is released with important security and bug fixes
Last modified: 2008-05-01 11:38:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610
Description of problem:
Hi from your friendly Debian Gaim maintainer. Gaim has branched in CVS with a
gtk1-stable branch for maintenance releases for gtk1.2. HEAD is now exclusively
for gtk2 - but it's not ready yet, hence the branch. 0.59.1 is the latest
release from this branch.
Three changes are highly relevant to you:
1. There is a much nicer icon by default. =)
2. i18n is fixed to use libiconv instead of some half-baked home grown "What's
UTF8?" function. It might actually work now.
3. A fix has been made to the URL handler for the manual browser option. In all
previous versions of Gaim, it passed the manual browser command to the shell
after substituting in %s, without any quoting or escaping. Seeing as y'all patch
Gaim to make it use the manual browser command by default, I'm guessing this
will concern you greatly (even more than it would anyway =). A link crafted to
contain close quotes and a command (as shown below) will be executed when the
user clicks it, and they will be totally unaware of that fact. 0.59.1 contains a
patch to fix this by bypassing the shell totally, and just executing the browser
command directly after substituting spaces in the URL with +, and splitting the
browser command by space.
You will need to do an advisory for any current RedHat releases that contain
Gaim. I'm not sure how much of this info is duplicated versus anything shared
with you by the Debian Security Team, who are working on an advisory for woody,
but I thought I'd file a bug with you to make sure. I've never used Bugzilla
before, either, so I apologise if I've messed anything up. =)
Version-Release number of selected component (if applicable): < 0.59.1
How reproducible: Always (requires previous knowledge of type/presence of
quoting in user's browser command, but the default "" is a fair guess)
Steps to Reproduce:
1. Find someone you don't like who is running Gaim on RedHat null.
2. IM them a link saying <a
href='http://www.google.com/search/search?recovering+deleted+files" && rm -rf /
"'>check this out</a>
3. Laugh heartily if you're really that evil.
Actual Results: I didn't actually do it, but testing here showed it was
1. Now that it doesn't use the shell, quoting "%s" in the browser command will
just send quotes to the browser, you need to make the default 'htmlview %s'.
2. The non-manual browser options (Moz, Galeon, Opera, etc) were not vulnerable,
they didn't use the shell.
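The two URL-handler behaviours the report above describes, reconstructed in miniature as an added example. This is not Gaim's code and was not posted by anyone in this bug; the function names (build_shell_command, build_argv, launch_browser, hardened_arg), the "htmlview" templates and the EVIL_URL string are assumptions taken from the description and the reproduction steps, and the only thing actually executed is a harmless stand-in for the browser.

```c
/* Added example: vulnerable shell-expansion URL handler beside the hardened
 * execvp() form described in the bug report.  Not Gaim's code; all names
 * here are invented for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed input: the link from "Steps to Reproduce" above, with the
 * "rm -rf /" left in.  It is never handed to a shell in this program. */
#define EVIL_URL "http://www.google.com/search/search?recovering+deleted+files\" && rm -rf /\""

/* Assumed browser command templates: the quoted form the report says Red Hat
 * patched in as default, and the unquoted form 0.59.1 needs. */
#define QUOTED_TEMPLATE   "htmlview \"%s\""
#define UNQUOTED_TEMPLATE "htmlview %s"

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Splice `url` in place of the first "%s" in `tmpl`; caller frees. */
static char *expand_percent_s(const char *tmpl, const char *url)
{
    const char *pct = strstr(tmpl, "%s");
    size_t pre, ulen = strlen(url);
    char *out;

    if (!pct) return dup_str(tmpl);
    pre = (size_t)(pct - tmpl);
    out = malloc(strlen(tmpl) - 2 + ulen + 1);
    if (!out) return NULL;
    memcpy(out, tmpl, pre);
    memcpy(out + pre, url, ulen);
    strcpy(out + pre + ulen, pct + 2);
    return out;
}

/* VULNERABLE (pre-0.59.1 behaviour as described): the expanded string is what
 * would go to system()/"sh -c".  The closing quote in the URL ends the shell's
 * quoted word, so "&& rm -rf /" becomes a second command.  Only built here. */
static char *build_shell_command(const char *tmpl, const char *url)
{
    return expand_percent_s(tmpl, url);
}

static void free_argv(char **argv)
{
    for (int i = 0; argv[i]; i++) free(argv[i]);
}

/* HARDENED (0.59.1 behaviour as described): spaces in the URL become '+', the
 * template is split on spaces, "%s" is expanded inside whichever word holds
 * it, and the words form a NULL-terminated argv for execvp().  Shell
 * metacharacters in the URL are just bytes in one argument.  Returns argc,
 * or -1 on allocation failure. */
static int build_argv(const char *tmpl, const char *url, char **argv, int max_args)
{
    char *safe_url = dup_str(url), *work = dup_str(tmpl), *tok, *p;
    int argc = 0;

    if (!safe_url || !work) { free(safe_url); free(work); return -1; }
    for (p = safe_url; *p; p++)
        if (*p == ' ') *p = '+';
    for (tok = strtok(work, " "); tok && argc < max_args - 1; tok = strtok(NULL, " ")) {
        argv[argc] = strstr(tok, "%s") ? expand_percent_s(tok, safe_url) : dup_str(tok);
        if (!argv[argc]) { free_argv(argv); free(work); free(safe_url); return -1; }
        argc++;
    }
    argv[argc] = NULL;
    free(work);
    free(safe_url);
    return argc;
}

static int hardened_argc(const char *tmpl, const char *url)
{
    char *argv[32];
    int argc = build_argv(tmpl, url, argv, 32);
    if (argc >= 0) free_argv(argv);
    return argc;
}

/* Copy argument `i` of the hardened argv into a static buffer for inspection;
 * NULL when `i` is out of range. */
static const char *hardened_arg(const char *tmpl, const char *url, int i)
{
    static char buf[1024];
    char *argv[32];
    int argc = build_argv(tmpl, url, argv, 32);
    const char *res = NULL;

    if (argc > 0 && i >= 0 && i < argc) {
        strncpy(buf, argv[i], sizeof buf - 1);
        buf[sizeof buf - 1] = '\0';
        res = buf;
    }
    if (argc >= 0) free_argv(argv);
    return res;
}

/* Run the browser with no shell in between.  Returns the child's exit status,
 * or -1 if it could not be started. */
static int launch_browser(const char *tmpl, const char *url)
{
    char *argv[32];
    int argc = build_argv(tmpl, url, argv, 32), status;
    pid_t pid;

    if (argc <= 0) return -1;
    pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        status = WEXITSTATUS(status);
    else
        status = -1;
    free_argv(argv);
    return status;
}

int main(void)
{
    char *cmd = build_shell_command(QUOTED_TEMPLATE, EVIL_URL);
    printf("shell would see  : %s\n", cmd);
    free(cmd);
    printf("execvp argv[1]   : %s\n", hardened_arg(UNQUOTED_TEMPLATE, EVIL_URL, 1));
    /* With the quoted template the quotes are now literal bytes sent to the
     * browser, which is the regression the report warns about. */
    printf("quoted %%s argv[1]: %s\n", hardened_arg(QUOTED_TEMPLATE, EVIL_URL, 1));
    /* /bin/echo stands in for htmlview so the demo is harmless. */
    return launch_browser("/bin/echo %s", EVIL_URL) == 0 ? 0 : 1;
}
```

The space-to-'+' substitution is what makes splitting the template on spaces safe: after it, the URL can never contribute a word boundary, so however many quotes, semicolons or ampersands it carries they all stay inside argv[1], and no interpreter ever looks at them.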
I was going to do a release of 0.59 with the security problem fixed anyway but
since 0.59.1 is out I'll just use this instead.
Thanks for the update, much appreciated.
While we're talking, your description for the package says 'Gtk+ clone of AOL
Instant Messenger'. You know it's so much more than that. =)
Errata is in the works.
Please test the URL handler of the Errata package before it is launched. I just
now tested email@example.com's gaim-0.59.1-1 packages from
http://people.redhat.com/msw/gaim/ and it appears that this security update
changed the behavior of the manual custom URL handler. When you click links
now, it sends the URL to htmlview including the quotes, which opens improperly
in Mozilla. The fix appears to be removing quotes from the command so it reads:
I suspect that this is secure.
msw said the URL handler is fixed in 0.59.1-2. Thanks Matt.
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.