From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610 Debian/1.2.5-1

Description of problem:
Hi from your friendly Debian Gaim maintainer. Gaim has branched in CVS with a gtk1-stable branch for maintenance releases for gtk1.2. HEAD is now exclusively for gtk2 - but it's not ready yet, hence the branch. 0.59.1 is the latest release from this branch. Three changes are highly relevant to you:

1. There is a much nicer icon by default. =)
2. i18n is fixed to use libiconv instead of some half-baked home grown "What's UTF8?" function. It might actually work now.
3. A fix has been made to the URL handler for the manual browser option. In all previous versions of Gaim, it passed the manual browser command to the shell after substituting in %s, without any quoting or escaping. Seeing as y'all patch Gaim to make it use the manual browser command by default, I'm guessing this will concern you greatly (even more than it would anyway =). A link crafted to contain close quotes and a command (as shown below) will be executed when the user clicks it, and they will be totally unaware of that fact. 0.59.1 contains a patch to fix this by bypassing the shell totally, and just executing the browser command directly after substituting spaces in the URL with +, and splitting the browser command by space.

You will need to do an advisory for any current RedHat releases that contain Gaim. I'm not sure how much of this info is duplicated versus anything shared with you by the Debian Security Team, who are working on an advisory for woody, but I thought I'd file a bug with you to make sure. I've never used Bugzilla before, either, so I apologise if I've messed anything up. =)

Version-Release number of selected component (if applicable):
< 0.59.1

How reproducible:
Always (requires previous knowledge of type/presence of quoting in user's browser command, but the default "" is a fair guess)

Steps to Reproduce:
1. Find someone you don't like who is running Gaim on RedHat null.
2. IM them a link saying <a href='http://www.google.com/search/search?recovering+deleted+files" && rm -rf / "'>check this out</a>
3. Laugh heartily if you're really that evil.

Actual Results:
I didn't actually do it, but testing here showed it was certainly possible.

Additional info:
1. Now that it doesn't use the shell, quoting "%s" in the browser command will just send quotes to the browser; you need to make the default 'htmlview %s'.
2. The non-manual browser options (Moz, Galeon, Opera, etc) were not vulnerable, they didn't use the shell.

Regards,
Rob
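Added example (not Gaim's code, and not part of the bug report): a minimal model of the manual-browser URL handler before and after the kind of fix the report describes. build_shell_command() does what the vulnerable versions did, textual %s substitution into a string destined for the shell, so a URL containing a close quote and `&&` becomes part of the command. build_argv() does what the report says 0.59.1 does: split the browser command on spaces, substitute %s, map spaces in the URL to '+', and produce an argv for execvp() with no shell in between. It also reproduces the caveat from later in this thread: with a template of `htmlview "%s"` the quotes are passed literally to the browser, which is why the default has to become `htmlview %s`. The function names and the crafted URL are this example's own; the code does not actually run anything.

```c
/* Added example, not Gaim's code.  Compile: cc -std=c99 -Wall handler.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Replace the first "%s" in tmpl with url.  Pure string work; whether
 * this is dangerous depends entirely on where the result goes next. */
static char *substitute_url(const char *tmpl, const char *url)
{
    const char *at = strstr(tmpl, "%s");
    if (!at)
        return xstrdup(tmpl);
    size_t pre = (size_t)(at - tmpl), ulen = strlen(url), post = strlen(at + 2);
    char *out = malloc(pre + ulen + post + 1);
    if (!out)
        return NULL;
    memcpy(out, tmpl, pre);
    memcpy(out + pre, url, ulen);
    memcpy(out + pre + ulen, at + 2, post + 1);   /* includes the NUL */
    return out;
}

/* VULNERABLE (pre-0.59.1 behaviour): the whole substituted string would be
 * handed to system()/sh -c.  A URL such as
 *   ...files" && rm -rf / "
 * closes the template's quotes and the shell runs the rest. */
char *build_shell_command(const char *tmpl, const char *url)
{
    return substitute_url(tmpl, url);
}

/* Spaces in the URL become '+', so the URL can never split into extra argv
 * entries even if someone later re-joins and re-splits the command. */
static char *sanitize_url(const char *url)
{
    char *u = xstrdup(url);
    if (u)
        for (char *p = u; *p; p++)
            if (*p == ' ')
                *p = '+';
    return u;
}

/* FIXED (0.59.1 behaviour): tokenize the template on spaces, substitute %s
 * inside each token, build a NULL-terminated argv for execvp().  The URL is
 * always exactly one argument; no shell ever parses it.  Returns argc, or
 * -1 on allocation failure.  Caller frees with free_argv(). */
int build_argv(const char *tmpl, const char *url, char **argv, int max)
{
    char *buf = xstrdup(tmpl), *safe = sanitize_url(url);
    int argc = 0;
    if (!buf || !safe) {
        free(buf);
        free(safe);
        return -1;
    }
    for (char *tok = strtok(buf, " "); tok && argc < max - 1; tok = strtok(NULL, " "))
        argv[argc++] = substitute_url(tok, safe);   /* '"%s"' keeps its quotes */
    argv[argc] = NULL;
    free(buf);
    free(safe);
    return argc;
}

void free_argv(char **argv)
{
    for (int i = 0; argv[i]; i++)
        free(argv[i]);
}

int main(void)
{
    /* Constructed hostile URL, the same shape as the one in the report. */
    const char *url = "http://www.google.com/search/search?recovering+deleted+files\" && rm -rf / \"";
    char *cmd = build_shell_command("htmlview \"%s\"", url);
    printf("vulnerable, would be passed to sh -c:\n  %s\n", cmd);
    free(cmd);

    char *argv[8];
    int argc = build_argv("htmlview %s", url, argv, 8);
    printf("fixed, argv for execvp (argc=%d):\n", argc);
    for (int i = 0; i < argc; i++)
        printf("  argv[%d] = [%s]\n", i, argv[i]);
    /* execvp(argv[0], argv) would go here, normally after fork(). */
    free_argv(argv);
    return 0;
}
```

Note that the fixed path is only safe because the template is split before the URL is substituted; substituting first and splitting afterwards would reintroduce the problem in a different form.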
I was going to do a release of 0.59 with the security problem fixed anyway but since 0.59.1 is out I'll just use this instead. Thanks for the update, much appreciated.
While we're talking, your description for the package says 'Gtk+ clone of AOL Instant Messenger'. You know it's so much more than that. =)
Errata is in the works.
Please test the URL handler of the Errata package before it is launched. I just now tested msw's gaim-0.59.1-1 packages from http://people.redhat.com/msw/gaim/ and it appears that this security update changed the behavior of the manual custom URL handler. When you click links now, it sends the URL to htmlview including the quotes, which opens improperly in Mozilla. The fix appears to be removing quotes from the command so it reads: htmlview %s I suspect that this is secure.
msw said the URL handler is fixed in 0.59.1-2. Thanks Matt.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2002-189.html