Fedora Legacy Test Update Notification: gaim

Marc Deslauriers marcdeslauriers at videotron.ca
Tue Sep 28 11:45:52 UTC 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1237
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1237
2004-09-28
- ---------------------------------------------------------------------

Name        : gaim
Versions    : 7.3: 0.82.1-0.73.2, 9: 0.82.1-0.90.2
Summary     : A GTK+ clone of the AOL Instant Messenger client.
Description : 
Gaim is a clone of America Online's Instant Messenger client. It
features nearly all of the functionality of the official AIM client
while also being smaller, faster, and commercial-free.

- ---------------------------------------------------------------------
Update Information:

Issues fixed with this gaim release include:

Multiple buffer overflows that affect versions of Gaim 0.75 and earlier.
1) When parsing cookies in a Yahoo web connection, 2) YMSG protocol
overflows parsing the Yahoo login webpage, 3) a YMSG packet overflow, 4)
flaws in the URL parser, and 5) flaws in HTTP Proxy connect. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name
CAN-2004-0006 to these issues.

A buffer overflow in Gaim 0.74 and earlier in the Extract Info
Field Function used for MSN and YMSG protocol handlers. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0007 to this issue.

An integer overflow in Gaim 0.74 and earlier, when allocating
memory for a directIM packet results in heap overflow.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0008 to this issue.

Buffer overflow bugs were found in the Gaim MSN protocol handler. In
order
to exploit these bugs, an attacker would have to perform a man in the
middle attack between the MSN server and the vulnerable Gaim client.
Such
an attack could allow arbitrary code execution. The Common
Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0500
to this issue.

An integer overflow bug has been found in the Gaim Groupware message
receiver. It is possible that if a user connects to a malicious server,
an attacker could send carefully crafted data which could lead to
arbitrary
code execution on the victims machine. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0754 to
this issue.

A shell escape bug has been found in the Gaim smiley theme file
installation. When a user installs a smiley theme, which is contained
within a tar file, the unarchiving of the data is done in an unsafe
manner.
An attacker could create a malicious smiley theme that would execute
arbitrary commands if the theme was installed by the victim. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name
CAN-2004-0784 to this issue.

Buffer overflow bugs have been found in the Gaim URL decoder, local
hostname resolver, and the RTF message parser. It is possible that a
remote attacker could send carefully crafted data to a vulnerable client
and lead to a crash or arbitrary code execution. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name
CAN-2004-0785 to this issue.

- ---------------------------------------------------------------------
7.3 changelog:
* Mon Sep 27 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.82.1-0.73.2.legacy
 
- - Added mozilla-nspr-devel and mozilla-nss BuildRequires
- - Specify mozilla version
 
* Sun Sep 05 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.82.1-0.73.1.legacy
 
- - Updated to 0.82.1
 
* Sat Jun 12 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.78-0.73.1.legacy
 
- - Rebuilt as Fedora Legacy update for rh73 (FL#1237)
- - Disabled some requirements not available on rh73
- - Removed Fedora specific config file and patches
- - Created a desktop file for rh73
- - Removed docklet.so plugin as it doesn't work in rh73

9 changelog:
* Mon Sep 27 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.82.1-0.90.2.legacy
 
- - Added mozilla-nspr-devel and mozilla-nss BuildRequires
 
* Sun Sep 05 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.82.1-0.90.1.legacy
 
- - Updated to 0.82.1
 
* Sat Jun 12 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
0.78-0.90.1.legacy
 
- - Rebuilt as Fedora Legacy update for rh9 (FL#1237)
- - Disabled some requirements not available on rh9

- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/
(sha1sums)

cda084b78e263bb725ad92fdef0fc4b329b705d5
7.3/updates-testing/i386/gaim-0.82.1-0.73.2.legacy.i386.rpm
e28d0c278324c7a508af7a30565cc5741b7ec4f0
7.3/updates-testing/SRPMS/gaim-0.82.1-0.73.2.legacy.src.rpm
a35de8c26f1c748cd773957bddebb95114b711e2
9/updates-testing/i386/gaim-0.82.1-0.90.2.legacy.i386.rpm
2a6144f3fac77e921de382548f1ac11ad3da9d83
9/updates-testing/SRPMS/gaim-0.82.1-0.90.2.legacy.src.rpm

- ---------------------------------------------------------------------

Please test and comment in bugzilla.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWU5nLMAs/0C4zNoRAi5wAKCBu36xXdWyf1L4pAit712l79NajgCcDzs4
ADzM/az0JZVtWD88ftwB4Tk=
=Utkq
-----END PGP SIGNATURE-----

More information about the fedora-legacy-list mailing list