I. Synopsis

Gaim (http://gaim.sourceforge.net) is a multi-protocol instant messaging client. I have identified several remote denial of service vulnerabilities affecting Gaim 1.2.0, and probably older versions as well.

II. Problems

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages without escaping markup (the list might not be exhaustive):

  irc_msg_kick()
  irc_msg_mode()
  irc_msg_part()
  irc_msg_quit()
  irc_msg_invite()

The missing escaping in irc_msg_kick(), irc_msg_mode(), irc_msg_part() and irc_msg_quit() allows any remote user to inject Gaim markup into the conversation window (annoying) and, provided that the conversation window is being logged, to trigger the gaim_markup_strip_html() buffer overread (the text logger calls gaim_markup_strip_html() in txt_logger_write()).

The missing escaping in irc_msg_invite() allows any remote user to inject Pango markup into a GTK+ dialog box. Fortunately, since IRC channel names cannot contain spaces, the user cannot insert things such as <span size="$huge">foo</span> (which would crash the program). He can however pop up empty dialog boxes by injecting malformed markup.

In several places, the IRC protocol plugin handles server messages without escaping markup (the list is not exhaustive):

  irc_msg_badmode()
  irc_msg_banned()
  irc_msg_unknown()
  irc_msg_nochan()

This allows any malicious IRC server operator to inject Pango markup into a GTK+ dialog box. The attacker can insert things such as <span size="1000000000">foo</span> to crash the program.

III. Impact

Any remote IRC user may cause the victim's Gaim instance to crash, by exploiting the gaim_markup_strip_html() bug in conjunction with the lack of escaping in the IRC plugin.

Any remote IRC user may pop up empty dialog boxes on the victim's computer, and may mess up the victim's conversation windows with fancy or malformed markup.

Any remote IRC server operator may cause the victim's Gaim instance to crash, by requesting huge font sizes from Pango.

IV. Vendor response

The vendor was informed via IM on 2005-03-25 and has acknowledged the problems. Some bugs (gaim_markup_strip_html(), escaping of IRC parts/quits) have been fixed in CVS. It is however unclear whether the vendor is willing to fix the other problems.

-- 
Jean-Yves Lefort
jylefort@xxxxxxxxxx
http://lefort.be.eu.org/
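As an added illustration of the overread class described in problem 1 (this is example code written for this note, not Gaim's gaim_markup_strip_html()), here is a tag stripper that tolerates malformed input: an unterminated "<" or a truncated entity ends the scan instead of walking past the end of the string. The function name and the small entity table are my own choices.

```c
#include <stdlib.h>
#include <string.h>

/* Strip HTML-style tags and decode a few named entities from a message,
 * tolerating malformed markup. Every lookahead is bounded by the length
 * computed up front, so an unterminated "<" or "&" never reads past the
 * terminating NUL. Returns a newly allocated string; the caller frees it. */
char *strip_markup_safe(const char *in)
{
    static const struct { const char *name; char ch; } ents[] = {
        {"&lt;", '<'}, {"&gt;", '>'}, {"&amp;", '&'}, {"&quot;", '"'}
    };
    const size_t nents = sizeof ents / sizeof ents[0];
    size_t len = strlen(in);
    char *out = malloc(len + 1);   /* output is never longer than input */
    size_t i = 0, o = 0;
    if (!out)
        return NULL;
    while (i < len) {
        if (in[i] == '<') {
            /* Skip to the closing '>' if one exists within the buffer;
             * otherwise the tag is unterminated: drop the rest and stop. */
            const char *close = memchr(in + i, '>', len - i);
            if (!close)
                break;
            i = (size_t)(close - in) + 1;
        } else if (in[i] == '&') {
            /* Match an entity only if enough bytes remain to hold it. */
            size_t k, n = 0;
            for (k = 0; k < nents; k++) {
                n = strlen(ents[k].name);
                if (len - i >= n && memcmp(in + i, ents[k].name, n) == 0)
                    break;
            }
            if (k < nents) {
                out[o++] = ents[k].ch;
                i += n;
            } else {
                out[o++] = in[i++];  /* unknown or truncated: keep literal */
            }
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return out;
}
```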