multiple remote denial of service vulnerabilities in Gaim

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: multiple remote denial of service vulnerabilities in Gaim
From: Jean-Yves Lefort <jylefort@xxxxxxxxxx>
Date: Fri, 1 Apr 2005 11:59:59 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I.   Synopsis

Gaim (http://gaim.sourceforge.net) is a multi-protocol instant
messaging client.

I have identified several remote denial of service vulnerabilities
affecting Gaim 1.2.0, and probably older versions as well.

II.  Problems

1. Buffer overread in gaim_markup_strip_html()

A programming error in gaim_markup_strip_html() causes a buffer
overread when stripping a string containing malformed HTML.

2. Lack of escaping in the IRC protocol plugin

In several places, the IRC protocol plugin handles user messages
without escaping markup (the list might not be exhaustive):

        irc_msg_kick()
        irc_msg_mode()
        irc_msg_part()
        irc_msg_quit()
        irc_msg_invite()

The irc_msg_kick(), irc_msg_mode(), irc_msg_part() and irc_msg_quit()
obliviousness allows any remote user to inject Gaim markup into the
conversation window (annoying), and, provided that the conversation
window is being logged, to trigger the gaim_markup_strip_html() buffer
overread (the text logger calls gaim_markup_strip_html() in
txt_logger_write()).

The irc_msg_invite() obliviousness allows any remote user to inject
Pango markup into a GTK+ dialog box. Fortunately, since IRC channel
names cannot contain spaces, the user cannot insert things such as
<span size="$huge">foo</span> (that would cause the program to
crash). He can however popup empty dialog boxes by injecting malformed
markup.

In several places, the IRC protocol plugin handles server messages
without escaping markup (the list is not exhaustive):

        irc_msg_badmode()
        irc_msg_banned()
        irc_msg_unknown()
        irc_msg_nochan()

This allows any malicious IRC server operator to inject Pango markup
into a GTK+ dialog box. The attacker can insert things such as
<span size="1000000000">foo</span> to crash the program.

III. Impact

Any remote IRC user may cause the victim's Gaim instance to crash, by
exploiting the gaim_markup_strip_html() bug in conjunction with the
lack of escaping in the IRC plugin.

Any remote IRC user may pop up empty dialog boxes on the victim's
computer, and may mess up the victim's conversation windows with fancy
or malformed markup.

Any remote IRC server operator may cause the victim's Gaim instance to
crash, by requesting huge font sizes to Pango.

IV.  Vendor response

The vendor has been informed via IM on 2005-03-25 and has acknowledged
the problems. Some bugs (gaim_markup_strip_html(), escaping of IRC
parts/quits) have been fixed in CVS. It is however unclear whether the
vendor is willing to fix the other problems or not.

-- 
Jean-Yves Lefort

jylefort@xxxxxxxxxx
http://lefort.be.eu.org/

Attachment: pgpgmDCMG3MJs.pgp
Description: PGP signature

Prev by Date: Information leak in the Linux kernel ext2 implementation
Next by Date: [ GLSA 200504-01 ] telnet-bsd: Multiple buffer overflows
Previous by thread: Information leak in the Linux kernel ext2 implementation
Next by thread: [ GLSA 200504-01 ] telnet-bsd: Multiple buffer overflows
Index(es):
- Date
- Thread