--------------------------------------------------------------------------- Peachtree Linux Security Notice PLSN-0002 April 20, 2005 Multiple remote vulnerabilities in Gaim CAN-2005-0965, CAN-2005-0966, CAN-2005-0967, CAN-2005-0208, CAN-2005-0473, CAN-2005-0472 --------------------------------------------------------------------------- The following Peachtree Linux releases are affected: Peachtree Linux release 1 ("Atlanta") Description: CAN-2005-0965: The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read. CAN-2005-0966: The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions. CAN-2005-0967: Gaim 1.2.0 allows remote attackers to cause a denial of service (application crash) via a malformed file transfer request to a Jabber user, which leads to an out-of-bounds read. CAN-2005-0208: The HTML parsing functions in Gaim before 1.1.4 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CAN-2005-0473. CAN-2005-0473: The HTML parsing functions in Gaim before 1.1.3 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CAN-2005-0208. CAN-2005-0472: Gaim before 1.1.3 allows remote attackers to cause a denial of service (infinite loop) via malformed SNAC packets from (1) AIM or (2) ICQ. Packages: Download the updated gaim package for your release of Peachtree Linux and your host architecture. The main updates site is: http://peachtree.burdell.org/updates/ Updated packages available for Peachtree Linux release 1 ("Atlanta"): alpha 4aadbdb96b4ce84d636bebc9a91cca26 gaim-1.2.1.alpha.dist i386 5b00656d3f2bf2ce224ef8df96361d32 gaim-1.2.1.i686.dist ppc 5378ffd8f0b31d3bb3fa40cded1429b0 gaim-1.2.1.ppc.dist Solution: Download the appropriate package for your release of Peachtree Linux. Upgrade your system to the new package: distadd -u packagename Where packagename is the name of the package file from the list above. After installation of the new package, kill any running gaim processes and reload the application. -- Peachtree Linux Security Team http://peachtree.burdell.org/
Attachment:
pgpr4ippcZGfT.pgp
Description: PGP signature