Debian Project

Debian testing security team - Advisory

DTSA-5-1

Date Reported:
August 28th, 2005
Affected Package:
gaim
Vulnerability:
multiple remote vulnerabilities
Problem-Scope:
remote
Debian-specific:
No
CVE:
CVE-2005-2102 CVE-2005-2370 CVE-2005-2103

More information:
Multiple security holes were found in gaim: 
 
CVE-2005-2102 
 
The AIM/ICQ module in Gaim allows remote attackers to cause a denial of 
service (application crash) via a filename that contains invalid UTF-8 
characters. 
 
CVE-2005-2370 
 
Multiple memory alignment errors in libgadu, as used in gaim and other 
packages, allow remote attackers to cause a denial of service (bus error) 
on certain architectures such as SPARC via an incoming message. 
 
CVE-2005-2103 
 
Buffer overflow in the AIM and ICQ module in Gaim allows remote attackers 
to cause a denial of service (application crash) and possibly execute 
arbitrary code via an away message with a large number of AIM substitution 
strings, such as %t or %n. 

For the testing distribution (etch) this is fixed in version 1:1.4.0-5etch2
For the unstable distribution (sid) this is fixed in version 1:1.4.0-5

This upgrade is recommended if you use gaim.

If you have the secure testing lines in your sources.list, you can update by running this command as root:
apt-get update && apt-get install gaim

The Debian testing security team does not track security issues for then stable (sarge) and oldstable (woody) distributions. If stable is vulnerable, the Debian security team will make an announcement once a fix is ready.

To use the Debian testing security archive, add the following lines to your /etc/apt/sources.list:

deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free

The archive signing key can be downloaded from
http://testing-security.debian.net/ziyi-2005-7.asc

For further information about the Debian testing security team, please refer to http://testing-security.debian.net/

Valid HTML 4.01! Valid CSS!