COMMAND
Gaim
SYSTEMS AFFECTED
Gaim 0.10.3 and previous 0.10.x versions
PROBLEM
Stan Bubrouski found the following. There is a buffer overflow in
Gaim's parsing of HTML tags when using the OSCAR protocol, which
allows shellcode to be executed when receiving a message that contains
an oversized HTML tag (e.g. <AAAA...AAA>). The overflowed buffer is a
fixed-size array (tag[BUF_LONG] in gtkhtml.c) of about 4100 bytes.
Due to the way AIM's protocols work, exploiting this is possible but
difficult because:
1) All communication, aside from file transfers, is done
anonymously through a server, without an IP address being
exchanged between the two clients.
2) A special client would have to be constructed to log in to the
AIM servers and send the specially crafted message required
to exploit this.
3) The TOC protocol is the default protocol used by Gaim, and
it is not vulnerable to this overflow.
4) Determining which client a user is running is difficult in
most circumstances.
5) Because the server sits between the two clients, using one
client to exploit the other cannot yield a remote shell over
the IM connection, since the server will not forward the
shell; a payload that opens a remote xterm back to the
attacker would do the trick, however.
No known exploits for this currently exist.
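The following C program is added here as an illustration; it is not part of the advisory or of Gaim's source. It shows the vulnerable pattern (a tag body copied into a fixed tag[BUF_LONG] array with no bound on the index) beside the fix the patch applies (the same copy loop writing into a heap buffer sized from strlen(text) + 2), plus a pre-check that flags a message whose tag body would not fit the fixed buffer. BUF_LONG = 4096, the function names and the sample messages are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of Gaim's fixed tag buffer. 4096 is an assumption for this example;
 * the advisory only says the overflowed buffer is "about 4100" bytes. */
#define BUF_LONG 4096

/* Shared scanner: copies each tag body (the text between '<' and '>') into
 * tag[] with no check against the size of tag[], the way the pre-patch loop
 * does. Whether this is safe depends entirely on the buffer the caller
 * supplies. Returns the length of the longest tag body seen. */
static long scan_tags(const char *text, char *tag)
{
    long longest = 0;
    const char *c = text;

    while (*c) {
        long i = 0;
        if (*c++ != '<')
            continue;
        while (*c && *c != '>')
            tag[i++] = *c++;        /* unbounded write: the bug */
        tag[i] = '\0';
        if (*c == '>')
            c++;
        if (i > longest)
            longest = i;
    }
    return longest;
}

/* Vulnerable form: the pre-patch declaration tag[BUF_LONG] on the stack.
 * A tag body of BUF_LONG bytes or more writes past the end of the array,
 * so this must only be called on input that message_overflows_fixed_buf()
 * has rejected. */
static long longest_tag_fixed(const char *text)
{
    char tag[BUF_LONG];
    return scan_tags(text, tag);
}

/* Hardened form, following the patch: size the buffer from the input. The
 * copy loop only ever stores bytes taken from text plus one NUL, so
 * strlen(text) + 2 cannot be exceeded. Returns -1 if allocation fails. */
static long longest_tag_heap(const char *text)
{
    char *tag = malloc(strlen(text) + 2);
    long longest;

    if (tag == NULL)
        return -1;
    longest = scan_tags(text, tag);
    free(tag);
    return longest;
}

/* Pre-check: would any tag body in text need more than BUF_LONG - 1 bytes?
 * An allocation failure is treated as "reject" as well. */
static int message_overflows_fixed_buf(const char *text)
{
    long longest = longest_tag_heap(text);
    return longest < 0 || longest >= BUF_LONG;
}

/* Constructed sample: "<AAAA...A>" with n 'A' characters, the shape of the
 * message the advisory describes. Caller frees the result. */
static char *make_oversized_tag(size_t n)
{
    char *m = malloc(n + 3);

    if (m == NULL)
        return NULL;
    m[0] = '<';
    memset(m + 1, 'A', n);
    m[n + 1] = '>';
    m[n + 2] = '\0';
    return m;
}

int main(void)
{
    const char *normal = "<b>hello</b> <a href=\"x\">y</a>";  /* constructed */
    char *attack = make_oversized_tag(5000);                  /* constructed */

    if (attack == NULL)
        return 1;
    printf("normal: longest tag %ld, overflows fixed buffer: %d\n",
           longest_tag_heap(normal), message_overflows_fixed_buf(normal));
    printf("attack: longest tag %ld, overflows fixed buffer: %d\n",
           longest_tag_heap(attack), message_overflows_fixed_buf(attack));
    /* longest_tag_fixed(attack) is deliberately not called: it would
     * smash the stack, which is exactly the advisory's point. */
    free(attack);
    return 0;
}
```

The point of keeping one scan_tags() for both callers is that the copy loop itself is unchanged by the patch; what changes is that the buffer's size now follows the input length instead of a constant, so no tag taken from the input can exceed it.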
SOLUTION
The overflow is fixed in the Gaim CVS tree as of 11/10/2000, and a
patch (provided by Eric Warmenhoven of the gaim project) for
versions 0.10.3 and earlier follows:
Index: gtkhtml.c
===================================================================
RCS file: /cvsroot/gaim/gaim/src/gtkhtml.c,v
retrieving revision 1.76
diff -u -r1.76 gtkhtml.c
--- gtkhtml.c 2000/11/03 10:46:58 1.76
+++ gtkhtml.c 2000/11/10 02:58:08
@@ -3193,7 +3193,7 @@
GdkFont *cfont;
GdkRectangle area;
char *ws,
- tag[BUF_LONG],
+ *tag,
*c,
*url = NULL;
gint intag = 0,
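Review bot: with `tag` changed from `tag[BUF_LONG]` to `*tag`, any `sizeof(tag)` or BUF_LONG-based bound on the tag elsewhere in this function (not visible in the hunk) would now silently refer to the pointer size or to a constant that no longer describes the buffer; check the rest of the function body for such uses, since after this change the only thing protecting the copy loop is the size passed to g_malloc in the later hunk.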
@@ -3237,6 +3237,7 @@
c = text;
ws = g_malloc(strlen(text) + 2);
+ tag = g_malloc(strlen(text) + 2);
while (*c)
{
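Review bot: `strlen(text) + 2` is a sufficient size only because the tag body is copied verbatim out of `text` and so can never be longer than the input; a one-line comment saying so, and why the extra byte beyond the NUL is needed (it mirrors the `ws` allocation on the line above), would save the next reader from having to re-derive the bound. g_malloc aborts rather than returning NULL, so no NULL check is required here, but the function now owns two heap buffers and every return path between this point and the frees must release both.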
@@ -3681,6 +3682,7 @@
g_free(ws);
+ g_free(tag);
gdk_window_get_size(html->html_area, NULL, &height);
area.height = height;
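Review bot: `g_free(tag)` sits beside `g_free(ws)` on the normal exit path, but any early `return` between the g_malloc at line 3237 and this point (none is visible in the hunk) would now leak `tag` as well as `ws`; worth checking the intervening lines before committing. Note also that the fix moves the buffer from the stack to the heap rather than bounding the copy, so an oversized tag now costs a large allocation instead of a write past the array, which is the intended result.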