From b8c0a7ef697ad7b4d897671bdcaa6351bd23b25a Mon Sep 17 00:00:00 2001 From: simon Date: Fri, 12 Aug 2005 14:21:10 +0000 Subject: Document libgadu -- multiple vulnerabilities. Approved by: portmgr (blanket, VuXML) --- security/vuxml/vuln.xml | 78 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) (limited to 'security') diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index dae0f9b15eb4..de2dd6f7a8e8 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -32,6 +32,84 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. --> + + libgadu -- multiple vulnerabilities + + + gaim + ja-gaim + ko-gaim + ru-gaim + 1.5.0 + + + kdenetwork + 3.2.23.4.2 + + + pl-ekg + 1.6r3,1 + + + pl-gnugadu2 + 2.2.8 + + + centericq + kadu + pl-gnugadu + 0 + + + + +

Wojtek Kaniewski reports:

+
+

Multiple vulnerabilities have been found in libgadu, a + library for handling Gadu-Gadu instant messaging + protocol. It is a part of ekg, a Gadu-Gadu client, but is + widely used in other clients. Also some of the user + contributed scripts were found to behave in an insecure + manner.

+
    +
  • integer overflow in libgadu (CAN-2005-1852) that could + be triggered by an incomming message and lead to + application crash and/or remote code execution
    • +
  • insecure file creation (CAN-2005-1850) and shell + command injection (CAN-2005-1851) in other user + contributed scripts (discovered by Marcin Owsiany and + Wojtek Kaniewski)
    • +
  • several signedness errors in libgadu that could be + triggered by an incomming network data or an application + passing invalid user input to the library
    • +
  • memory alignment errors in libgadu that could be + triggered by an incomming message and lead to bus errors + on architectures like SPARC
    • +
  • endianness errors in libgadu that could cause invalid + behaviour of applications on big-endian + architectures
    • +
+
+ + + + 14345 + CAN-2005-1850 + CAN-2005-1851 + CAN-2005-1852 + CAN-2005-2369 + CAN-2005-2370 + CAN-2005-2448 + http://marc.theaimsgroup.com/?l=bugtraq&m=112198499417250 + http://gaim.sourceforge.net/security/?id=20 + http://www.kde.org/info/security/advisory-20050721-1.txt + + + 2005-07-21 + 2005-08-12 + + + gaim -- AIM/ICQ non-UTF-8 filename crash -- cgit