Debian alert: New gaim packages fix arbitrary program execution
The developers of Gaim, an instant messenger client that combines
several different networks, found a vulnerability in the hyperlink
handling code. The 'Manual' browser command passes an untrusted
string to the shell without escaping or reliable quoting, permitting
an attacker to execute arbitrary commands on the user's machine.
Unfortunately, Gaim doesn't display the hyperlink before the user
clicks on it. Users who use the other built-in browser commands aren't
vulnerable.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Debian Security Advisory DSA 158-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
August 27th, 2002                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------
Package : gaim
Vulnerability : arbitrary program execution
Problem-Type : remote
Debian-specific: no
This problem has been fixed in version 0.58-2.2 for the current
stable distribution (woody) and in version 0.59.1-2 for the unstable
distribution (sid). The old stable distribution (potato) is not
affected since it doesn't ship the Gaim program.
The fixed version of Gaim no longer passes the user's manual browser
command to the shell. Commands in which the %s is enclosed in quotes
will need to be amended so that they contain no quotes. The 'Manual'
browser command can be edited in the 'General' pane of the
'Preferences' dialog, which can be accessed by clicking 'Options' from
the login window, or 'Tools' and then 'Preferences' from the menu bar
in the buddy list window.
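The two ways of turning a 'Manual' browser command template such as `netscape %s` into a running process, side by side, as an added example written for this page (it is not Gaim's own code, and the template and URL are constructed sample values). `build_shell_command` shows the pattern the advisory describes as vulnerable: the URL is pasted into the template and the whole line would go to /bin/sh, so any shell metacharacter in the URL is interpreted by the shell. `build_argv` shows the hardened pattern: the template is split into an argv array, the URL becomes exactly one element, and `launch_browser` hands that array to `execvp()` with no shell in between. Because nothing interprets quotes any more, a template of `netscape "%s"` produces the literal token `"%s"`, which is never recognised as the placeholder; that is the reason the advisory asks users to remove the quotes.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Pattern the advisory describes as vulnerable: substitute the URL into
 * the template textually, producing a single line meant for /bin/sh -c.
 * Every shell metacharacter in the URL is then interpreted by the shell
 * rather than delivered to the browser.  Returns a malloc'd string
 * (caller frees), or NULL on allocation failure.  This only builds the
 * string; nothing in this example executes it. */
char *build_shell_command(const char *template, const char *url)
{
    const char *p = strstr(template, "%s");
    size_t len = strlen(template) + strlen(url) + 1;
    char *cmd = malloc(len);

    if (cmd == NULL)
        return NULL;
    if (p == NULL)
        snprintf(cmd, len, "%s", template);
    else
        snprintf(cmd, len, "%.*s%s%s", (int)(p - template), template, url, p + 2);
    return cmd;
}

/* Hardened pattern: split the template on blanks into an argv array and
 * put the URL in as one element.  No shell is involved, so the URL
 * reaches the browser byte for byte whatever characters it contains.
 * Quoting is deliberately not interpreted: the template  netscape "%s"
 * yields the token "%s" (quote characters included), which does not
 * equal %s and is therefore passed through unchanged.  'buf' is
 * caller-provided scratch space that backs the argv strings.
 * Returns argc, or -1 if the template or argument count overflows. */
int build_argv(const char *template, const char *url,
               char *buf, size_t bufsz, char **argv, int max)
{
    char *tok, *save;
    int argc = 0;

    if (strlen(template) >= bufsz)
        return -1;
    strcpy(buf, template);
    for (tok = strtok_r(buf, " \t", &save); tok != NULL;
         tok = strtok_r(NULL, " \t", &save)) {
        if (argc >= max - 1)
            return -1;
        argv[argc++] = (strcmp(tok, "%s") == 0) ? (char *)url : tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Launch the browser from an argv array with fork()+execvp(): the
 * arguments go straight to the new process.  Returns the child pid,
 * or -1 if fork() failed. */
pid_t launch_browser(char **argv)
{
    pid_t pid = fork();

    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                  /* only reached if exec failed */
    }
    return pid;
}

int main(void)
{
    /* Constructed sample values, not taken from any real configuration. */
    const char *template = "netscape -remote %s";
    const char *url = "http://example.invalid/page?a=1;b=2";
    char buf[256], *argv[MAX_ARGS];
    char *cmd = build_shell_command(template, url);
    int argc = build_argv(template, url, buf, sizeof buf, argv, MAX_ARGS);
    int i;

    printf("shell line (vulnerable pattern): %s\n", cmd);
    printf("argv (fixed pattern), %d elements:\n", argc);
    for (i = 0; i < argc; i++)
        printf("  [%d] %s\n", i, argv[i]);
    free(cmd);
    return 0;
}
```

Running it prints the shell line with the `;` embedded where /bin/sh would split it, and then the three argv elements, the last of which is the complete URL. Replacing the printing loop with `launch_browser(argv)` is all that is needed to actually start the browser.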
We recommend that you upgrade your gaim package immediately.
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.0 alias woody
- --------------------------------
Source archives:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2.dsc
Size/MD5 checksum: 681 388e7ad7ea82f72e80f5e7b950b74d9f
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2.diff.gz
Size/MD5 checksum: 21077 f40a10f65ec69c219209f3833a601451
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58.orig.tar.gz
Size/MD5 checksum: 1928057 644df289daeca5f9dd3983d65c8b2407
Alpha architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_alpha.deb
Size/MD5 checksum: 479720 4d8e4ea7f37653cc63bd9c6f3f5b2698
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_alpha.deb
Size/MD5 checksum: 674568 60234f1a1896d77e924e9ebb99eee12b
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_alpha.deb
Size/MD5 checksum: 501208 932052409cdc11ea89330709a41f32e4
ARM architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_arm.deb
Size/MD5 checksum: 401834 6a25ab2f49f104a8cb60dfb266687b4e
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_arm.deb
Size/MD5 checksum: 614864 251f521cfe92b00282f3d633e2ecdc06
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_arm.deb
Size/MD5 checksum: 422330 420edd09bad2f4587b843f18e7c56a0c
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_i386.deb
Size/MD5 checksum: 389256 bb1688d11f1e444e7116e3ce48d4b299
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_i386.deb
Size/MD5 checksum: 606056 ff6443a2cc3be13f8d97f8c56f93bf05
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_i386.deb
Size/MD5 checksum: 409108 028dc6cfa04b921f94500853d65f1069
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_ia64.deb
Size/MD5 checksum: 557146 d99d9f408b423e4ecb572d6c529ec271
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_ia64.deb
Size/MD5 checksum: 765084 20cf4447c02e5691f90f7c19088dc556
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_ia64.deb
Size/MD5 checksum: 569896 829bba8b920ff5355cbc72dc918bc6a4
HP Precision architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_hppa.deb
Size/MD5 checksum: 459416 42f17cb42279fd9148a44be663244298
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_hppa.deb
Size/MD5 checksum: 690992 b6e1d262705760055eb6fd3c2a8b393e
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_hppa.deb
Size/MD5 checksum: 481388 5c142618e62f2d67d2bc827722668ff5
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_m68k.deb
Size/MD5 checksum: 370536 5d39e480ed1d679defe431f572057f84
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_m68k.deb
Size/MD5 checksum: 622442 50592bfee0dae035546809ffbf1cb4c6
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_m68k.deb
Size/MD5 checksum: 392112 03fd2c0fbb9609f8d3a32f72f9e0cb4c
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_mips.deb
Size/MD5 checksum: 406360 7b6285a0ff3524dd0880b1a527ed34f7
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_mips.deb
Size/MD5 checksum: 614736 a5f56778d9f5dc6a8a994cd00dec3e11
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_mips.deb
Size/MD5 checksum: 427188 8eae2b955d9f1d52eb98040b6a34500c
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_mipsel.deb
Size/MD5 checksum: 396998 1c0c22d86c37c1d45be00ae5109398cb
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_mipsel.deb
Size/MD5 checksum: 607172 656a46f56cf74c5a3344867d6035ac32
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_mipsel.deb
Size/MD5 checksum: 416714 f0cc84cc3ebc22a57676fc772c2d0ac6
PowerPC architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_powerpc.deb
Size/MD5 checksum: 413474 b550a080853403e43b22b87e93cf5d49
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_powerpc.deb
Size/MD5 checksum: 642704 6cc33cd7c71f9d9aa876fdc8ec9d398a
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_powerpc.deb
Size/MD5 checksum: 434308 cb41515071ff367d0ef4fc0f5584922e
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_s390.deb
Size/MD5 checksum: 392194 06512a9f37536e2e35c1f86005fd5756
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_s390.deb
Size/MD5 checksum: 639284 4da689aa738e0a4d9e2cd8f706ba43d2
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_s390.deb
Size/MD5 checksum: 413366 86da87c92f1683a5fc28f48a81a8fdea
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.2_sparc.deb
Size/MD5 checksum: 409692 235cd54de30bc2350327f9f23402c2b3
http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.2_sparc.deb
Size/MD5 checksum: 653688 7db26ec6875eb42c7a655fb9622f0128
http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.2_sparc.deb
Size/MD5 checksum: 428526 3e4ecedebe2eeaa38c4857f5a37816dc
These files will probably be moved into the stable distribution on
its next revision.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9a3g3W5ql+IAeqTIRAj6IAJ9CmLA8l1torLm1aYL/34XGDrKLAgCgpxmO
2a5nTITob/hwYWDYzRs1a6w=
=tgdV
-----END PGP SIGNATURE-----