Security Flaw in Gaim

Bug #7674 reported by Debian Bug Importer on 2004-08-29
8
Affects Status Importance Assigned to Milestone
gaim (Debian)
Fix Released
Unknown
gaim (Ubuntu)
High
Sebastien Bacher

Bug Description

Automatically imported from Debian bug report #268783 http://bugs.debian.org/268783

CVE References

Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #268783 http://bugs.debian.org/268783

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 28 Aug 2004 23:36:06 -0400
From: Jeremy Brown <email address hidden>
To: <email address hidden>
Subject: Security Flaw in Gaim

Package: gaim
Version: 0.81-3
Severity: serious

The upstream Gaim 0.81 source has several security issues:

http://gaim.sourceforge.net/security/index.php

Not sure if these issues are present in Debian Gaim 0.81-3. Either way
they have been fixed upstream in 0.82.1.

# Automatically generated email from bts, devscripts version 2.8
package gaim
severity 268783 grave
tags 268783 + sarge

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 29 Aug 2004 18:35:09 +0100
From: Robert McQueen <email address hidden>
To: <email address hidden>
Subject: setting package to gaim, severity of 268783 is grave, tagging 268783

# Automatically generated email from bts, devscripts version 2.8
package gaim
severity 268783 grave
tags 268783 + sarge

Source: gaim
Source-Version: 1:0.82.1-1

We believe that the bug you reported is fixed in the latest version of
gaim, which is due to be installed in the Debian FTP archive:

gaim_0.82.1-1.diff.gz
  to pool/main/g/gaim/gaim_0.82.1-1.diff.gz
gaim_0.82.1-1.dsc
  to pool/main/g/gaim/gaim_0.82.1-1.dsc
gaim_0.82.1-1_i386.deb
  to pool/main/g/gaim/gaim_0.82.1-1_i386.deb
gaim_0.82.1.orig.tar.gz
  to pool/main/g/gaim/gaim_0.82.1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert McQueen <email address hidden> (supplier of updated gaim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 29 Aug 2004 22:19:07 +0100
Source: gaim
Binary: gaim
Architecture: source i386
Version: 1:0.82.1-1
Distribution: unstable
Urgency: high
Maintainer: Robert McQueen <email address hidden>
Changed-By: Robert McQueen <email address hidden>
Description:
 gaim - multi-protocol instant messaging client
Closes: 268783
Changes:
 gaim (1:0.82.1-1) unstable; urgency=high
 .
   * New upstream version. Fixes known security issues CAN-2004-0754 and
      CAN-2004-0785, and includes several important bug fixes.
        (closes: #268783)
 .
   * debian/patches/allow-blist-shrink.patch:
      - removed, I'm trusting upstream on this one :)
 .
   * debian/patches/libtoolize.patch:
      - updated
 .
   * debian/patches/msn-fixes-CAN-2004-0500.patch:
      - removed, included upstream
Files:
 e76d674acba7b41e1fdfbef642c9f442 825 net optional gaim_0.82.1-1.dsc
 16cfc29a95543fbc6825e648868b9761 6747121 net optional gaim_0.82.1.orig.tar.gz
 a71cfbbcc16812a1606a7caa7a04ed40 32046 net optional gaim_0.82.1-1.diff.gz
 c0692d902b5f56aa0a03b3d4dbef5d3e 3220802 net optional gaim_0.82.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBMk4jXcrf4TUB5sURApFfAJ4rO2IviSqbdPjDjo+yFD3TqSmCBQCfWocW
hvngDBzKnOtdOv7fS2Dxlig=
=81f5
-----END PGP SIGNATURE-----

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 29 Aug 2004 18:02:06 -0400
From: Robert McQueen <email address hidden>
To: <email address hidden>
Subject: Bug#268783: fixed in gaim 1:0.82.1-1

Source: gaim
Source-Version: 1:0.82.1-1

We believe that the bug you reported is fixed in the latest version of
gaim, which is due to be installed in the Debian FTP archive:

gaim_0.82.1-1.diff.gz
  to pool/main/g/gaim/gaim_0.82.1-1.diff.gz
gaim_0.82.1-1.dsc
  to pool/main/g/gaim/gaim_0.82.1-1.dsc
gaim_0.82.1-1_i386.deb
  to pool/main/g/gaim/gaim_0.82.1-1_i386.deb
gaim_0.82.1.orig.tar.gz
  to pool/main/g/gaim/gaim_0.82.1.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robert McQueen <email address hidden> (supplier of updated gaim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 29 Aug 2004 22:19:07 +0100
Source: gaim
Binary: gaim
Architecture: source i386
Version: 1:0.82.1-1
Distribution: unstable
Urgency: high
Maintainer: Robert McQueen <email address hidden>
Changed-By: Robert McQueen <email address hidden>
Description:
 gaim - multi-protocol instant messaging client
Closes: 268783
Changes:
 gaim (1:0.82.1-1) unstable; urgency=high
 .
   * New upstream version. Fixes known security issues CAN-2004-0754 and
      CAN-2004-0785, and includes several important bug fixes.
        (closes: #268783)
 .
   * debian/patches/allow-blist-shrink.patch:
      - removed, I'm trusting upstream on this one :)
 .
   * debian/patches/libtoolize.patch:
      - updated
 .
   * debian/patches/msn-fixes-CAN-2004-0500.patch:
      - removed, included upstream
Files:
 e76d674acba7b41e1fdfbef642c9f442 825 net optional gaim_0.82.1-1.dsc
 16cfc29a95543fbc6825e648868b9761 6747121 net optional gaim_0.82.1.orig.tar.gz
 a71cfbbcc16812a1606a7caa7a04ed40 32046 net optional gaim_0.82.1-1.diff.gz
 c0692d902b5f56aa0a03b3d4dbef5d3e 3220802 net optional gaim_0.82.1-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBMk4jXcrf4TUB5sURApFfAJ4rO2IviSqbdPjDjo+yFD3TqSmCBQCfWocW
hvngDBzKnOtdOv7fS2Dxlig=
=81f5
-----END PGP SIGNATURE-----

Sebastien Bacher (seb128) wrote :

 gaim (1:0.82.1-1ubuntu1) warty; urgency=low
 .
   * Upload of the new version to fix the security issues (Warty: #915).

reopen 268783
thanks

I know we are close to release, but is this bug present in woody? I don't
see either (CAN-2004-0785 or CAN-2004-0754) of them listed in
http://www.nl.debian.org/security/nonvulns-woody.

Regards

Javier

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 2 Sep 2004 10:44:36 +0200
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: <email address hidden>
Subject: Is this bug present in woody?

--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

reopen 268783
thanks

I know we are close to release, but is this bug present in woody? I don't=
=20
see either (CAN-2004-0785 or CAN-2004-0754) of them listed in=20
http://www.nl.debian.org/security/nonvulns-woody.

Regards

Javier

--NzB8fVQJ5HfG6fxh
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBNt10i4sehJTrj0oRAnoQAKCeZ6RHYoW4aPF9d1d77hUnr4zqKQCeI82t
/oMnWOiEnW1EU2zmLzspfJM=
=/nQe
-----END PGP SIGNATURE-----

--NzB8fVQJ5HfG6fxh--

tags 268783 - sarge
tags 268783 + woody
thanks

On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fernández-Sanguino Peña wrote:
> reopen 268783
> thanks
>
> I know we are close to release, but is this bug present in woody?

Please, please update the bug's tags when you do this kind of thing.

Cheers,

--
Colin Watson [<email address hidden>]

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 5 Sep 2004 04:06:09 +0100
From: Colin Watson <email address hidden>
To: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Is this bug present in woody?

tags 268783 - sarge
tags 268783 + woody
thanks

On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fern�ez-Sanguino Pe�rote:
> reopen 268783
> thanks
>
> I know we are close to release, but is this bug present in woody?

Please, please update the bug's tags when you do this kind of thing.

Cheers,

--
Colin Watson [<email address hidden>]

On Sun, Sep 05, 2004 at 04:06:09AM +0100, Colin Watson wrote:
> On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fernández-Sanguino Peña wrote:
> > reopen 268783
> > thanks
> >
> > I know we are close to release, but is this bug present in woody?
>
> Please, please update the bug's tags when you do this kind of thing.

Sorry, for not doing that, there's no excuse.

FWIW, I tried to review the code in woody but there have been a lof of
changes from woody's 0.52 to sid's 0.82 and the precise changes done to the
CVS are not easy to trace (I don't find CVS logs with big SECURITY message
commits in them). I've investigated some vulnerabilities and they don't
seem to apply to the woody version because the functionality was not
present there (in the case of the MSN stuff) but I can't tell for sure.

Regards

Javier

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 5 Sep 2004 10:54:12 +0200
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Colin Watson <email address hidden>
Cc: <email address hidden>
Subject: Re: Is this bug present in woody?

--aVD9QWMuhilNxW9f
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Sep 05, 2004 at 04:06:09AM +0100, Colin Watson wrote:
> On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fern=E1ndez-Sanguino Pe=
=F1a wrote:
> > reopen 268783
> > thanks
> >=20
> > I know we are close to release, but is this bug present in woody?
>=20
> Please, please update the bug's tags when you do this kind of thing.

Sorry, for not doing that, there's no excuse.

FWIW, I tried to review the code in woody but there have been a lof of=20
changes from woody's 0.52 to sid's 0.82 and the precise changes done to the=
=20
CVS are not easy to trace (I don't find CVS logs with big SECURITY message=
=20
commits in them). I've investigated some vulnerabilities and they don't=20
seem to apply to the woody version because the functionality was not=20
present there (in the case of the MSN stuff) but I can't tell for sure.

Regards

Javier

--aVD9QWMuhilNxW9f
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBOtQ0i4sehJTrj0oRAnTIAJoDRjAXdNr3/mbnSpb99d7a2ihAMACfUlAR
KfI9D0TQq2fm7KJ7QX+ZYBA=
=fZwb
-----END PGP SIGNATURE-----

--aVD9QWMuhilNxW9f--

On Sun, Sep 05, 2004 at 10:54:12AM +0200, Javier Fernández-Sanguino Peña wrote:
> On Sun, Sep 05, 2004 at 04:06:09AM +0100, Colin Watson wrote:
> > On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fernández-Sanguino Peña wrote:
> > > reopen 268783
> > > thanks
> > >
> > > I know we are close to release, but is this bug present in woody?
> >
> > Please, please update the bug's tags when you do this kind of thing.
>
> Sorry, for not doing that, there's no excuse.
>
> FWIW, I tried to review the code in woody but there have been a lof of
> changes from woody's 0.52 to sid's 0.82 and the precise changes done to the
> CVS are not easy to trace (I don't find CVS logs with big SECURITY message

you won't, the fixes were by and large intentionally downplayed in the
cvs commits.

> commits in them). I've investigated some vulnerabilities and they don't
> seem to apply to the woody version because the functionality was not
> present there (in the case of the MSN stuff) but I can't tell for sure.

for all I know debian policy, and even mostly agree with the reasons for
it, 0.5x is incredibly ancient, and by and large won't even work because
of chagnes to the protocols.

luke
gaim support

>
> Regards
>
> Javier

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 5 Sep 2004 22:18:02 -0400
From: Luke Schierer <email address hidden>
To: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>, <email address hidden>
Subject: Re: Bug#268783: Is this bug present in woody?

On Sun, Sep 05, 2004 at 10:54:12AM +0200, Javier Fern�ez-Sanguino Pe�rote:
> On Sun, Sep 05, 2004 at 04:06:09AM +0100, Colin Watson wrote:
> > On Thu, Sep 02, 2004 at 10:44:36AM +0200, Javier Fern�ez-Sanguino Pe�rote:
> > > reopen 268783
> > > thanks
> > >
> > > I know we are close to release, but is this bug present in woody?
> >
> > Please, please update the bug's tags when you do this kind of thing.
>
> Sorry, for not doing that, there's no excuse.
>
> FWIW, I tried to review the code in woody but there have been a lof of
> changes from woody's 0.52 to sid's 0.82 and the precise changes done to the
> CVS are not easy to trace (I don't find CVS logs with big SECURITY message

you won't, the fixes were by and large intentionally downplayed in the
cvs commits.

> commits in them). I've investigated some vulnerabilities and they don't
> seem to apply to the woody version because the functionality was not
> present there (in the case of the MSN stuff) but I can't tell for sure.

for all I know debian policy, and even mostly agree with the reasons for
it, 0.5x is incredibly ancient, and by and large won't even work because
of chagnes to the protocols.

luke
gaim support

>
> Regards
>
> Javier

tags 268783 +security
tags 270529 -experimental

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 09 Sep 2004 10:16:54 -0400
From: Ari Pollak <email address hidden>
To: <email address hidden>
Subject: (no subject)

tags 268783 +security
tags 270529 -experimental

Hi!

This bug only affects the Debian Woody version of gaim. Now the
next stable Debian version "Sarge" is released, thus it does not make
any sense any more to keep them open.

Thanks and have a nice day,

Roberto

Changed in gaim:
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.