Vulnerability Note VU#523888

Gaim vulnerable to HTML processing denial of service

Overview

Gaim contains a flaw in HTML processing that may result in an invalid memory access and denial of service condition.

I. Description

From the Gaim project:

Gaim is a multi-protocol instant messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks

Gaim is susceptible to receiving a malformed HTML message which may result in an invalid memory access.

II. Impact

A remote attacker can cause Gaim to crash, causing a denial of service condition.

III. Solution

Apply an update

This flaw has been fixed in Gaim 1.1.3, along with other potential security vulnerabilities. All users may download an update at the Gaim Downloads page.
As a best practice and potential workaround, users should not accept unexpected messages from unknown sources.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Gaim	Vulnerable	21-Feb-2005

References

http://secunia.com/advisories/14322/
http://gaim.sourceforge.net/security/index.php?id=11

Credit

Thanks to the Gaim project for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information from the Gaim project.

Other Information

Date Public:	2005-02-17
Date First Published:	2005-02-21
Date Last Updated:	2005-02-21
CERT Advisory:
CVE-ID(s):	CAN-2005-0473
NVD-ID(s):	CAN-2005-0473
US-CERT Technical Alerts:
Metric:	1.28
Document Revision:	8

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader