Vulnerability Note VU#795812

Gaim vulnerable to DoS via specially crafted HTML

Overview

Gaim contains a flaw in HTML processing that may result in an invalid memory access and denial of service condition.

I. Description

From the Gaim project:

Gaim is a multi-protocol instant messaging (IM) client for Linux, BSD, MacOS X, and Windows. It is compatible with AIM and ICQ (Oscar protocol), MSN Messenger, Yahoo!, IRC, Jabber, Gadu-Gadu, SILC, GroupWise Messenger, and Zephyr networks

Gaim is susceptible to receiving a malformed HTML message which may result in an invalid memory access.

II. Impact

A remote attacker can cause Gaim to crash, causing a denial of service condition.

III. Solution

Apply an update

This flaw has been fixed in Gaim 1.1.4. All users may download an update at the Gaim Downloads page.

As a best practice and potential workaround, users should not accept unexpected messages from unknown sources.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Gaim	Vulnerable	28-Feb-2005

References

http://gaim.sourceforge.net/security/index.php?id=12
http://secunia.com/advisories/14386/

Credit

Thanks to the Gaim project for reporting this vulnerability.

This document was written by Ken MacInnis based primarily on information from the Gaim project.

Other Information

Date Public:	2005-02-28
Date First Published:	2005-02-28
Date Last Updated:	2005-02-28
CERT Advisory:
CVE-ID(s):	CAN-2005-0208
NVD-ID(s):	CAN-2005-0208
US-CERT Technical Alerts:
Metric:	1.28
Document Revision:	4

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader