diff options
Diffstat (limited to 'share/security/advisories/FreeBSD-SA-00:74.gaim.asc')
| -rw-r--r-- | share/security/advisories/FreeBSD-SA-00:74.gaim.asc | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/share/security/advisories/FreeBSD-SA-00:74.gaim.asc b/share/security/advisories/FreeBSD-SA-00:74.gaim.asc new file mode 100644 index 0000000000..ac85747eea --- /dev/null +++ b/share/security/advisories/FreeBSD-SA-00:74.gaim.asc @@ -0,0 +1,94 @@ +-----BEGIN PGP SIGNED MESSAGE----- + +============================================================================= +FreeBSD-SA-00:74 Security Advisory + FreeBSD, Inc. + +Topic: gaim remote vulnerability + +Category: ports +Module: gaim +Announced: 2000-11-20 +Credits: Stan Bubrouski <stan@CCS.NEU.EDU> +Affects: Ports collection prior to the correction date. +Corrected: 2000-11-16 +Vendor status: Updated version released +FreeBSD only: NO + +I. Background + +gaim is a popular AOL Instant Messenger client. + +II. Problem Description + +The gaim port, versions prior to 0.10.3_1, allows a client-side +exploit through a buffer overflow in the HTML parsing code. This +vulnerability may allow remote users to execute arbitrary code as the +user running gaim. + +The gaim port is not installed by default, nor is it "part of FreeBSD" +as such: it is part of the FreeBSD ports collection, which contains +over 4100 third-party applications in a ready-to-install format. The +ports collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this +problem since it was discovered after the releases, but it was +corrected prior to the release of FreeBSD 4.2. + +FreeBSD makes no claim about the security of these third-party +applications, although an effort is underway to provide a security +audit of the most security-critical ports. + +III. Impact + +Malicious remote users may execute arbitrary code as the user running +gaim. + +If you have not chosen to install the gaim port/package, then your +system is not vulnerable to this problem. + +IV. Workaround + +Deinstall the gaim port/package, if you you have installed it. + +V. Solution + +One of the following: + +1) Upgrade your entire ports collection and rebuild the gaim port. + +2) Deinstall the old package and install a new package dated after the +correction date, obtained from: + +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/gaim-0.10.3_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/gaim-0.10.3_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/gaim-0.10.3_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/gaim-0.10.3_1.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/gaim-0.10.3_1.tgz + +NOTE: It may be several days before updated packages are available. + +3) download a new port skeleton for the gaim port from: + +http://www.freebsd.org/ports/ + +and use it to rebuild the port. + +4) Use the portcheckout utility to automate option (3) above. The +portcheckout port is available in /usr/ports/devel/portcheckout or the +package can be obtained from: + +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz +ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.0.4 (FreeBSD) +Comment: For info see http://www.gnupg.org + +iQCVAwUBOhmWVVUuHi5z0oilAQGDvwP+LYld3QmBByW+w9LkQ6wKLtaqFqWO+dEL +1JQm44OEVgWX01btMuyVvso9iqn3bCVHE8CatXPp4mnwEgR29lu2taU7ilKWOxwX +Odh9Q+XrWGaCRP/LkiPYUVpsc1gwoBpqEdrGjbv2LhIg04uyd/W1rwEfSPtOZUNW +3ISE4DYF7RQ= +=Yt3k +-----END PGP SIGNATURE----- |