gentoo-overlay/metadata/glsa/glsa-200507-26.xml

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">

<glsa id="200507-26">
  <title>GNU Gadu, CenterICQ, Kadu, EKG, libgadu: Remote code execution in Gadu library</title>
  <synopsis>
    GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer
    overflow which could potentially lead to the execution of arbitrary code or
    a Denial of Service.
  </synopsis>
  <product type="ebuild">gnugadu centericq kadu ekg libgadu</product>
  <announced>July 27, 2005</announced>
  <revised>February 26, 2007: 02</revised>
  <bug>99816</bug>
  <bug>99890</bug>
  <bug>99583</bug>
  <access>remote</access>
  <affected>
    <package name="net-im/gnugadu" auto="yes" arch="*">
      <unaffected range="ge">2.2.6-r1</unaffected>
      <vulnerable range="lt">2.2.6-r1</vulnerable>
    </package>
    <package name="net-im/centericq" auto="yes" arch="*">
      <unaffected range="ge">4.20.0-r3</unaffected>
      <vulnerable range="lt">4.20.0-r3</vulnerable>
    </package>
    <package name="net-im/kadu" auto="yes" arch="*">
      <unaffected range="ge">0.4.1</unaffected>
      <vulnerable range="lt">0.4.1</vulnerable>
    </package>
    <package name="net-im/ekg" auto="yes" arch="*">
      <unaffected range="ge">1.6_rc3</unaffected>
      <vulnerable range="lt">1.6_rc3</vulnerable>
    </package>
    <package name="net-libs/libgadu" auto="yes" arch="*">
      <unaffected range="ge">1.7.0_pre20050719</unaffected>
      <vulnerable range="lt">1.7.0_pre20050719</vulnerable>
    </package>
  </affected>
  <background>
    <p>
    GNU Gadu, CenterICQ, Kadu and EKG are instant messaging applications
    created to support Gadu Gadu instant messaging protocol. libgadu is a
    library that implements the client side of the Gadu-Gadu protocol.
    </p>
  </background>
  <description>
    <p>
    GNU Gadu, CenterICQ, Kadu, EKG and libgadu are vulnerable to an integer
    overflow.
    </p>
  </description>
  <impact type="high">
    <p>
    A remote attacker could exploit the integer overflow to execute
    arbitrary code or cause a Denial of Service.
    </p>
  </impact>
  <workaround>
    <p>
    There is no known workaround at this time.
    </p>
  </workaround>
  <resolution>
    <p>
    All GNU Gadu users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/gnugadu-2.2.6-r1&quot;</code>
    <p>
    All Kadu users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/kadu-0.4.1&quot;</code>
    <p>
    All EKG users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/ekg-1.6_rc3&quot;</code>
    <p>
    All libgadu users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=net-libs/libgadu-20050719&quot;</code>
    <p>
    All CenterICQ users should upgrade to the latest version:
    </p>
    <code>
    # emerge --sync
    # emerge --ask --oneshot --verbose &quot;&gt;=net-im/centericq-4.20.0-r3&quot;</code>
    <p>
    CenterICQ is no longer distributed with Gadu Gadu support, affected
    users are encouraged to migrate to an alternative package.
    </p>
  </resolution>
  <references>
    <uri link="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1852">CAN-2005-1852</uri>
    <uri link="http://www.securityfocus.com/archive/1/406026/30/">BugTraq Announcement</uri>
  </references>
  <metadata tag="requester" timestamp="Sat, 23 Jul 2005 12:05:13 +0000">
    jaervosz
  </metadata>
  <metadata tag="submitter" timestamp="Sat, 23 Jul 2005 12:53:13 +0000">
    adir
  </metadata>
  <metadata tag="bugReady" timestamp="Tue, 26 Jul 2005 19:58:40 +0000">
    DerCorny
  </metadata>
</glsa>