-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2005.0347 -- Debian Security Advisory DSA 716-1
                  New gaim packages fix denial of service
                               28 April 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gaim
Publisher:         Debian
Operating System:  Debian GNU/Linux 3.0
                   Linux variants
Impact:            Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-0472

Original Bulletin: http://www.debian.org/security/2005/dsa-716

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 716-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
April 27th, 2005                        http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : gaim
Vulnerability  : denial of service
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0472

It has been discovered that certain malformed SNAC packets sent by
other AIM or ICQ users can trigger an infinite loop in Gaim, a
multi-protocol instant messaging client, and hence lead to a denial of
service of the client.

Two more denial of service conditions have been discovered in newer
versions of Gaim which are fixed in the package in sid but are not
present in the package in woody.

For the stable distribution (woody) this problem has been fixed in
version 0.58-2.5.

For the unstable distribution (sid) these problems have been fixed in
version 1.1.3-1.

We recommend that you upgrade your gaim packages.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5.dsc
      Size/MD5 checksum:      681 e985a045131d5ad43c2192533d581d49
    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5.diff.gz
      Size/MD5 checksum:    23078 688d4d51bd00e863c4c911f539708f0d
    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58.orig.tar.gz
      Size/MD5 checksum:  1928057 644df289daeca5f9dd3983d65c8b2407

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_alpha.deb
      Size/MD5 checksum:   480588 297fed5e44fab4f49c3c103159ee3dc4
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_alpha.deb
      Size/MD5 checksum:   674918 1a59dbf94b98f25c18eaeee28aab5910
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_alpha.deb
      Size/MD5 checksum:   501450 bbe7cdac070bed0937596df34052c555

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_arm.deb
      Size/MD5 checksum:   401938 1f9588d2015c20477f35f59de2e67190
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_arm.deb
      Size/MD5 checksum:   615258 6a1d88825004fb405881674236b5f34b
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_arm.deb
      Size/MD5 checksum:   422646 eab79e46b080475268510509635388b2

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_i386.deb
      Size/MD5 checksum:   389530 e4b3815727835a3ab112fb109a328021
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_i386.deb
      Size/MD5 checksum:   605678 619283e7b98add8bf725beb71a3de75b
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_i386.deb
      Size/MD5 checksum:   409274 c81aa5abd01455d0b082c6503e5abb32

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_ia64.deb
      Size/MD5 checksum:   557214 f57cd6a3c35d2d7042690e5584d3c49c
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_ia64.deb
      Size/MD5 checksum:   765410 33b7051caea6919c87519bc9c570ef69
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_ia64.deb
      Size/MD5 checksum:   570064 2a9d5dbdd9b1bc7470d3a7a12cf3b453

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_hppa.deb
      Size/MD5 checksum:   459698 74a1621f52f73e436aeffc82e1c528a5
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_hppa.deb
      Size/MD5 checksum:   691344 06a88c54e725114cb0818b50dce65fd5
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_hppa.deb
      Size/MD5 checksum:   481568 5aaf2370d855711ae2d2916c13831f0b

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_m68k.deb
      Size/MD5 checksum:   370690 627841728dabb3c6e83e60c8001a0ac4
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_m68k.deb
      Size/MD5 checksum:   622818 e4205658f157914fc5cea27c7248a71d
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_m68k.deb
      Size/MD5 checksum:   392316 8ee4f81a43e8b9ae123adadba2eed04c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_mips.deb
      Size/MD5 checksum:   406618 354027157ccc8439f28f3d05198cce12
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_mips.deb
      Size/MD5 checksum:   615058 36c64cdcac52153d504eb7e246560510
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_mips.deb
      Size/MD5 checksum:   427314 7f59f09c347ed39a12fad8408c40fab3

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_mipsel.deb
      Size/MD5 checksum:   397210 f690bab2d77b7f5bc5c207ab8799a7ae
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_mipsel.deb
      Size/MD5 checksum:   607548 a62777c3ba8590660821edb1f46947ee
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_mipsel.deb
      Size/MD5 checksum:   416922 31b725e25888062257b1d9a212450a0e

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_powerpc.deb
      Size/MD5 checksum:   413722 b499efefdd53e1e1f99c82fe4345d740
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_powerpc.deb
      Size/MD5 checksum:   643070 e6a50e343c77e80e72c26570e4086452
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_powerpc.deb
      Size/MD5 checksum:   434530 be29354736f00ed85d5aa36d0bb86330

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_s390.deb
      Size/MD5 checksum:   399718 1328ff0fecf64d0a8db50bcbf6a4307d
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_s390.deb
      Size/MD5 checksum:   644284 c668b1de2ad8c707c5f8ad2de456bf9c
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_s390.deb
      Size/MD5 checksum:   422222 14e4654f7df7c22fb6e8240908c7836c

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gaim/gaim_0.58-2.5_sparc.deb
      Size/MD5 checksum:   409866 7d8a00f61567dea550246ba36ee8f350
    http://security.debian.org/pool/updates/main/g/gaim/gaim-common_0.58-2.5_sparc.deb
      Size/MD5 checksum:   654072 aca9f7da61fa3f05e5394844fd1cc0ba
    http://security.debian.org/pool/updates/main/g/gaim/gaim-gnome_0.58-2.5_sparc.deb
      Size/MD5 checksum:   428798 d4eb82d10dfcaee16df40d3c4547e809


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCb1MxW5ql+IAeqTIRAuyDAKCLgLcvQQL/yHUrPyfnN4NA+l1xigCfRGK7
sXTZIJCQn4+aJhY27nCPr7Y=
=muNJ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQnA7hyh9+71yA2DNAQJ5igP/YrlnuX+Rtn6wRS1cPgkwqY+nK78rBauM
uvIIHd2rovB93XqXKo4f8XoFfh9vW0na8ugdlG2yQlLYrrz4Ydnx+fdh9vq/001E
l5NelCtOlq1TIbM7j2kPGRMSjyBk7C3Hb12hbLpSnGh7ZWoSsKJcjIU0jJN6i3TA
YmxnxFu/uSg=
=3SV5
-----END PGP SIGNATURE-----