Vulnerability Update [VU#825121]

Luke Schierer lschiere at pidgin.im
Wed Feb 28 17:19:05 EST 2007


On Feb 28, 2007, at 17:09 EST, Daniel Atallah wrote:

> On 2/28/07, Luke Schierer <lschiere at pidgin.im> wrote:
>> Anyone have any ideas on what we should say in our "vendor statement"?
>>
>> luke
>
> Which vulnerability is this?
> -D
>

--- Begin report - Not for public distribution ----------

There is a function whose prototype is :

void gaim_debug(GaimDebugLevel level, const char *category, const char *format, ...);

declared in my /usr/include/gaim/debug.h header.

  Now, if you look at the source file in <somepath>/gaim-1.5.0/plugins/perl/common/Gaim.c

  you'll find this function misused in 3 places :

  line 204: gaim_debug(level, category, string);
  line 220: gaim_debug(GAIM_DEBUG_MISC, category, string);
  line 237: gaim_debug(GAIM_DEBUG_INFO, category, string);

  In those 3 places, the "string" variable can allow an attacker to
  inject its own format string, and therefore,
  read or write anywhere in the process's memory, potentially allowing
  arbitrary execution.

--- End Report - Not for public distribution -----------
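The call pattern described in the report, as an added example that is not part of the original message or of Gaim's source: `debug_log` is a hypothetical stand-in for `gaim_debug` with the same printf-style tail, and the sample string is constructed. Its `%%` consumes no arguments, so the difference between "string as format" and "string as data" is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];   /* holds the most recent formatted message */

/* Hypothetical stand-in for gaim_debug(): category plus printf-style format. */
static void debug_log(const char *category, const char *format, ...)
{
    va_list ap;
    int n = snprintf(last_line, sizeof last_line, "%s: ", category);
    if (n < 0 || (size_t)n >= sizeof last_line)
        return;                       /* category alone filled the buffer */
    va_start(ap, format);
    vsnprintf(last_line + n, sizeof last_line - (size_t)n, format, ap);
    va_end(ap);
}

/* Pattern from the report: caller-supplied text lands in the format slot,
 * so every '%' in it is interpreted as a conversion directive. */
const char *log_as_format(const char *category, const char *string)
{
    debug_log(category, string);
    return last_line;
}

/* Corrected pattern: constant format, caller-supplied text passed as data. */
const char *log_as_data(const char *category, const char *string)
{
    debug_log(category, "%s", string);
    return last_line;
}

int main(void)
{
    /* Constructed sample input; "%%" is a directive that takes no argument. */
    const char *string = "load 100%% done";

    printf("[%s]\n", log_as_format("perl", string)); /* directive interpreted */
    printf("[%s]\n", log_as_data("perl", string));   /* text logged verbatim  */
    return 0;
}
```

Declaring a logging function with GCC/Clang's `__attribute__((format(printf, ...)))` lets `-Wformat -Wformat-security` flag call sites that pass a non-literal string with no arguments as the format.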

