Vulnerability Update [VU#825121]

Luke Schierer lschiere at
Wed Feb 28 18:00:32 EST 2007

Hash: SHA1

On Feb 28, 2007, at 17:37 EST, Daniel Atallah wrote:

> On 2/28/07, Luke Schierer <lschiere at> wrote:
>> - --- Begin report - Not for public distribution ----------
>> There is a function whose prototype is :
>> void gaim_debug(GaimDebugLevel level, const char *category, const
>> char *format, ...);
>> declared in my /usr/include/gaim/debug.h header.
>>   Now, if you look at the source file in  <somepath>/gaim-1.5.0/
>> plugins/perl/common/Gaim.c
>>   you'll find this function missused in 3 places :
>>   line 204: gaim_debug(level, category, string);
>>   line 220:Â gaim_debug(GAIM_DEBUG_MISC, category, string);
>>   line 237:Â gaim_debug(GAIM_DEBUG_INFO, category, string);
>>   In those 3 places, the "string" variable can allow an attacker to
>>   inject its own format string, and therefore,
>>   read or write anywhere in the process's memory, potentially  
>> allowing
>>   arbitrary execution.
>> - --- End Report - Not for public distribution -----------
> Has anyone actually verified that this is actually exploitable  
> remotely?
> These are just in the Perl bindings - a malicious perl plugin could
> certainly do bad things with them, but the ability of a plugin to do
> bad things is hardly a vulnerability.
> -D

my reply at the time was:

We received a report of these potential problems yesterday.  We have  
investigated them and found none to be remotely exploitable.  A  
couple of them could be exploited if you load a malicious plugin into  
gaim, but we consider this very low risk because the same care should  
be exercised in choosing plugins as goes into deciding what software  
to run,  a plugin does not need for such weak points to exist to do  
all sorts of potentially malicious things.

That being said, we have checked in fixes to these issues for the  
2.0.0 beta6 release, which should be this month, unfortunately I do  
not have exact timing on this release at this time.

Version: GnuPG v1.4.5 (Darwin)


More information about the Cabal mailing list