Users login

Create an account »


Users login

Home » Hacking News » DSA 158-1-gaim

DSA 158-1-gaim

by Nikola Strahija on August 27th, 2002 The developers of Gaim, an instant messenger client that combines several different networks, found a vulnerability in the hyperlink handling code. The 'Manual' browser command passes an untrusted string to the shell without escaping or reliable quoting, permitting an attacker to execute arbitrary commands on the users machine. Unfortunately, Gaim doesn't display the hyperlink before the user clicks on it. Users who use other inbuilt browser commands aren't vulnerable.

This problem has been fixed in version 0.58-2.2 for the current
stable distribution (woody) and in version 0.59.1-2 for the unstable
distribution (sid). The old stable distribution (potato) is not
affected since it doesn't ship the Gaim program.

The fixed version of Gaim no longer passes the user's manual browser
command to the shell. Commands which contain the %s in quotes will
need to be amended, so they don't contain any quotes. The 'Manual'
browser command can be edited in the 'General' pane of the
'Preferences' dialog, which can be accessed by clicking 'Options' from
the login window, or 'Tools' and then 'Preferences' from the menu bar
in the buddy list window.

We recommend that you upgrade your gaim package immediately.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

Source archives:
Size/MD5 checksum: 681 388e7ad7ea82f72e80f5e7b950b74d9f
Size/MD5 checksum: 21077 f40a10f65ec69c219209f3833a601451
Size/MD5 checksum: 1928057 644df289daeca5f9dd3983d65c8b2407

Alpha architecture:
Size/MD5 checksum: 479720 4d8e4ea7f37653cc63bd9c6f3f5b2698
Size/MD5 checksum: 674568 60234f1a1896d77e924e9ebb99eee12b
Size/MD5 checksum: 501208 932052409cdc11ea89330709a41f32e4

ARM architecture:
Size/MD5 checksum: 401834 6a25ab2f49f104a8cb60dfb266687b4e
Size/MD5 checksum: 614864 251f521cfe92b00282f3d633e2ecdc06
Size/MD5 checksum: 422330 420edd09bad2f4587b843f18e7c56a0c

Intel IA-32 architecture:
Size/MD5 checksum: 389256 bb1688d11f1e444e7116e3ce48d4b299
Size/MD5 checksum: 606056 ff6443a2cc3be13f8d97f8c56f93bf05
Size/MD5 checksum: 409108 028dc6cfa04b921f94500853d65f1069

Intel IA-64 architecture:
Size/MD5 checksum: 557146 d99d9f408b423e4ecb572d6c529ec271
Size/MD5 checksum: 765084 20cf4447c02e5691f90f7c19088dc556
Size/MD5 checksum: 569896 829bba8b920ff5355cbc72dc918bc6a4

HP Precision architecture:
Size/MD5 checksum: 459416 42f17cb42279fd9148a44be663244298
Size/MD5 checksum: 690992 b6e1d262705760055eb6fd3c2a8b393e
Size/MD5 checksum: 481388 5c142618e62f2d67d2bc827722668ff5

Motorola 680x0 architecture:
Size/MD5 checksum: 370536 5d39e480ed1d679defe431f572057f84
Size/MD5 checksum: 622442 50592bfee0dae035546809ffbf1cb4c6
Size/MD5 checksum: 392112 03fd2c0fbb9609f8d3a32f72f9e0cb4c

Big endian MIPS architecture:
Size/MD5 checksum: 406360 7b6285a0ff3524dd0880b1a527ed34f7
Size/MD5 checksum: 614736 a5f56778d9f5dc6a8a994cd00dec3e11
Size/MD5 checksum: 427188 8eae2b955d9f1d52eb98040b6a34500c

Little endian MIPS architecture:
Size/MD5 checksum: 396998 1c0c22d86c37c1d45be00ae5109398cb
Size/MD5 checksum: 607172 656a46f56cf74c5a3344867d6035ac32
Size/MD5 checksum: 416714 f0cc84cc3ebc22a57676fc772c2d0ac6

PowerPC architecture:
Size/MD5 checksum: 413474 b550a080853403e43b22b87e93cf5d49
Size/MD5 checksum: 642704 6cc33cd7c71f9d9aa876fdc8ec9d398a
Size/MD5 checksum: 434308 cb41515071ff367d0ef4fc0f5584922e

IBM S/390 architecture:
Size/MD5 checksum: 392194 06512a9f37536e2e35c1f86005fd5756
Size/MD5 checksum: 639284 4da689aa738e0a4d9e2cd8f706ba43d2
Size/MD5 checksum: 413366 86da87c92f1683a5fc28f48a81a8fdea

Sun Sparc architecture:
Size/MD5 checksum: 409692 235cd54de30bc2350327f9f23402c2b3
Size/MD5 checksum: 653688 7db26ec6875eb42c7a655fb9622f0128
Size/MD5 checksum: 428526 3e4ecedebe2eeaa38c4857f5a37816dc

These files will probably be moved into the stable distribution on
its next revision.

For apt-get: deb stable/updates main
For dpkg-ftp:
Mailing list: [email protected]
Package info: `apt-cache show ' and

Version: GnuPG v1.0.7 (GNU/Linux)


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »