[33264] in bugtraq
Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code
daemon@ATHENA.MIT.EDU (lowhalo@hush.com)
Tue Jan 27 13:21:27 2004
Message-Id: <200401270116.i0R1GFbO064083@mailserver1.hushmail.com>
Date: Mon, 26 Jan 2004 17:16:14 -0800
To: bugtraq@securityfocus.com
Cc:
From: <lowhalo@hush.com>
MIME-Version: 1.0
Content-type: multipart/mixed; boundary="Hush_boundary-4015bbde7dac5"
--Hush_boundary-4015bbde7dac5
Content-type: text/plain
Ultramagnetic Advisory #001: January 26th, 2004
http://ultramagnetic.sourceforge.net/advisories/001.html
Severity: 9 (High)
Document Revision: 1.0
Overview
Ultramagnetic is a concurrent fork of the Gaim instant messaging software
which adds strong end-to-end encryption and authentication using GnuPG's
libgcrypt and anonymous routing with Hacktivismo's Six/Four protocol.
Multiple buffer overflow vulnerabilities have been found in the code
forked from Gaim. Full details are available at this URL:
http://security.e-matters.de/advisories/012004.html
Note that these vulnerabilities DO NOT compromise the
integrity of the encryption or authentication.
Affected Versions
All versions prior to Ultramagnetic v0.81 are affected by CAN-2004-0006,
CAN-2004-0007, CAN-2004-0008:
v0.01 Preview Alpha 1
v0.02 Preview Alpha 2
v0.03 Preview Alpha 3
v0.10 Beta
v0.20 Beta
v0.40 Beta
v0.50 Beta
v0.55 Beta
v0.60 Beta
v0.65 Beta
v0.70 Beta
v0.80 Beta
None of the versions mentioned above are vulnerable to CAN-2004-0005.
Solution
All users are strongly encouraged to upgrade to Ultramagnetic v0.81
(or later):
Source bz2:
http://prdownloads.sourceforge.net/ultramagnetic/
ultramagnetic-0.81.tar.bz2?download
http://prdownloads.sourceforge.net/ultramagnetic/
ultramagnetic-0.81.tar.bz2.sig?download
Linux x86 RPM:
http://prdownloads.sourceforge.net/ultramagnetic/
ultramagnetic-0.81-1.i386.rpm?download
http://prdownloads.sourceforge.net/ultramagnetic/
ultramagnetic-0.81-1.i386.rpm.sig?download
References
* E-matters: 12 x Gaim remote overflows:
http://security.e-matters.de/advisories/012004.html
* CVE: CAN-2004-0006
* CVE: CAN-2004-0007
* CVE: CAN-2004-0008
- --
low halo
Defender of Truth and Liberty
http://ultramagnetic.sourceforge.net/
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AFB17F6
9AB1 FF04 016F 89A3 5B4E A585 BDBB 5FBE 3AFB 17F6
--Hush_boundary-4015bbde7dac5
Content-type: text/plain; name="001.txt.asc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="001.txt.asc"
LS0tLS1CRUdJTiBQR1AgU0lHTkVEIE1FU1NBR0UtLS0tLQpIYXNoOiBTSEExCgoKVWx0cmFtYWdu
ZXRpYyBBZHZpc29yeSAjMDAxOiBKYW51YXJ5IDI2dGgsIDIwMDQKaHR0cDovL3VsdHJhbWFnbmV0
aWMuc291cmNlZm9yZ2UubmV0L2Fkdmlzb3JpZXMvMDAxLmh0bWwKU2V2ZXJpdHk6IDkgKEhpZ2gp
CkRvY3VtZW50IFJldmlzaW9uOiAxLjAKCgpPdmVydmlldwoKVWx0cmFtYWduZXRpYyBpcyBhIGNv
bmN1cnJlbnQgZm9yayBvZiB0aGUgR2FpbSBpbnN0YW50IG1lc3NhZ2luZyBzb2Z0d2FyZQp3aGlj
aCBhZGRzIHN0cm9uZyBlbmQtdG8tZW5kIGVuY3J5cHRpb24gYW5kIGF1dGhlbnRpY2F0aW9uIHVz
aW5nIEdudVBHJ3MKbGliZ2NyeXB0IGFuZCBhbm9ueW1vdXMgcm91dGluZyB3aXRoIEhhY2t0aXZp
c21vJ3MgU2l4L0ZvdXIgcHJvdG9jb2wuCgpNdWx0aXBsZSBidWZmZXIgb3ZlcmZsb3cgdnVsbmVy
YWJpbGl0aWVzIGhhdmUgYmVlbiBmb3VuZCBpbiB0aGUgY29kZQpmb3JrZWQgZnJvbSBHYWltLiAg
RnVsbCBkZXRhaWxzIGFyZSBhdmFpbGFibGUgYXQgdGhpcyBVUkw6Cmh0dHA6Ly9zZWN1cml0eS5l
LW1hdHRlcnMuZGUvYWR2aXNvcmllcy8wMTIwMDQuaHRtbAoKTm90ZSB0aGF0IHRoZXNlIHZ1bG5l
cmFiaWxpdGllcyBETyBOT1QgY29tcHJvbWlzZSB0aGUKaW50ZWdyaXR5IG9mIHRoZSBlbmNyeXB0
aW9uIG9yIGF1dGhlbnRpY2F0aW9uLgoKCgpBZmZlY3RlZCBWZXJzaW9ucwoKQWxsIHZlcnNpb25z
IHByaW9yIHRvIFVsdHJhbWFnbmV0aWMgdjAuODEgYXJlIGFmZmVjdGVkIGJ5IENBTi0yMDA0LTAw
MDYsCkNBTi0yMDA0LTAwMDcsIENBTi0yMDA0LTAwMDg6Cgp2MC4wMSBQcmV2aWV3IEFscGhhIDEK
djAuMDIgUHJldmlldyBBbHBoYSAyCnYwLjAzIFByZXZpZXcgQWxwaGEgMwp2MC4xMCBCZXRhCnYw
LjIwIEJldGEKdjAuNDAgQmV0YQp2MC41MCBCZXRhCnYwLjU1IEJldGEKdjAuNjAgQmV0YQp2MC42
NSBCZXRhCnYwLjcwIEJldGEKdjAuODAgQmV0YQoKTm9uZSBvZiB0aGUgdmVyc2lvbnMgbWVudGlv
bmVkIGFib3ZlIGFyZSB2dWxuZXJhYmxlIHRvIENBTi0yMDA0LTAwMDUuCgoKClNvbHV0aW9uCgpB
bGwgdXNlcnMgYXJlIHN0cm9uZ2x5IGVuY291cmFnZWQgdG8gdXBncmFkZSB0byBVbHRyYW1hZ25l
dGljIHYwLjgxCihvciBsYXRlcik6CgpTb3VyY2UgYnoyOgogICAgaHR0cDovL3ByZG93bmxvYWRz
LnNvdXJjZWZvcmdlLm5ldC91bHRyYW1hZ25ldGljLwogICAgICAgIHVsdHJhbWFnbmV0aWMtMC44
MS50YXIuYnoyP2Rvd25sb2FkCiAgICBodHRwOi8vcHJkb3dubG9hZHMuc291cmNlZm9yZ2UubmV0
L3VsdHJhbWFnbmV0aWMvCiAgICAgICAgdWx0cmFtYWduZXRpYy0wLjgxLnRhci5iejIuc2lnP2Rv
d25sb2FkCgpMaW51eCB4ODYgUlBNOgogICAgaHR0cDovL3ByZG93bmxvYWRzLnNvdXJjZWZvcmdl
Lm5ldC91bHRyYW1hZ25ldGljLwogICAgICAgIHVsdHJhbWFnbmV0aWMtMC44MS0xLmkzODYucnBt
P2Rvd25sb2FkCiAgICBodHRwOi8vcHJkb3dubG9hZHMuc291cmNlZm9yZ2UubmV0L3VsdHJhbWFn
bmV0aWMvCiAgICAgICAgdWx0cmFtYWduZXRpYy0wLjgxLTEuaTM4Ni5ycG0uc2lnP2Rvd25sb2Fk
CgoKUmVmZXJlbmNlcwoKICAgICogRS1tYXR0ZXJzOiAxMiB4IEdhaW0gcmVtb3RlIG92ZXJmbG93
czoKICAgICAgICAgIGh0dHA6Ly9zZWN1cml0eS5lLW1hdHRlcnMuZGUvYWR2aXNvcmllcy8wMTIw
MDQuaHRtbAogICAgKiBDVkU6IENBTi0yMDA0LTAwMDYKICAgICogQ1ZFOiBDQU4tMjAwNC0wMDA3
CiAgICAqIENWRTogQ0FOLTIwMDQtMDAwOAoKCgotIC0tCmxvdyBoYWxvIApEZWZlbmRlciBvZiBU
cnV0aCBhbmQgTGliZXJ0eQpodHRwOi8vdWx0cmFtYWduZXRpYy5zb3VyY2Vmb3JnZS5uZXQvCiAK
aHR0cDovL3BncC5taXQuZWR1OjExMzcxL3Brcy9sb29rdXA/b3A9Z2V0JnNlYXJjaD0weDNBRkIx
N0Y2CjlBQjEgRkYwNCAwMTZGIDg5QTMgNUI0RSAgQTU4NSBCREJCIDVGQkUgM0FGQiAxN0Y2Cgot
LS0tLUJFR0lOIFBHUCBTSUdOQVRVUkUtLS0tLQpWZXJzaW9uOiBHbnVQRyB2MS4yLjQgKEdOVS9M
aW51eCkKCmlEOERCUUZBRlg3TXZidGZ2anI3Ri9ZUkFuS29BSjQzRndHcmtKVlBuaXBMbEhrclNM
K21oMWRQVVFDZlNtTnEKR3pRa3pBclpjOU45VEpWWXNwSEJ2S289Cj16dG1uCi0tLS0tRU5EIFBH
UCBTSUdOQVRVUkUtLS0tLQo=
--Hush_boundary-4015bbde7dac5--
Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434
Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427
