Bugtraq mailing list archives

recent gaim advisory
From: infamous41md () hotpop com
Date: Fri, 13 Aug 2004 01:12:24 -0400

If anyone else was looking for some of the overflows mentioned in the
rather cryptic advisory, I found one of them in:

/gaim-0.81/src/protocols/msn/slp.c :648 in the function msn_slp_sip_recv(). An
improper use of strncpy().


Not very interesting for us, but there is a local overflow. It's not
stack-based: the buffer is a global, so it's somewhere in .bss. That is in:

/gaim-0.81/src/protocols/msn/utils.c :134 in the function encode_spaces(). It
doesn't check the length of the buffer it copies into, unless there is some max
bounds way higher up in the gtk functions that I missed.


Another local (stack-based) overflow in:

/gaim-0.81/src/protocols/msn/utils.c :198 in the function msn_import_html(). It
is not exploitable though: multiple calls to strcat() to a small buffer, but no
control over the data being appended.


And there are many, many places where the return value of dynamic memory
allocation routines is not tested. Actually, to rephrase that, I don't think
there are many places where the return value IS checked, or in some cases
the check is only after the possibly NULL pointer has already been used. On a
similar note, there is little to no checking of the return value of all sorts of
other library functions.
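The three bug classes the post names (a strncpy() call whose count is not tied to the destination, an unbounded "space to %20" expansion into a fixed global buffer, and an unchecked allocation), as an added C illustration that is not gaim's code and not part of the original post. Each "bad" routine is a hypothetical reconstruction of the pattern, not the actual gaim function, and sits beside a bounded replacement; the buffer size, the global name g_encoded and the sample strings are made up so the growth is visible.

```c
/* Added illustration, not gaim's code: hypothetical reconstructions of the
 * bug patterns named in the post, each beside a bounded replacement. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OUT_BUF_SZ 16   /* deliberately small so the 3x expansion is visible */

/* --- 1. strncpy() with a count that bounds nothing --------------------- */

/* Hypothetical bad pattern: the count is the length of the *source*, so the
 * destination size never enters the picture, and strncpy() adds no NUL when
 * the source fills the count. (Pattern only; not gaim's msn_slp_sip_recv().) */
static void copy_field_bad(char *dst, const char *src)
{
    strncpy(dst, src, strlen(src));   /* writes strlen(src) bytes, no terminator */
}

/* Bounded replacement: the count comes from the destination, the terminator
 * is explicit, and the caller learns whether the input was truncated. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return 1;
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return strlen(src) >= dstsz;      /* 1 if truncated */
}

/* --- 2. unbounded expansion into a fixed global buffer ----------------- */

static char g_encoded[OUT_BUF_SZ];    /* stand-in for a global scratch buffer in .bss */

/* Hypothetical bad pattern: every ' ' becomes "%20", so output can be three
 * times the input, yet nothing compares the running length to sizeof g_encoded.
 * Only ever call this with input known to fit; on longer input it overruns. */
static char *encode_spaces_bad(const char *in)
{
    char *p = g_encoded;
    for (; *in; in++) {
        if (*in == ' ') { *p++ = '%'; *p++ = '2'; *p++ = '0'; }
        else            { *p++ = *in; }
    }
    *p = '\0';
    return g_encoded;
}

/* Output length (without NUL) the encoding needs; lets a caller size a buffer. */
static size_t encoded_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++) n += (*in == ' ') ? 3 : 1;
    return n;
}

/* Bounded replacement: never writes past outsz, always NUL-terminates, and
 * returns the full length needed (snprintf-style) so truncation is detectable. */
static size_t encode_spaces(const char *in, char *out, size_t outsz)
{
    size_t need = 0, used = 0;
    int full = (outsz == 0);
    for (; *in; in++) {
        const char *piece = (*in == ' ') ? "%20" : in;
        size_t len = (*in == ' ') ? 3 : 1;
        need += len;
        if (!full && used + len < outsz) {   /* keep one byte for the NUL */
            memcpy(out + used, piece, len);
            used += len;
        } else {
            full = 1;                         /* stop writing, keep counting */
        }
    }
    if (outsz) out[used] = '\0';
    return need;
}

/* --- 3. allocation sized from the real need, with the result checked --- */

/* Returns NULL on allocation failure instead of dereferencing it; the caller
 * must test the result, which is the check the post says is usually missing. */
static char *encode_spaces_dup(const char *in)
{
    size_t need = encoded_len(in);
    char *buf = malloc(need + 1);
    if (buf == NULL) return NULL;
    encode_spaces(in, buf, need + 1);
    return buf;
}

int main(void)
{
    char small[8];
    memset(small, 'X', sizeof small);
    copy_field_bad(small, "abc");
    printf("strncpy with source length leaves byte 3 as '%c', not NUL\n", small[3]);

    const char *sample = "a b c d e f";          /* constructed input: 11 bytes, 5 spaces */
    char out[OUT_BUF_SZ];
    size_t need = encode_spaces(sample, out, sizeof out);
    printf("need %zu bytes, buffer holds %d: got \"%s\"\n", need, OUT_BUF_SZ, out);

    char *heap = encode_spaces_dup(sample);
    if (heap == NULL) return 1;
    printf("heap copy: \"%s\"\n", heap);
    free(heap);
    return 0;
}
```

The bounded routines follow the snprintf convention of returning the length that would have been needed, which is what lets a caller distinguish "fit" from "silently cut" and is the check encode_spaces_bad and copy_field_bad have no way to offer.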

