Various overflows in the handling of AIM DirectIM packets was revealed in GAIM that could lead to a remote compromise of the IM client.
|Package||net-im/gaim on all architectures|
|Affected versions||< 0.75-r7|
|Unaffected versions||>= 0.75-r7|
Gaim is a multi-platform and multi-protocol instant messaging client. It is compatible with AIM , ICQ, MSN Messenger, Yahoo, IRC, Jabber, Gadu-Gadu, and the Zephyr networks.
Yahoo changed the authentication methods to their IM servers, rendering GAIM useless. The GAIM team released a rushed release solving this issue, however, at the same time a code audit revealed 12 new vulnerabilities.
Due to the nature of instant messaging many of these bugs require man-in-the-middle attacks between the client and the server. But the underlying protocols are easy to implement and attacking ordinary TCP sessions is a fairly simple task. As a result, all users are advised to upgrade their GAIM installation.
There is no immediate workaround; a software upgrade is required.
All users are recommended to upgrade GAIM to 0.75-r7.
$> emerge sync $> emerge -pv ">=net-im/gaim-0.75-r7" $> emerge ">=net-im/gaim-0.75-r7"
January 26, 2004
January 26, 2004: 01