14th Apr 2003 [SBWID-6146]
COMMAND
	Gaim-Encryption Plugin heap corruption
SYSTEMS AFFECTED
	gaim-encryption 1.15 and earlier
PROBLEM
	In Rapid7 Advisory R7-0013 [http://www.rapid7.com/]:
	
	-----BEGIN PGP SIGNED MESSAGE-----
	Hash: SHA1
	_______________________________________________________________________
	                     Rapid7, Inc. Security Advisory
	      Visit http://www.rapid7.com/ to download NeXpose, the
	           world's most advanced vulnerability scanner.
	       Linux and Windows 2000/XP versions are available now!
	_______________________________________________________________________
	Rapid7 Advisory R7-0013
	Heap Corruption in Gaim-Encryption Plugin
	   Published:  April 11, 2003
	   Revision:   1.0
	   http://www.rapid7.com/advisories/R7-0013.html
	   CVE:           CAN-2003-0163
	   Bugtraq ID:    7182
	1. Affected system(s):
	   KNOWN VULNERABLE:
	    o gaim-encryption 1.15 and earlier
	   NOT VULNERABLE:
	    o gaim-encryption 1.16 and later
	2. Summary
	   GAIM is a multi-protocol instant messaging client that is
	   compatible with AIM, ICQ, MSN Messenger, Jabber, and other
	   protocols.  The Gaim-Encryption plugin provides transparent
	   message encryption between two users.
	   The Gaim-Encryption plugin does insufficient validation on the
	   message length parameter supplied by a remote user.  This allows
	   an arbitrary heap location to be overwritten with a zero byte
	   and will also cause an unbounded read into the heap.
	   The most obvious impact of this vulnerability would be a denial
	   of service to the GAIM client.  While this vulnerability is not
	   likely to be exploitable, exploitation cannot be ruled out.
	   Please note that Gaim-Encryption is not part of GAIM and is not
	   developed by GAIM.
	3. Vendor status and information
	   William Tompkins <bill AT icarion DOT com>
	   http://gaim-encryption.sourceforge.net/
	   The author was notified and a fixed version was released on
	   March 16th, 2003.
	4. Solution
	   Upgrade to version 1.16 of the Gaim-Encryption plugin.  Note that
	   while a patched version of 1.15 was released, some versions of
	   1.15 may still be vulnerable.
	5. Detailed analysis
	   The decrypt_msg function is responsible for decrypting encrypted
	   GAIM messages.  It reads the message length from a user-supplied
	   header using sscanf.  While some bounds checking is performed, a
	   negative length is not properly handled.  This causes the NUL
	   termination of the message string to place a zero byte in an
	   arbitrary location in memory rather than at the end of the string
	   where it belongs.
	6. Contact Information
	   Rapid7 Security Advisories
	   Email:  [email protected]
	   Web:    http://www.rapid7.com/
	   Phone:  +1 (212) 558-8700
	8. Disclaimer and Copyright
	   Rapid7, Inc. is not responsible for the misuse of the information
	   provided in our security advisories.  These advisories are a service
	   to the professional security community.  There are NO WARRANTIES
	   with regard to this information.  Any application or distribution of
	   this information constitutes acceptance AS IS, at the user's own
	   risk.  This information is subject to change without notice.
	   This advisory Copyright (C) 2003 Rapid7, Inc.  Permission is
	   hereby granted to redistribute this advisory, providing that no
	   changes are made and that the copyright notices and disclaimers
	   remain intact.
	-----BEGIN PGP SIGNATURE-----
	Version: PGP 8.0
	iQA/AwUBPpcmgiT52JC2U8wAEQKc4ACfbhx2R3ogtcV71xymR/ExjqSckQIAoIxh
	GuzV+92KF3r6hFJ3dTZGRFVs
	=J9Hm
	-----END PGP SIGNATURE-----
	
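	The following C program is an added illustration of the bug class
	described in section 5 of the advisory; it is a constructed example,
	not gaim-encryption's own code. It assumes a header of the form
	"len=%d" (the real header format is not given above), an arbitrary
	MAX_MSG_LEN, and the hypothetical function names parse_len_weak,
	parse_len_fixed and terminate_message. The weak parser mirrors the
	advisory's description (signed length from sscanf, checked only against
	an upper bound), the fixed parser rejects negative and oversize lengths
	before any buffer is touched, and terminate_message shows the NUL write
	done within bounds.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MSG_LEN 4096   /* assumed upper bound for one decrypted message */

/* BEFORE (pattern the advisory describes): the length is parsed into a
 * signed int and only the upper bound is checked.  A negative value such
 * as -64 is accepted, so a later msg[len] = '\0' would place the zero byte
 * before the buffer instead of at the end of the string. */
int parse_len_weak(const char *hdr, int *len_out)
{
    int len;
    if (sscanf(hdr, "len=%d", &len) != 1)
        return -1;                  /* header did not parse */
    if (len > MAX_MSG_LEN)
        return -1;                  /* upper bound only: negatives slip through */
    *len_out = len;
    return 0;
}

/* AFTER: reject negative lengths and lengths that leave no room for the
 * terminator in a destination buffer of buf_size bytes. */
int parse_len_fixed(const char *hdr, size_t buf_size, size_t *len_out)
{
    int len;
    if (sscanf(hdr, "len=%d", &len) != 1)
        return -1;
    if (len < 0 || (size_t)len > MAX_MSG_LEN || (size_t)len >= buf_size)
        return -1;                  /* out of range for this buffer */
    *len_out = (size_t)len;
    return 0;
}

/* Copy exactly len bytes of the message body into buf and NUL-terminate.
 * The caller must have validated len with parse_len_fixed, but the check
 * is repeated here so the write can never land outside buf.
 * Returns the number of bytes copied, or -1 if len does not fit. */
int terminate_message(const char *body, size_t len, char *buf, size_t buf_size)
{
    if (len >= buf_size)
        return -1;
    memcpy(buf, body, len);
    buf[len] = '\0';                /* always inside buf */
    return (int)len;
}

int main(void)
{
    const char *negative = "len=-64";   /* constructed malicious header */
    const char *normal   = "len=5";     /* constructed benign header */
    char buf[16];
    int w = 0;
    size_t f = 0;

    printf("weak parser accepts %s:  %s\n", negative,
           parse_len_weak(negative, &w) == 0 ? "yes" : "no");
    printf("fixed parser accepts %s: %s\n", negative,
           parse_len_fixed(negative, sizeof buf, &f) == 0 ? "yes" : "no");
    if (parse_len_fixed(normal, sizeof buf, &f) == 0 &&
        terminate_message("hello world", f, buf, sizeof buf) == (int)f)
        printf("fixed path produced \"%s\"\n", buf);
    return 0;
}
```

	The essential change is the `len < 0` test before the value is ever
	converted to an unsigned size or used as an index; once a signed length
	has been turned into a size_t, a negative value looks like a huge
	positive one and the upper-bound check alone is what stops it.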
SOLUTION
	Upgrade to gaim-encryption 1.16 or later.