FreeBSD : libgadu -- multiple vulnerabilities (3b4a6982-0b24-11da-bc08-0001020eed82)

This script is Copyright (C) 2006-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Wojtek Kaniewski reports :

Multiple vulnerabilities have been found in libgadu, a library for
handling Gadu-Gadu instant messaging protocol. It is a part of ekg, a
Gadu-Gadu client, but is widely used in other clients. Also some of
the user contributed scripts were found to behave in an insecure
manner.

- integer overflow in libgadu (CVE-2005-1852) that could be triggered
by an incomming message and lead to application crash and/or remote
code execution

- insecure file creation (CVE-2005-1850) and shell command injection
(CVE-2005-1851) in other user contributed scripts (discovered by
Marcin Owsiany and Wojtek Kaniewski)

- several signedness errors in libgadu that could be triggered by an
incomming network data or an application passing invalid user input to
the library

- memory alignment errors in libgadu that could be triggered by an
incomming message and lead to bus errors on architectures like SPARC

- endianness errors in libgadu that could cause invalid behaviour of
applications on big-endian architectures

See also :

http://marc.info/?l=bugtraq&m=112198499417250
http://gaim.sourceforge.net/security/?id=20
http://www.kde.org/info/security/advisory-20050721-1.txt
http://www.nessus.org/u?03d7176c

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 21414 (freebsd_pkg_3b4a69820b2411dabc080001020eed82.nasl)

Bugtraq ID: 14345

CVE ID: CVE-2005-1850
CVE-2005-1851
CVE-2005-1852
CVE-2005-2369
CVE-2005-2370
CVE-2005-2448

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now