FreeBSD : libgadu -- multiple vulnerabilities (3b4a6982-0b24-11da-bc08-0001020eed82)
Critical Nessus Plugin ID 21414
Synopsis
The remote FreeBSD host is missing one or more security-related updates.
Description
Wojtek Kaniewski reports:
Multiple vulnerabilities have been found in libgadu, a library for handling the Gadu-Gadu instant messaging protocol. It is a part of ekg, a Gadu-Gadu client, but is widely used in other clients. Also, some of the user-contributed scripts were found to behave in an insecure manner.
- integer overflow in libgadu (CVE-2005-1852) that could be triggered by an incoming message and lead to an application crash and/or remote code execution
- insecure file creation (CVE-2005-1850) and shell command injection (CVE-2005-1851) in other user-contributed scripts (discovered by Marcin Owsiany and Wojtek Kaniewski)
- several signedness errors in libgadu that could be triggered by incoming network data or by an application passing invalid user input to the library
- memory alignment errors in libgadu that could be triggered by an incoming message and lead to bus errors on architectures like SPARC
- endianness errors in libgadu that could cause invalid behaviour of applications on big-endian architectures
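The four library-side bug classes listed above (integer overflow, signedness, alignment, endianness) all arise in the same place: decoding a length field from an untrusted message. The following C program is an added illustration written for this page; it is not libgadu's wire format or source, and the 8-byte little-endian (type, length) header, the 4096-byte payload bound and the sample frames are all constructed for the example. It shows a naive length check beside a checked one and reads the field byte by byte so the decoder is correct on big-endian hosts and never performs a misaligned load.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: an 8-byte little-endian header (type, length) followed
 * by payload. This is NOT libgadu's wire format or code; it only reproduces
 * the bug classes the advisory names. Little-endian on the wire is assumed. */
#define HDR_LEN      8
#define MAX_PAYLOAD  4096

/* Endianness + alignment: assemble the value byte by byte instead of casting
 * buf to uint32_t*. Correct on big-endian hosts and never a misaligned load. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive validation: a signed length and an unchecked addition. Returns 1 if
 * the frame would be accepted. Shown only to contrast with checked_payload_len(). */
int naive_accepts(const uint8_t *buf, size_t buflen)
{
    if (buflen < HDR_LEN)
        return 0;
    int32_t len = (int32_t)read_le32(buf + 4);  /* signedness: 0xFFFFFFFC becomes -4 ... */
    if (len > MAX_PAYLOAD)                      /* ... and sails past the bound check */
        return 0;
    uint32_t total = HDR_LEN + (uint32_t)len;   /* overflow: 8 + 0xFFFFFFFC wraps to 4 */
    return total <= buflen;                     /* 4 <= buflen, so the frame is accepted */
}

/* Checked validation: keep the length unsigned, bound it before any arithmetic,
 * and compare by subtracting from the side already known to be large enough,
 * so nothing can wrap. Returns the payload length, or -1 if the frame is rejected. */
long checked_payload_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < HDR_LEN)
        return -1;
    uint32_t len = read_le32(buf + 4);
    if (len > MAX_PAYLOAD)
        return -1;
    if (buflen - HDR_LEN < (size_t)len)         /* buflen >= HDR_LEN here, no underflow */
        return -1;
    return (long)len;
}

/* Constructed sample frames (type = 1): a valid one, one whose length wraps
 * the naive sum, and one that claims more payload than the buffer holds. */
const uint8_t frame_ok[HDR_LEN + 5]   = { 1,0,0,0, 5,0,0,0, 'h','e','l','l','o' };
const uint8_t frame_wrap[HDR_LEN + 4] = { 1,0,0,0, 0xFC,0xFF,0xFF,0xFF, 0,0,0,0 };
const uint8_t frame_short[HDR_LEN]    = { 1,0,0,0, 64,0,0,0 };

int main(void)
{
    printf("ok    : naive=%d checked=%ld\n", naive_accepts(frame_ok, sizeof frame_ok),
           checked_payload_len(frame_ok, sizeof frame_ok));
    printf("wrap  : naive=%d checked=%ld\n", naive_accepts(frame_wrap, sizeof frame_wrap),
           checked_payload_len(frame_wrap, sizeof frame_wrap));
    printf("short : naive=%d checked=%ld\n", naive_accepts(frame_short, sizeof frame_short),
           checked_payload_len(frame_short, sizeof frame_short));
    return 0;
}
```

The checked version never computes `header + length`; it bounds the untrusted value first and then subtracts the header from the buffer size, which is the order that cannot wrap. The same discipline applies to any length-prefixed protocol decoder.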
Solution
Update the affected packages.