Bug#601425: wengophone embeds gaim which is vulnerable to cve-2008-2927

Silvio Cesare silvio.cesare at gmail.com
Tue Oct 26 00:07:53 UTC 2010


Package: wengophone
Version: 2.1.2.dfsg0-6
Severity: important
Tags: security

wengophone embeds a copy of an old version of gaim which is vulnerable to
cve-2008-2927 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927.
There is a related vulnerability from an incorrect fix in
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376.

The debian security tracker has these as
http://security-tracker.debian.org/tracker/CVE-2008-2927 and
http://security-tracker.debian.org/tracker/CVE-2009-1376

Even they the original cve is not for gaim, I have looked at
wengophone/libs/3rdparty/gaim/src/libgaim/protocols/msn/slplink.c and
verified that the unpatched code is present as shown in
https://bugzilla.redhat.com/show_bug.cgi?id=453764

I have not investigated if this copy of gaim is vulnerable to any other
known bugs. I suspect there are other vulnerabilities present since pidgin
which is the current descendant of gaim has a number of additional
vulnerabilities. Ideally, the embedded copy of gaim would be replaced by a
system wide shared library.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-voip-maintainers/attachments/20101026/05679d44/attachment.htm>


More information about the Pkg-voip-maintainers mailing list