Stefan Esser of e-matters found almost a dozen remotely
exploitable vulnerabilities in Gaim. From the e-matters
advisory:
While developing a custom add-on, an integer overflow
in the handling of AIM DirectIM packets was revealed that
could lead to a remote compromise of the IM client. After
disclosing this bug to the vendor, they had to make a
hurried release because of a change in the Yahoo connection
procedure that rendered GAIM useless. Unfourtunately at the
same time a closer look onto the sourcecode revealed 11 more
vulnerabilities.
The 12 identified problems range from simple standard
stack overflows, over heap overflows to an integer overflow
that can be abused to cause a heap overflow. Due to the
nature of instant messaging many of these bugs require
man-in-the-middle attacks between client and server. But the
underlying protocols are easy to implement and MIM attacks
on ordinary TCP sessions is a fairly simple task.
In combination with the latest kernel vulnerabilities or
the habit of users to work as root/administrator these bugs
can result in remote root compromises.