Multiple vulnerabilities have been found in libgadu, a library for
handling Gadu-Gadu instant messaging protocol. It is a part of ekg, a
Gadu-Gadu client, but is widely used in other clients. Also some of the
user contributed scripts were found to behave in an insecure manner.
Bugs fixed in ekg-1.6rc3:
Bugs fixed in ekg-1.6rc2:
insecure file creation in user contributed Python script
(CAN-2005-1916, discovered by Eric Romang of ZATAZ audit),
insecure file creation (CAN-2005-1850) and shell command injection
(CAN-2005-1851) in other user contributed scripts (discovered by
Marcin Owsiany and Wojtek Kaniewski),
several signedness errors in libgadu that could be triggered by an
incomming network data or an application passing invalid user input to
the library (discovered by Grzegorz Jaśkiewicz),
memory alignment errors in libgadu that could be triggered by an
incomming message and lead to bus errors on architectures like SPARC
(discovered by Szymon Zygmunt and Michał Bartoszkiewicz),
endianness errors in libgadu that could cause invalid behaviour of
applications on big-endian architectures (discovered by Marcin
Ślusarz).
Update is strongly recommended. The current version of ekg (including
fixed libgadu) can be downloaded from:
http://dev.null.pl/ekg/ekg-1.6rc3.tar.gz
Note that due to frequent protocol modifications that require API and
ABI changes, several Gadu-Gadu clients include libgadu in their source
trees and use it as a static library. If you use Gadu-Gadu client based
on libgadu other than ekg, please consult your vendor whether an update
is necessary.
Regards,
Wojtek Kaniewski