Vulnerabilities in the open source instant-messaging client would allow attackers to crash the application or run malicious code on a user's PC - Gaim 1.5.0 fixes them
Users of Gaim, the multiplatform instant messaging application, should upgrade to a new version to protect themselves from three newly discovered security holes.
Gaim 1.5.0 was released on Thursday. It fixes a flaw in the way Gaim processes a setting in AOL Instant Messenger (AIM) and ICQ showing a user is away from their machine. An attacker could include a large number of "%n" symbols in their away message and trigger a buffer overflow when the Gaim user moved their mouse over this text. This could then allow the attacker to run malicious code on the Gaim user's PC.
A second problem, in the way Gaim handled file transfers, could also be exploited to crash the application. The third flaw, in a protocol handler, was less serious and didn't affect users on x86 machines.
The new version of Gaim can be downloaded from its homepage.
Source: ZDNet