Package: wengophone
Version: 2.1.2.dfsg0-6
Severity: important
Tags: security

wengophone embeds a copy of an old version of gaim which is vulnerable to CVE-2008-2927:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2927

There is a related vulnerability from an incorrect fix in
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1376

The Debian security tracker has these as
http://security-tracker.debian.org/tracker/CVE-2008-2927
and
http://security-tracker.debian.org/tracker/CVE-2009-1376

Even though the original CVE is not for gaim, I have looked at wengophone/libs/3rdparty/gaim/src/libgaim/protocols/msn/slplink.c and verified that the unpatched code is present, as shown in
https://bugzilla.redhat.com/show_bug.cgi?id=453764

I have not investigated whether this copy of gaim is vulnerable to any other known bugs. I suspect there are other vulnerabilities present, since pidgin, which is the current descendant of gaim, has a number of additional vulnerabilities.

Ideally, the embedded copy of gaim would be replaced by a system-wide shared library.