pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/chat/gaim Security fixes for CAN-2005-2102 and CAN-200...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/045cb9f01fb0
branches:  trunk
changeset: 498024:045cb9f01fb0
user:      salo <salo%pkgsrc.org@localhost>
date:      Wed Aug 10 16:13:33 2005 +0000

description:
Security fixes for CAN-2005-2102 and CAN-2005-2103.

- An error in the handling of away messages can be exploited to cause
  a heap-based buffer overflow by sending a specially crafted away message
  to a user logged into AIM or ICQ.

  Successful exploitation allows execution of arbitrary code.

- An error in the handling of file transfers can be exploited to crash
  the application by attempting to upload a file with a non-UTF8 filename
  to a user logged into AIM or ICQ.

Patches from RedHat.

diffstat:

 chat/gaim/Makefile         |   4 +-
 chat/gaim/buildlink3.mk    |   4 +-
 chat/gaim/distinfo         |   4 +-
 chat/gaim/patches/patch-af |  78 ++++++++++++++++++++++++++++++++++++++++++++++
 chat/gaim/patches/patch-ag |  26 +++++++++++++++
 5 files changed, 111 insertions(+), 5 deletions(-)

diffs (158 lines):

diff -r e6b0dcd3382d -r 045cb9f01fb0 chat/gaim/Makefile
--- a/chat/gaim/Makefile        Wed Aug 10 13:58:47 2005 +0000
+++ b/chat/gaim/Makefile        Wed Aug 10 16:13:33 2005 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.93 2005/08/05 14:33:53 salo Exp $
+# $NetBSD: Makefile,v 1.94 2005/08/10 16:13:33 salo Exp $
 
 DISTNAME=      gaim-1.4.0
-PKGREVISION=   1
+PKGREVISION=   2
 CATEGORIES=    chat x11
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=gaim/}
 EXTRACT_SUFX=  .tar.bz2
diff -r e6b0dcd3382d -r 045cb9f01fb0 chat/gaim/buildlink3.mk
--- a/chat/gaim/buildlink3.mk   Wed Aug 10 13:58:47 2005 +0000
+++ b/chat/gaim/buildlink3.mk   Wed Aug 10 16:13:33 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: buildlink3.mk,v 1.6 2005/08/05 14:33:53 salo Exp $
+# $NetBSD: buildlink3.mk,v 1.7 2005/08/10 16:13:34 salo Exp $
 
 BUILDLINK_DEPTH:=      ${BUILDLINK_DEPTH}+
 GAIM_BUILDLINK3_MK:=   ${GAIM_BUILDLINK3_MK}+
@@ -12,7 +12,7 @@
 
 .if !empty(GAIM_BUILDLINK3_MK:M+)
 BUILDLINK_DEPENDS.gaim+=       gaim>=1.1.2
-BUILDLINK_RECOMMENDED.gaim+=   gaim>=1.4.0nb1
+BUILDLINK_RECOMMENDED.gaim+=   gaim>=1.4.0nb2
 BUILDLINK_PKGSRCDIR.gaim?=     ../../chat/gaim
 
 PRINT_PLIST_AWK+=      /^@dirrm lib\/gaim$$/ \
diff -r e6b0dcd3382d -r 045cb9f01fb0 chat/gaim/distinfo
--- a/chat/gaim/distinfo        Wed Aug 10 13:58:47 2005 +0000
+++ b/chat/gaim/distinfo        Wed Aug 10 16:13:33 2005 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.67 2005/08/05 14:33:53 salo Exp $
+$NetBSD: distinfo,v 1.68 2005/08/10 16:13:34 salo Exp $
 
 SHA1 (gaim-1.4.0.tar.bz2) = 49955722104216e6e41757657abaa94388c42249
 RMD160 (gaim-1.4.0.tar.bz2) = d12354df0828451d32124750340b759180289591
@@ -6,3 +6,5 @@
 SHA1 (patch-aa) = 555c394dbb4cd9ef4fea621d30ce72baae309067
 SHA1 (patch-ad) = 21ffc478343793ce065c75a24ed0cf58b0677359
 SHA1 (patch-ae) = 6c8a5960918ea77a766cdb4f3c2d805a61235771
+SHA1 (patch-af) = 63f14c28109a3515bffbed1ece14ae56f0652d13
+SHA1 (patch-ag) = 145aaa3e990eaada33186a5b13196e613b5aac91
diff -r e6b0dcd3382d -r 045cb9f01fb0 chat/gaim/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/chat/gaim/patches/patch-af        Wed Aug 10 16:13:33 2005 +0000
@@ -0,0 +1,78 @@
+$NetBSD: patch-af,v 1.1 2005/08/10 16:13:34 salo Exp $
+
+Fix for CAN-2005-2103, from RedHat.
+
+--- src/util.c.orig    2005-06-09 06:00:36.000000000 +0200
++++ src/util.c 2005-08-10 16:35:33.000000000 +0200
+@@ -2129,8 +2129,7 @@
+ gaim_str_sub_away_formatters(const char *str, const char *name)
+ {
+       char *c;
+-      gchar *cpy;
+-      int cnt = 0;
++      GString *cpy;
+       time_t t;
+       struct tm *tme;
+       char tmp[20];
+@@ -2138,12 +2137,12 @@
+       g_return_val_if_fail(str  != NULL, NULL);
+       g_return_val_if_fail(name != NULL, NULL);
+ 
+-      cpy = g_malloc(BUF_LONG);
++      /* Create an empty GString that is hopefully big enough for most messages */
++      cpy = g_string_sized_new(1024);
+ 
+       t = time(NULL);
+       tme = localtime(&t);
+ 
+-      cpy[0] = '\0';
+       c = (char *)str;
+       while (*c) {
+               switch (*c) {
+@@ -2152,39 +2151,35 @@
+                               switch (*(c + 1)) {
+                               case 'n':
+                                       /* append name */
+-                                      strcpy(cpy + cnt, name);
+-                                      cnt += strlen(name);
++                                      g_string_append(cpy, name);
+                                       c++;
+                                       break;
+                               case 'd':
+                                       /* append date */
+                                       strftime(tmp, 20, "%m/%d/%Y", tme);
+-                                      strcpy(cpy + cnt, tmp);
+-                                      cnt += strlen(tmp);
++                                      g_string_append(cpy, tmp);
+                                       c++;
+                                       break;
+                               case 't':
+                                       /* append time */
+                                       strftime(tmp, 20, "%I:%M:%S %p", tme);
+-                                      strcpy(cpy + cnt, tmp);
+-                                      cnt += strlen(tmp);
++                                      g_string_append(cpy, tmp);
+                                       c++;
+                                       break;
+                               default:
+-                                      cpy[cnt++] = *c;
++                                      g_string_append_c(cpy, *c);
+                               }
+                       } else {
+-                              cpy[cnt++] = *c;
++                              g_string_append_c(cpy, *c);
+                       }
+                       break;
+               default:
+-                      cpy[cnt++] = *c;
++                      g_string_append_c(cpy, *c);
+               }
+               c++;
+       }
+-      cpy[cnt] = '\0';
+ 
+-      return cpy;
++      return g_string_free(cpy, FALSE);
+ }
+ 
+ gchar *
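Review bot: In the `'d'` and `'t'` cases the return value of `strftime()` is ignored, so if it returns 0 the contents of `tmp` are indeterminate and `g_string_append(cpy, tmp)` would run `strlen` over an unterminated stack buffer. The `%p` expansion is locale-dependent, so the hard-coded 20 bytes is not guaranteed to be enough everywhere. Append only on success and size from the array, e.g. `if (strftime(tmp, sizeof(tmp), "%I:%M:%S %p", tme) > 0) g_string_append(cpy, tmp);`, and the same for the date case. `tme` from `localtime()` is also passed on without a NULL check. Parts of `gaim_str_sub_away_formatters` (its return-type line and the lines between the inner hunks) are outside what the patch shows.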
diff -r e6b0dcd3382d -r 045cb9f01fb0 chat/gaim/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/chat/gaim/patches/patch-ag        Wed Aug 10 16:13:33 2005 +0000
@@ -0,0 +1,26 @@
+$NetBSD: patch-ag,v 1.1 2005/08/10 16:13:34 salo Exp $
+
+Fix for CAN-2005-2102, from RedHat.
+
+--- src/protocols/oscar/oscar.c.orig   2005-07-02 18:13:14.000000000 +0200
++++ src/protocols/oscar/oscar.c        2005-08-10 16:37:02.000000000 +0200
+@@ -3455,7 +3455,18 @@
+                       xfer = gaim_xfer_new(gc->account, GAIM_XFER_RECEIVE, userinfo->sn);
+                       xfer->remote_ip = g_strdup(args->verifiedip);
+                       xfer->remote_port = args->port;
+-                      gaim_xfer_set_filename(xfer, args->info.sendfile.filename);
++
++                      if (g_utf8_validate(args->info.sendfile.filename, -1,
++                                              NULL)) {
++                              gaim_xfer_set_filename(xfer,
++                                              args->info.sendfile.filename);
++                      } else {
++                              gchar * utf8_filename = gaim_utf8_salvage(
++                                              args->info.sendfile.filename);
++                              gaim_xfer_set_filename(xfer, utf8_filename);
++                              g_free(utf8_filename);
++                      }
++
+                       gaim_xfer_set_size(xfer, args->info.sendfile.totsize);
+                       gaim_xfer_set_message(xfer, message);
+ 
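Review bot: `g_utf8_validate(args->info.sendfile.filename, -1, NULL)` reads the peer-supplied pointer up to its NUL terminator, so if the parser can leave `filename` as NULL for a malformed request this line would still crash the client; that cannot be ruled out from the hunk. A guard such as `if (args->info.sendfile.filename != NULL && g_utf8_validate(...))`, with an explicit NULL path that rejects the request, would close that case. Separately, the check covers encoding only: whether directory components in the remote name are stripped before it is used as a local path is not visible here and is worth confirming. The enclosing function begins and ends outside the hunk.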


