author | agc <agc> | 2004-01-29 18:38:50 +0000 |
---|---|---|
committer | agc <agc> | 2004-01-29 18:38:50 +0000 |
commit | 81cdc860d03a919b32d4b13e7d56133e5e94f2ee (patch) | |
tree | a9e25d34642f82773e2276620b69054a5256a77a | |
parent | 97aa93e954000276720c942b28bee4c542d5431d (diff) | |
download | pkgsrc-81cdc860d03a919b32d4b13e7d56133e5e94f2ee.tar.gz |
Update gaim to version 0.75 to fix security problem on the
pkgsrc-2003Q4 branch, requested by Marc Recht. The files here were
hand-edited, since much has changed between the version of this
package on the pkgsrc-2003Q4 branch and the head.
Original commit message follows:
Module Name: pkgsrc
Committed By: recht
Date: Tue Jan 27 01:24:52 UTC 2004
Modified Files:
pkgsrc/chat/gaim: Makefile distinfo
pkgsrc/chat/gaim/patches: patch-aa
Added Files:
pkgsrc/chat/gaim/patches: patch-ab patch-ac patch-ad
Log Message:
12 vulnerabilities were found in the instant messenger GAIM that allow
remote compromise. The 12 identified problems range from simple standard
stack overflows, over heap overflows to an integer overflow that can be
abused to cause a heap overflow. Due to the nature of instant messaging
some of these bugs require man-in-the-middle attacks between client and
server. But the underlying protocols are easy to implement and MIM attacks
on ordinary TCP sessions is a fairly simple task.
Please see http://security.e-matters.de/advisories/012004.html
for more details.
Apply the fix posted in that advisory (originally by the FreeBSD security
team) and bump PKGREVISION to 1.
-rw-r--r-- | chat/gaim/Makefile | 6 | ||||
-rw-r--r-- | chat/gaim/PLIST | 10 | ||||
-rw-r--r-- | chat/gaim/distinfo | 10 | ||||
-rw-r--r-- | chat/gaim/patches/patch-aa | 12 | ||||
-rw-r--r-- | chat/gaim/patches/patch-ab | 176 | ||||
-rw-r--r-- | chat/gaim/patches/patch-ac | 13 | ||||
-rw-r--r-- | chat/gaim/patches/patch-ad | 136 |
7 files changed, 356 insertions, 7 deletions
diff --git a/chat/gaim/Makefile b/chat/gaim/Makefile
index 51e69cf7db9..e7fcaaf96b0 100644
--- a/chat/gaim/Makefile
+++ b/chat/gaim/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2003/10/18 08:18:46 jmmv Exp $
+# $NetBSD: Makefile,v 1.42.2.1 2004/01/29 18:38:50 agc Exp $
 #
-DISTNAME= gaim-0.71
+DISTNAME= gaim-0.75
+PKGREVISION= 1
 CATEGORIES= chat x11
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=gaim/}
 EXTRACT_SUFX= .tar.bz2
@@ -27,6 +28,7 @@ LIBTOOL_OVERRIDE= ${WRKSRC}/libtool
 CONFIGURE_ARGS+= --disable-nas
 CONFIGURE_ARGS+= --disable-perl
 CONFIGURE_ARGS+= --disable-nss
+CONFIGURE_ARGS+= --disable-tcl
 .include "../../mk/bsd.prefs.mk"
diff --git a/chat/gaim/PLIST b/chat/gaim/PLIST
index e3990396e7e..76dcd1f4b6a 100644
--- a/chat/gaim/PLIST
+++ b/chat/gaim/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.20 2003/10/18 08:18:46 jmmv Exp $
+@comment $NetBSD: PLIST,v 1.20.2.1 2004/01/29 18:38:50 agc Exp $
 bin/gaim
 bin/gaim-remote
 include/gaim-remote/remote-socket.h
@@ -54,6 +54,9 @@ lib/gaim/libzephyr.so
 lib/gaim/notify.a
 lib/gaim/notify.la
 lib/gaim/notify.so
+lib/gaim/relnot.a
+lib/gaim/relnot.la
+lib/gaim/relnot.so
 lib/gaim/spellchk.a
 lib/gaim/spellchk.la
 lib/gaim/spellchk.so
@@ -89,6 +92,7 @@ ${PKGLOCALEDIR}/locale/ca/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/cs/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/da/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/de/LC_MESSAGES/gaim.mo
+${PKGLOCALEDIR}/locale/en_GB/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/es/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/fi/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/fr/LC_MESSAGES/gaim.mo
@@ -101,14 +105,15 @@ ${PKGLOCALEDIR}/locale/ko/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/nl/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/no/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/pl/LC_MESSAGES/gaim.mo
+${PKGLOCALEDIR}/locale/pt/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/pt_BR/LC_MESSAGES/gaim.mo
-${PKGLOCALEDIR}/locale/pt_PT/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/ro/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/ru/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/sk/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/sr/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/sr@Latn/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/sv/LC_MESSAGES/gaim.mo
+${PKGLOCALEDIR}/locale/vi/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/zh_CN/LC_MESSAGES/gaim.mo
 ${PKGLOCALEDIR}/locale/zh_TW/LC_MESSAGES/gaim.mo
 share/pixmaps/gaim.png
@@ -329,6 +334,7 @@ share/pixmaps/gaim/status/default/napster.png
 share/pixmaps/gaim/status/default/notauthorized.png
 share/pixmaps/gaim/status/default/occupied.png
 share/pixmaps/gaim/status/default/offline.png
+share/pixmaps/gaim/status/default/secure.png
 share/pixmaps/gaim/status/default/trepia.png
 share/pixmaps/gaim/status/default/wireless.png
 share/pixmaps/gaim/status/default/yahoo.png
diff --git a/chat/gaim/distinfo b/chat/gaim/distinfo
index 9fd1fa69321..589eeeb6fe6 100644
--- a/chat/gaim/distinfo
+++ b/chat/gaim/distinfo
@@ -1,4 +1,8 @@
-$NetBSD: distinfo,v 1.33 2003/10/18 08:18:46 jmmv Exp $
+$NetBSD: distinfo,v 1.33.2.1 2004/01/29 18:38:50 agc Exp $
-SHA1 (gaim-0.71.tar.bz2) = 3615ca1973704de57ab48a098ec6ece147bba578
-Size (gaim-0.71.tar.bz2) = 3109536 bytes
+SHA1 (gaim-0.75.tar.bz2) = 20a7ccadf276d9db6b74ae3d07d90601d805a4a9
+Size (gaim-0.75.tar.bz2) = 3370977 bytes
+SHA1 (patch-aa) = 90d7bbc5c9ab5c6ffeba30a6c782e66cb1e3d861
+SHA1 (patch-ab) = aff902959e96d00c0712ac88b235aa918ba082d6
+SHA1 (patch-ac) = 803423543063b5838139dfad4c80172d6bfb4d70
+SHA1 (patch-ad) = 02f5d4d7b6cf2bc49043eba09b079ce2530552dc
diff --git a/chat/gaim/patches/patch-aa b/chat/gaim/patches/patch-aa
new file mode 100644
index 00000000000..1e2bcc4323e
--- /dev/null
+++ b/chat/gaim/patches/patch-aa
@@ -0,0 +1,12 @@
+$NetBSD: patch-aa,v 1.15.2.1 2004/01/29 18:38:50 agc Exp $
+
+--- src/protocols/oscar/ft.c.orig 2004-01-05 02:34:04.000000000 +0100
++++ src/protocols/oscar/ft.c
+@@ -44,6 +44,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <aim.h>
+
+ #ifndef _WIN32
diff --git a/chat/gaim/patches/patch-ab b/chat/gaim/patches/patch-ab
new file mode 100644
index 00000000000..b4c69dddbd3
--- /dev/null
+++ b/chat/gaim/patches/patch-ab
@@ -0,0 +1,176 @@
+$NetBSD: patch-ab,v 1.5.2.1 2004/01/29 18:38:50 agc Exp $
+
+--- src/protocols/yahoo/yahoo.c.orig 2004-01-10 06:04:09.000000000 +0100
++++ src/protocols/yahoo/yahoo.c
+@@ -20,6 +20,7 @@
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
++#include <limits.h>
+ #include "internal.h"
+
+ #include "account.h"
+@@ -131,8 +132,15 @@ static void yahoo_packet_read(struct yah
+ while (pos + 1 < len) {
+ if (data[pos] == 0xc0 && data[pos + 1] == 0x80)
+ break;
++ if (x >= sizeof(key)-1) {
++ x++;
++ continue;
++
++ }
+ key[x++] = data[pos++];
+ }
++ if (x >= sizeof(key)-1)
++ x = 0;
+ key[x] = 0;
+ pos += 2;
+ pair->key = strtol(key, NULL, 10);
+@@ -868,32 +876,66 @@ static void yahoo_process_contact(GaimCo
+ }
+ }
+
++
++static void octal(const char **p, const char *end, unsigned char *n)
++{
++ int i, c;
++
++ for (i = 0, c = 0; i < 3 && *p < end; ++i, ++*p) {
++ c <<= 3;
++ switch (**p) {
++ case '0': break;
++ case '1': c += 1; break;
++ case '2': c += 2; break;
++ case '3': c += 3; break;
++ case '4': c += 4; break;
++ case '5': c += 5; break;
++ case '6': c += 6; break;
++ case '7': c += 7; break;
++ default:
++ if (i == 0) {
++ *n = **p;
++ ++*p;
++ return;
++ }
++ c >>= 3;
++ goto done;
++ }
++ }
++done:
++ *n = (c > UCHAR_MAX) ? '?' : c;
++ return;
++}
++
+ #define OUT_CHARSET "utf-8"
+
+ static char *yahoo_decode(const char *text)
+ {
+ char *converted;
+- char *p, *n, *new;
+-
+- n = new = g_malloc(strlen (text) + 1);
+-
+- for (p = (char *)text; *p; p++, n++) {
++ unsigned char *n, *new;
++ size_t len;
++ const char *p, *end;
++
++ len = strlen (text);
++ p = text;
++ end = &text[len];
++ n = new = g_malloc(len + 1);
++ while (p < end) {
+ if (*p == '\\') {
+- sscanf(p + 1, "%3o\n", (int *)n);
+- p += 3;
+- }
+- else
+- *n = *p;
++ ++p;
++ octal(&p, end, n);
++ } else
++ *n = *p++;
++ ++n;
+ }
+-
+ *n = '\0';
+-
+ converted = g_convert(new, n - new, OUT_CHARSET, "iso-8859-1", NULL, NULL, NULL);
+ g_free(new);
+
+ return converted;
+ }
+
++
+ static void yahoo_process_mail(GaimConnection *gc, struct yahoo_packet *pkt)
+ {
+ GaimAccount *account = gaim_connection_get_account(gc);
+@@ -1903,32 +1945,30 @@ static void yahoo_got_web_connected(gpoi
+
+ static void yahoo_web_pending(gpointer data, gint source, GaimInputCondition cond)
+ {
++ static const char http302[] = "HTTP/1.0 302";
++ static const char setcookie[] = "Set-Cookie: ";
+ GaimConnection *gc = data;
+ GaimAccount *account = gaim_connection_get_account(gc);
+ struct yahoo_data *yd = gc->proto_data;
+- char buf[1024], buf2[256], *i = buf, *r = buf2;
+- int len, o = 0;
++ char buf[1024], *i = buf;
++ int len;
++ GString *s;
+
+ len = read(source, buf, sizeof(buf));
+- if (len <= 0 || strncmp(buf, "HTTP/1.0 302", strlen("HTTP/1.0 302"))) {
++ if (len <= 0 || (len >= sizeof(http302)-1 &&
++ memcmp(http302, buf, sizeof(http302)-1) != 0)) {
+ gaim_connection_error(gc, _("Unable to read"));
+ return;
+ }
+-
+- while ((i = strstr(i, "Set-Cookie: ")) && 0 < 2) {
+- i += strlen("Set-Cookie: ");
+- for (;*i != ';'; r++, i++) {
+- *r = *i;
+- }
+- *r=';';
+- r++;
+- *r=' ';
+- r++;
+- o++;
+- }
+- /* Get rid of that "; " */
+- *(r-2) = '\0';
+- yd->auth = g_strdup(buf2);
++ s = g_string_sized_new(len);
++ buf[len] = '\0';
++ while ((i = strstr(i, setcookie)) != NULL) {
++ i += sizeof(setcookie)-1;
++ for (;*i != ';'; i++)
++ g_string_append_c(s, *i);
++ g_string_append(s, "; ");
++ }
++ yd->auth = g_string_free(s, FALSE);
+ gaim_input_remove(gc->inpa);
+ close(source);
+ /* Now we have our cookies to login with. I'll go get the milk. */
+@@ -1974,15 +2014,17 @@ static GHashTable *yahoo_login_page_hash
+ const char *c = buf;
+ char *d;
+ char name[64], value[64];
++ int count = sizeof(name)-1;
+ while ((c < (buf + len)) && (c = strstr(c, "<input "))) {
+ c = strstr(c, "name=\"") + strlen("name=\"");
+- for (d = name; *c!='"'; c++, d++)
++ for (d = name; *c!='"' && count; c++, d++, count--)
+ *d = *c;
+ *d = '\0';
++ count = sizeof(value)-1;
+ d = strstr(c, "value=\"") + strlen("value=\"");
+ if (strchr(c, '>') < d)
+ break;
+- for (c = d, d = value; *c!='"'; c++, d++)
++ for (c = d, d = value; *c!='"' && count; c++, d++, count--)
+ *d = *c;
+ *d = '\0';
+ g_hash_table_insert(hash, g_strdup(name), g_strdup(value));
diff --git a/chat/gaim/patches/patch-ac b/chat/gaim/patches/patch-ac
new file mode 100644
index 00000000000..ecee0935b8c
--- /dev/null
+++ b/chat/gaim/patches/patch-ac
@@ -0,0 +1,13 @@
+$NetBSD: patch-ac,v 1.4.2.1 2004/01/29 18:38:50 agc Exp $
+
+--- src/proxy.c.orig 2004-01-10 05:04:56.000000000 +0100
++++ src/proxy.c
+@@ -974,7 +974,7 @@ http_canread(gpointer data, gint source,
+
+ gaim_input_remove(phb->inpa);
+
+- while ((nlc != 2) && (read(source, &inputline[pos++], 1) == 1)) {
++ while ((pos < sizeof(inputline)-1) && (nlc != 2) && (read(source, &inputline[pos++], 1) == 1)) {
+ if (inputline[pos - 1] == '\n')
+ nlc++;
+ else if (inputline[pos - 1] != '\r')
diff --git a/chat/gaim/patches/patch-ad b/chat/gaim/patches/patch-ad
new file mode 100644
index 00000000000..08d0ec19373
--- /dev/null
+++ b/chat/gaim/patches/patch-ad
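Review bot: In yahoo_web_pending (patch-ab) the new `buf[len] = '\0';` writes one byte past `char buf[1024]` whenever read() fills the buffer, because the read still requests `sizeof(buf)` bytes; `len = read(source, buf, sizeof(buf) - 1);` leaves room for the terminator. The cookie copy `for (;*i != ';'; i++)` has no end-of-string test, so a Set-Cookie header with no `;` in the bytes read runs past the terminator; `for (; *i != '\0' && *i != ';'; i++)` bounds it. In yahoo_packet_read the over-long-key branch does `x++; continue;` without advancing `pos`, so nothing in the loop condition changes once the key buffer is full; it most likely needs `pos++` there as well (the declaration of `x` is outside the hunk). In yahoo_login_page_hash `count` is only set to `sizeof(name)-1` once, before the `while`, so from the second `<input ` onward the name copy is limited by whatever the previous value copy left over; the reset belongs at the top of the loop body.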
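Review bot: The added `pos < sizeof(inputline)-1` bound in http_canread (patch-ac) stops the read loop when the buffer is full, but nothing visible in the hunk distinguishes that exit from a complete header (`nlc == 2`), so an over-long proxy reply would be handled as if it were whole. A check right after the loop such as `if (nlc != 2)` that reports a failed proxy reply would make the truncation explicit. The code following the loop is outside the hunk, so confirm it does not already do this.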
@@ -0,0 +1,136 @@
+$NetBSD: patch-ad,v 1.1.2.2 2004/01/29 18:38:50 agc Exp $
+
+--- src/util.c.orig 2004-01-10 05:04:56.000000000 +0100
++++ src/util.c
+@@ -247,24 +247,71 @@ gaim_base64_decode(const char *text, cha
+ /**************************************************************************
+ * Quoted Printable Functions
+ **************************************************************************/
+-void
+-gaim_quotedp_decode(const char *str, char **ret_str, int *ret_len)
++static void hex(const char **p, const char *end, unsigned char *n)
+ {
+- char *p, *n, *new;
++ int i, c;
+
+- n = new = g_malloc(strlen (str) + 1);
++ for (i = 0, c = 0; i < 2 && *p < end; ++i, ++*p) {
++ c <<= 4;
++ switch (**p) {
++ case '0': break;
++ case '1': c += 1; break;
++ case '2': c += 2; break;
++ case '3': c += 3; break;
++ case '4': c += 4; break;
++ case '5': c += 5; break;
++ case '6': c += 6; break;
++ case '7': c += 7; break;
++ case '8': c += 8; break;
++ case '9': c += 9; break;
++ case 'a': c += 10; break;
++ case 'b': c += 11; break;
++ case 'c': c += 12; break;
++ case 'd': c += 13; break;
++ case 'e': c += 14; break;
++ case 'f': c += 15; break;
++ case 'A': c += 10; break;
++ case 'B': c += 11; break;
++ case 'C': c += 12; break;
++ case 'D': c += 13; break;
++ case 'E': c += 14; break;
++ case 'F': c += 15; break;
++ default:
++ if (i == 0) {
++ *n = **p;
++ ++*p;
++ return;
++ }
++ c >>= 4;
++ goto done;
++ }
++ }
++done:
++ *n = (c > UCHAR_MAX) ? '?' : c;
++ return;
++}
+
+- for (p = (char *)str; *p; p++, n++) {
++void
++gaim_quotedp_decode(const char *str, char **ret_str, int *ret_len)
++{
++ const char *p, *end;
++ unsigned char *n, *new;
++ size_t len;
++
++ len = strlen (str);
++ n = new = g_malloc(len + 1);
++ p = str;
++ end = &p[len];
++ while (p < end) {
+ if (*p == '=') {
+- sscanf(p + 1, "%2x\n", (int *)n);
+- p += 2;
+- }
+- else if (*p == '_')
++ ++p;
++ hex(&p, end, n);
++ } else if (*p == '_')
+ *n = ' ';
+ else
+ *n = *p;
++ ++n;
+ }
+-
+ *n = '\0';
+
+ if (ret_len)
+@@ -1962,7 +2009,7 @@ gaim_url_parse(const char *url, char **r
+ char **ret_path)
+ {
+ char scan_info[255];
+- char port_str[5];
++ char port_str[6];
+ int f;
+ const char *turl;
+ char host[256], path[256];
+@@ -1982,16 +2029,21 @@ gaim_url_parse(const char *url, char **r
+ }
+
+ g_snprintf(scan_info, sizeof(scan_info),
+- "%%[%s]:%%[%s]/%%[%s]", addr_ctrl, port_ctrl, page_ctrl);
++ "%%255[%s]:%%5[%s]/%%255[%s]", addr_ctrl, port_ctrl, page_ctrl);
++ addr_ctrl[sizeof(addr_ctrl)-1] = '\0';
++ port_ctrl[sizeof(port_ctrl)-1] = '\0';
++ page_ctrl[sizeof(page_ctrl)-1] = '\0';
+
+ f = sscanf(url, scan_info, host, port_str, path);
+
+ if (f == 1)
+ {
+ g_snprintf(scan_info, sizeof(scan_info),
+- "%%[%s]/%%[%s]",
++ "%%255[%s]/%%255[%s]",
+ addr_ctrl, page_ctrl);
+ f = sscanf(url, scan_info, host, path);
++ addr_ctrl[sizeof(addr_ctrl)-1] = '\0';
++ page_ctrl[sizeof(page_ctrl)-1] = '\0';
+ g_snprintf(port_str, sizeof(port_str), "80");
+ }
+
+@@ -2081,9 +2133,14 @@ parse_redirect(const char *data, size_t
+ static size_t
+ parse_content_len(const char *data, size_t data_len)
+ {
+- size_t content_len = 0;
++ int content_len = 0;
++ char *tmp;
+
+- sscanf(data, "Content-Length: %d", (int *)&content_len);
++ tmp = g_malloc(data_len + 1);
++ memcpy(tmp, data, data_len);
++ tmp[data_len] = '\0';
++ sscanf(tmp, "Content-Length: %d", &content_len);
++ g_free(tmp);
+
+ return content_len;
+ } |
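Review bot: In the rewritten gaim_quotedp_decode loop (patch-ad) only the `=` branch advances `p`; the `_` and plain-character branches are unchanged context lines that relied on the old `for (...; p++, n++)` increment, so as shown `while (p < end)` does not terminate on such input while `++n` keeps moving the write pointer beyond the `len + 1` allocation. Each of those branches has to consume the character, e.g. `*n = ' '; ++p;` under braces and `*n = *p++;`, which is how yahoo_decode in patch-ab is written. Separately, parse_content_len now scans into an `int` and returns it as `size_t`, so a negative Content-Length converts to a very large value; rejecting `content_len < 0` before the return would close that. The tail of gaim_quotedp_decode (the `ret_len` handling) lies outside the hunk.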