From 1eb2c5b1fd59132181fe24fa26283c6ccbd5f6ee Mon Sep 17 00:00:00 2001 From: adrianp Date: Mon, 19 Sep 2005 19:42:11 +0000 Subject: Security fix for centericq via Debian http://secunia.com/advisories/16240/ --- chat/centericq/Makefile | 4 +- chat/centericq/distinfo | 8 +- chat/centericq/patches/patch-af | 80 ++++++++++++++++++++ chat/centericq/patches/patch-ag | 16 ++++ chat/centericq/patches/patch-ah | 161 ++++++++++++++++++++++++++++++++++++++++ chat/centericq/patches/patch-ai | 31 ++++++++ chat/centericq/patches/patch-aj | 83 +++++++++++++++++++++ chat/centericq/patches/patch-ak | 13 ++++ 8 files changed, 393 insertions(+), 3 deletions(-) create mode 100644 chat/centericq/patches/patch-af create mode 100644 chat/centericq/patches/patch-ag create mode 100644 chat/centericq/patches/patch-ah create mode 100644 chat/centericq/patches/patch-ai create mode 100644 chat/centericq/patches/patch-aj create mode 100644 chat/centericq/patches/patch-ak diff --git a/chat/centericq/Makefile b/chat/centericq/Makefile index b2ea1c3eb62..28bf6e694dd 100644 --- a/chat/centericq/Makefile +++ b/chat/centericq/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.52 2005/07/16 18:55:22 adrianp Exp $ +# $NetBSD: Makefile,v 1.53 2005/09/19 19:42:11 adrianp Exp $ # DISTNAME= centericq-4.20.0 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= chat MASTER_SITES= http://konst.org.ua/download/ \ http://centericq.de/archive/source/releases/ diff --git a/chat/centericq/distinfo b/chat/centericq/distinfo index 1fbb00a2bd1..43f706b836e 100644 --- a/chat/centericq/distinfo +++ b/chat/centericq/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.17 2005/09/06 08:10:57 abs Exp $ +$NetBSD: distinfo,v 1.18 2005/09/19 19:42:11 adrianp Exp $ SHA1 (centericq-4.20.0.tar.bz2) = 14b37c5257039853f0a1b948c7eaa49581a5913c RMD160 (centericq-4.20.0.tar.bz2) = 7f17cd87aa4b98269fa65173b3e6317143c7c8ca 
@@ -8,3 +8,9 @@ SHA1 (patch-ab) = 6d9beb28024666bbfef2e95cab648d7058f8136c
 SHA1 (patch-ac) = 74ae25e19bf5d250a407a937bf78405b38cc86da
 SHA1 (patch-ad) = be8ba5c952bf560b0758c97ba81c4faef04ffe49
 SHA1 (patch-ae) = 01b4bf2e26c9974b189ffe5d0361651aabaef549
+SHA1 (patch-af) = 5104572b93c4bc1872340ac4d179d74f74958fe8
+SHA1 (patch-ag) = c63b3e1011205f7635ca1710a6e5b39f7ef8986c
+SHA1 (patch-ah) = 2e643c6cfd5812f5f35a08e29cfa858902e1760b
+SHA1 (patch-ai) = 2ac32940347733dbb63e12bdd54212435795b30d
+SHA1 (patch-aj) = 1e4ea16dfc5c8eeae9b70b4bda01a2b367ea2879
+SHA1 (patch-ak) = 155067c43db79d398465bac2d70878e8b714fa8b
diff --git a/chat/centericq/patches/patch-af b/chat/centericq/patches/patch-af
new file mode 100644
index 00000000000..4ffe4344711
--- /dev/null
+++ b/chat/centericq/patches/patch-af
@@ -0,0 +1,80 @@
+$NetBSD: patch-af,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/common.c.orig 2004-07-31 11:47:20.000000000 +0100
++++ libgadu-0.1/common.c
+@@ -284,6 +284,8 @@ char *gg_read_line(int sock, char *buf,
+ {
+ int ret;
+
++ if (!buf || length < 0)
++ return NULL;
+ for (; length > 1; buf++, length--) {
+ do {
+ if ((ret = read(sock, buf, 1)) == -1 && errno != EINTR) {
+@@ -340,7 +342,7 @@ char *gg_urlencode(const char *str)
+ {
+ char *q, *buf, hex[] = "0123456789abcdef";
+ const char *p;
+- int size = 0;
++ unsigned int size = 0;
+
+ if (!str && !(str = strdup("")))
+ return NULL;
+@@ -392,18 +394,18 @@ int gg_http_hash(const char *format, ...
+ va_start(ap, format);
+
+ for (j = 0; j < strlen(format); j++) {
+- unsigned char *arg, buf[16];
++ char *arg, buf[16];
+
+ if (format[j] == 'u') {
+ snprintf(buf, sizeof(buf), "%d", va_arg(ap, uin_t));
+ arg = buf;
+ } else {
+- if (!(arg = va_arg(ap, unsigned char*)))
++ if (!(arg = va_arg(ap, char*)))
+ arg = "";
+ }
+
+ i = 0;
+- while ((c = (int) arg[i++]) != 0) {
++ while ((c = (unsigned char) arg[i++]) != 0) {
+ a = (c ^ b) + (c << 8);
+ b = (a >> 24) | (a << 8);
+ }
+@@ -532,7 +534,7 @@ static char gg_base64_charset[] =
+ char *gg_base64_encode(const char *buf)
+ {
+ char *out, *res;
+- int i = 0, j = 0, k = 0, len = strlen(buf);
++ unsigned int i = 0, j = 0, k = 0, len = strlen(buf);
+
+ res = out = malloc((len / 3 + 1) * 4 + 2);
+
+@@ -590,7 +592,7 @@ char *gg_base64_decode(const char *buf)
+ {
+ char *res, *save, *foo, val;
+ const char *end;
+- int index = 0;
++ unsigned int index = 0;
+
+ if (!buf)
+ return NULL;
+@@ -684,7 +686,7 @@ static int gg_crc32_initialized = 0;
+ static void gg_crc32_make_table()
+ {
+ uint32_t h = 0;
+- int i, j;
++ unsigned int i, j;
+
+ memset(gg_crc32_table, 0, sizeof(gg_crc32_table));
+
+@@ -713,6 +715,8 @@ uint32_t gg_crc32(uint32_t crc, const un
+ {
+ if (!gg_crc32_initialized)
+ gg_crc32_make_table();
++ if (!buf || len < 0)
++ return crc;
+
+ crc 
^= 0xffffffffL;
+
diff --git a/chat/centericq/patches/patch-ag b/chat/centericq/patches/patch-ag
new file mode 100644
index 00000000000..bb389286c9d
--- /dev/null
+++ b/chat/centericq/patches/patch-ag
@@ -0,0 +1,16 @@
+$NetBSD: patch-ag,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/dcc.c.orig 2004-01-26 23:49:33.000000000 +0000
++++ libgadu-0.1/dcc.c
+@@ -51,9 +51,9 @@
+ * - buf - bufor z danymi
+ * - size - rozmiar danych
+ */
+-static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, int size)
++static void gg_dcc_debug_data(const char *prefix, int fd, const void *buf, unsigned int size)
+ {
+- int i;
++ unsigned int i;
+
+ gg_debug(GG_DEBUG_MISC, "++ gg_dcc %s (fd=%d,len=%d)", prefix, fd, size);
+
diff --git a/chat/centericq/patches/patch-ah b/chat/centericq/patches/patch-ah
new file mode 100644
index 00000000000..c221113feb3
--- /dev/null
+++ b/chat/centericq/patches/patch-ah
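Review bot: `gg_base64_encode` in the `@@ -532` hunk still evaluates `len = strlen(buf)` with no NULL check, while `gg_base64_decode` in the following hunk has `if (!buf) return NULL;` as context and this same patch adds NULL guards to `gg_read_line` and `gg_crc32`; add `if (!buf) return NULL;` ahead of the declarations so a NULL argument fails cleanly instead of faulting inside `strlen`. The new `gg_read_line` guard stops at `length < 0`, but `length == 0` skips the `for (; length > 1; ...)` loop entirely and reaches whatever terminator store follows the loop outside the hunk; if that store is unconditional it writes one byte past a zero-length buffer, so `length < 1` looks like the safer bound, to be confirmed against the function tail. Retyping `size`, `len` and `index` as `unsigned int` removes the signed/unsigned mismatches but still narrows `strlen` results on 64-bit targets; `size_t` is the exact type for all three. Every function touched in this patch starts or ends outside its hunk.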
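Review bot: `size` becomes `unsigned int` in the new signature, but the `gg_debug` call on the last context line still formats it with `len=%d`; change that to `len=%u` so the format matches the argument now that the parameter type has changed. The loop over `i` that the retyping is presumably meant to make unsigned-safe lies below the hunk, so whether `i < size` was the only signed comparison cannot be confirmed from here; gg_dcc_debug_data continues past the hunk end.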
@@ -0,0 +1,161 @@
+$NetBSD: patch-ah,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/events.c.orig 2004-06-10 20:20:08.000000000 +0100
++++ libgadu-0.1/events.c
+@@ -27,6 +27,7 @@
+ #include
+
+ #include "libgadu-config.h"
++#include "libgadu.h"
+
+ #include
+ #ifdef __GG_LIBGADU_HAVE_PTHREAD
+@@ -153,7 +154,7 @@ int gg_image_queue_remove(struct gg_sess
+ * - e - opis zdarzenia
+ * -
+ */
+-static void gg_image_queue_parse(struct gg_event *e, char *p, int len, struct gg_session *sess, uin_t sender)
++static void gg_image_queue_parse(struct gg_event *e, char *p, unsigned int len, struct gg_session *sess, uin_t sender)
+ {
+ struct gg_msg_image_reply *i = (void*) p;
+ struct gg_image_queue *q, *qq;
+@@ -285,7 +286,7 @@ static int gg_handle_recv_msg(struct gg_
+
+ count = gg_fix32(m->count);
+
+- if (p + count * sizeof(uin_t) > packet_end) {
++ if (p + count * sizeof(uin_t) > packet_end || p + count * sizeof(uin_t) < p || count > 0xffff) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (1.5)\n");
+ goto malformed;
+ }
+@@ -296,8 +297,11 @@ static int gg_handle_recv_msg(struct gg_
+ goto fail;
+ }
+
+- for (i = 0; i < count; i++, p += sizeof(uin_t))
+- e->event.msg.recipients[i] = gg_fix32(*((uint32_t*) p));
++ for (i = 0; i < count; i++, p += sizeof(uint32_t)) {
++ uint32_t u;
++ memcpy(&u, p, sizeof(uint32_t));
++ e->event.msg.recipients[i] = gg_fix32(u);
++ }
+
+ e->event.msg.recipients_count = count;
+
+@@ -306,15 +310,15 @@ static int gg_handle_recv_msg(struct gg_
+
+ case 0x02: /* richtext */
+ {
+- unsigned short len;
++ uint16_t len;
+ char *buf;
+
+ if (p + 3 > packet_end) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (2)\n");
+ goto malformed;
+ }
+-
+- len = gg_fix16(*((unsigned short*) (p + 1)));
++ memcpy(&len, p + 1, sizeof(uint16_t));
++ len = gg_fix16(len);
+
+ if (!(buf = malloc(len))) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() not enough memory for richtext data\n");
+@@ -361,12 
+365,22 @@ static int gg_handle_recv_msg(struct gg_
+ case 0x05: /* image_reply */
+ case 0x06:
+ {
+- if (p + sizeof(struct gg_msg_image_reply) + 1 > packet_end) {
++ struct gg_msg_image_reply *rep = (void*)p;
++
++ if (p + sizeof(struct gg_msg_image_reply) == packet_end) {
++ e->type = GG_EVENT_IMAGE_REPLY;
++ e->event.image_reply.sender = gg_fix32(r->sender);
++ e->event.image_reply.size = 0;
++ e->event.image_reply.crc32 = gg_fix32(rep->crc32);
++ e->event.image_reply.filename = NULL;
++ e->event.image_reply.image = NULL;
++ } else if (p + sizeof(struct gg_msg_image_reply) + 1 > packet_end) {
+ gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() packet out of bounds (4)\n");
+ goto malformed;
+ }
+-
+- gg_image_queue_parse(e, p, (int)(packet_end - p), sess, gg_fix32(r->sender));
++ rep->size = gg_fix32(rep->size);
++ rep->crc32 = gg_fix32(rep->crc32);
++ gg_image_queue_parse(e, p, (unsigned int)(packet_end - p), sess, gg_fix32(r->sender));
+
+ return 0;
+ }
+@@ -443,7 +457,7 @@ static int gg_watch_fd_connected(struct
+ case GG_NOTIFY_REPLY:
+ {
+ struct gg_notify_reply *n = (void*) p;
+- int count, i;
++ unsigned int count, i;
+ char *tmp;
+
+ gg_debug(GG_DEBUG_MISC, "// gg_watch_fd_connected() received a notify reply\n");
+@@ -454,7 +468,7 @@ static int gg_watch_fd_connected(struct
+ goto fail;
+ }
+
+- if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status == GG_STATUS_NOT_AVAIL_DESCR) || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
++ if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status) == GG_STATUS_NOT_AVAIL_DESCR || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
+ e->type = GG_EVENT_NOTIFY_DESCR;
+
+ if (!(e->event.notify_descr.notify = (void*) malloc(sizeof(*n) * 2))) {
+@@ -557,6 +571,8 @@ static int gg_watch_fd_connected(struct
+ e->event.notify60[i].descr = NULL;
+ e->event.notify60[i].time = 0;
+
++ if (uin & 0x40000000)
++ e->event.notify60[i].version |= GG_HAS_AUDIO_MASK;
+ if (GG_S_D(n->status)) {
+ unsigned char 
descr_len = *((char*) n + sizeof(struct gg_notify_reply60));
+
+@@ -628,8 +644,11 @@ static int gg_watch_fd_connected(struct
+
+ e->event.status60.descr = buf;
+
+- if (len > 4 && p[h->length - 5] == 0)
+- e->event.status60.time = *((int*) (p + h->length - 4));
++ if (len > 4 && p[h->length - 5] == 0) {
++ uint32_t t;
++ memcpy(&t, p + h->length - 4, sizeof(uint32_t));
++ e->event.status60.time = gg_fix32(t);
++ }
+ }
+
+ break;
+@@ -695,7 +714,7 @@ static int gg_watch_fd_connected(struct
+
+ if (h->length > 1) {
+ char *tmp;
+- int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
++ unsigned int len = (sess->userlist_reply) ? strlen(sess->userlist_reply) : 0;
+
+ gg_debug(GG_DEBUG_MISC, "userlist_reply=%p, len=%d\n", sess->userlist_reply, len);
+
+@@ -1336,7 +1355,11 @@ struct gg_event *gg_watch_fd(struct gg_s
+ free(sess->password);
+ sess->password = NULL;
+
+- gg_debug(GG_DEBUG_MISC, "// gg_watch_fd() gg_dcc_ip = %s\n", inet_ntoa(*((struct in_addr*) &gg_dcc_ip)));
++ {
++ struct in_addr dcc_ip;
++ dcc_ip.s_addr = gg_dcc_ip;
++ gg_debug(GG_DEBUG_MISC, "// gg_watch_fd() gg_dcc_ip = %s\n", inet_ntoa(dcc_ip));
++ }
+
+ if (gg_dcc_ip == (unsigned long) inet_addr("255.255.255.255")) {
+ struct sockaddr_in sin;
+@@ -1363,7 +1386,7 @@ struct gg_event *gg_watch_fd(struct gg_s
+
+ if (sess->external_addr && sess->external_port > 1023) {
+ l.external_ip = sess->external_addr;
+- l.external_port = sess->external_port;
++ l.external_port = gg_fix16(sess->external_port);
+ }
+
+ gg_debug(GG_DEBUG_TRAFFIC, "// gg_watch_fd() sending GG_LOGIN60 packet\n");
diff --git a/chat/centericq/patches/patch-ai b/chat/centericq/patches/patch-ai
new file mode 100644
index 00000000000..ac708434087
--- /dev/null
+++ b/chat/centericq/patches/patch-ai
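Review bot: In the `@@ -361` hunk the new empty-image-reply branch, `if (p + sizeof(struct gg_msg_image_reply) == packet_end) { ... }`, fills in `e->event.image_reply` but never leaves the case: control falls through to `rep->size = gg_fix32(rep->size);` and then `gg_image_queue_parse(e, p, ...)`, which is handed a header-only buffer and overwrites the event just built; add `return 0;` directly after `e->event.image_reply.image = NULL;`. The recipients bound in `@@ -285`, `p + count * sizeof(uin_t) < p`, is a wrap test on pointer arithmetic that may run past the buffer, which is undefined behaviour a compiler is entitled to fold to false; testing the remaining length instead, `if (count > 0xffff || (size_t)(packet_end - p) < count * sizeof(uin_t))`, needs no wrap check and also rejects a negative value should `count` (declared outside the hunk) turn out to be signed. The same hunks replace pointer casts with `memcpy` for `recipients` and `len`, yet `rep->size` and `rep->crc32` are still read and written in place through a cast of `p`, which is the unaligned access pattern the rest of the patch removes. For the richtext case in `@@ -306`, `len` is taken from the packet and passed straight to `malloc`, and any check that `p + 3 + len` stays within `packet_end` lies outside the hunk and should be confirmed. gg_handle_recv_msg and gg_watch_fd_connected both start and end outside these hunks.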
@@ -0,0 +1,31 @@
+$NetBSD: patch-ai,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/http.c.orig 2005-01-23 13:22:37.000000000 +0000
++++ libgadu-0.1/http.c
+@@ -264,7 +264,7 @@ int gg_http_watch_fd(struct gg_http *h)
+ }
+
+ if (h->state == GG_STATE_SENDING_QUERY) {
+- unsigned int res;
++ int res;
+
+ if ((res = write(h->fd, h->query, strlen(h->query))) < 1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, write() failed (len=%d, res=%d, errno=%d)\n", strlen(h->query), res, errno);
+@@ -293,7 +293,7 @@ int gg_http_watch_fd(struct gg_http *h)
+
+ if (h->state == GG_STATE_READING_HEADER) {
+ char buf[1024], *tmp;
+- unsigned int res;
++ int res;
+
+ if ((res = read(h->fd, buf, sizeof(buf))) == -1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, reading header failed (errno=%d)\n", errno);
+@@ -401,7 +401,7 @@ int gg_http_watch_fd(struct gg_http *h)
+
+ if (h->state == GG_STATE_READING_DATA) {
+ char buf[1024];
+- unsigned int res;
++ int res;
+
+ if ((res = read(h->fd, buf, sizeof(buf))) == -1) {
+ gg_debug(GG_DEBUG_MISC, "=> http, reading body failed (errno=%d)\n", errno);
diff --git a/chat/centericq/patches/patch-aj b/chat/centericq/patches/patch-aj
new file mode 100644
index 00000000000..fa9a1d38314
--- /dev/null
+++ b/chat/centericq/patches/patch-aj
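Review bot: `res` now receives the return of `read()`/`write()`, whose type is `ssize_t`, so `ssize_t res;` is the exact choice, although `int` is adequate for the 1024-byte buffers and query lengths seen here. The write-failure `gg_debug` in the `@@ -264` hunk passes `strlen(h->query)` (a `size_t`) for `len=%d`; on an LP64 target that shifts the remaining varargs so `res` and `errno` print wrongly exactly when they are needed, and it should be cast, `(int)strlen(h->query)`, or printed with `%zu` if gg_debug's formatter supports it. The original `unsigned int res` turned a `-1` from `write()` into a value that is not `< 1`, so the retyping does fix a silently missed error check, which is worth a line in the patch description. gg_http_watch_fd continues outside every hunk.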
@@ -0,0 +1,83 @@
+$NetBSD: patch-aj,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/libgadu.c.orig 2004-03-30 23:44:07.000000000 +0100
++++ libgadu-0.1/libgadu.c
+@@ -378,7 +378,7 @@ int gg_read(struct gg_session *sess, cha
+ */
+ int gg_write(struct gg_session *sess, const char *buf, int length)
+ {
+- int res;
++ int res = 0;
+
+ #ifdef __GG_LIBGADU_HAVE_OPENSSL
+ if (sess->ssl) {
+@@ -415,7 +415,8 @@ void *gg_recv_packet(struct gg_session *
+ {
+ struct gg_header h;
+ char *buf = NULL;
+- int ret = 0, offset, size = 0;
++ int ret = 0;
++ unsigned int offset, size = 0;
+
+ gg_debug(GG_DEBUG_FUNCTION, "** gg_recv_packet(%p);\n", sess);
+
+@@ -477,7 +478,7 @@ void *gg_recv_packet(struct gg_session *
+ memcpy(&h, sess->recv_buf, sizeof(h));
+
+ /* jakieś sensowne limity na rozmiar pakietu */
+- if (h.length < 0 || h.length > 65535) {
++ if (h.length > 65535) {
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() invalid packet length (%d)\n", h.length);
+ errno = ERANGE;
+ return NULL;
+@@ -503,11 +504,18 @@ void *gg_recv_packet(struct gg_session *
+ while (size > 0) {
+ ret = gg_read(sess, buf + sizeof(h) + offset, size);
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv(%d,%p,%d) = %d\n", sess->fd, buf + sizeof(h) + offset, size, ret);
++ if (!ret) {
++ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() failed: connection broken\n");
++ errno = ECONNRESET;
++ return NULL;
++ }
+ if (ret > -1 && ret <= size) {
+ offset += ret;
+ size -= ret;
+ } else if (ret == -1) {
++ int errno2 = errno;
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() body recv() failed (errno=%d, %s)\n", errno, strerror(errno));
++ errno = errno2;
+ if (errno == EAGAIN) {
+ gg_debug(GG_DEBUG_MISC, "// gg_recv_packet() %d bytes received, %d left\n", offset, size);
+ sess->recv_buf = buf;
+@@ -558,9 +566,9 @@ int gg_send_packet(struct gg_session *se
+ {
+ struct gg_header *h;
+ char *tmp;
+- int tmp_length;
++ unsigned int tmp_length;
+ void *payload;
+- int payload_length;
++ unsigned int 
payload_length;
+ va_list ap;
+ int res;
+
+@@ -584,7 +592,9 @@ int gg_send_packet(struct gg_session *se
+ while (payload) {
+ char *tmp2;
+
+- payload_length = va_arg(ap, int);
++ if (payload_length < 0)
++ gg_debug(GG_DEBUG_MISC, "// gg_send_packet() invalid payload length (%d)\n", payload_length);
++ payload_length = va_arg(ap, unsigned int);
+
+ if (payload_length < 0)
+ gg_debug(GG_DEBUG_MISC, "// gg_send_packet() invalid payload length (%d)\n", payload_length);
+@@ -1150,7 +1160,7 @@ int gg_image_reply(struct gg_session *se
+ struct gg_send_msg s;
+ const char *tmp;
+ char buf[1910];
+- int res;
++ int res = -1;
+
+ gg_debug(GG_DEBUG_FUNCTION, "** gg_image_reply(%p, %d, \"%s\", %p, %d);\n", sess, recipient, filename, image, size);
+
diff --git a/chat/centericq/patches/patch-ak b/chat/centericq/patches/patch-ak
new file mode 100644
index 00000000000..daef14e61e4
--- /dev/null
+++ b/chat/centericq/patches/patch-ak
@@ -0,0 +1,13 @@
+$NetBSD: patch-ak,v 1.1 2005/09/19 19:42:11 adrianp Exp $
+
+--- libgadu-0.1/libgadu.h.orig 2004-06-10 20:20:08.000000000 +0100
++++ libgadu-0.1/libgadu.h
+@@ -351,7 +351,7 @@ struct gg_login_params {
+ int tls; /* czy łączymy po TLS? */
+ int image_size; /* maksymalny rozmiar obrazka w KiB */
+
+- char dummy[7 * sizeof(int)]; /* miejsce na kolejnych 8 zmiennych,
++ char dummy[6 * sizeof(int)]; /* miejsce na kolejnych 8 zmiennych,
+ * żeby z dodaniem parametru nie
+ * zmieniał się rozmiar struktury */
+ };
--
cgit v1.2.3
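Review bot: In the `@@ -584` hunk both `if (payload_length < 0)` tests are now dead, because the same patch retypes `payload_length` as `unsigned int` in `@@ -558`; the added copy is also placed before the `va_arg` fetch, so even with a signed type it would have examined the previous iteration's value (or an uninitialised one on the first pass). Drop both tests and bound the freshly fetched value instead, e.g. `if (payload_length > 65535) { gg_debug(...); break; }` using whatever error exit gg_send_packet has below the hunk, mirroring the 65535 cap gg_recv_packet now applies to `h.length`, so that the sum with `tmp_length` presumably formed before the buffer is grown cannot wrap. In `@@ -503` the new `if (!ret)` path returns NULL without releasing `buf`, while the EAGAIN path a few lines later shows `buf` is this function's to hand off via `sess->recv_buf`; add `free(buf);` before that return, after checking against the cleanup code below the hunk whether `buf` can alias a resumed `sess->recv_buf` that must then be reset. gg_recv_packet and gg_send_packet both extend past the hunk boundaries.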
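Review bot: Shrinking `dummy` from `7 * sizeof(int)` to `6 * sizeof(int)` without adding a member in the same hunk changes `sizeof(struct gg_login_params)` by `sizeof(int)`, which is precisely what the adjacent comment says the padding exists to prevent; if this mirrors an upstream change that introduced a new field (none is visible in patch-ak, which is a single hunk), that field should be backported alongside it, otherwise the count should stay at 7. Since the patched paths live under `libgadu-0.1/` inside the centericq tree the only consumers appear to be in this package, so this is an ABI-consistency point rather than a runtime bug, but the comment's "room for another 8 variables" now disagrees with the array size either way.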