From 6e773a73bf26c32be43e1ce10f3352567b3235d6 Mon Sep 17 00:00:00 2001 From: salo Date: Wed, 10 Aug 2005 16:13:33 +0000 Subject: Security fixes for CAN-2005-2102 and CAN-2005-2103. - An error in the handling of away messages can be exploited to cause a heap-based buffer overflow by sending a specially crafted away message to a user logged into AIM or ICQ. Successful exploitation allows execution of arbitrary code. - An error in the handling of file transfers can be exploited to crash the application by attempting to upload a file with a non-UTF8 filename to a user logged into AIM or ICQ. Patches from RedHat. --- chat/gaim/Makefile | 4 +-- chat/gaim/buildlink3.mk | 4 +-- chat/gaim/distinfo | 4 ++- chat/gaim/patches/patch-af | 78 ++++++++++++++++++++++++++++++++++++++++++++++ chat/gaim/patches/patch-ag | 26 ++++++++++++++++ 5 files changed, 111 insertions(+), 5 deletions(-) create mode 100644 chat/gaim/patches/patch-af create mode 100644 chat/gaim/patches/patch-ag (limited to 'chat/gaim') diff --git a/chat/gaim/Makefile b/chat/gaim/Makefile index 76c7993c881..7d4b5fae442 100644 --- a/chat/gaim/Makefile +++ b/chat/gaim/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.93 2005/08/05 14:33:53 salo Exp $ +# $NetBSD: Makefile,v 1.94 2005/08/10 16:13:33 salo Exp $ DISTNAME= gaim-1.4.0 -PKGREVISION= 1 +PKGREVISION= 2 CATEGORIES= chat x11 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=gaim/} EXTRACT_SUFX= .tar.bz2 diff --git a/chat/gaim/buildlink3.mk b/chat/gaim/buildlink3.mk index d213606c29e..0bc4e40ad39 100644 --- a/chat/gaim/buildlink3.mk +++ b/chat/gaim/buildlink3.mk @@ -1,4 +1,4 @@ -# $NetBSD: buildlink3.mk,v 1.6 2005/08/05 14:33:53 salo Exp $ +# $NetBSD: buildlink3.mk,v 1.7 2005/08/10 16:13:34 salo Exp $ BUILDLINK_DEPTH:= ${BUILDLINK_DEPTH}+ GAIM_BUILDLINK3_MK:= ${GAIM_BUILDLINK3_MK}+ 
@@ -12,7 +12,7 @@ BUILDLINK_PACKAGES+= gaim .if !empty(GAIM_BUILDLINK3_MK:M+) BUILDLINK_DEPENDS.gaim+= gaim>=1.1.2 -BUILDLINK_RECOMMENDED.gaim+= gaim>=1.4.0nb1 +BUILDLINK_RECOMMENDED.gaim+= gaim>=1.4.0nb2 BUILDLINK_PKGSRCDIR.gaim?= ../../chat/gaim PRINT_PLIST_AWK+= /^@dirrm lib\/gaim$$/ \ diff --git a/chat/gaim/distinfo b/chat/gaim/distinfo index eb1c261a17c..9a4649d18e0 100644 --- a/chat/gaim/distinfo +++ b/chat/gaim/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.67 2005/08/05 14:33:53 salo Exp $ +$NetBSD: distinfo,v 1.68 2005/08/10 16:13:34 salo Exp $ SHA1 (gaim-1.4.0.tar.bz2) = 49955722104216e6e41757657abaa94388c42249 RMD160 (gaim-1.4.0.tar.bz2) = d12354df0828451d32124750340b759180289591 @@ -6,3 +6,5 @@ Size (gaim-1.4.0.tar.bz2) = 5979303 bytes SHA1 (patch-aa) = 555c394dbb4cd9ef4fea621d30ce72baae309067 SHA1 (patch-ad) = 21ffc478343793ce065c75a24ed0cf58b0677359 SHA1 (patch-ae) = 6c8a5960918ea77a766cdb4f3c2d805a61235771 +SHA1 (patch-af) = 63f14c28109a3515bffbed1ece14ae56f0652d13 +SHA1 (patch-ag) = 145aaa3e990eaada33186a5b13196e613b5aac91 diff --git a/chat/gaim/patches/patch-af b/chat/gaim/patches/patch-af new file mode 100644 index 00000000000..7e0dd28621e --- /dev/null +++ b/chat/gaim/patches/patch-af 
@@ -0,0 +1,78 @@
+$NetBSD: patch-af,v 1.1 2005/08/10 16:13:34 salo Exp $
+
+Fix for CAN-2005-2103, from RedHat.
+
+--- src/util.c.orig 2005-06-09 06:00:36.000000000 +0200
++++ src/util.c 2005-08-10 16:35:33.000000000 +0200
+@@ -2129,8 +2129,7 @@
+ gaim_str_sub_away_formatters(const char *str, const char *name)
+ {
+ char *c;
+- gchar *cpy;
+- int cnt = 0;
++ GString *cpy;
+ time_t t;
+ struct tm *tme;
+ char tmp[20];
+@@ -2138,12 +2137,12 @@
+ g_return_val_if_fail(str != NULL, NULL);
+ g_return_val_if_fail(name != NULL, NULL);
+
+- cpy = g_malloc(BUF_LONG);
++ /* Create an empty GString that is hopefully big enough for most messages */
++ cpy = g_string_sized_new(1024);
+
+ t = time(NULL);
+ tme = localtime(&t);
+
+- cpy[0] = '\0';
+ c = (char *)str;
+ while (*c) {
+ switch (*c) {
+@@ -2152,39 +2151,35 @@
+ switch (*(c + 1)) {
+ case 'n':
+ /* append name */
+- strcpy(cpy + cnt, name);
+- cnt += strlen(name);
++ g_string_append(cpy, name);
+ c++;
+ break;
+ case 'd':
+ /* append date */
+ strftime(tmp, 20, "%m/%d/%Y", tme);
+- strcpy(cpy + cnt, tmp);
+- cnt += strlen(tmp);
++ g_string_append(cpy, tmp);
+ c++;
+ break;
+ case 't':
+ /* append time */
+ strftime(tmp, 20, "%I:%M:%S %p", tme);
+- strcpy(cpy + cnt, tmp);
+- cnt += strlen(tmp);
++ g_string_append(cpy, tmp);
+ c++;
+ break;
+ default:
+- cpy[cnt++] = *c;
++ g_string_append_c(cpy, *c);
+ }
+ } else {
+- cpy[cnt++] = *c;
++ g_string_append_c(cpy, *c);
+ }
+ break;
+ default:
+- cpy[cnt++] = *c;
++ g_string_append_c(cpy, *c);
+ }
+ c++;
+ }
+- cpy[cnt] = '\0';
+
+- return cpy;
++ return g_string_free(cpy, FALSE);
+ }
+
+ gchar *
diff --git a/chat/gaim/patches/patch-ag b/chat/gaim/patches/patch-ag
new file mode 100644
index 00000000000..64ed2fdbdef
--- /dev/null
+++ b/chat/gaim/patches/patch-ag
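Review bot: The unchecked `strftime(tmp, 20, ...)` calls in the `'d'` and `'t'` cases now feed `g_string_append(cpy, tmp)`, which reads `tmp` up to a NUL; if `strftime` returns 0 (the result does not fit, which may depend on the locale's `%p` string) the contents of the uninitialized `tmp[20]` are unspecified and the append can read past the array. Appending only on success closes that, e.g. `if (strftime(tmp, sizeof(tmp), "%m/%d/%Y", tme) > 0) g_string_append(cpy, tmp);`, and the same for the time format. `tme = localtime(&t)` is likewise used without a NULL check. The function's opening line and the `%` case label lie outside the three inner hunks, so this is based on the visible lines only.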
@@ -0,0 +1,26 @@
+$NetBSD: patch-ag,v 1.1 2005/08/10 16:13:34 salo Exp $
+
+Fix for CAN-2005-2102, from RedHat.
+
+--- src/protocols/oscar/oscar.c.orig 2005-07-02 18:13:14.000000000 +0200
++++ src/protocols/oscar/oscar.c 2005-08-10 16:37:02.000000000 +0200
+@@ -3455,7 +3455,18 @@
+ xfer = gaim_xfer_new(gc->account, GAIM_XFER_RECEIVE, userinfo->sn);
+ xfer->remote_ip = g_strdup(args->verifiedip);
+ xfer->remote_port = args->port;
+- gaim_xfer_set_filename(xfer, args->info.sendfile.filename);
++
++ if (g_utf8_validate(args->info.sendfile.filename, -1,
++ NULL)) {
++ gaim_xfer_set_filename(xfer,
++ args->info.sendfile.filename);
++ } else {
++ gchar * utf8_filename = gaim_utf8_salvage(
++ args->info.sendfile.filename);
++ gaim_xfer_set_filename(xfer, utf8_filename);
++ g_free(utf8_filename);
++ }
++
+ gaim_xfer_set_size(xfer, args->info.sendfile.totsize);
+ gaim_xfer_set_message(xfer, message);
+
-- cgit v1.2.3
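Review bot: `args->info.sendfile.filename` goes into `g_utf8_validate(..., -1, NULL)` with no NULL check, so a transfer request carrying no filename would, as far as this hunk shows, be dereferenced here; whether the OSCAR parser guarantees a non-NULL, NUL-terminated string is decided outside the visible lines. An explicit NULL test ahead of the validation, handling that case before either branch runs, would make the assumption visible. The new check covers encoding only: the name is still supplied by the remote peer, and nothing in the hunk shows directory components being stripped before it is used as a local file name, which should be confirmed in the transfer code. The `g_free(utf8_filename)` directly after `gaim_xfer_set_filename()` is correct only if the setter copies its argument, which deserves a comment such as `/* gaim_xfer_set_filename() keeps its own copy */`. The enclosing function starts and ends outside the hunk.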