From 1c821f570a3889dc130b21363b42e54897341c68 Mon Sep 17 00:00:00 2001 From: lkundrak Date: Thu, 19 Jul 2007 00:43:40 +0000 Subject: Fix horrific number of buffer overflows, CVE-2007-3713. Bump PKGREVISION. --- chat/centericq/Makefile | 4 +- chat/centericq/distinfo | 9 +- chat/centericq/patches/patch-au | 31 ++++++- chat/centericq/patches/patch-av | 41 +++++++++ chat/centericq/patches/patch-aw | 23 +++++ chat/centericq/patches/patch-ax | 194 ++++++++++++++++++++++++++++++++++++++++ chat/centericq/patches/patch-ay | 46 ++++++++++ chat/centericq/patches/patch-az | 108 ++++++++++++++++++++++ 8 files changed, 448 insertions(+), 8 deletions(-) create mode 100644 chat/centericq/patches/patch-av create mode 100644 chat/centericq/patches/patch-aw create mode 100644 chat/centericq/patches/patch-ax create mode 100644 chat/centericq/patches/patch-ay create mode 100644 chat/centericq/patches/patch-az (limited to 'chat') diff --git a/chat/centericq/Makefile b/chat/centericq/Makefile index 5ca4d916f7b..37b3ea424a2 100644 --- a/chat/centericq/Makefile +++ b/chat/centericq/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.66 2007/04/15 20:16:41 wiz Exp $ +# $NetBSD: Makefile,v 1.67 2007/07/19 00:43:40 lkundrak Exp $ # DISTNAME= centericq-4.21.0 -PKGREVISION= 4 +PKGREVISION= 5 CATEGORIES= chat MASTER_SITES= http://thekonst.net/download/ \ http://centericq.de/archive/source/releases/ diff --git a/chat/centericq/distinfo b/chat/centericq/distinfo index 440b79bf7d1..74eae919f34 100644 --- a/chat/centericq/distinfo +++ b/chat/centericq/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.22 2007/02/20 18:45:00 sborrill Exp $ +$NetBSD: distinfo,v 1.23 2007/07/19 00:43:40 lkundrak Exp $ SHA1 (centericq-4.21.0.tar.bz2) = 26b07c4bdcbe8c6888ceab98140b33007bec8554 RMD160 (centericq-4.21.0.tar.bz2) = 69207fcaf5c90b9ae4609221526b839659c5ccfc 
@@ -23,4 +23,9 @@ SHA1 (patch-aq) = ce0db172171d874cd35c4b0293ea96f5a580810e SHA1 (patch-ar) = b06ba8fad9a2dbcfacb0c81e2689cca02a38dd01 SHA1 (patch-as) = 55822a88a4fd17e57a06f0f186a6649fe3e4b092 SHA1 (patch-at) = 7dd7158371940522c7d393ea8d9194c2e4154cf8 -SHA1 (patch-au) = 6e33ed258b9762afc0f2bd0e4e726818f8811619 +SHA1 (patch-au) = 3a1bab4ffc13cc75480a6d249185a07e52bcdf6d +SHA1 (patch-av) = bf032d4447349d3b4f75c43f58eca3e0342b9f9d +SHA1 (patch-aw) = 20b682ce67e9d026a1253e2ce7546eea1d924282 +SHA1 (patch-ax) = a96edcc859b30fde6e6577a833005fab8d45eabf +SHA1 (patch-ay) = 46ca8c7a9828c471aa760089f2271f21c9cf0ce6 +SHA1 (patch-az) = 4542871c64fffb311cc464bc0b25fb59ef2db3b3 diff --git a/chat/centericq/patches/patch-au b/chat/centericq/patches/patch-au index 6bf7745e3d9..37c4bf1b39b 100644 --- a/chat/centericq/patches/patch-au +++ b/chat/centericq/patches/patch-au @@ -1,8 +1,19 @@ -$NetBSD: patch-au,v 1.1 2007/02/20 18:45:00 sborrill Exp $ +$NetBSD: patch-au,v 1.2 2007/07/19 00:43:40 lkundrak Exp $ ---- src/hooks/jabberhook.cc.orig 2007-02-20 18:20:36.000000000 +0000 -+++ src/hooks/jabberhook.cc 2007-02-20 18:21:08.000000000 +0000 -@@ -887,11 +887,6 @@ +Part of a fix for CVE-2007-3713. + +--- src/hooks/jabberhook.cc.orig 2007-07-19 02:34:54.000000000 +0200 ++++ src/hooks/jabberhook.cc +@@ -36,6 +36,8 @@ + #define DEFAULT_CONFSERV "conference.jabber.org" + #define PERIOD_KEEPALIVE 30 + ++#define NOTIFBUF 512 ++ + static void jidsplit(const string &jid, string &user, string &host, string &rest) { + int pos; + user = jid; +@@ -887,11 +889,6 @@ void jabberhook::gotsearchresults(xmlnod void jabberhook::gotloggedin() { xmlnode x; 
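Review bot: `NOTIFBUF` is introduced here as a file-local `#define` in jabberhook.cc, and the same definition is repeated in the abstracthook.cc, aimhook.cc, irchook.cc, ljhook.cc and yahoohook.cc patches, so the six copies can drift apart. A single definition in a header the hooks already share would keep the limit in one place; which header that would be cannot be seen from this diff. At the call sites, `snprintf(buf, sizeof(buf), ...)` ties the bound to the array itself instead of to a macro that has to be kept in step with the declaration.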
@@ -14,3 +25,15 @@ $NetBSD: patch-au,v 1.1 2007/02/20 18:45:00 sborrill Exp $
 x = jutil_iqnew(JPACKET__GET, NS_ROSTER);
 xmlnode_put_attrib(x, "id", "Roster");
 jab_send(jc, x);
+@@ -1289,8 +1286,9 @@ void jabberhook::gotversion(const imcont
+ if(vinfo.size() > 128)
+ vinfo.erase(128);
+
+- char buf[256];
+- sprintf(buf, _("The remote is using %s"), vinfo.c_str());
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("The remote is using %s"), vinfo.c_str());
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(ic, buf));
+ }
+ }
diff --git a/chat/centericq/patches/patch-av b/chat/centericq/patches/patch-av
new file mode 100644
index 00000000000..43045cc7ab3
--- /dev/null
+++ b/chat/centericq/patches/patch-av
@@ -0,0 +1,41 @@
+$NetBSD: patch-av,v 1.1 2007/07/19 00:43:40 lkundrak Exp $
+
+--- src/hooks/abstracthook.cc.orig 2007-07-19 02:24:38.000000000 +0200
++++ src/hooks/abstracthook.cc
+@@ -40,6 +40,8 @@
+
+ #include
+
++#define NOTIFBUF 512
++
+ time_t timer_current = time(0);
+
+ abstracthook::abstracthook(protocolname aproto)
+@@ -339,7 +341,7 @@ bool abstracthook::regattempt(unsigned i
+
+ void abstracthook::log(logevent ev, ...) {
+ va_list ap;
+- char buf[512];
++ char buf[NOTIFBUF];
+ static map lst;
+
+ if(lst.empty()) {
+@@ -354,7 +356,8 @@ void abstracthook::log(logevent ev, ...)
+ }
+
+ va_start(ap, ev);
+- vsprintf(buf, lst[ev].c_str(), ap);
++ vsnprintf(buf, NOTIFBUF, lst[ev].c_str(), ap);
++ buf[NOTIFBUF-1] = '\0';
+ va_end(ap);
+
+ face.log((string) "+ [" + conf.getprotocolname(proto) + "] " + buf);
+@@ -751,7 +754,7 @@ string abstracthook::getTimezoneIDtoStri
+ if(id > 24 || id < -24) {
+ return "Unspecified";
+ } else {
+- char buf[32];
++ static char buf[32];
+ sprintf(buf, "GMT %s%d:%s", id > 0 ? "-" : "+", abs(id/2), id % 2 == 0 ? "00" : "30");
+ return buf;
+ }
diff --git a/chat/centericq/patches/patch-aw b/chat/centericq/patches/patch-aw
new file mode 100644
index 00000000000..bd53677ca06
--- /dev/null
+++ b/chat/centericq/patches/patch-aw
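Review bot: In the last inner hunk of the abstracthook.cc patch (`getTimezoneIDtoStri…`), the buffer is made `static` while the `sprintf` call stays unbounded, unlike every other formatting call this commit touches. The hunk header shows the function returning `string`, so `return buf;` already copies the text, and the `static` only adds state shared between calls. The range check on `id` keeps the output short today, but the bound should not depend on that check staying where it is. I would keep the plain local array and write `snprintf(buf, sizeof(buf), "GMT %s%d:%s", ...)`. The function body starts and ends outside the hunk.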
@@ -0,0 +1,23 @@
+$NetBSD: patch-aw,v 1.1 2007/07/19 00:43:42 lkundrak Exp $
+
+--- src/hooks/aimhook.cc.orig 2007-07-19 02:24:38.000000000 +0200
++++ src/hooks/aimhook.cc
+@@ -32,6 +32,8 @@
+ #include "imlogger.h"
+ #include "eventmanager.h"
+
++#define NOTIFBUF 512
++
+ aimhook ahook;
+
+ aimhook::aimhook()
+@@ -293,7 +295,8 @@ void aimhook::loadprofile() {
+
+ if(access(fname.c_str(), R_OK)) {
+ char sbuf[512];
+- sprintf(sbuf, _("I do really enjoy the default AIM profile of centericq %s."), VERSION);
++ snprintf(sbuf, 512, _("I do really enjoy the default AIM profile of centericq %s."), VERSION);
++ sbuf[511] = '\0';
+ profile.info = sbuf;
+ saveprofile();
+ }
diff --git a/chat/centericq/patches/patch-ax b/chat/centericq/patches/patch-ax
new file mode 100644
index 00000000000..bc91353ccc8
--- /dev/null
+++ b/chat/centericq/patches/patch-ax
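Review bot: `NOTIFBUF` is added at the top of aimhook.cc but `loadprofile()` does not use it: the array stays `char sbuf[512]` and the new lines repeat the literals `512` and `511`. If the array size ever changes, the bound and the terminator index have to be found and changed by hand. `snprintf(sbuf, sizeof(sbuf), ...)` followed by `sbuf[sizeof(sbuf) - 1] = '\0';` keeps both tied to the declaration; otherwise use the macro here as the other hooks do, or drop the unused define. The body of `loadprofile()` continues outside the hunk.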
@@ -0,0 +1,194 @@
+$NetBSD: patch-ax,v 1.1 2007/07/19 00:43:42 lkundrak Exp $
+
+Part of a fix for CVE-2007-3713.
+
+--- src/hooks/irchook.cc.orig 2007-07-19 02:24:38.000000000 +0200
++++ src/hooks/irchook.cc
+@@ -35,6 +35,8 @@
+
+ #include
+
++#define NOTIFBUF 512
++
+ // ----------------------------------------------------------------------------
+
+ irchook irhook;
+@@ -609,11 +611,12 @@ void irchook::rawcommand(const string &c
+
+ void irchook::channelfatal(string room, const char *fmt, ...) {
+ va_list ap;
+- char buf[1024];
++ char buf[NOTIFBUF];
+ vector::iterator i;
+
+ va_start(ap, fmt);
+- vsprintf(buf, fmt, ap);
++ vsnprintf(buf, NOTIFBUF, fmt, ap);
++ buf[NOTIFBUF-1] = '\0';
+ va_end(ap);
+
+ if(room.substr(0, 1) != "#")
+@@ -1196,7 +1199,7 @@ void irchook::errorhandler(void *connect
+ void irchook::nickchanged(void *connection, void *cli, ...) {
+ va_list ap;
+ icqcontact *c;
+- char buf[100];
++ char buf[NOTIFBUF];
+
+ va_start(ap, cli);
+ char *oldnick = va_arg(ap, char *);
+@@ -1218,7 +1221,8 @@ void irchook::nickchanged(void *connecti
+
+ }
+
+- sprintf(buf, _("The user has changed their nick from %s to %s"), oldnick, newnick);
++ snprintf(buf, NOTIFBUF, _("The user has changed their nick from %s to %s"), oldnick, newnick);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(c, buf));
+ }
+ }
+@@ -1254,18 +1258,20 @@ const char * const command, const char *
+
+ void irchook::subreply(void *conn, void *cli, const char * const nick,
+ const char * const command, const char * const args) {
+- char buf[512];
++ char buf[NOTIFBUF];
+
+ if(!strcmp(command, "PING")) {
+ map::iterator i = irhook.pingtime.find(up(nick));
+
+ if(i != irhook.pingtime.end()) {
+- sprintf(buf, _("PING reply from the user: %d second(s)"), time(0)-i->second);
++ snprintf(buf, NOTIFBUF, _("PING reply from the user: %d second(s)"), time(0)-i->second);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(nick, irc), buf));
+ }
+
+ } else if(!strcmp(command, "VERSION")) {
+- sprintf(buf, _("The remote is using %s"), args);
++ snprintf(buf, NOTIFBUF, _("The remote is using %s"), args);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(nick, irc), buf));
+
+ }
+@@ -1378,8 +1384,9 @@ void irchook::chatuserjoined(void *conn,
+ if(strlen(email))
+ uname += (string) " (" + email + ")";
+
+- char buf[512];
+- sprintf(buf, _("%s has joined."), uname.c_str());
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("%s has joined."), uname.c_str());
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(room, irc), buf));
+ }
+ }
+@@ -1395,14 +1402,16 @@ void irchook::chatuserleft(void *conn, v
+
+ if(conf.getourid(irc).nickname != who) {
+ string text;
+- char buf[512];
++ char buf[NOTIFBUF];
+
+- sprintf(buf, _("%s has left"), who); text = buf;
++ snprintf(buf, NOTIFBUF, _("%s has left"), who); text = buf;
++ buf[NOTIFBUF-1] = '\0';
+
+ if(reason)
+ if(strlen(reason)) {
+ if(strlen(reason) > 450) reason[450] = 0;
+- sprintf(buf, _("reason: %s"), reason);
++ snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
++ buf[NOTIFBUF-1] = '\0';
+ text += (string) "; " + buf + ".";
+ }
+
+@@ -1422,13 +1431,15 @@ void irchook::chatuserkicked(void *conn,
+
+ if(conf.getourid(irc).nickname != who) {
+ string text;
+- char buf[512];
++ char buf[NOTIFBUF];
+
+- sprintf(buf, _("%s has been kicked by %s"), who, by); text = buf;
++ snprintf(buf, NOTIFBUF, _("%s has been kicked by %s"), who, by); text = buf;
++ buf[NOTIFBUF-1] = '\0';
+
+ if(reason)
+ if(strlen(reason)) {
+- sprintf(buf, _("reason: %s"), reason);
++ snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
++ buf[NOTIFBUF-1] = '\0';
+ text += (string) "; " + buf + ".";
+ }
+
+@@ -1451,13 +1462,15 @@ void irchook::chatgottopic(void *conn, v
+ return;
+
+ string text;
+- char buf[1024];
+- sprintf(buf, _("Channel topic now is: %s"), topic);
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("Channel topic now is: %s"), topic);
++ buf[NOTIFBUF-1] = '\0';
+ text = buf;
+
+ if(author)
+
if(strlen(author)) {
+- sprintf(buf, _("set by %s"), author);
++ snprintf(buf, NOTIFBUF, _("set by %s"), author);
++ buf[NOTIFBUF-1] = '\0';
+ text += (string) "; " + buf + ".";
+ }
+
+@@ -1474,8 +1487,9 @@ void irchook::chatuseropped(void *conn,
+ va_end(ap);
+
+ if(by) {
+- char buf[512];
+- sprintf(buf, _("%s has been opped by %s."), who, by);
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("%s has been opped by %s."), who, by);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(room, irc), buf));
+ }
+ }
+@@ -1490,8 +1504,9 @@ void irchook::chatuserdeopped(void *conn
+ va_end(ap);
+
+ if(by) {
+- char buf[512];
+- sprintf(buf, _("%s has been deopped by %s."), who, by);
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("%s has been deopped by %s."), who, by);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(room, irc), buf));
+ }
+ }
+@@ -1504,10 +1519,10 @@ void irchook::chatopped(void *conn, void
+ char *by = va_arg(ap, char *);
+ va_end(ap);
+
+- char buf[512];
+- if(by) sprintf(buf, _("%s has opped us."), by);
+- else strcpy(buf, _("you are an op here"));
+-
++ char buf[NOTIFBUF];
++ if(by) snprintf(buf, NOTIFBUF, _("%s has opped us."), by);
++ else strncpy(buf, _("you are an op here"), NOTIFBUF);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(room, irc), buf));
+ }
+
+@@ -1519,8 +1534,9 @@ void irchook::chatdeopped(void *conn, vo
+ char *by = va_arg(ap, char *);
+ va_end(ap);
+
+- char buf[512];
+- sprintf(buf, _("%s has deopped us."), by);
++ char buf[NOTIFBUF];
++ snprintf(buf, NOTIFBUF, _("%s has deopped us."), by);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(imcontact(room, irc), buf));
+ }
+
diff --git a/chat/centericq/patches/patch-ay b/chat/centericq/patches/patch-ay
new file mode 100644
index 00000000000..89cbfca290f
--- /dev/null
+++ b/chat/centericq/patches/patch-ay
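Review bot: In `chatuserleft` and `chatuserkicked` the added `buf[NOTIFBUF-1] = '\0';` follows `text = buf;` on the preceding line, so the string is copied before the explicit terminator is written and the guard protects nothing in those two places. The assignment belongs between the two statements: `snprintf(buf, NOTIFBUF, _("%s has left"), who);` then `buf[NOTIFBUF-1] = '\0';` then `text = buf;`, and likewise for the kicked message. Separately, `chatdeopped` formats `by` with `%s` without the `if(by)` test that `chatopped` has; if the IRC library can pass a null pointer there (not visible in this diff), that call is undefined behaviour and wants the same guard. `channelfatal` and `chatgottopic` also shrink from 1024 to 512 bytes, so long topics are now cut without any indication.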
@@ -0,0 +1,46 @@
+$NetBSD: patch-ay,v 1.1 2007/07/19 00:43:43 lkundrak Exp $
+
+Part of a fix for CVE-2007-3713.
+
+--- src/hooks/ljhook.cc.orig 2005-01-07 02:27:04.000000000 +0100
++++ src/hooks/ljhook.cc
+@@ -37,6 +37,8 @@ ljhook lhook;
+
+ #define PERIOD_FRIENDS 3600
+
++#define NOTIFBUF 512
++
+ ljhook::ljhook(): abstracthook(livejournal), fonline(false), sdest(0) {
+ fcapabs.insert(hookcapab::nochat);
+ }
+@@ -654,7 +656,7 @@ void ljhook::messageack_cb(MessageEvent
+ map nfriendof;
+ map::const_iterator in;
+ vector::iterator il;
+- char buf[512];
++ char buf[NOTIFBUF];
+
+ for(i = 1; i <= count; i++) {
+ username = params[(string) "friendof_" + i2str(i) + "_user"];
+@@ -669,8 +671,9 @@ void ljhook::messageack_cb(MessageEvent
+ if(!foempty) {
+ bd = (string) "http://" + conf.getourid(proto).server + "/users/" + in->first;
+
+- sprintf(buf, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
++ snprintf(buf, NOTIFBUF, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
+ in->first.c_str(), in->second.c_str(), bd.c_str());
++ buf[NOTIFBUF-1] = '\0';
+
+ em.store(imnotification(self, buf));
+ }
+@@ -679,8 +682,9 @@ void ljhook::messageack_cb(MessageEvent
+ for(il = friendof.begin(); il != friendof.end(); ) {
+ if(nfriendof.find(*il) == nfriendof.end()) {
+ bd = (string) "http://" + conf.getourid(proto).server + "/users/" + *il;
+- sprintf(buf, _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
++ snprintf(buf, NOTIFBUF, _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
+ il->c_str(), bd.c_str());
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(self, buf));
+ friendof.erase(il);
+ il = friendof.begin();
diff --git a/chat/centericq/patches/patch-az b/chat/centericq/patches/patch-az
new file mode 100644
index 00000000000..c17a7fa1491
--- /dev/null
+++ b/chat/centericq/patches/patch-az
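Review bot: Both notifications in `messageack_cb` put the journal address last in the format string, so when the strings formatted before it are long, the `snprintf` truncation silently shortens or removes the URL the user is meant to follow. `snprintf` returns the length it would have written, and checking it (`if(n < 0 || n >= NOTIFBUF)`) would let the code fall back to a shorter message. Since `bd` is already a `string`, building the text by concatenation would avoid the fixed buffer altogether. The body of `messageack_cb` extends outside the hunks shown.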
@@ -0,0 +1,108 @@
+$NetBSD: patch-az,v 1.1 2007/07/19 00:43:43 lkundrak Exp $
+
+Part of a fix for CVE-2007-3713.
+
+--- src/hooks/yahoohook.cc.orig 2007-07-19 02:24:38.000000000 +0200
++++ src/hooks/yahoohook.cc
+@@ -47,6 +47,8 @@
+ #define PERIOD_REFRESH 60
+ #define PERIOD_CLOSE 6
+
++#define NOTIFBUF 512
++
+ int yahoohook::yfd::connection_tags = 0;
+
+ char pager_host[255], pager_port[255], filetransfer_host[255],
+@@ -844,7 +846,7 @@ void yahoohook::got_conf_invite(int id,
+ icqconf::imaccount acc = conf.getourid(yahoo);
+ string confname = (string) "#" + room, inviter, text;
+ vector::iterator ic;
+- char buf[1024];
++ char buf[NOTIFBUF];
+ int i;
+
+ imcontact cont(confname, yahoo);
+@@ -856,10 +858,11 @@ void yahoohook::got_conf_invite(int id,
+ inviter.erase(i);
+ }
+
+- sprintf(buf, _("The user %s has invited you to the %s conference, the topic there is: %s"),
++ snprintf(buf, NOTIFBUF, _("The user %s has invited you to the %s conference, the topic there is: %s"),
+ yhook.rusconv("wk", inviter).c_str(),
+ yhook.rusconv("wk", room).c_str(),
+ yhook.rusconv("wk", msg).c_str());
++ buf[NOTIFBUF-1] = '\0';
+
+ text = (string) buf + "\n\n" + _("Current conference members are: ");
+ yhook.confmembers[room].push_back(inviter);
+@@ -888,20 +891,22 @@ void yahoohook::got_conf_invite(int id,
+
+ void yahoohook::conf_userdecline(int id, char *who, char *room, char *msg) {
+ icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
+- char buf[512];
++ char buf[NOTIFBUF];
+
+ if(c) {
+- sprintf(buf, _("The user %s has declined your invitation to join the conference"), who);
++ snprintf(buf, NOTIFBUF, _("The user %s has declined your invitation to join the conference"), who);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(c, buf));
+ }
+ }
+
+ void yahoohook::conf_userjoin(int id, char *who, char *room) {
+ icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
+- char buf[512];
++ char buf[NOTIFBUF];
+
+ if(c) {
+- sprintf(buf, _("The user
%s has joined the conference"), who);
++ snprintf(buf, NOTIFBUF, _("The user %s has joined the conference"), who);
++ buf[NOTIFBUF-1] = '\0';
+
+ if(find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who) == yhook.confmembers[room].end())
+ yhook.confmembers[room].push_back(who);
+@@ -912,11 +917,12 @@ void yahoohook::conf_userjoin(int id, ch
+
+ void yahoohook::conf_userleave(int id, char *who, char *room) {
+ icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
+- char buf[512];
++ char buf[NOTIFBUF];
+ vector::iterator im;
+
+ if(c) {
+- sprintf(buf, _("The user %s has left the conference"), who);
++ snprintf(buf, NOTIFBUF, _("The user %s has left the conference"), who);
++ buf[NOTIFBUF-1] = '\0';
+ em.store(imnotification(c, buf));
+
+ im = find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who);
+@@ -981,10 +987,11 @@ void yahoohook::game_notify(int id, char
+ }
+
+ void yahoohook::mail_notify(int id, char *from, char *subj, int cnt) {
+- char buf[1024];
++ char buf[NOTIFBUF];
+
+ if(from && subj) {
+- sprintf(buf, _("+ [yahoo] e-mail from %s, %s"), from, subj);
++ snprintf(buf, NOTIFBUF, _("+ [yahoo] e-mail from %s, %s"), from, subj);
++ buf[NOTIFBUF-1] = '\0';
+ face.log(buf);
+ clist.get(contactroot)->playsound(imevent::email);
+ }
+@@ -1138,11 +1145,12 @@ void yahoohook::webcam_data_request(int
+
+ int yahoohook::ylog(char *fmt, ...) {
+ if(conf.getdebug()) {
+- char buf[512];
++ char buf[NOTIFBUF];
+ va_list ap;
+
+ va_start(ap, fmt);
+- vsprintf(buf, fmt, ap);
++ vsnprintf(buf, NOTIFBUF, fmt, ap);
++ buf[NOTIFBUF-1] = '\0';
+ va_end(ap);
+
+ face.log(buf);
-- cgit v1.2.3
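Review bot: `mail_notify` and `ylog` pass the freshly formatted `buf` as the only argument to `face.log(buf)`, and in `mail_notify` that buffer holds the remote sender and subject. The declaration of `face.log` is not part of this diff; if its `char *` overload is printf-style, any `%` sequence in that text would be read as a conversion, which bounding the buffer does not address. Passing the text as data, `face.log((string) buf);`, matches how `abstracthook::log` calls it in this same commit and removes the doubt. Both function bodies continue outside the hunks.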