Bug#686455: unblock: pidgin-latex/1.4.4-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package pidgin-latex
It adds an upstream patch which will be also available in 1.4.5 to fix:
01_security_issue.patch: Insuficient validation on blacklist wich could cause
send user information over messenger network.
--- pidgin-latex-1.4.4/debian/changelog 2011-07-07 10:15:03.000000000 -0500
+++ pidgin-latex-1.4.4/debian/changelog 2012-08-30 19:48:45.000000000 -0500
@@ -1,3 +1,11 @@
+pidgin-latex (1.4.4-2) unstable; urgency=low
+
+ * debian/patches/01_security_issue.patch: Added. (Closes: #685888)
+ + This fix insufficient validation of LaTeX code and avoid
+ access to user local information.
+
+ -- Elías Alejandro Año Mendoza <ealmdz@gmail.com> Thu, 30 Aug 2012 20:39:08 -0500
+
pidgin-latex (1.4.4-1) unstable; urgency=low
* Initial release (Closes: #520658, #609723)
diff -Nru pidgin-latex-1.4.4/debian/patches/01_security_issue.patch pidgin-latex-1.4.4/debian/patches/01_security_issue.patch
--- pidgin-latex-1.4.4/debian/patches/01_security_issue.patch 1969-12-31 19:00:00.000000000 -0500
+++ pidgin-latex-1.4.4/debian/patches/01_security_issue.patch 2012-08-26 16:48:19.000000000 -0500
@@ -0,0 +1,45 @@
+Description: pidgin-latex has a security issue to get into makeatletter-mode.
+ This patch fix insufficient validation of LaTeX code and avoid send
+ messages over a messenger network to a user local system account
+ information.
+
+Author: Benjamin Moll <qjuh@users.sourceforge.net>
+Forwarded: no
+Last-Update: 2012-07-23
+
+--- pidgin-latex-1.4.4.orig/LaTeX.c 2011-01-12 19:28:45.000000000 -0500
++++ pidgin-latex-1.4.4/LaTeX.c 2012-08-25 20:27:55.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <regex.h>
+ #include <sys/types.h>
+
+ #ifndef _WIN32
+@@ -321,14 +322,21 @@
+ static gboolean is_blacklisted(char *message)
+ {
+ char *not_secure[NB_BLACKLIST] = BLACKLIST;
++ int reti;
+ int i;
+ for (i = 0 ; i < NB_BLACKLIST ; i++)
+ {
+- char *begin_not_secure = malloc((strlen(not_secure[i])+9)*sizeof(char));
+- strcpy(begin_not_secure,"\\begin{");
++ regex_t regex;
++ char *begin_not_secure = malloc((strlen(not_secure[i])+18)*sizeof(char));
++ strcpy(begin_not_secure,"\\\\begin\\W*{\\W*");
+ strcat(begin_not_secure,not_secure[i]+0x01);
+- strcat(begin_not_secure,"}");
+- if (strstr(message, not_secure[i]) != NULL || strstr(message, begin_not_secure)) return TRUE;
++ strcat(begin_not_secure,"\\W*}");
++ reti = regcomp(®ex, begin_not_secure, 0);
++purple_debug_info("LaTeX", "RegEx-Comp: %s (%d)\n", begin_not_secure, reti);
++ reti = regexec(®ex, message, 0, NULL, 0);
++ regfree(®ex);
++purple_debug_info("LaTeX", "Blacklist: %s und %s (RegEx-Match: %d)\n", not_secure[i], begin_not_secure, reti);
++ if (strstr(message, not_secure[i]) != NULL || reti!=REG_NOMATCH) return TRUE;
+ }
+ return FALSE;
+ }
diff -Nru pidgin-latex-1.4.4/debian/patches/series pidgin-latex-1.4.4/debian/patches/series
--- pidgin-latex-1.4.4/debian/patches/series 1969-12-31 19:00:00.000000000 -0500
+++ pidgin-latex-1.4.4/debian/patches/series 2012-08-26 16:48:19.000000000 -0500
@@ -0,0 +1 @@
+01_security_issue.patch
unblock pidgin-latex/1.4.4-2
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=es_PE.UTF-8, LC_CTYPE=es_PE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Reply to: