pidgin 2.7.3-1+squeeze1
Hi,
I just uploaded a new version of pidgin to t-p-u to fix a few crasher
bugs, including a remote DoS. Attached is the diff from 2.7.3-1.
Thanks,
Ari
diff --git a/debian/changelog b/debian/changelog
index 7630325..5406328 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pidgin (2.7.3-1+squeeze1) squeeze; urgency=medium
+
+ * baseXX_decode_error_handling_2.patch:
+ - apply fix from upstream to fix remote DoS in base64 code (CVE-2010-3711)
+ * msn_crash.patch:
+ - Apply upstream patch to fix random crashes in MSN (Closes: #594893)
+ * cyrus_sasl_crash.patch:
+ - Fix a crash when multiple accounts are simultaneously performing
+ SASL authentication when built with Cyrus SASL support.
+
+ -- Ari Pollak <ari@debian.org> Sat, 23 Oct 2010 12:03:16 -0400
+
pidgin (2.7.3-1) unstable; urgency=low
* Imported Upstream version 2.7.3
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 326131e..2b2256e 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -5,6 +5,13 @@
pristine-tar = True
# Don't check if debian-branch == current branch
#ignore-branch = True
+# the default branch for upstream sources:
+#upstream-branch = upstream
+# the default branch for the debian patch:
+debian-branch = debian/squeeze
+# the default tag formats used:
+#upstream-tag = upstream/%(version)s
+#debian-tag = debian/%(version)s
# Options only affecting git-buildpackage
[git-buildpackage]
diff --git a/debian/patches/baseXX_decode_error_handling_2.patch b/debian/patches/baseXX_decode_error_handling_2.patch
new file mode 100644
index 0000000..6ae4ad4
--- /dev/null
+++ b/debian/patches/baseXX_decode_error_handling_2.patch
@@ -0,0 +1,197 @@
+Description: Fixes remote DoS in base64 code (CVE-2010-3711)
+#
+# old_revision [e71d42518d6fd45f106f148da376c43e3eb6b294]
+#
+# patch "pidgin/libpurple/ntlm.c"
+# from [979ce84955ca402858c8ef4fdfb3f786da602d98]
+# to [5e2ea0f873201d1fbfbdf92456e17a24c5e584ab]
+#
+# patch "pidgin/libpurple/plugins/perl/common/Util.xs"
+# from [5fba429dad716bc84040920e2431cb52ad0002b9]
+# to [ac3d9ea652a79066c672e262d6f99d5949186a1a]
+#
+# patch "pidgin/libpurple/protocols/jabber/auth_digest_md5.c"
+# from [857c4e8e03d05e94a105e5763b7cd8eb5c758cc6]
+# to [c32a82e931b9ae544229e5ec2d1d9d163ea4ef90]
+#
+# patch "pidgin/libpurple/protocols/msn/slp.c"
+# from [f8ab7fe26bd4244db9b4299ace03320a7ac8a799]
+# to [25c7706a6a5125495ed1ddbf200d5961578c7beb]
+#
+# patch "pidgin/libpurple/protocols/myspace/message.c"
+# from [28bf0b70059bea825c40dd1a643fe2523f8fdd1f]
+# to [ac0c77b3d62b820b3b9a4a74626fa693a8c202ee]
+#
+# patch "pidgin/libpurple/protocols/oscar/clientlogin.c"
+# from [582b716f959a2688537c5d581bf74971c8962a10]
+# to [f66d45ff55ef44bed415ddbd25e47f2d60c8d5ea]
+#
+# patch "pidgin/libpurple/protocols/qq/im.c"
+# from [99d2868d5c8b67ab905ad128d0603f71af8bba50]
+# to [6464068551bb1b7e76badb77a334719a595ebf71]
+#
+# patch "pidgin/libpurple/protocols/yahoo/libymsg.c"
+# from [ede49fc83fb4fba337d5bca27d26fa20595039b8]
+# to [aedcc38fb75b9a99be6cb60666cd72a4e2376158]
+#
+============================================================
+Index: pidgin/libpurple/protocols/yahoo/libymsg.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/yahoo/libymsg.c
++++ pidgin/libpurple/protocols/yahoo/libymsg.c
+@@ -317,7 +317,7 @@ static void yahoo_process_status(PurpleC
+
+ if (pair->value) {
+ decoded = purple_base64_decode(pair->value, &len);
+- if (len) {
++ if (decoded && len > 0) {
+ tmp = purple_str_binary_to_ascii(decoded, len);
+ purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp);
+ g_free(tmp);
+@@ -2863,15 +2863,17 @@ static void yahoo_process_p2p(PurpleConn
+ if (base64) {
+ guint32 ip;
+ YahooFriend *f;
+- char *host_ip;
++ char *host_ip, *tmp;
+ struct yahoo_p2p_data *p2p_data;
+
+ decoded = purple_base64_decode(base64, &len);
+- if (len) {
+- char *tmp = purple_str_binary_to_ascii(decoded, len);
+- purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
+- g_free(tmp);
++ if (decoded == NULL) {
++ purple_debug_info("yahoo","p2p: Unable to decode base64 IP (%s) \n", base64);
++ return;
+ }
++ tmp = purple_str_binary_to_ascii(decoded, len);
++ purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
++ g_free(tmp);
+
+ ip = strtol((gchar *)decoded, NULL, 10);
+ g_free(decoded);
+Index: pidgin/libpurple/protocols/msn/slp.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/msn/slp.c
++++ pidgin/libpurple/protocols/msn/slp.c
+@@ -554,7 +554,7 @@ got_sessionreq(MsnSlpCall *slpcall, cons
+ slpcall->slplink->remote_user);
+
+ header = (MsnFileContext *)purple_base64_decode(context, &bin_len);
+- if (bin_len >= sizeof(MsnFileContext) - 1 &&
++ if (header != NULL && bin_len >= sizeof(MsnFileContext) - 1 &&
+ (header->version == 2 ||
+ (header->version == 3 && header->length == sizeof(MsnFileContext) + 63))) {
+ file_size = GUINT64_FROM_LE(header->file_size);
+Index: pidgin/libpurple/plugins/perl/common/Util.xs
+===================================================================
+--- pidgin.orig/libpurple/plugins/perl/common/Util.xs
++++ pidgin/libpurple/plugins/perl/common/Util.xs
+@@ -238,7 +238,7 @@ purple_base16_decode(str)
+ guchar *ret;
+ CODE:
+ ret = purple_base16_decode(str, &len);
+- if(len) {
++ if(ret && len > 0) {
+ RETVAL = newSVpv((gchar *)ret, len);
+ } else {
+ g_free(ret);
+@@ -256,7 +256,7 @@ purple_base64_decode(str)
+ guchar *ret;
+ CODE:
+ ret = purple_base64_decode(str, &len);
+- if(len) {
++ if(ret && len > 0) {
+ RETVAL = newSVpv((gchar *)ret, len);
+ } else {
+ g_free(ret);
+Index: pidgin/libpurple/ntlm.c
+===================================================================
+--- pidgin.orig/libpurple/ntlm.c
++++ pidgin/libpurple/ntlm.c
+@@ -152,9 +152,14 @@ purple_ntlm_parse_type2(const gchar *typ
+ static guint8 nonce[8];
+
+ tmsg = (struct type2_message*)purple_base64_decode(type2, &retlen);
+- memcpy(nonce, tmsg->nonce, 8);
+- if (flags != NULL)
+- *flags = GUINT16_FROM_LE(tmsg->flags);
++ if (tmsg != NULL && retlen >= (sizeof(struct type2_message) - 1)) {
++ memcpy(nonce, tmsg->nonce, 8);
++ if (flags != NULL)
++ *flags = GUINT16_FROM_LE(tmsg->flags);
++ } else {
++ purple_debug_error("ntlm", "Unable to parse type2 message - returning empty nonce.\n");
++ memset(nonce, 0, 8);
++ }
+ g_free(tmsg);
+
+ return nonce;
+Index: pidgin/libpurple/protocols/qq/im.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/qq/im.c
++++ pidgin/libpurple/protocols/qq/im.c
+@@ -547,7 +547,6 @@ qq_im_format *qq_im_fmt_new_by_purple(co
+ const gchar *start, *end, *last;
+ GData *attribs;
+ gchar *tmp;
+- unsigned char *rgb;
+
+ g_return_val_if_fail(msg != NULL, NULL);
+
+@@ -570,8 +569,11 @@ qq_im_format *qq_im_fmt_new_by_purple(co
+
+ tmp = g_datalist_get_data(&attribs, "color");
+ if (tmp && strlen(tmp) > 1) {
+- rgb = purple_base16_decode(tmp + 1, NULL);
+- g_memmove(fmt->rgb, rgb, 3);
++ unsigned char *rgb;
++ gsize rgb_len;
++ rgb = purple_base16_decode(tmp + 1, &rgb_len);
++ if (rgb != NULL && rgb_len >= 3)
++ g_memmove(fmt->rgb, rgb, 3);
+ g_free(rgb);
+ }
+
+Index: pidgin/libpurple/protocols/myspace/message.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/myspace/message.c
++++ pidgin/libpurple/protocols/myspace/message.c
+@@ -1363,7 +1363,7 @@ msim_msg_get_binary_from_element(MsimMes
+ *
+ */
+ *binary_data = (gchar *)purple_base64_decode((const gchar *)elem->data, binary_length);
+- return TRUE;
++ return ((*binary_data) != NULL);
+
+ case MSIM_TYPE_BINARY:
+ gs = (GString *)elem->data;
+Index: pidgin/libpurple/protocols/oscar/clientlogin.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/oscar/clientlogin.c
++++ pidgin/libpurple/protocols/oscar/clientlogin.c
+@@ -272,7 +272,7 @@ static void start_oscar_session_cb(Purpl
+ char *tls_certname = NULL;
+ unsigned short port;
+ guint8 *cookiedata;
+- gsize cookiedata_len;
++ gsize cookiedata_len = 0;
+
+ od = user_data;
+ gc = od->gc;
+Index: pidgin/libpurple/protocols/jabber/auth_digest_md5.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/auth_digest_md5.c
++++ pidgin/libpurple/protocols/jabber/auth_digest_md5.c
+@@ -182,7 +182,9 @@ digest_md5_handle_challenge(JabberStream
+
+ dec_in = (char *)purple_base64_decode(enc_in, NULL);
+ purple_debug_misc("jabber", "decoded challenge (%"
+- G_GSIZE_FORMAT "): %s\n", strlen(dec_in), dec_in);
++ G_GSIZE_FORMAT "): %s\n",
++ dec_in != NULL ? strlen(dec_in) : 0,
++ dec_in != NULL ? dec_in : "(null)");
+
+ parts = parse_challenge(dec_in);
+
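Review bot: In the auth_digest_md5.c part of this patch the NULL case is handled only for the debug message; `parts = parse_challenge(dec_in);` on the next line still receives a NULL dec_in whenever purple_base64_decode rejects the challenge, so unless parse_challenge tolerates NULL (its body is outside the hunk) the crash has only moved one line down. I would bail out before that call on `dec_in == NULL`, using the same failure path the function takes for a malformed challenge (not visible here). Separately, in the ntlm.c part purple_ntlm_parse_type2 now logs and returns the static nonce zeroed when the message is short or undecodable, so the caller cannot distinguish failure from a genuine all-zero nonce and the NTLM exchange continues; that deserves a comment on the function, e.g. `/* On a malformed type2 message the returned nonce is all zeros; callers cannot detect the failure. */`. The lower bound `retlen >= sizeof(struct type2_message) - 1` (and the matching `bin_len >= sizeof(MsnFileContext) - 1` in slp.c) reads the struct's last byte from beyond the decoded length and is only in bounds if the decoder guarantees an extra trailing byte — worth confirming against purple_base64_decode before relying on it.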
diff --git a/debian/patches/cyrus_sasl_crash.patch b/debian/patches/cyrus_sasl_crash.patch
new file mode 100644
index 0000000..31068b9
--- /dev/null
+++ b/debian/patches/cyrus_sasl_crash.patch
@@ -0,0 +1,76 @@
+Description: Fix a crash when multiple accounts are simultaneously performing
+ SASL authentication when built with Cyrus SASL support.
+#
+#
+# patch "libpurple/protocols/jabber/auth_cyrus.c"
+# from [de85c1d927c318ab37dbaae05f4823749ff6da3b]
+# to [d2bfd74ef5947eedc6fc7b489e53cf43b57f6f41]
+#
+# patch "libpurple/protocols/jabber/jabber.c"
+# from [bad7f0bf46ec064f14facd6a467eb06918bb7d27]
+# to [9c1f4dbfa2d4aec4f3eaa4108bf6661902317394]
+#
+# patch "libpurple/protocols/jabber/jabber.h"
+# from [480e97195d8da8a1120c4f5cb1360b77c9a3d24b]
+# to [1c6cf16631a65e79ba7fff3147fcbfba98ed7c05]
+#
+============================================================
+Index: pidgin/libpurple/protocols/jabber/auth_cyrus.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/auth_cyrus.c
++++ pidgin/libpurple/protocols/jabber/auth_cyrus.c
+@@ -94,7 +94,6 @@ static int jabber_sasl_cb_secret(sasl_co
+ PurpleAccount *account;
+ const char *pw;
+ size_t len;
+- static sasl_secret_t *x = NULL;
+
+ account = purple_connection_get_account(js->gc);
+ pw = purple_account_get_password(account);
+@@ -103,15 +102,15 @@ static int jabber_sasl_cb_secret(sasl_co
+ return SASL_BADPARAM;
+
+ len = strlen(pw);
+- x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
+-
+- if (!x)
++ /* TODO: This can probably be moved to glib's allocator */
++ js->sasl_secret = malloc(sizeof(sasl_secret_t) + len);
++ if (!js->sasl_secret)
+ return SASL_NOMEM;
+
+- x->len = len;
+- strcpy((char*)x->data, pw);
++ js->sasl_secret->len = len;
++ strcpy((char*)js->sasl_secret->data, pw);
+
+- *secret = x;
++ *secret = js->sasl_secret;
+ return SASL_OK;
+ }
+
+Index: pidgin/libpurple/protocols/jabber/jabber.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/jabber.c
++++ pidgin/libpurple/protocols/jabber/jabber.c
+@@ -1631,6 +1631,8 @@ void jabber_close(PurpleConnection *gc)
+ if(js->sasl_mechs)
+ g_string_free(js->sasl_mechs, TRUE);
+ g_free(js->sasl_cb);
++ /* Note: _not_ g_free. See auth_cyrus.c:jabber_sasl_cb_secret */
++ free(js->sasl_secret);
+ #endif
+ g_free(js->serverFQDN);
+ while(js->commands) {
+Index: pidgin/libpurple/protocols/jabber/jabber.h
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/jabber.h
++++ pidgin/libpurple/protocols/jabber/jabber.h
+@@ -206,6 +206,7 @@ struct _JabberStream
+ #ifdef HAVE_CYRUS_SASL
+ sasl_conn_t *sasl;
+ sasl_callback_t *sasl_cb;
++ sasl_secret_t *sasl_secret;
+ const char *current_mech;
+ int auth_fail_count;
+
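Review bot: jabber_sasl_cb_secret now allocates a fresh buffer into js->sasl_secret on every call without releasing the previous one, so if Cyrus invokes the secret callback more than once on the same stream (a retried mechanism, for example) each earlier copy of the password is leaked until jabber_close; the static realloc it replaces did not have this problem. Add `free(js->sasl_secret);` immediately before the `malloc` line. Because the buffer holds the account password in clear, it would also be reasonable to wipe it before freeing in both places (the length is `js->sasl_secret->len`; use explicit_bzero or equivalent where available, since a plain memset before free may be optimized away). This assumes sasl_secret starts out NULL in a freshly created JabberStream, which the hunk does not show — confirm the stream is zero-allocated, otherwise the free in jabber_close reads an uninitialized pointer.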
diff --git a/debian/patches/msn_crash.patch b/debian/patches/msn_crash.patch
new file mode 100644
index 0000000..e55db28
--- /dev/null
+++ b/debian/patches/msn_crash.patch
@@ -0,0 +1,25 @@
+Bug-Debian: http://bugs.debian.org/594893
+#
+#
+# patch "pidgin/libpurple/network.c"
+# from [8c70d2a63b2c464b174ff8cc768e43a6bff9c4cb]
+# to [040edad982c3770eb34822415ad9341218f66fa8]
+#
+============================================================
+Index: pidgin/libpurple/network.c
+===================================================================
+--- pidgin.orig/libpurple/network.c
++++ pidgin/libpurple/network.c
+@@ -1077,12 +1077,10 @@ purple_network_remove_port_mapping(gint
+
+ if (protocol) {
+ purple_network_upnp_mapping_remove(&port, protocol, NULL);
+- g_hash_table_remove(upnp_port_mappings, protocol);
+ } else {
+ protocol = g_hash_table_lookup(nat_pmp_port_mappings, &port);
+ if (protocol) {
+ purple_network_nat_pmp_mapping_remove(&port, protocol, NULL);
+- g_hash_table_remove(nat_pmp_port_mappings, protocol);
+ }
+ }
+ }
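Review bot: The patch header carries only a Bug-Debian line; unlike the other two patches it has no Description or Origin, so the reason the two g_hash_table_remove calls can be dropped is recorded nowhere in the package. Presumably purple_network_upnp_mapping_remove and purple_network_nat_pmp_mapping_remove (or the callbacks they run, outside the hunk) already remove the entry, making the second removal a double removal of the `protocol` key; the header should state that, e.g. `Description: Avoid double removal of port mappings, which crashed MSN (Closes: #594893)`, followed by one sentence naming where the first removal happens, plus an `Origin:` line referencing the upstream change (placeholder: UPSTREAM-REVISION).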
diff --git a/debian/patches/series b/debian/patches/series
index f7fc65c..f240bda 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
+msn_crash.patch
python26.patch
libnssckbi_path.patch
+baseXX_decode_error_handling_2.patch
+cyrus_sasl_crash.patch