
pidgin 2.7.3-1+squeeze1



Hi,

I just uploaded a new version of pidgin to t-p-u to fix a few crasher
bugs, including a remote DoS. Attached is the diff from 2.7.3-1.

Thanks,
Ari
diff --git a/debian/changelog b/debian/changelog
index 7630325..5406328 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+pidgin (2.7.3-1+squeeze1) squeeze; urgency=medium
+
+  * baseXX_decode_error_handling_2.patch:
+    - apply fix from upstream to fix remote DoS in base64 code (CVE-2010-3711)
+  * msn_crash.patch:
+    - Apply upstream patch to fix random crashes in MSN (Closes: #594893)
+  * cyrus_sasl_crash.patch:
+    - Fix a crash when multiple accounts are simultaneously performing
+      SASL authentication when built with Cyrus SASL support. 
+
+ -- Ari Pollak <ari@debian.org>  Sat, 23 Oct 2010 12:03:16 -0400
+
 pidgin (2.7.3-1) unstable; urgency=low
 
   * Imported Upstream version 2.7.3
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 326131e..2b2256e 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -5,6 +5,13 @@
 pristine-tar = True
 # Don't check if debian-branch == current branch
 #ignore-branch = True
+# the default branch for upstream sources:
+#upstream-branch = upstream                                                     
+# the default branch for the debian patch:
+debian-branch = debian/squeeze
+# the default tag formats used:
+#upstream-tag = upstream/%(version)s
+#debian-tag = debian/%(version)s
 
 # Options only affecting git-buildpackage
 [git-buildpackage]
diff --git a/debian/patches/baseXX_decode_error_handling_2.patch b/debian/patches/baseXX_decode_error_handling_2.patch
new file mode 100644
index 0000000..6ae4ad4
--- /dev/null
+++ b/debian/patches/baseXX_decode_error_handling_2.patch
@@ -0,0 +1,197 @@
+Description: Fixes remote DoS in base64 code (CVE-2010-3711)
+#
+# old_revision [e71d42518d6fd45f106f148da376c43e3eb6b294]
+#
+# patch "pidgin/libpurple/ntlm.c"
+#  from [979ce84955ca402858c8ef4fdfb3f786da602d98]
+#    to [5e2ea0f873201d1fbfbdf92456e17a24c5e584ab]
+# 
+# patch "pidgin/libpurple/plugins/perl/common/Util.xs"
+#  from [5fba429dad716bc84040920e2431cb52ad0002b9]
+#    to [ac3d9ea652a79066c672e262d6f99d5949186a1a]
+# 
+# patch "pidgin/libpurple/protocols/jabber/auth_digest_md5.c"
+#  from [857c4e8e03d05e94a105e5763b7cd8eb5c758cc6]
+#    to [c32a82e931b9ae544229e5ec2d1d9d163ea4ef90]
+# 
+# patch "pidgin/libpurple/protocols/msn/slp.c"
+#  from [f8ab7fe26bd4244db9b4299ace03320a7ac8a799]
+#    to [25c7706a6a5125495ed1ddbf200d5961578c7beb]
+# 
+# patch "pidgin/libpurple/protocols/myspace/message.c"
+#  from [28bf0b70059bea825c40dd1a643fe2523f8fdd1f]
+#    to [ac0c77b3d62b820b3b9a4a74626fa693a8c202ee]
+# 
+# patch "pidgin/libpurple/protocols/oscar/clientlogin.c"
+#  from [582b716f959a2688537c5d581bf74971c8962a10]
+#    to [f66d45ff55ef44bed415ddbd25e47f2d60c8d5ea]
+# 
+# patch "pidgin/libpurple/protocols/qq/im.c"
+#  from [99d2868d5c8b67ab905ad128d0603f71af8bba50]
+#    to [6464068551bb1b7e76badb77a334719a595ebf71]
+# 
+# patch "pidgin/libpurple/protocols/yahoo/libymsg.c"
+#  from [ede49fc83fb4fba337d5bca27d26fa20595039b8]
+#    to [aedcc38fb75b9a99be6cb60666cd72a4e2376158]
+#
+============================================================
+Index: pidgin/libpurple/protocols/yahoo/libymsg.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/yahoo/libymsg.c
++++ pidgin/libpurple/protocols/yahoo/libymsg.c
+@@ -317,7 +317,7 @@ static void yahoo_process_status(PurpleC
+ 
+ 			if (pair->value) {
+ 				decoded = purple_base64_decode(pair->value, &len);
+-				if (len) {
++				if (decoded && len > 0) {
+ 					tmp = purple_str_binary_to_ascii(decoded, len);
+ 					purple_debug_info("yahoo", "Got key 197, value = %s\n", tmp);
+ 					g_free(tmp);
+@@ -2863,15 +2863,17 @@ static void yahoo_process_p2p(PurpleConn
+ 	if (base64) {
+ 		guint32 ip;
+ 		YahooFriend *f;
+-		char *host_ip;
++		char *host_ip, *tmp;
+ 		struct yahoo_p2p_data *p2p_data;
+ 
+ 		decoded = purple_base64_decode(base64, &len);
+-		if (len) {
+-			char *tmp = purple_str_binary_to_ascii(decoded, len);
+-			purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
+-			g_free(tmp);
++		if (decoded == NULL) {
++			purple_debug_info("yahoo","p2p: Unable to decode base64 IP (%s) \n", base64);
++			return;
+ 		}
++		tmp = purple_str_binary_to_ascii(decoded, len);
++		purple_debug_info("yahoo", "Got P2P service packet (from server): who = %s, ip = %s\n", who, tmp);
++		g_free(tmp);
+ 
+ 		ip = strtol((gchar *)decoded, NULL, 10);
+ 		g_free(decoded);
+Index: pidgin/libpurple/protocols/msn/slp.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/msn/slp.c
++++ pidgin/libpurple/protocols/msn/slp.c
+@@ -554,7 +554,7 @@ got_sessionreq(MsnSlpCall *slpcall, cons
+ 							 slpcall->slplink->remote_user);
+ 
+ 		header = (MsnFileContext *)purple_base64_decode(context, &bin_len);
+-		if (bin_len >= sizeof(MsnFileContext) - 1 &&
++		if (header != NULL && bin_len >= sizeof(MsnFileContext) - 1 &&
+ 			(header->version == 2 ||
+ 			 (header->version == 3 && header->length == sizeof(MsnFileContext) + 63))) {
+ 			file_size = GUINT64_FROM_LE(header->file_size);
+Index: pidgin/libpurple/plugins/perl/common/Util.xs
+===================================================================
+--- pidgin.orig/libpurple/plugins/perl/common/Util.xs
++++ pidgin/libpurple/plugins/perl/common/Util.xs
+@@ -238,7 +238,7 @@ purple_base16_decode(str)
+ 	guchar *ret;
+ 	CODE:
+ 		ret = purple_base16_decode(str, &len);
+-		if(len) {
++		if(ret && len > 0) {
+ 			RETVAL = newSVpv((gchar *)ret, len);
+ 		} else {
+ 			g_free(ret);
+@@ -256,7 +256,7 @@ purple_base64_decode(str)
+ 	guchar *ret;
+ 	CODE:
+ 		ret = purple_base64_decode(str, &len);
+-		if(len) {
++		if(ret && len > 0) {
+ 			RETVAL = newSVpv((gchar *)ret, len);
+ 		} else {
+ 			g_free(ret);
+Index: pidgin/libpurple/ntlm.c
+===================================================================
+--- pidgin.orig/libpurple/ntlm.c
++++ pidgin/libpurple/ntlm.c
+@@ -152,9 +152,14 @@ purple_ntlm_parse_type2(const gchar *typ
+ 	static guint8 nonce[8];
+ 
+ 	tmsg = (struct type2_message*)purple_base64_decode(type2, &retlen);
+-	memcpy(nonce, tmsg->nonce, 8);
+-	if (flags != NULL)
+-		*flags = GUINT16_FROM_LE(tmsg->flags);
++	if (tmsg != NULL && retlen >= (sizeof(struct type2_message) - 1)) {
++		memcpy(nonce, tmsg->nonce, 8);
++		if (flags != NULL)
++			*flags = GUINT16_FROM_LE(tmsg->flags);
++	} else {
++		purple_debug_error("ntlm", "Unable to parse type2 message - returning empty nonce.\n");
++		memset(nonce, 0, 8);
++	}
+ 	g_free(tmsg);
+ 
+ 	return nonce;
+Index: pidgin/libpurple/protocols/qq/im.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/qq/im.c
++++ pidgin/libpurple/protocols/qq/im.c
+@@ -547,7 +547,6 @@ qq_im_format *qq_im_fmt_new_by_purple(co
+ 	const gchar *start, *end, *last;
+ 	GData *attribs;
+ 	gchar *tmp;
+-	unsigned char *rgb;
+ 
+ 	g_return_val_if_fail(msg != NULL, NULL);
+ 
+@@ -570,8 +569,11 @@ qq_im_format *qq_im_fmt_new_by_purple(co
+ 
+ 		tmp = g_datalist_get_data(&attribs, "color");
+ 		if (tmp && strlen(tmp) > 1) {
+-			rgb = purple_base16_decode(tmp + 1, NULL);
+-			g_memmove(fmt->rgb, rgb, 3);
++			unsigned char *rgb;
++			gsize rgb_len;
++			rgb = purple_base16_decode(tmp + 1, &rgb_len);
++			if (rgb != NULL && rgb_len >= 3)
++				g_memmove(fmt->rgb, rgb, 3);
+ 			g_free(rgb);
+ 		}
+ 
+Index: pidgin/libpurple/protocols/myspace/message.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/myspace/message.c
++++ pidgin/libpurple/protocols/myspace/message.c
+@@ -1363,7 +1363,7 @@ msim_msg_get_binary_from_element(MsimMes
+ 			 *
+ 			 */
+ 			*binary_data = (gchar *)purple_base64_decode((const gchar *)elem->data, binary_length);
+-			return TRUE;
++			return ((*binary_data) != NULL);
+ 
+ 		case MSIM_TYPE_BINARY:
+ 			gs = (GString *)elem->data;
+Index: pidgin/libpurple/protocols/oscar/clientlogin.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/oscar/clientlogin.c
++++ pidgin/libpurple/protocols/oscar/clientlogin.c
+@@ -272,7 +272,7 @@ static void start_oscar_session_cb(Purpl
+ 	char *tls_certname = NULL;
+ 	unsigned short port;
+ 	guint8 *cookiedata;
+-	gsize cookiedata_len;
++	gsize cookiedata_len = 0;
+ 
+ 	od = user_data;
+ 	gc = od->gc;
+Index: pidgin/libpurple/protocols/jabber/auth_digest_md5.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/auth_digest_md5.c
++++ pidgin/libpurple/protocols/jabber/auth_digest_md5.c
+@@ -182,7 +182,9 @@ digest_md5_handle_challenge(JabberStream
+ 
+ 	dec_in = (char *)purple_base64_decode(enc_in, NULL);
+ 	purple_debug_misc("jabber", "decoded challenge (%"
+-			G_GSIZE_FORMAT "): %s\n", strlen(dec_in), dec_in);
++			G_GSIZE_FORMAT "): %s\n",
++			dec_in != NULL ? strlen(dec_in) : 0,
++			dec_in != NULL  ? dec_in : "(null)");
+ 
+ 	parts = parse_challenge(dec_in);
+ 
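Review bot: In the auth_digest_md5.c part of the new patch (L246-L253), `dec_in` may now be NULL through the debug call, but the next statement, `parts = parse_challenge(dec_in);`, still receives it unguarded; unless parse_challenge tolerates a NULL argument (its body is not in this patch), the crash this hunk removes only moves one line down, and a NULL check returning the function's failure result before that call would close it. The `- 1` in the length bounds at L140 (`bin_len >= sizeof(MsnFileContext) - 1`) and L177 (`retlen >= (sizeof(struct type2_message) - 1)`) is unexplained; a one-line comment stating why one byte less than the struct size is acceptable would spare the next reader from guessing. digest_md5_handle_challenge, got_sessionreq and purple_ntlm_parse_type2 all start and end outside their hunks.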
diff --git a/debian/patches/cyrus_sasl_crash.patch b/debian/patches/cyrus_sasl_crash.patch
new file mode 100644
index 0000000..31068b9
--- /dev/null
+++ b/debian/patches/cyrus_sasl_crash.patch
@@ -0,0 +1,76 @@
+Description: Fix a crash when multiple accounts are simultaneously performing
+ SASL authentication when built with Cyrus SASL support.
+#
+#
+# patch "libpurple/protocols/jabber/auth_cyrus.c"
+#  from [de85c1d927c318ab37dbaae05f4823749ff6da3b]
+#    to [d2bfd74ef5947eedc6fc7b489e53cf43b57f6f41]
+# 
+# patch "libpurple/protocols/jabber/jabber.c"
+#  from [bad7f0bf46ec064f14facd6a467eb06918bb7d27]
+#    to [9c1f4dbfa2d4aec4f3eaa4108bf6661902317394]
+# 
+# patch "libpurple/protocols/jabber/jabber.h"
+#  from [480e97195d8da8a1120c4f5cb1360b77c9a3d24b]
+#    to [1c6cf16631a65e79ba7fff3147fcbfba98ed7c05]
+#
+============================================================
+Index: pidgin/libpurple/protocols/jabber/auth_cyrus.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/auth_cyrus.c
++++ pidgin/libpurple/protocols/jabber/auth_cyrus.c
+@@ -94,7 +94,6 @@ static int jabber_sasl_cb_secret(sasl_co
+ 	PurpleAccount *account;
+ 	const char *pw;
+ 	size_t len;
+-	static sasl_secret_t *x = NULL;
+ 
+ 	account = purple_connection_get_account(js->gc);
+ 	pw = purple_account_get_password(account);
+@@ -103,15 +102,15 @@ static int jabber_sasl_cb_secret(sasl_co
+ 		return SASL_BADPARAM;
+ 
+ 	len = strlen(pw);
+-	x = (sasl_secret_t *) realloc(x, sizeof(sasl_secret_t) + len);
+-
+-	if (!x)
++	/* TODO: This can probably be moved to glib's allocator */
++	js->sasl_secret = malloc(sizeof(sasl_secret_t) + len);
++	if (!js->sasl_secret)
+ 		return SASL_NOMEM;
+ 
+-	x->len = len;
+-	strcpy((char*)x->data, pw);
++	js->sasl_secret->len = len;
++	strcpy((char*)js->sasl_secret->data, pw);
+ 
+-	*secret = x;
++	*secret = js->sasl_secret;
+ 	return SASL_OK;
+ }
+ 
+Index: pidgin/libpurple/protocols/jabber/jabber.c
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/jabber.c
++++ pidgin/libpurple/protocols/jabber/jabber.c
+@@ -1631,6 +1631,8 @@ void jabber_close(PurpleConnection *gc)
+ 	if(js->sasl_mechs)
+ 		g_string_free(js->sasl_mechs, TRUE);
+ 	g_free(js->sasl_cb);
++	/* Note: _not_ g_free.  See auth_cyrus.c:jabber_sasl_cb_secret */
++	free(js->sasl_secret);
+ #endif
+ 	g_free(js->serverFQDN);
+ 	while(js->commands) {
+Index: pidgin/libpurple/protocols/jabber/jabber.h
+===================================================================
+--- pidgin.orig/libpurple/protocols/jabber/jabber.h
++++ pidgin/libpurple/protocols/jabber/jabber.h
+@@ -206,6 +206,7 @@ struct _JabberStream
+ #ifdef HAVE_CYRUS_SASL
+ 	sasl_conn_t *sasl;
+ 	sasl_callback_t *sasl_cb;
++	sasl_secret_t *sasl_secret;
+ 	const char *current_mech;
+ 	int auth_fail_count;
+ 
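Review bot: jabber_sasl_cb_secret at L298 now allocates a fresh secret into `js->sasl_secret` on every call without releasing the previous one; the realloc it replaces (L294) suggests the callback can run more than once per stream, so each repeat would leak the earlier buffer until jabber_close. Adding `free(js->sasl_secret);` immediately before the malloc at L298 keeps the single-owner model the patch introduces and stays consistent with the plain `free` at L321. The buffer also holds the account password in clear text until jabber_close releases it; if the project wants it cleared first, a plain memset before free can be optimized away, so that would need a compiler-resistant zeroing helper. The enclosing function starts outside the hunk.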
diff --git a/debian/patches/msn_crash.patch b/debian/patches/msn_crash.patch
new file mode 100644
index 0000000..e55db28
--- /dev/null
+++ b/debian/patches/msn_crash.patch
@@ -0,0 +1,25 @@
+Bug-Debian: http://bugs.debian.org/594893
+#
+#
+# patch "pidgin/libpurple/network.c"
+#  from [8c70d2a63b2c464b174ff8cc768e43a6bff9c4cb]
+#    to [040edad982c3770eb34822415ad9341218f66fa8]
+#
+============================================================
+Index: pidgin/libpurple/network.c
+===================================================================
+--- pidgin.orig/libpurple/network.c
++++ pidgin/libpurple/network.c
+@@ -1077,12 +1077,10 @@ purple_network_remove_port_mapping(gint
+ 
+ 	if (protocol) {
+ 		purple_network_upnp_mapping_remove(&port, protocol, NULL);
+-		g_hash_table_remove(upnp_port_mappings, protocol);
+ 	} else {
+ 		protocol = g_hash_table_lookup(nat_pmp_port_mappings, &port);
+ 		if (protocol) {
+ 			purple_network_nat_pmp_mapping_remove(&port, protocol, NULL);
+-			g_hash_table_remove(nat_pmp_port_mappings, protocol);
+ 		}
+ 	}
+ }
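Review bot: The new patch file carries only a Bug-Debian header; a `Description:` line stating why the two `g_hash_table_remove` calls are dropped would help whoever next touches network.c, since it is not visible here whether the table entries are now removed in the asynchronous completion path or are left in place deliberately. The removed calls passed `protocol` as the key while the lookup at L361 is keyed by `&port`, so they appear to have used the value as the key; if that is the reason, the Description should say so. purple_network_remove_port_mapping starts outside the hunk.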
diff --git a/debian/patches/series b/debian/patches/series
index f7fc65c..f240bda 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,5 @@
+msn_crash.patch
 python26.patch
 libnssckbi_path.patch
+baseXX_decode_error_handling_2.patch
+cyrus_sasl_crash.patch
