Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ekiga.

Version 3.2.7-6 fixes security RC bug #702282. The debdiff is attached.

unblock ekiga/3.2.7-6

Cheers,

-- 
  .''`.  Sébastien Villemot
 : :' :  Debian Developer
 `. `'   http://www.dynare.org/sebastien
   `-    GPG Key: 4096R/381A7594
diff -Nru ekiga-3.2.7/debian/changelog ekiga-3.2.7/debian/changelog
--- ekiga-3.2.7/debian/changelog 2012-05-12 12:31:03.000000000 +0000
+++ ekiga-3.2.7/debian/changelog 2013-03-04 21:38:47.000000000 +0000
@@ -1,3 +1,12 @@
+ekiga (3.2.7-6) unstable; urgency=high
+
+ * Team upload.
+ * debian/patches/validate-utf8-strings.patch: new patch, fixes crash
+ when the other party's names are not UTF-8 valid (CVE-2012-5621).
+ (Closes: #702282)
+
+ -- Sébastien Villemot <sebastien@debian.org> Mon, 04 Mar 2013 22:38:45 +0100
+
ekiga (3.2.7-5) unstable; urgency=high
* ACK NMUs - thanks to Hector and Mehdi for their work!
diff -Nru ekiga-3.2.7/debian/patches/series ekiga-3.2.7/debian/patches/series
--- ekiga-3.2.7/debian/patches/series 2012-05-12 11:27:30.000000000 +0000
+++ ekiga-3.2.7/debian/patches/series 2013-03-04 21:25:23.000000000 +0000
@@ -2,3 +2,4 @@
fix-linux-gnueabihf-build.patch
opal310.patch
gcc47.patch
+validate-utf8-strings.patch
diff -Nru ekiga-3.2.7/debian/patches/validate-utf8-strings.patch ekiga-3.2.7/debian/patches/validate-utf8-strings.patch
--- ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 1970-01-01 00:00:00.000000000 +0000
+++ ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 2013-03-04 21:36:15.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix crash when the other party's names are not UTF-8 valid
+ CVE-2012-5621: a remote attacker (other party with an invalid UTF-8 valid name)
+ could use this flaw to cause ekiga executable crash.
+Origin: backport, http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=653009
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702282
+Last-Update: 2013-03-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/engine/components/opal/opal-call.cpp
++++ b/lib/engine/components/opal/opal-call.cpp
+@@ -282,6 +282,17 @@
+ return outgoing;
+ }
+
++// if the parameter is not valid utf8, remove from it all the chars
++// after the first invalid utf8 char, so that it becomes valid utf8
++static void
++make_valid_utf8 (string & str)
++{
++ const char *pos;
++ if (!g_utf8_validate (str.c_str(), -1, &pos)) {
++ PTRACE (4, "Ekiga\tTrimming invalid UTF-8 string: " << str.c_str());
++ str = str.substr (0, pos - str.c_str()).append ("...");
++ }
++}
+
+ void
+ Opal::Call::parse_info (OpalConnection & connection)
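Review bot: make_valid_utf8 passes -1 as the length to g_utf8_validate, so validation stops at the first NUL byte; a std::string can carry an embedded NUL, and any invalid bytes after it are neither detected nor trimmed, while `pos - str.c_str()` would still be used as if the whole buffer had been checked. Pass the explicit length instead, `if (!g_utf8_validate (str.c_str(), str.length(), &pos)) {`, which also makes GLib treat an embedded NUL as invalid and trim there. Minor: the PTRACE line logs the raw invalid bytes into the trace output; logging only the length (or the already-trimmed result) would avoid pushing unvalidated attacker-controlled bytes into the log.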
+@@ -316,6 +327,10 @@
+ if (!app.empty ())
+ remote_application = app;
+
++ make_valid_utf8 (remote_party_name);
++ make_valid_utf8 (remote_application);
++ make_valid_utf8 (remote_uri);
++
+ strip_special_chars (remote_party_name, end_special_chars, false);
+ strip_special_chars (remote_application, end_special_chars, false);
+ strip_special_chars (remote_uri, end_special_chars, false);
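Review bot: the DEP-3 Description has a typo, "other party with an invalid UTF-8 valid name" should read "other party whose name is not valid UTF-8", and "cause ekiga executable crash" should be "cause the ekiga executable to crash". On the call site, running make_valid_utf8 before strip_special_chars is the right order, since the later strip then operates on valid UTF-8; but make_valid_utf8 appends "..." and strip_special_chars is called with end_special_chars immediately afterwards, so please confirm that '.' is not among end_special_chars, otherwise the marker added on trim is stripped again and the truncation becomes invisible to the user.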