Your message dated Tue, 05 Mar 2013 20:56:30 +0100
with message-id <51364DEE.1020606@thykier.net>
and subject line Re: Bug#702373: unblock: ekiga/3.2.7-6
has caused the Debian Bug report #702373,
regarding unblock: ekiga/3.2.7-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
702373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702373
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: ekiga/3.2.7-6
- From: Sébastien Villemot <sebastien@debian.org>
- Date: Tue, 5 Mar 2013 20:49:30 +0100
- Message-id: <20130305194926.GA432@villemot.name>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ekiga. Version 3.2.7-6 fixes security RC bug #702282. The debdiff is attached.

unblock ekiga/3.2.7-6

Cheers,

--
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594

diff -Nru ekiga-3.2.7/debian/changelog ekiga-3.2.7/debian/changelog --- ekiga-3.2.7/debian/changelog 2012-05-12 12:31:03.000000000 +0000 +++ ekiga-3.2.7/debian/changelog 2013-03-04 21:38:47.000000000 +0000 @@ -1,3 +1,12 @@ +ekiga (3.2.7-6) unstable; urgency=high + + * Team upload. + * debian/patches/validate-utf8-strings.patch: new patch, fixes crash + when the other party's names are not UTF-8 valid (CVE-2012-5621). + (Closes: #702282) + + -- Sébastien Villemot <sebastien@debian.org> Mon, 04 Mar 2013 22:38:45 +0100 + ekiga (3.2.7-5) unstable; urgency=high * ACK NMUs - thanks to Hector and Mehdi for their work! diff -Nru ekiga-3.2.7/debian/patches/series ekiga-3.2.7/debian/patches/series --- ekiga-3.2.7/debian/patches/series 2012-05-12 11:27:30.000000000 +0000 +++ ekiga-3.2.7/debian/patches/series 2013-03-04 21:25:23.000000000 +0000 @@ -2,3 +2,4 @@ fix-linux-gnueabihf-build.patch opal310.patch gcc47.patch +validate-utf8-strings.patch diff -Nru ekiga-3.2.7/debian/patches/validate-utf8-strings.patch ekiga-3.2.7/debian/patches/validate-utf8-strings.patch --- ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 1970-01-01 00:00:00.000000000 +0000 +++ ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 2013-03-04 21:36:15.000000000 +0000 
@@ -0,0 +1,40 @@ +Description: Fix crash when the other party's names are not UTF-8 valid + CVE-2012-5621: a remote attacker (other party with an invalid UTF-8 valid name) + could use this flaw to cause ekiga executable crash. +Origin: backport, http://git.gnome.org/browse/ekiga/commit/?id=7d09807257 +Bug: https://bugzilla.gnome.org/show_bug.cgi?id=653009 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702282 +Last-Update: 2013-03-04 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- a/lib/engine/components/opal/opal-call.cpp ++++ b/lib/engine/components/opal/opal-call.cpp +@@ -282,6 +282,17 @@ + return outgoing; + } + ++// if the parameter is not valid utf8, remove from it all the chars ++// after the first invalid utf8 char, so that it becomes valid utf8 ++static void ++make_valid_utf8 (string & str) ++{ ++ const char *pos; ++ if (!g_utf8_validate (str.c_str(), -1, &pos)) { ++ PTRACE (4, "Ekiga\tTrimming invalid UTF-8 string: " << str.c_str()); ++ str = str.substr (0, pos - str.c_str()).append ("..."); ++ } ++} + + void + Opal::Call::parse_info (OpalConnection & connection) +@@ -316,6 +327,10 @@ + if (!app.empty ()) + remote_application = app; + ++ make_valid_utf8 (remote_party_name); ++ make_valid_utf8 (remote_application); ++ make_valid_utf8 (remote_uri); ++ + strip_special_chars (remote_party_name, end_special_chars, false); + strip_special_chars (remote_application, end_special_chars, false); + strip_special_chars (remote_uri, end_special_chars, false);Attachment: signature.asc
Description: Digital signature
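Review bot: the DEP-3 Description in the new validate-utf8-strings.patch contradicts itself in "other party with an invalid UTF-8 valid name"; "other party whose name is not valid UTF-8" says what the first line of the Description already states. In the same paragraph, "cause ekiga executable crash" should read "cause the ekiga executable to crash".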
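Review bot: in the `make_valid_utf8` hunk, `g_utf8_validate (str.c_str(), -1, &pos)` treats the buffer as NUL-terminated, so if a std::string arriving from the remote side carries an embedded NUL, the bytes after it are never validated even though they remain part of `str`; passing `str.length()` instead of `-1` checks the whole string (g_utf8_validate then also reports the embedded NUL itself as invalid, so the string is cut there). Two smaller points in the same hunk: the comment says the function removes the chars "after the first invalid utf8 char", but `str.substr (0, pos - str.c_str())` drops the invalid char as well, which is the right behaviour, so the comment should say "from the first invalid utf8 char onward"; and the `PTRACE` line writes the still-invalid bytes to the trace output, so logging the trimmed result after the assignment would keep invalid UTF-8 out of the trace.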
--- End Message ---
--- Begin Message ---
- To: Sébastien Villemot <sebastien@debian.org>, 702373-done@bugs.debian.org
- Subject: Re: Bug#702373: unblock: ekiga/3.2.7-6
- From: Niels Thykier <niels@thykier.net>
- Date: Tue, 05 Mar 2013 20:56:30 +0100
- Message-id: <51364DEE.1020606@thykier.net>
- In-reply-to: <20130305194926.GA432@villemot.name>
- References: <20130305194926.GA432@villemot.name>
On 2013-03-05 20:49, Sébastien Villemot wrote:
> Package: release.debian.org Severity: normal User:
> release.debian.org@packages.debian.org Usertags: unblock
>
> Please unblock package ekiga. Version 3.2.7-6 fixes security RC bug
> #702282. The debdiff is attached.
>
> unblock ekiga/3.2.7-6
>
> Cheers,
>

Unblocked, thanks.

~Niels
--- End Message ---