
rpms/gaim/devel gaim-1.4.0-gadugadu-memory-alignment.patch, NONE, 1.1 gaim-1.4.0-mailto-parse-crash-msn.patch, NONE, 1.1 gaim-1.4.0-mailto-parse-crash-util.c.patch, NONE, 1.1 gaim-1.4.0-mailto-parse-crash-zephyr.patch, NONE, 1.1 gaim-1.4.0-msn-email-corrupt.patch, NONE, 1.1 gaim-1.4.0-rename-group-merge-crash.patch, NONE, 1.1 gaim.spec, 1.91, 1.92 gaim-1.4.0-msn-space-username-disconnect.patch, 1.1, NONE



Author: wtogami

Update of /cvs/dist/rpms/gaim/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13989

Modified Files:
	gaim.spec 
Added Files:
	gaim-1.4.0-gadugadu-memory-alignment.patch 
	gaim-1.4.0-mailto-parse-crash-msn.patch 
	gaim-1.4.0-mailto-parse-crash-util.c.patch 
	gaim-1.4.0-mailto-parse-crash-zephyr.patch 
	gaim-1.4.0-msn-email-corrupt.patch 
	gaim-1.4.0-rename-group-merge-crash.patch 
Removed Files:
	gaim-1.4.0-msn-space-username-disconnect.patch 
Log Message:
- FC5+ automatic -fstack-protector-all switch
- 150: MSN buddy names with space disconnect and profile corruption
       (supersedes patch 149)
- 151: Gadu Gadu memory alignment crash
- 152: Rename Group Merge crash
- 153: mailto: parse crash (util.c)
- 154: mailto: parse crash (MSN)
- 155: mailto: parse crash (Zephyr)


gaim-1.4.0-gadugadu-memory-alignment.patch:
 libgg.c |   11 +++++++----
 1 files changed, 7 insertions(+), 4 deletions(-)

--- NEW FILE gaim-1.4.0-gadugadu-memory-alignment.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/gg/libgg.c?r1=1.21.2.1&r2=1.21.2.2&diff_format=u
Patch submitted to gaim-devel...

"Marcin Owsiany sent you a draft advisory regarding multiple libgadu
vulnerabilities. "Fortunately" gaim contains an extremely old version of
libgadu and is affected only by memory alignment bug, which cannot be
exploited on x86. No other critical vulnerabilities are known in gaim's
version of libgadu.

You'll find the patch in attachment.

Regards,
Wojtek Kaniewski
ekg/libgadu maintainer"

===================================================================
RCS file: /cvsroot/gaim/gaim/src/protocols/gg/libgg.c,v
retrieving revision 1.21.2.1
retrieving revision 1.21.2.2
diff -u -r1.21.2.1 -r1.21.2.2
--- gaim/gaim/src/protocols/gg/libgg.c	2005/03/02 11:53:57	1.21.2.1
+++ gaim/gaim/src/protocols/gg/libgg.c	2005/07/25 21:21:02	1.21.2.2
@@ -1,4 +1,4 @@
-/* $Id: libgg.c,v 1.21.2.1 2005/03/02 11:53:57 nosnilmot Exp $ */
+/* $Id: libgg.c,v 1.21.2.2 2005/07/25 21:21:02 rlaager Exp $ */
 
 /*
  *  (C) Copyright 2001 Wojtek Kaniewski <wojtekka irc pl>,
@@ -70,7 +70,7 @@
 #ifdef __GNUC__
 __attribute__ ((unused))
 #endif
-= "$Id: libgg.c,v 1.21.2.1 2005/03/02 11:53:57 nosnilmot Exp $";
+= "$Id: libgg.c,v 1.21.2.2 2005/07/25 21:21:02 rlaager Exp $";
 
 #endif 
 
@@ -1098,8 +1098,11 @@
 
 			    e->event.status60.descr = buf;
 
-			    if (len > 4 && p[h->length - 5] == 0)
-				    e->event.status60.time = *((int*) (p + h->length - 4));
+			    if (len > 4 && p[h->length - 5] == 0) {
+				    uint32_t t;
+				    memcpy(&t, p + h->length - 4, sizeof(uint32_t));
+				    e->event.status60.time = t;
+			    }
 		    }
 
 		    break;
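Review bot: The guard at the top of the new block bounds-checks `len` while the memcpy source is computed from `h->length`; unless the enclosing function (which begins and ends outside this hunk) guarantees the two are equal at this point, `p + h->length - 4` is not shown to lie inside the `len` bytes that were checked. The memcpy itself is the right replacement for the misaligned `*(int *)` read; a short comment would keep that reason from being lost, e.g. `/* memcpy rather than a cast: the timestamp is not 4-byte aligned inside the packet */`. The copied value is also assigned as-is with no byte-order conversion, so if the wire format is little-endian this presumes a little-endian host — worth confirming against how the other numeric fields in this file are decoded.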

gaim-1.4.0-mailto-parse-crash-msn.patch:
 utils.c |   23 +++++++++++++----------
 1 files changed, 13 insertions(+), 10 deletions(-)

--- NEW FILE gaim-1.4.0-mailto-parse-crash-msn.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/msn/utils.c?r1=1.22.2.3&r2=1.22.2.4&diff_format=u
Fix a buglet in auto linkifying mailto: things, which was causing the
MSN prpl to have kittens trying to parse what was being sent.

Also fixup the MSN parsing code to be more accomodating in what it
accepts from the core - as this code was originally borrowed from the
Zephyr prpl, robustify Zephyr in a similar way.

Unfortunately I have no way of testing the Zephyr fixes.

===================================================================
RCS file: /cvsroot/gaim/gaim/src/protocols/msn/utils.c,v
retrieving revision 1.22.2.3
retrieving revision 1.22.2.4
diff -u -r1.22.2.3 -r1.22.2.4
--- gaim/gaim/src/protocols/msn/utils.c	2004/11/27 19:25:43	1.22.2.3
+++ gaim/gaim/src/protocols/msn/utils.c	2005/07/31 15:21:02	1.22.2.4
@@ -221,22 +221,24 @@
 				if (!g_ascii_strncasecmp(c, "mailto:";, 7))
 					c += 7;
 
-				while (g_ascii_strncasecmp(c, "\">", 2))
+				while ((*c != '\0') && g_ascii_strncasecmp(c, "\">", 2))
 					msg[retcount++] = *c++;
 
-				c += 2;
+				if (*c != '\0')
+					c += 2;
 
 				/* ignore descriptive string */
-				while (g_ascii_strncasecmp(c, "</a>", 4))
+				while ((*c != '\0') && g_ascii_strncasecmp(c, "</a>", 4))
 					c++;
 
-				c += 4;
+				if (*c != '\0')
+					c += 4;
 			}
 			else if (!g_ascii_strncasecmp(c + 1, "font", 4))
 			{
 				c += 5;
 
-				while (!g_ascii_strncasecmp(c, " ", 1))
+				while ((*c != '\0') && !g_ascii_strncasecmp(c, " ", 1))
 					c++;
 
 				if (!g_ascii_strncasecmp(c, "color=\"#", 7))
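Review bot: Each new `(*c != '\0')` guard stops `c` on the terminator, but the `if (*c != '\0') c += 2;` that follows then leaves `c` pointing at it; if the enclosing loop (its header is outside the hunk) steps `c++` after this body, as the unconditional `c += N` arithmetic elsewhere in it suggests, the next iteration reads one byte past the end of the string. Breaking out when the guard trips, e.g. `if (*c == '\0') break;` ahead of each `c += N;`, would end the scan cleanly; the same applies to the `\">` and `>` skips in the next hunk of this file. The `msg[retcount++] = *c++;` copy remains bounded only by the input length, which this patch does not change but is worth keeping in view for a markup parser.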
@@ -273,18 +275,19 @@
 				else
 				{
 					/* Drop all unrecognized/misparsed font tags */
-					while (g_ascii_strncasecmp(c, "\">", 2))
+					while ((*c != '\0') && g_ascii_strncasecmp(c, "\">", 2))
 						c++;
 
-					c += 2;
+					if (*c != '\0')
+						c += 2;
 				}
 			}
 			else
 			{
-				while (g_ascii_strncasecmp(c, ">", 1))
+				while ((*c != '\0') && (*c != '>'))
+					c++;
+				if (*c != '\0')
 					c++;
-
-				c++;
 			}
 		}
 		else if (*c == '&')

gaim-1.4.0-mailto-parse-crash-util.c.patch:
 util.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

--- NEW FILE gaim-1.4.0-mailto-parse-crash-util.c.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/util.c?r1=1.325.2.24&r2=1.325.2.25&diff_format=u
Fix a buglet in auto linkifying mailto: things, which was causing the
MSN prpl to have kittens trying to parse what was being sent.

Also fixup the MSN parsing code to be more accomodating in what it
accepts from the core - as this code was originally borrowed from the
Zephyr prpl, robustify Zephyr in a similar way.

Unfortunately I have no way of testing the Zephyr fixes.

===================================================================
RCS file: /cvsroot/gaim/gaim/src/util.c,v
retrieving revision 1.325.2.24
retrieving revision 1.325.2.25
diff -u -r1.325.2.24 -r1.325.2.25
--- gaim/gaim/src/util.c	2005/07/24 19:27:34	1.325.2.24
+++ gaim/gaim/src/util.c	2005/07/31 15:21:01	1.325.2.25
@@ -1614,7 +1614,9 @@
 				/* iterate backwards grabbing the local part of an email address */
 				g = g_utf8_get_char(t);
 				if (badchar(*t) || (g >= 127) || (*t == '(') ||
-						((*t == ';') && (t > (text+2)) && !g_ascii_strncasecmp(t - 3, "&lt;", 4))) {
+					((*t == ';') && ((t > (text+2) && (!g_ascii_strncasecmp(t - 3, "&lt;", 4) ||
+				                                       !g_ascii_strncasecmp(t - 3, "&gt;", 4))) ||
+				                     (t > (text+4) && (!g_ascii_strncasecmp(t - 5, "&quot;", 6)))))) {
 					/* local part will already be part of ret, strip it out */
 					ret = g_string_truncate(ret, ret->len - (c - t));
 					ret = g_string_append_unichar(ret, g);
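Review bot: The expanded condition is correct on its bounds (`t > text+2` precedes the `t - 3` read and `t > text+4` precedes `t - 5`), but it is now dense enough that its intent is not recoverable from the code alone; a comment above it such as `/* a ';' that closes &lt;, &gt; or &quot; belongs to the surrounding markup, not to the address, so it ends the local part */` would help, since the enclosing function begins and ends outside the hunk. The three continuation lines also mix tabs and spaces in a way the surrounding code does not, which a formatter would flatten.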

gaim-1.4.0-mailto-parse-crash-zephyr.patch:
 zephyr.c |   41 ++++++++++++++++++++++++-----------------
 1 files changed, 24 insertions(+), 17 deletions(-)

--- NEW FILE gaim-1.4.0-mailto-parse-crash-zephyr.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/zephyr/zephyr.c?r1=1.125.2.7&r2=1.125.2.8&diff_format=u
Fix a buglet in auto linkifying mailto: things, which was causing the
MSN prpl to have kittens trying to parse what was being sent.

Also fixup the MSN parsing code to be more accomodating in what it
accepts from the core - as this code was originally borrowed from the
Zephyr prpl, robustify Zephyr in a similar way.

Unfortunately I have no way of testing the Zephyr fixes.

===================================================================
RCS file: /cvsroot/gaim/gaim/src/protocols/zephyr/zephyr.c,v
retrieving revision 1.125.2.7
retrieving revision 1.125.2.8
diff -u -r1.125.2.7 -r1.125.2.8
--- gaim/gaim/src/protocols/zephyr/zephyr.c	2005/07/24 19:27:39	1.125.2.7
+++ gaim/gaim/src/protocols/zephyr/zephyr.c	2005/07/31 15:21:02	1.125.2.8
@@ -379,58 +379,64 @@
 				retcount += 1;
 			} else if (!g_ascii_strncasecmp(message + cnt + 1, "a href=\"mailto:";, 15)) {
 				cnt += 16;
-				while (g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
+				while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
 					ret[retcount] = message[cnt];
 					retcount++;
 					cnt++;
 				}
-				cnt += 2;
+				if (message[cnt] != '\0')
+					cnt += 2;
 				/* ignore descriptive string */
-				while (g_ascii_strncasecmp(message + cnt, "</a>", 4) != 0) {
+				while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "</a>", 4) != 0) {
 					cnt++;
 				}
-				cnt += 4;
+				if (message[cnt] != '\0')
+					cnt += 4;
 			} else if (!g_ascii_strncasecmp(message + cnt + 1, "a href=\"", 8)) {
 				cnt += 9;
-				while (g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
+				while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
 					ret[retcount] = message[cnt];
 					retcount++;
 					cnt++;
 				}
-				cnt += 2;
+				if (message[cnt] != '\0')
+					cnt += 2;
 				/* ignore descriptive string */
-				while (g_ascii_strncasecmp(message + cnt, "</a>", 4) != 0) {
+				while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "</a>", 4) != 0) {
 					cnt++;
 				}
-				cnt += 4;
+				if (message[cnt] != '\0')
+					cnt += 4;
 			} else if (!g_ascii_strncasecmp(message + cnt + 1, "font", 4)) {
 				cnt += 5;
-				while (!g_ascii_strncasecmp(message + cnt, " ", 1))
+				while ((message[cnt] != '\0') && (message[cnt] != ' '))
 					cnt++;
-				if (!g_ascii_strncasecmp(message + cnt, "color=\"", 7)) {
+				if ((message[cnt] != '\0') && !g_ascii_strncasecmp(message + cnt, "color=\"", 7)) {
 					cnt += 7;
 					strncpy(ret + retcount, "@color(", 7);
 					retcount += 7;
-					while (g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
+					while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
 						ret[retcount] = message[cnt];
 						retcount++;
 						cnt++;
 					}
 					ret[retcount] = ')';
 					retcount++;
-					cnt += 2;
+					if (message[cnt] != '\0')
+						cnt += 2;
 				} else if (!g_ascii_strncasecmp(message + cnt, "face=\"", 6)) {
 					cnt += 6;
 					strncpy(ret + retcount, "@font(", 6);
 					retcount += 6;
-					while (g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
+					while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
 						ret[retcount] = message[cnt];
 						retcount++;
 						cnt++;
 					}
 					ret[retcount] = ')';
 					retcount++;
-					cnt += 2;
+					if (message[cnt] != '\0')
+						cnt += 2;
 				} else if (!g_ascii_strncasecmp(message + cnt, "size=\"", 6)) {
 					cnt += 6;
 					if ((message[cnt] == '1') || (message[cnt] == '2')) {
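Review bot: The rewritten space skip after `<font` inverts the original test: `!g_ascii_strncasecmp(message + cnt, " ", 1)` looped while the character was a space, whereas `(message[cnt] != ' ')` now loops while it is not, so with `cnt` sitting on the space that follows `font` the loop never runs and the `color=\"` / `face=\"` / `size=\"` checks are made against that space and fail, sending every font tag to the drop-unrecognised branch. The line should read `while ((message[cnt] != '\0') && (message[cnt] == ' '))`, matching the MSN counterpart in gaim-1.4.0-mailto-parse-crash-msn.patch, which kept the original sense of the test. The added `(message[cnt] != '\0')` guards stop `cnt` on the terminator, and whether the enclosing loop (its header is outside the hunk) then steps past it should be checked as well. The `ret[retcount] = message[cnt]` and `strncpy(ret + retcount, ...)` writes remain unbounded by this change.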
@@ -449,10 +455,11 @@
 					cnt += 3;
 				} else {
 					/* Drop all unrecognized/misparsed font tags */
-					while (g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
+					while ((message[cnt] != '\0') && g_ascii_strncasecmp(message + cnt, "\">", 2) != 0) {
 						cnt++;
 					}
-					cnt += 2;
+					if (message[cnt] != '\0')
+						cnt += 2;
 				}
 			} else if (!g_ascii_strncasecmp(message + cnt + 1, "/i>", 3)
 				   || !g_ascii_strncasecmp(message + cnt + 1, "/b>", 3)) {
@@ -465,7 +472,7 @@
 				retcount += 12;
 			} else {
 				/* Catch all for all unrecognized/misparsed <foo> tage */
-				while (g_ascii_strncasecmp(message + cnt, ">", 1) != 0) {
+				while ((message[cnt] != '\0') && (message[cnt] != '>')) {
 					ret[retcount] = message[cnt];
 					retcount++;
 					cnt++;

gaim-1.4.0-msn-email-corrupt.patch:
 userlist.c |    9 +++++++++
 1 files changed, 9 insertions(+)

--- NEW FILE gaim-1.4.0-msn-email-corrupt.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/protocols/msn/userlist.c?r1=1.16.2.10&r2=1.16.2.11&diff_format=u
I'm applying this to oldstatus now that the string freeze is over:

Patch #1223021 from Jason Roth (jroth2)
Fixes Bug #1222552

"As described in bug report #1222552, gaim will disconnect the current msn session and corrupt blist.xml when you try to add an msn screenname with a space in it" -- jroth2

I reworked this quite a bit.  Stu suggested using gaim_email_valid() rather than just checking for a space.  I took this advice.  I also made it display an error message instead of silently dropping the add request.

===================================================================
RCS file: /cvsroot/gaim/gaim/src/protocols/msn/userlist.c,v
retrieving revision 1.16.2.10
retrieving revision 1.16.2.11
diff -u -r1.16.2.10 -r1.16.2.11
--- gaim/gaim/src/protocols/msn/userlist.c	2005/03/17 05:17:04	1.16.2.10
+++ gaim/gaim/src/protocols/msn/userlist.c	2005/07/08 04:16:17	1.16.2.11
@@ -622,6 +622,15 @@
 
 	group_id = -1;
 
+	if (!gaim_email_is_valid(who))
+	{
+		char *str = g_strdup_printf(_("Unable to add \"%s\"."), who);
+		gaim_notify_error(NULL, NULL, str,
+						  _("The screen name specified is invalid."));
+		g_free(str);
+		return;
+	}
+
 	if (group_name != NULL)
 	{
 		group_id = msn_userlist_find_group_id(userlist, group_name);
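Review bot: The validity check returns before any of the work below it, which is right, but whether the caller has already created the local buddy node by the time this function runs is outside the hunk; if it has, the invalid entry still sits in the buddy list (and so in blist.xml) after the error dialog, which is the corruption the bug report describes, so the caller may need to remove it on this path. `who` is passed straight to `gaim_email_is_valid()`; confirm that helper tolerates NULL, or guard with `who != NULL &&`. The description above names the helper `gaim_email_valid()` while the code calls `gaim_email_is_valid()`, which may confuse anyone tracing the fix.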

gaim-1.4.0-rename-group-merge-crash.patch:
 blist.c |    3 +++
 1 files changed, 3 insertions(+)

--- NEW FILE gaim-1.4.0-rename-group-merge-crash.patch ---
http://cvs.sourceforge.net/viewcvs.py/gaim/gaim/src/blist.c?r1=1.214&r2=1.215&diff_format=u
This fixes a crash when renaming a group causes a merge with an existing group.  It is kind of hackish, but works.

===================================================================
RCS file: /cvsroot/gaim/gaim/src/blist.c,v
retrieving revision 1.214
retrieving revision 1.215
diff -u -r1.214 -r1.215
--- gaim/gaim/src/blist.c	2005/07/07 15:43:48	1.214
+++ gaim/gaim/src/blist.c	2005/07/13 02:52:28	1.215
@@ -1170,6 +1170,9 @@
 			cnode->parent->child = cnode->next;
 
 		ops->remove(gaimbuddylist, cnode);
+		/* ops->remove() cleaned up the cnode's ui_data, so we need to
+		 * reinitialize it */
+		ops->new_node(cnode);
 
 		gaim_blist_schedule_save();
 	}
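Review bot: `ops->new_node(cnode)` is called unconditionally right after `ops->remove()`; `ops` itself is evidently assumed non-NULL by the existing `ops->remove` call, but whether every UI implementation fills in `new_node` is not visible here, so the usual `if (ops->new_node) ops->new_node(cnode);` guard would be safer. The enclosing function begins and ends outside the hunk, so the "hackish" ordering the description mentions cannot be assessed from this context.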


Index: gaim.spec
===================================================================
RCS file: /cvs/dist/rpms/gaim/devel/gaim.spec,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -r1.91 -r1.92
--- gaim.spec	12 Jul 2005 01:08:21 -0000	1.91
+++ gaim.spec	1 Aug 2005 00:17:01 -0000	1.92
@@ -13,7 +13,7 @@
 
 Name:		gaim
 Version:	1.4.0
-Release:	4.fc5
+Release:	5.fc5
 Epoch:		1
 License:	GPL
 Group:		Applications/Internet
@@ -44,7 +44,14 @@
 
 ## Patches 100-199: Upstream CVS Backports
 Patch148:       gaim-1.4.0-aim-login.crash.patch
-Patch149:       gaim-1.4.0-msn-space-username-disconnect.patch
+#Patch149:       gaim-1.4.0-msn-space-username-disconnect.patch
+#150 supercedes 149 with the better upstream fix
+Patch150: gaim-1.4.0-msn-email-corrupt.patch
+Patch151: gaim-1.4.0-gadugadu-memory-alignment.patch
+Patch152: gaim-1.4.0-rename-group-merge-crash.patch
+Patch153: gaim-1.4.0-mailto-parse-crash-util.c.patch
+Patch154: gaim-1.4.0-mailto-parse-crash-msn.patch
+Patch155: gaim-1.4.0-mailto-parse-crash-zephyr.patch
 
 BuildRoot:	%{_tmppath}/%{name}-%{version}-root
 Summary:	A Gtk+ based multiprotocol instant messaging client
@@ -111,7 +118,13 @@
 
 # CVS backports go here
 %patch148 -p2
-%patch149 -p2
+#%patch149 -p2 superceded by 150, upstream rewrote the fix
+%patch150 -p2
+%patch151 -p2
+%patch152 -p2
+%patch153 -p2
+%patch154 -p2
+%patch155 -p2
 
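Review bot: `#%patch149 -p2 superceded by 150, ...` is a comment only to the shell; rpmbuild expands macros in %prep before the line reaches the shell, and a `%patch` reference inside a `#` comment has historically been expanded regardless of the leading `#`, with a multi-line expansion leaving lines that are not commented. The conventional safe spelling is `#%%patch149 -p2 superceded by 150, upstream rewrote the fix`. Confirm in the build log that the build neither attempts nor fails on patch 149, which is no longer declared.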
 # Relabel internal version for support purposes
 sed -i "s/%{version}/%{version}-%{release}/g" configure
@@ -140,6 +153,8 @@
 	WITH_PERL="--disable-perl"
 %endif
 
+# FC5+ automatic -fstack-protector-all switch
+export RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | %{__sed} s/-fstack-protector/-fstack-protector-all/`
 # disable tcl and tk because nobody uses it
 # gnutls is buggy so use mozilla-nss on all distributions
 %configure --disable-tcl --disable-tk --enable-gnutls=no --enable-nss=yes $WITH_KRB $WITH_SILC $WITH_PERL
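Review bot: The new `export RPM_OPT_FLAGS=...` only changes the environment variable, while `%configure` on the line below may expand the `%{optflags}` macro rather than read `$RPM_OPT_FLAGS`; if so the `-fstack-protector-all` switch never reaches gcc, so verify in the build log that the flag appears on the compile lines, or set `CFLAGS` explicitly. The sed expression is also unanchored and has no `g` flag: a flag set that already carries `-fstack-protector-all` becomes `-fstack-protector-all-all`, and a second occurrence is left untouched. A form such as `export RPM_OPT_FLAGS="$(echo "$RPM_OPT_FLAGS" | %{__sed} 's/-fstack-protector\( \|$\)/-fstack-protector-all\1/g')"` matches only the bare flag and quotes the word splitting.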
@@ -207,6 +222,16 @@
 %endif
 
 %changelog
+* Sun Jul 31 2005 Warren Togami <wtogami redhat com> 1:1.4.0-5
+- FC5+ automatic -fstack-protector-all switch
+- 150: MSN buddy names with space disconnect and profile corruption
+       (supercedes patch 149)
+- 151: Gadu Gadu memory alignment crash
+- 152: Rename Group Merge crash
+- 153: mailto: parse crash (util.c)
+- 154: mailto: parse crash (MSN)
+- 155: mailto: parse crash (Zephyr)
+
 * Mon Jul 11 2005 Warren Togami <wtogami redhat com> 1:1.4.0-4
 - 149: MSN username with space disconnect fix
 - Do not own perl dir, remove empty files (#162994 jpo)


--- gaim-1.4.0-msn-space-username-disconnect.patch DELETED ---

