Diffstat (limited to 'net-im/gaim/files/gaim-0.81-security2.diff')
-rw-r--r--net-im/gaim/files/gaim-0.81-security2.diff331
1 files changed, 331 insertions, 0 deletions
diff --git a/net-im/gaim/files/gaim-0.81-security2.diff b/net-im/gaim/files/gaim-0.81-security2.diff
new file mode 100644
index 000000000000..c61141c8d354
--- /dev/null
+++ b/net-im/gaim/files/gaim-0.81-security2.diff
@@ -0,0 +1,331 @@
+diff -ruN gaim-0.81/src/gtkprefs.c gaim-0.81-patched/src/gtkprefs.c
+--- gaim-0.81/src/gtkprefs.c 2004-07-27 20:07:02.000000000 -0400
++++ gaim-0.81-patched/src/gtkprefs.c 2004-08-23 22:23:20.464472424 -0400
+@@ -523,7 +523,7 @@
+
+ void theme_install_theme(char *path, char *extn) {
+ #ifndef _WIN32
+- gchar *command;
++ gchar *command, *escaped;
+ #endif
+ gchar *destdir;
+ gchar *tail;
+@@ -544,7 +544,9 @@
+ * other platforms, if need be */
+ if (!g_ascii_strcasecmp(tail, ".gz") || !g_ascii_strcasecmp(tail, ".tgz")) {
+ #ifndef _WIN32
+- command = g_strdup_printf("tar > /dev/null xzf \"%s\" -C %s", path, destdir);
++ escaped = g_shell_quote(path);
++ command = g_strdup_printf("tar > /dev/null xzf %s -C %s", escaped, destdir);
++ g_free(escaped);
+ #else
+ if(!wgaim_gz_untar(path, destdir)) {
+ g_free(destdir);
+diff -ruN gaim-0.81/src/protocols/msn/object.c gaim-0.81-patched/src/protocols/msn/object.c
+--- gaim-0.81/src/protocols/msn/object.c 2004-06-05 23:42:54.000000000 -0400
++++ gaim-0.81-patched/src/protocols/msn/object.c 2004-08-23 22:23:20.465472272 -0400
+@@ -35,11 +35,18 @@
+ if ((tag = strstr(str, id "=\"")) != NULL) \
+ { \
+ char buf[16]; \
++ size_t offset; \
+ tag += strlen(id "=\""); \
+ c = strchr(tag, '"'); \
+- strncpy(buf, tag, c - tag); \
+- buf[c - tag] = '\0'; \
+- obj->field = atoi(buf); \
++ if (c != NULL) \
++ { \
++ memset(buf, 0, sizeof(buf)); \
++ offset = c - tag; \
++ if (offset >= sizeof(buf)) \
++ offset = sizeof(buf) - 1; \
++ strncpy(buf, tag, offset); \
++ obj->field = atoi(buf); \
++ } \
+ }
+
+ static GList *local_objs;
+diff -ruN gaim-0.81/src/protocols/msn/slp.c gaim-0.81-patched/src/protocols/msn/slp.c
+--- gaim-0.81/src/protocols/msn/slp.c 2004-06-14 22:37:25.000000000 -0400
++++ gaim-0.81-patched/src/protocols/msn/slp.c 2004-08-23 22:23:20.465472272 -0400
+@@ -645,8 +645,11 @@
+ if ((c = strchr(status, '\r')) || (c = strchr(status, '\n')) ||
+ (c = strchr(status, '\0')))
+ {
+- strncpy(temp, status, c - status);
+- temp[c - status] = '\0';
++ size_t offset = c - status;
++ if (offset >= sizeof(temp))
++ offset = sizeof(temp) - 1;
++ strncpy(temp, status, offset);
++ temp[offset] = '\0';
+ }
+
+ gaim_debug_error("msn", "Received non-OK result: %s\n", temp);
+diff -ruN gaim-0.81/src/protocols/novell/nmevent.c gaim-0.81-patched/src/protocols/novell/nmevent.c
+--- gaim-0.81/src/protocols/novell/nmevent.c 2004-06-12 11:13:29.000000000 -0400
++++ gaim-0.81-patched/src/protocols/novell/nmevent.c 2004-08-23 22:32:49.957896264 -0400
+@@ -27,6 +27,8 @@
+ #include "nmuserrecord.h"
+ #include "nmrtf.h"
+
++#define MAX_UINT32 0xFFFFFFFF
++
+ struct _NMEvent
+ {
+
+@@ -147,6 +149,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -160,8 +164,9 @@
+ /* Read the message text */
+ if (rc == NM_OK) {
+ rc = nm_read_uint32(conn, &size);
+- if (rc == NM_OK) {
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
+
++ if (rc == NM_OK) {
+ msg = g_new0(char, size + 1);
+ rc = nm_read_all(conn, msg, size);
+
+@@ -265,6 +270,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -273,6 +280,8 @@
+ /* Read the the message */
+ if (rc == NM_OK) {
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ msg = g_new0(char, size + 1);
+ rc = nm_read_all(conn, msg, size);
+@@ -340,6 +349,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -390,6 +401,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -427,6 +440,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -475,6 +490,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -513,6 +530,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -570,6 +589,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+@@ -611,11 +632,11 @@
+
+ /* Read the status text */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+- if (size > 0) {
+- text = g_new0(char, size + 1);
+- rc = nm_read_all(conn, text, size);
+- }
++ text = g_new0(char, size + 1);
++ rc = nm_read_all(conn, text, size);
+ }
+ }
+
+@@ -649,6 +670,8 @@
+
+ /* Read the conference guid */
+ rc = nm_read_uint32(conn, &size);
++ if (size == MAX_UINT32) return NMERR_PROTOCOL;
++
+ if (rc == NM_OK) {
+ guid = g_new0(char, size + 1);
+ rc = nm_read_all(conn, guid, size);
+diff -ruN gaim-0.81/src/protocols/novell/nmrtf.c gaim-0.81-patched/src/protocols/novell/nmrtf.c
+--- gaim-0.81/src/protocols/novell/nmrtf.c 2004-06-12 11:13:29.000000000 -0400
++++ gaim-0.81-patched/src/protocols/novell/nmrtf.c 2004-08-23 22:31:54.135382576 -0400
+@@ -506,9 +506,9 @@
+ gboolean param_set = FALSE;
+ gboolean is_neg = FALSE;
+ int param = 0;
+- char *pch;
+ char keyword[30];
+ char parameter[20];
++ int i;
+
+ keyword[0] = '\0';
+ parameter[0] = '\0';
+@@ -523,11 +523,11 @@
+ }
+
+ /* parse keyword */
+- for (pch = keyword; isalpha(ch); rtf_get_char(ctx, &ch)) {
+- *pch = (char) ch;
+- pch++;
++ for (i = 0; isalpha(ch) && (i < sizeof(keyword) - 1); rtf_get_char(ctx, &ch)) {
++ keyword[i] = (char) ch;
++ i++;
+ }
+- *pch = '\0';
++ keyword[i] = '\0';
+
+ /* check for '-' indicated a negative parameter value */
+ if (ch == '-') {
+@@ -540,11 +540,11 @@
+ if (isdigit(ch)) {
+
+ param_set = TRUE;
+- for (pch = parameter; isdigit(ch); rtf_get_char(ctx, &ch)) {
+- *pch = (char) ch;
+- pch++;
++ for (i = 0; isdigit(ch) && (i < sizeof(parameter) - 1); rtf_get_char(ctx, &ch)) {
++ parameter[i] = (char) ch;
++ i++;
+ }
+- *pch = '\0';
++ parameter[i] = '\0';
+
+ ctx->param = param = atoi(parameter);
+ if (is_neg)
+diff -ruN gaim-0.81/src/protocols/zephyr/zephyr.c gaim-0.81-patched/src/protocols/zephyr/zephyr.c
+--- gaim-0.81/src/protocols/zephyr/zephyr.c 2004-07-27 20:51:27.000000000 -0400
++++ gaim-0.81-patched/src/protocols/zephyr/zephyr.c 2004-08-23 22:30:38.018954032 -0400
+@@ -67,8 +67,8 @@
+ GSList *subscrips;
+ int last_id;
+ unsigned short port;
+- char ourhost[MAXHOSTNAMELEN];
+- char ourhostcanon[MAXHOSTNAMELEN];
++ char ourhost[HOST_NAME_MAX + 1];
++ char ourhostcanon[HOST_NAME_MAX + 1];
+ };
+
+ /* struct I need for zephyr_to_html */
+@@ -860,19 +860,21 @@
+ /* XXX This code may not be Win32 clean */
+ struct hostent *hent;
+
+- if (gethostname(zephyr->ourhost, sizeof(zephyr->ourhost)-1) == -1) {
++ if (gethostname(zephyr->ourhost, sizeof(zephyr->ourhost)) == -1) {
+ gaim_debug(GAIM_DEBUG_ERROR, "zephyr", "unable to retrieve hostname, %%host%% and %%canon%% will be wrong in subscriptions and have been set to unknown\n");
+- g_stpcpy(zephyr->ourhost,"unknown");
+- g_stpcpy(zephyr->ourhostcanon,"unknown");
++ g_strlcpy(zephyr->ourhost, "unknown", sizeof(zephyr->ourhost));
++ g_strlcpy(zephyr->ourhostcanon, "unknown", sizeof(zephyr->ourhostcanon));
+ return;
+ }
+
+ if (!(hent = gethostbyname(zephyr->ourhost))) {
+ gaim_debug(GAIM_DEBUG_ERROR,"zephyr", "unable to resolve hostname, %%canon%% will be wrong in subscriptions.and has been set to the value of %%host%%, %s\n",zephyr->ourhost);
+- g_stpcpy(zephyr->ourhostcanon,zephyr->ourhost);
++ g_strlcpy(zephyr->ourhostcanon, zephyr->ourhost, sizeof(zephyr->ourhostcanon));
+ return;
+ }
+- g_stpcpy(zephyr->ourhostcanon,hent->h_name);
++
++ g_strlcpy(zephyr->ourhostcanon, hent->h_name, sizeof(zephyr->ourhostcanon));
++
+ return;
+ }
+
+diff -ruN gaim-0.81/src/util.c gaim-0.81-patched/src/util.c
+--- gaim-0.81/src/util.c 2004-08-05 10:17:03.000000000 -0400
++++ gaim-0.81-patched/src/util.c 2004-08-23 22:25:06.069418032 -0400
+@@ -2627,8 +2627,8 @@
+ * if we make sure that there is indeed a \n in our header.
+ */
+ if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
+- sscanf(p, "Content-Length: %d", (int *)&content_len);
+- gaim_debug_misc("parse_content_len", "parsed %d\n", content_len);
++ sscanf(p, "Content-Length: %u", (int *)&content_len);
++ gaim_debug_misc("parse_content_len", "parsed %u\n", content_len);
+ }
+
+ return content_len;
+@@ -2752,7 +2752,14 @@
+
+ /* In with the new. */
+ gfud->data_len = content_len;
+- gfud->webdata = g_malloc(gfud->data_len);
++ gfud->webdata = g_try_malloc(gfud->data_len);
++ if (gfud->webdata == NULL) {
++ gaim_debug_error("gaim_url_fetch", "Failed to allocate %u bytes: %s\n", gfud->data_len, strerror(errno));
++ gaim_input_remove(gfud->inpa);
++ close(sock);
++ gfud->callback(gfud->user_data, NULL, 0);
++ destroy_fetch_url_data(gfud);
++ }
+ }
+ else
+ gfud->newline = TRUE;
+@@ -2839,11 +2846,18 @@
+ static char buf[BUF_LEN];
+ guint i, j = 0;
+ char *bum;
++ char hex[3];
+
+ g_return_val_if_fail(str != NULL, NULL);
+
++ /*
++ * XXX - This check could be removed and buf could be made
++ * dynamically allocated, but this is easier.
++ */
++ if (strlen(str) >= BUF_LEN)
++ return NULL;
++
+ for (i = 0; i < strlen(str); i++) {
+- char hex[3];
+
+ if (str[i] != '%')
+ buf[j++] = str[i];
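Review bot: In the `@@ -2752,7 +2752,14 @@` hunk of src/util.c, the new `g_try_malloc` failure branch closes the socket and calls `destroy_fetch_url_data(gfud)` but has no `return;`, so control falls out of the branch with `gfud` already destroyed. The rest of the function lies outside the hunk, but if it goes on to touch `gfud` or read into `gfud->webdata`, that is a use-after-free; adding `return;` right after the destroy call closes it. In src/protocols/novell/nmevent.c, the repeated `if (size == MAX_UINT32) return NMERR_PROTOCOL;` tests `size` before `rc` is checked and rejects only the single value that wraps `size + 1`. Every other peer-supplied length still reaches `g_new0`, which aborts the process when the allocation fails, so an upper bound applied after the `rc == NM_OK` test would be safer, for example `if (rc == NM_OK && size > MAX_FIELD_LEN) rc = NMERR_PROTOCOL;`, where `MAX_FIELD_LEN` is a placeholder for a limit the project chooses. The early `return` under "Read the message text" also appears to skip freeing the `guid` allocated just above it, though the cleanup path is not visible here.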