upgrade to gaim 1.0.2
fixes 2 remote DoS issues and a buffer overflow. CAN-2004-0891
parent
912d78bcc5
commit
76a4c99178
@ -1,10 +1,10 @@
|
||||
# $OpenBSD: Makefile,v 1.67 2004/10/14 03:02:37 brad Exp $
|
||||
# $OpenBSD: Makefile,v 1.68 2004/10/22 19:16:01 brad Exp $
|
||||
|
||||
SHARED_ONLY= Yes
|
||||
|
||||
COMMENT= "Gtk AIM, ICQ, IRC, Jabber, MSN, Yahoo, SILC and Zephyr client"
|
||||
|
||||
DISTNAME= gaim-1.0.1
|
||||
DISTNAME= gaim-1.0.2
|
||||
CATEGORIES= net
|
||||
|
||||
HOMEPAGE= http://gaim.sourceforge.net/
|
||||
|
@ -1,3 +1,3 @@
|
||||
MD5 (gaim-1.0.1.tar.gz) = 6ea813767470d1da653d9633cc72890b
|
||||
RMD160 (gaim-1.0.1.tar.gz) = 2a44d5c2c7b583464e1eaca1359dfaa02a0a2cb0
|
||||
SHA1 (gaim-1.0.1.tar.gz) = 7e8c418c438ab511f799a76e36c1b2887db38360
|
||||
MD5 (gaim-1.0.2.tar.gz) = 9b7a8e2f6368ad886123013eddc1d5f2
|
||||
RMD160 (gaim-1.0.2.tar.gz) = 6bca7d81a0e6455b75c4f976411ee0c1a6f1b263
|
||||
SHA1 (gaim-1.0.2.tar.gz) = 43ba73da7b66c8281a8c3613c1d5cdc20c529af9
|
||||
|
@ -1,34 +0,0 @@
|
||||
$OpenBSD: patch-src_protocols_msn_slp_c,v 1.4 2004/10/14 03:02:37 brad Exp $
|
||||
--- src/protocols/msn/slp.c.orig Sat Oct 2 07:33:49 2004
|
||||
+++ src/protocols/msn/slp.c Sun Oct 10 23:30:05 2004
|
||||
@@ -235,6 +235,8 @@ send_decline(MsnSlpCall *slpcall, const
|
||||
msn_slplink_queue_slpmsg(slplink, slpmsg);
|
||||
}
|
||||
|
||||
+#define MAX_FILE_NAME_LEN 0x226
|
||||
+
|
||||
static void
|
||||
got_sessionreq(MsnSlpCall *slpcall, const char *branch,
|
||||
const char *euf_guid, const char *context)
|
||||
@@ -318,6 +320,7 @@ got_sessionreq(MsnSlpCall *slpcall, cons
|
||||
int bin_len;
|
||||
guint32 file_size;
|
||||
char *file_name;
|
||||
+ gunichar2 *uni_name;
|
||||
|
||||
account = slpcall->slplink->session->account;
|
||||
|
||||
@@ -331,6 +334,13 @@ got_sessionreq(MsnSlpCall *slpcall, cons
|
||||
|
||||
gaim_base64_decode(context, &bin, &bin_len);
|
||||
file_size = GUINT32_FROM_LE(*((gsize *)bin + 2));
|
||||
+
|
||||
+ uni_name = (gunichar2 *)(bin + 20);
|
||||
+ while(*uni_name != 0 && ((char *)uni_name - (bin + 20)) < MAX_FILE_NAME_LEN) {
|
||||
+ *uni_name = GUINT16_FROM_LE(*uni_name);
|
||||
+ uni_name++;
|
||||
+ }
|
||||
+
|
||||
file_name = g_utf16_to_utf8((const gunichar2 *)(bin + 20), -1,
|
||||
NULL, NULL, NULL);
|
||||
|
@ -1,99 +0,0 @@
|
||||
$OpenBSD: patch-src_protocols_msn_slplink_c,v 1.1 2004/09/22 05:49:56 brad Exp $
|
||||
--- src/protocols/msn/slplink.c.orig Tue Aug 24 21:45:41 2004
|
||||
+++ src/protocols/msn/slplink.c Wed Sep 22 01:23:42 2004
|
||||
@@ -571,24 +571,34 @@ typedef struct
|
||||
#define MAX_FILE_NAME_LEN 0x226
|
||||
|
||||
static char *
|
||||
-gen_context(const char *file_name)
|
||||
+gen_context(const char *file_name, const char *file_path)
|
||||
{
|
||||
struct stat st;
|
||||
gsize size = 0;
|
||||
MsnContextHeader header;
|
||||
- gchar *u8;
|
||||
+ gchar *u8 = NULL;
|
||||
gchar *base, *n;
|
||||
- gunichar2 *uni;
|
||||
- glong uni_len;
|
||||
+ gunichar2 *uni = NULL;
|
||||
+ glong currentChar = 0;
|
||||
+ glong uni_len = 0;
|
||||
gsize len;
|
||||
|
||||
if (stat(file_name, &st) == 0)
|
||||
size = st.st_size;
|
||||
|
||||
- u8 = gaim_utf8_try_convert(g_basename(file_name));
|
||||
- uni = g_utf8_to_utf16(u8, -1, NULL, &uni_len, NULL);
|
||||
- g_free(u8);
|
||||
+ if(!file_name) {
|
||||
+ u8 = gaim_utf8_try_convert(g_basename(file_path));
|
||||
+ file_name = u8;
|
||||
+ }
|
||||
|
||||
+ uni = g_utf8_to_utf16(file_name, -1, NULL, &uni_len, NULL);
|
||||
+
|
||||
+ if(u8) {
|
||||
+ g_free(u8);
|
||||
+ file_name = NULL;
|
||||
+ u8 = NULL;
|
||||
+ }
|
||||
+
|
||||
len = sizeof(MsnContextHeader) + MAX_FILE_NAME_LEN + 4;
|
||||
|
||||
header.length = GUINT32_TO_LE(len);
|
||||
@@ -596,21 +606,23 @@ gen_context(const char *file_name)
|
||||
header.file_size = GUINT32_TO_LE(size);
|
||||
header.unk2 = GUINT32_TO_LE(0);
|
||||
header.unk3 = GUINT32_TO_LE(0);
|
||||
+
|
||||
+ base = g_malloc(len + 1);
|
||||
+ n = base;
|
||||
|
||||
- base = n = g_malloc(len + 1);
|
||||
-
|
||||
memcpy(n, &header, sizeof(MsnContextHeader));
|
||||
n += sizeof(MsnContextHeader);
|
||||
|
||||
memset(n, 0x00, MAX_FILE_NAME_LEN);
|
||||
- memcpy(n, uni, uni_len * 2);
|
||||
+ for(currentChar = 0; currentChar < uni_len; currentChar++) {
|
||||
+ *((gunichar2 *)n + currentChar) = GUINT16_TO_LE(uni[currentChar]);
|
||||
+ }
|
||||
n += MAX_FILE_NAME_LEN;
|
||||
|
||||
memset(n, 0xFF, 4);
|
||||
n += 4;
|
||||
-
|
||||
+
|
||||
g_free(uni);
|
||||
-
|
||||
return gaim_base64_encode(base, len);
|
||||
}
|
||||
|
||||
@@ -620,11 +632,13 @@ msn_slplink_request_ft(MsnSlpLink *slpli
|
||||
MsnSlpCall *slpcall;
|
||||
char *context;
|
||||
const char *fn;
|
||||
+ const char *fp;
|
||||
|
||||
- fn = gaim_xfer_get_local_filename(xfer);
|
||||
+ fn = gaim_xfer_get_filename(xfer);
|
||||
+ fp = gaim_xfer_get_local_filename(xfer);
|
||||
|
||||
g_return_if_fail(slplink != NULL);
|
||||
- g_return_if_fail(fn != NULL);
|
||||
+ g_return_if_fail(fp != NULL);
|
||||
|
||||
slpcall = msn_slp_call_new(slplink);
|
||||
msn_slp_call_init(slpcall, MSN_SLPCALL_DC);
|
||||
@@ -639,7 +653,7 @@ msn_slplink_request_ft(MsnSlpLink *slpli
|
||||
|
||||
xfer->data = slpcall;
|
||||
|
||||
- context = gen_context(fn);
|
||||
+ context = gen_context(fn, fp);
|
||||
|
||||
msn_slp_call_invite(slpcall, "5D3E02AB-6190-11D3-BBBB-00C04F795683", 2,
|
||||
context);
|