/pidgin/main: 77664079d0f0: Merge with a fair number of conflict...

Mark Doliner mark at kingant.net
Tue Jan 28 10:38:14 EST 2014


Changeset: 77664079d0f0da186b404af46b0ca064c283daa8
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-01-20 00:02 -0800
Branch:	 default
URL: https://hg.pidgin.im/pidgin/main/rev/77664079d0f0

Description:

Merge with a fair number of conflicts. Nothing too crazy.

I didn't merge a lot of changes from 07e827917960 to
libpurple/protocols/gg/gg.c. I think maybe that code has either been
removed or changed significantly in main.

diffstat:

 COPYRIGHT                                  |    1 +
 ChangeLog                                  |   70 +++++-
 libpurple/conversationtypes.c              |    8 +
 libpurple/log.c                            |    8 +-
 libpurple/protocols/gg/lib/http.c          |    7 +
 libpurple/protocols/irc/irc.c              |   22 +-
 libpurple/protocols/irc/msgs.c             |  136 ++-------
 libpurple/protocols/irc/parse.c            |  166 +++++++-----
 libpurple/protocols/jabber/iq.c            |   71 ++++-
 libpurple/protocols/jabber/iq.h            |    2 +
 libpurple/protocols/jabber/jabber.c        |    2 +-
 libpurple/protocols/jabber/jutil.c         |   52 ++++
 libpurple/protocols/jabber/jutil.h         |   11 +
 libpurple/protocols/msn/msg.c              |   24 +-
 libpurple/protocols/msn/oim.c              |   39 +-
 libpurple/protocols/msn/soap.c             |   13 +-
 libpurple/protocols/mxit/markup.c          |   13 +-
 libpurple/protocols/oscar/odc.c            |    8 +-
 libpurple/protocols/simple/simple.c        |    2 +-
 libpurple/protocols/simple/sipmsg.c        |   12 +
 libpurple/protocols/yahoo/libymsg.c        |  369 ++++++++++++++++++++++------
 libpurple/protocols/yahoo/util.c           |   44 ++-
 libpurple/protocols/yahoo/yahoo_aliases.c  |   19 +-
 libpurple/protocols/yahoo/yahoo_filexfer.c |  120 ++++++++-
 libpurple/protocols/yahoo/yahoo_friend.c   |    7 +-
 libpurple/protocols/yahoo/yahoo_picture.c  |   35 ++-
 libpurple/protocols/yahoo/yahoochat.c      |   82 +++++-
 libpurple/proxy.c                          |   20 +-
 libpurple/server.c                         |   16 +
 libpurple/util.c                           |   20 +-
 libpurple/win32/global.mak                 |    2 +-
 pidgin/gtkimhtml.c                         |   18 +-
 pidgin/gtknotify.c                         |  366 +++++++++++++++++-----------
 pidgin/gtkutils.c                          |   57 ++--
 share/ca-certs/CAcert_Class3.pem           |   73 +++--
 share/ca-certs/Entrust.net_2048.pem        |   27 ++
 share/ca-certs/Makefile.am                 |    4 +-
 share/ca-certs/StartCom_Free_SSL_CA.pem    |   30 --
 38 files changed, 1349 insertions(+), 627 deletions(-)

diffs (truncated from 3505 to 300 lines):

diff --git a/COPYRIGHT b/COPYRIGHT
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -350,6 +350,7 @@ Mihály Mészáros
 Robert Mibus
 David Michael
 Lars T. Mikkelsen
+Mantas MikulÄ—nas
 Benjamin Miller
 Kevin Miller
 Paul Miller
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -67,30 +67,80 @@ version 2.10.8:
 	  Python 3. (Ashish Gupta) (#15624)
 
 	libpurple:
+	* Fix potential crash if libpurple gets an error attempting to read a
+	  reply from a STUN server. (Discovered by Coverity static analysis)
+	  (CVE-2013-6484)
+	* Fix potential crash parsing a malformed HTTP response. (Discovered by
+	  Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
+	* Fix buffer overflow when parsing a malformed HTTP response with
+	  chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent)
+	  (CVE-2013-6485)
+	* Better handling of HTTP proxy responses with negative Content-Lengths.
+	  (Discovered by Matt Jones, Volvent)
 	* Fix handling of SSL certificates without subjects when using libnss.
 	* Fix handling of SSL certificates with timestamps in the distant future
 	  when using libnss. (#15586)
+	* Impose maximum download size for all HTTP fetches.
 
 	Pidgin:
+	* Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
 	* Better handling of URLs longer than 1000 letters.
 	* Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
 
 	Windows-Specific Changes:
+	* When clicking file:// links, show the file in Explorer rather than
+	  attempting to run the file. This reduces the chances of a user
+	  clicking on a link and mistakenly running a malicious file.
+	  (Originally discovered by James Burton, Insomnia Security. Rediscovered
+	  by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
 	* Fix Tcl scripts. (#15520)
 	* Fix crash-on-startup when ASLR is always on. (#15521)
 	* Updates to dependencies:
-		* NSS 3.15.3 and NSPR 4.10.2
+		* NSS 3.15.4 and NSPR 4.10.2
+
+	AIM:
+	* Fix untrusted certificate error.
+
+	AIM and ICQ:
+	* Fix a possible crash when receiving a malformed message in a Direct IM
+	  session.
 
 	Gadu-Gadu:
+	* Fix buffer overflow with remote code execution potential. Only
+	  triggerable by a Gadu-Gadu server or a man-in-the-middle.
+	  (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT)
+	  (CVE-2013-6487)
 	* Disabled buddy list import/export from/to server (it didn't work
 	  anymore). Buddy list synchronization will be implemented in 3.0.0.
+	* Disabled new account registration and password change options, as it
+	  didn't work either. Account registration also caused a crash. Both
+	  functions are available using official Gadu-Gadu website.
 
 	IRC:
+	* Fix bug where a malicious server or man-in-the-middle could trigger
+	  a crash by not sending enough arguments with various messages.
+	  (Discovered by Daniel Atallah) (CVE-2014-0020)
 	* Fix bug where initial IRC status would not be set correctly.
 	* Fix bug where IRC wasn't available when libpurple was compiled with
 	  Cyrus SASL support. (#15517)
 
+	MSN:
+	* Fix NULL pointer dereference parsing headers in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing OIM data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing SOAP data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix possible crash when sending very long messages. Not
+	  remotely-triggerable. (Discovered by Matt Jones, Volvent)
+
 	MXit:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT)
+	  (CVE-2013-6487)
 	* Fix sporadic crashes that can happen after user is disconnected.
 	* Fix crash when attempting to add a contact via search results.
 	* Show error message if file transfer fails.
@@ -100,7 +150,17 @@ version 2.10.8:
 	SILC:
 	* Correctly set whiteboard dimensions in whiteboard sessions.
 
+	SIMPLE:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6487)
+
 	XMPP:
+	* Prevent spoofing of iq replies by verifying that the 'from' address
+	  matches the 'to' address of the iq request. (Discovered by Fabian
+	  Yamaguchi and Christian Wressnegger of the University of Goettingen)
+	  (CVE-2013-6483)
+	* Fix crash on some systems when receiving fake delay timestamps with
+	  extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
 	* Fix possible crash or other erratic behavior when selecting a very
 	  small file for your own buddy icon.
 	* Fix crash if the user tries to initiate a voice/video session with a
@@ -108,6 +168,14 @@ version 2.10.8:
 	* Fix login errors when the first two available auth mechanisms fail but
 	  a subsequent mechanism would otherwise work when using Cyrus SASL.
 	  (#15524)
+	* Fix dropping incoming stanzas on BOSH connections when we receive
+	  multiple HTTP responses at once. (#15684)
+
+	Yahoo!:
+	* Fix possible crashes handling incoming strings that are not UTF-8.
+	  (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
+	* Fix a bug reading a peer to peer message where a remote user could
+	  trigger a crash. (CVE-2013-6481)
 
 	Plugins:
 	* Fix crash in contact availability plugin.
diff --git a/libpurple/conversationtypes.c b/libpurple/conversationtypes.c
--- a/libpurple/conversationtypes.c
+++ b/libpurple/conversationtypes.c
@@ -809,6 +809,14 @@ chat_conversation_write_message(PurpleCo
 	if (purple_chat_conversation_is_ignored_user(PURPLE_CHAT_CONVERSATION(conv), who))
 		return;
 
+	if (mtime < 0) {
+		purple_debug_error("conversation",
+				"purple_conv_chat_write ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	if (!(flags & PURPLE_MESSAGE_WHISPER)) {
 		const char *str;
 
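Review bot: The debug message added at `purple_debug_error("conversation", "purple_conv_chat_write ignoring negative timestamp\n");` names purple_conv_chat_write, while the enclosing function per the hunk header is chat_conversation_write_message, so the log line sends a reader to the wrong function; `"chat_conversation_write_message ignoring negative timestamp\n"` would match. Only negative values are rejected here; whether an implausibly large positive mtime is tolerated by whatever later formats the time is outside this hunk, and if it is not, the existing TODO comment is the natural place to say so. chat_conversation_write_message begins before and continues after this hunk.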
diff --git a/libpurple/log.c b/libpurple/log.c
--- a/libpurple/log.c
+++ b/libpurple/log.c
@@ -779,7 +779,7 @@ static char *log_get_timestamp(PurpleLog
 {
 	gboolean show_date;
 	char *date;
-	struct tm tm;
+	struct tm *tm;
 
 	show_date = (log->type == PURPLE_LOG_SYSTEM) || (time(NULL) > when + 20*60);
 
@@ -789,11 +789,11 @@ static char *log_get_timestamp(PurpleLog
 	if (date != NULL)
 		return date;
 
-	tm = *(localtime(&when));
+	tm = localtime(&when);
 	if (show_date)
-		return g_strdup(purple_date_format_long(&tm));
+		return g_strdup(purple_date_format_long(tm));
 	else
-		return g_strdup(purple_time_format(&tm));
+		return g_strdup(purple_time_format(tm));
 }
 
 /* NOTE: This can return msg (which you may or may not want to g_free())
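Review bot: `tm = localtime(&when);` in the second hunk can return NULL when `when` cannot be converted to a broken-down time, and that pointer is passed straight to purple_date_format_long()/purple_time_format() on the next lines; the old code dereferenced the same NULL, so this only changes the shape of the failure unless those helpers accept a NULL tm, which is not visible here. A guard before `if (show_date)`, e.g. `if (tm == NULL) return g_strdup("");` (or whatever fallback callers expect), keeps the function's contract of always returning a string. localtime() also hands back a pointer to shared static storage, so the value must be consumed before any other time call, which the rewritten lines do. log_get_timestamp's signature appears only in the hunk header; the first hunk's lines between the two hunks are not shown.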
diff --git a/libpurple/protocols/gg/lib/http.c b/libpurple/protocols/gg/lib/http.c
--- a/libpurple/protocols/gg/lib/http.c
+++ b/libpurple/protocols/gg/lib/http.c
@@ -39,6 +39,8 @@
 #include <string.h>
 #include <unistd.h>
 
+#define GG_HTTP_MAX_LENGTH 1000000000
+
 /**
  * Rozpoczyna poÅ‚Ä
czenie HTTP.
  *
@@ -356,6 +358,11 @@ int gg_http_watch_fd(struct gg_http *h)
 				h->body_size = left;
 			}
 
+			if (h->body_size > GG_HTTP_MAX_LENGTH) {
+				gg_debug(GG_DEBUG_MISC, "=> http, content-length too big\n");
+				h->body_size = GG_HTTP_MAX_LENGTH;
+			}
+
 			if (left > h->body_size) {
 				gg_debug(GG_DEBUG_MISC, "=> http, oversized reply (%d bytes needed, %d bytes left)\n", h->body_size, left);
 				h->body_size = left;
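Review bot: The new cap at `if (h->body_size > GG_HTTP_MAX_LENGTH)` is immediately followed by the pre-existing `if (left > h->body_size) h->body_size = left;`, so a `left` larger than GG_HTTP_MAX_LENGTH would raise body_size above the cap again; whether `left` can be that large depends on how it is computed earlier in gg_http_watch_fd(), outside this hunk, and if it cannot, a one-line comment at the clamp saying so would help. Clamping rather than failing also means a reply whose Content-Length exceeds the cap is silently truncated to GG_HTTP_MAX_LENGTH bytes, which deserves a comment such as `/* Oversized Content-Length: read at most GG_HTTP_MAX_LENGTH bytes and treat the rest as not part of this reply */`, hedged as a TODO if the later read path has not been checked. The macro added in the first hunk carries no comment; `/* Upper bound on the Content-Length accepted from the server */` above `#define GG_HTTP_MAX_LENGTH` would document the limit.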
diff --git a/libpurple/protocols/irc/irc.c b/libpurple/protocols/irc/irc.c
--- a/libpurple/protocols/irc/irc.c
+++ b/libpurple/protocols/irc/irc.c
@@ -396,7 +396,7 @@ static void irc_login(PurpleAccount *acc
 static gboolean do_login(PurpleConnection *gc) {
 	char *buf, *tmp = NULL;
 	char *server;
-	const char *username, *realname;
+	const char *nickname, *identname, *realname;
 	struct irc_conn *irc = purple_connection_get_protocol_data(gc);
 	const char *pass = purple_connection_get_password(gc);
 #ifdef HAVE_CYRUS_SASL
@@ -418,14 +418,14 @@ static gboolean do_login(PurpleConnectio
 	}
 
 	realname = purple_account_get_string(irc->account, "realname", "");
-	username = purple_account_get_string(irc->account, "username", "");
+	identname = purple_account_get_string(irc->account, "username", "");
 
-	if (username == NULL || *username == '\0') {
-		username = g_get_user_name();
+	if (identname == NULL || *identname == '\0') {
+		identname = g_get_user_name();
 	}
 
-	if (username != NULL && strchr(username, ' ') != NULL) {
-		tmp = g_strdup(username);
+	if (identname != NULL && strchr(identname, ' ') != NULL) {
+		tmp = g_strdup(identname);
 		while ((buf = strchr(tmp, ' ')) != NULL) {
 			*buf = '_';
 		}
@@ -438,7 +438,7 @@ static gboolean do_login(PurpleConnectio
 		server = g_strdup(irc->server);
 	}
 
-	buf = irc_format(irc, "vvvv:", "USER", tmp ? tmp : username, "*", server,
+	buf = irc_format(irc, "vvvv:", "USER", tmp ? tmp : identname, "*", server,
 	                 strlen(realname) ? realname : IRC_DEFAULT_ALIAS);
 	g_free(tmp);
 	g_free(server);
@@ -447,9 +447,9 @@ static gboolean do_login(PurpleConnectio
 		return FALSE;
 	}
 	g_free(buf);
-	username = purple_connection_get_display_name(gc);
-	buf = irc_format(irc, "vn", "NICK", username);
-	irc->reqnick = g_strdup(username);
+	nickname = purple_connection_get_display_name(gc);
+	buf = irc_format(irc, "vn", "NICK", nickname);
+	irc->reqnick = g_strdup(nickname);
 	irc->nickused = FALSE;
 	if (irc_send(irc, buf) < 0) {
 		g_free(buf);
@@ -1068,7 +1068,7 @@ static void _init_plugin(PurplePlugin *p
 	option = purple_account_option_bool_new(_("Auto-detect incoming UTF-8"), "autodetect_utf8", IRC_DEFAULT_AUTODETECT);
 	prpl_info.protocol_options = g_list_append(prpl_info.protocol_options, option);
 
-	option = purple_account_option_string_new(_("Username"), "username", "");
+	option = purple_account_option_string_new(_("Ident name"), "username", "");
 	prpl_info.protocol_options = g_list_append(prpl_info.protocol_options, option);
 
 	option = purple_account_option_string_new(_("Real name"), "realname", "");
diff --git a/libpurple/protocols/irc/msgs.c b/libpurple/protocols/irc/msgs.c
--- a/libpurple/protocols/irc/msgs.c
+++ b/libpurple/protocols/irc/msgs.c
@@ -20,6 +20,12 @@
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02111-1301  USA
  */
 
+/*
+ * Note: If you change any of these functions to use additional args you
+ * MUST ensure the arg count is correct in parse.c. Otherwise it may be
+ * possible for a malicious server or man-in-the-middle to trigger a crash.
+ */
+
 #include "internal.h"
 
 #include "conversation.h"
@@ -201,9 +207,6 @@ void irc_msg_features(struct irc_conn *i
 	gchar **features;
 	int i;
 
-	if (!args || !args[0] || !args[1])
-		return;
-
 	features = g_strsplit(args[1], " ", -1);
 	for (i = 0; features[i]; i++) {
 		char *val;
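Review bot: With `if (!args || !args[0] || !args[1]) return;` removed, irc_msg_features() passes args[1] to g_strsplit() unconditionally, so its safety now rests entirely on the argument-count check in parse.c, which is not part of this chunk (the parse.c diff is truncated away). A one-line comment at the top of the function body stating the contract would keep the two files in step, e.g. `/* args[0] and args[1] are guaranteed by the arg count table in parse.c */`; the same applies to the guard dropped from irc_msg_luser() in the next hunk and presumably to the truncated irc_msg_away() hunk. irc_msg_features' signature is in the hunk header, outside the hunk.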
@@ -218,9 +221,6 @@ void irc_msg_features(struct irc_conn *i
 
 void irc_msg_luser(struct irc_conn *irc, const char *name, const char *from, char **args)
 {
-	if (!args || !args[0])
-		return;
-
 	if (!strcmp(name, "251")) {
 		/* 251 is required, so we pluck our nick from here and
 		 * finalize connection */
@@ -236,9 +236,6 @@ void irc_msg_away(struct irc_conn *irc, 
 	PurpleConnection *gc;
 	char *msg;


