/soc/2013/ankitkv/gobjectification: 48f85579cc4c: Merged default...

Ankit Vani a at nevitus.org
Tue Jan 28 14:01:47 EST 2014


Changeset: 48f85579cc4cd9905898eec00479b68156911c25
Author:	 Ankit Vani <a at nevitus.org>
Date:	 2014-01-29 00:28 +0530
Branch:	 soc.2013.gobjectification.plugins
URL: https://hg.pidgin.im/soc/2013/ankitkv/gobjectification/rev/48f85579cc4c

Description:

Merged default branch

diffstat:

 .hgtags                                    |      1 +
 AUTHORS                                    |     29 +-
 COPYRIGHT                                  |      2 +
 ChangeLog                                  |     74 +-
 configure.ac                               |      6 +-
 libpurple/conversationtypes.c              |      8 +
 libpurple/glibcompat.h                     |      4 +
 libpurple/log.c                            |      8 +-
 libpurple/protocols/gg/lib/http.c          |      7 +
 libpurple/protocols/irc/irc.c              |     22 +-
 libpurple/protocols/irc/irc.h              |      8 +-
 libpurple/protocols/irc/msgs.c             |    166 +-
 libpurple/protocols/irc/parse.c            |    167 +-
 libpurple/protocols/jabber/iq.c            |     71 +-
 libpurple/protocols/jabber/iq.h            |      2 +
 libpurple/protocols/jabber/jabber.c        |      2 +-
 libpurple/protocols/jabber/jutil.c         |     52 +
 libpurple/protocols/jabber/jutil.h         |     11 +
 libpurple/protocols/msn/msg.c              |     24 +-
 libpurple/protocols/msn/oim.c              |     39 +-
 libpurple/protocols/msn/soap.c             |     13 +-
 libpurple/protocols/mxit/markup.c          |     13 +-
 libpurple/protocols/oscar/family_icq.c     |      5 +-
 libpurple/protocols/oscar/odc.c            |      8 +-
 libpurple/protocols/simple/simple.c        |      2 +-
 libpurple/protocols/simple/sipmsg.c        |     12 +
 libpurple/protocols/yahoo/util.c           |     60 +-
 libpurple/protocols/yahoo/yahoo_aliases.c  |     19 +-
 libpurple/protocols/yahoo/yahoo_filexfer.c |    134 +-
 libpurple/protocols/yahoo/yahoo_friend.c   |      7 +-
 libpurple/protocols/yahoo/yahoo_picture.c  |     35 +-
 libpurple/protocols/yahoo/yahoochat.c      |    109 +-
 libpurple/protocols/yahoo/ycht.c           |      8 +-
 libpurple/protocols/yahoo/ymsg.c           |    469 +-
 libpurple/protocols/yahoo/ymsg.h           |     12 +-
 libpurple/proxy.c                          |     20 +-
 libpurple/server.c                         |     16 +
 libpurple/tests/test_util.c                |     11 +-
 libpurple/util.c                           |     22 +-
 libpurple/win32/global.mak                 |      2 +-
 pidgin/gtkconv.c                           |      3 +-
 pidgin/gtkdialogs.c                        |      1 +
 pidgin/gtkimhtml.c                         |     18 +-
 pidgin/gtknotify.c                         |    364 +-
 pidgin/gtkutils.c                          |     57 +-
 po/ChangeLog                               |     22 +
 po/POTFILES.in                             |      1 +
 po/POTFILES.skip                           |      3 +-
 po/ast.po                                  |  14484 +++++++++++++++++++++++++++
 po/da.po                                   |   6790 ++++++------
 po/el.po                                   |    256 +-
 po/et.po                                   |    797 +-
 po/fa.po                                   |   8797 ++++------------
 po/ga.po                                   |    265 +-
 po/he.po                                   |    289 +-
 po/lt.po                                   |    250 +-
 po/my_MM.po                                |    245 +-
 po/nl.po                                   |    254 +-
 po/nn.po                                   |    248 +-
 po/pa.po                                   |    243 +-
 po/pl.po                                   |    279 +-
 po/pt.po                                   |    246 +-
 po/ru.po                                   |   1107 +-
 po/sl.po                                   |    983 +-
 po/sq.po                                   |   3270 +----
 share/ca-certs/CAcert_Class3.pem           |     73 +-
 share/ca-certs/Entrust.net_2048.pem        |     27 +
 share/ca-certs/Makefile.am                 |      4 +-
 share/ca-certs/StartCom_Free_SSL_CA.pem    |     30 -
 69 files changed, 24874 insertions(+), 16212 deletions(-)

diffs (truncated from 63736 to 300 lines):

diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -87,3 +87,4 @@ 1d00b9e4aa6add6dca97cca4ac614d63bd105dfd
 a3d157700972b48cf0a23b300261a5ab0c6e165b v2.10.5
 4992bd90d8ad78ebdd324dd90d3e9d443f7dd002 v2.10.6
 ad7e7fb98db3bbd7bf9ab49072fd34cd4fa25dd9 v2.10.7
+5010e6877abce3bfc2a4912e6b38fed7d6d3df19 v2.10.8
diff --git a/AUTHORS b/AUTHORS
--- a/AUTHORS
+++ b/AUTHORS
@@ -7,15 +7,11 @@ We've got an IRC room now too, #pidgin o
 
 Current Developers:
 ------------------
-
 Daniel 'datallah' Atallah - Developer
 Paul 'darkrain42' Aurich - Developer
-John 'rekkanoryo' Bailey - Developer
 Ethan 'Paco-Paco' Blanton - Developer
 Sadrul Habib Chowdhury - Developer
 Mark 'KingAnt' Doliner - Developer
-Casey Harkins - Developer
-Ivan Komarov - Developer
 Gary 'grim' Kramlich - Developer
 Richard 'rlaager' Laager - Developer
 Marcus 'malu' Lundblad - Developer
@@ -30,17 +26,18 @@ Kevin 'SimGuy' Stange - Developer & Webm
 Will 'resiak' Thompson - Developer
 Stu 'nosnilmot' Tomlinson - Developer
 Jorge 'Masca' Villaseñor - Developer
+Tomasz Wasilczyk - Developer
 
 Crazy Patch Writers:
 -------------------
 Jakub 'haakon' Adam
 Krzysztof Klinikowski
-Peter 'Fmoo' Ruibal
-Gabriel 'Nix' Schulhof
-Tomasz Wasilczyk
+Eion Robb
+Ankit Vani
 
 Retired Developers:
 ------------------
+John 'rekkanoryo' Bailey - Developer
 Herman Bloggs - Win32 Port
 Thomas Butter - Developer
 Ka-Hing Cheung - Developer
@@ -49,6 +46,8 @@ Sean Egan - Developer
 Rob Flynn <gaim at robflynn.com> - maintainer
 Adam Fritzler - libfaim maintainer
 Christian 'ChipX86' Hammond - Developer & Webmaster
+Casey Harkins - Developer
+Ivan Komarov - Developer
 Syd Logan - hacker and designated driver [lazy bum]
 Christopher 'siege' O'Brien - Developer
 Bartosz Oler - Developer
@@ -67,6 +66,8 @@ Dennis 'EvilDennisR' Ristuccia - Senior 
 Peter 'Bleeter' Lawler
 Robert 'Robot101' McQueen
 Benjamin Miller
+Peter 'Fmoo' Ruibal
+Gabriel 'Nix' Schulhof
 
 Artists:
 -------
@@ -74,8 +75,8 @@ Hylke Bons - Icons
 
 Other Contributions:
 -------------------
-Much thanks to Evan Martin <martine at cs.washington.edu> for writing 
-GtkSpell <http://gtkspell.sourceforge.net> responsible for the 
+Much thanks to Evan Martin <martine at cs.washington.edu> for writing
+GtkSpell <http://gtkspell.sourceforge.net> responsible for the
 "Highlight misspelled words" feature and for gtk-nativewin
 <http://bunny.darktech.org/cvs/gtk-nativewin/> the default GTK+-2.0
 engine originally used in our win32 port.
@@ -83,11 +84,11 @@ engine originally used in our win32 port
 ** ORIGINAL LOGO DESIGNED BY: Naru Sundar **
 
 Peter Teichiman <peter at helixcode.com>
-Larry Ewing 
+Larry Ewing
 Jeramey A. Crawford
 	Thanks to these boys.  Peter and Larry managed to stomp
 	out a large list of Mem Leaks.  Jeramey found the remaining
-	onees and pointed me to those.  Props to the boys at 
+	onees and pointed me to those.  Props to the boys at
 	Helix Code.  Thanks guys.
 
 Nathan Walp
@@ -98,15 +99,15 @@ Neil Sanchala
 
 Arkadiusz Miskiewicz
 	Wrote the Gadu-Gadu plugin
-	
-David Prater    <IM: dRaven43>          draven at tcsx.net   
+
+David Prater    <IM: dRaven43>          draven at tcsx.net
 	Log and Colour Button Images
 
 Sébastien Carpe <IM: Seb Carpe>
 	Base HTTP Proxy Support
 
 Ari Pollak      <IM: Ari Pollak>	compwiz.dhs.org
-	Resize conversation window patch   
+	Resize conversation window patch
 
 Decklin Foster
 	Many GUI improvements, other nifty additions and fixes
diff --git a/COPYRIGHT b/COPYRIGHT
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -208,6 +208,7 @@ Ian Goldberg
 Jon Goldberg
 Matthew Goldstein
 Michael Golden
+Issa Gorissen
 Charlie Gordon
 Ryan C. Gordon
 Konrad Gräfe
@@ -350,6 +351,7 @@ Mihály Mészáros
 Robert Mibus
 David Michael
 Lars T. Mikkelsen
+Mantas MikulÄ—nas
 Benjamin Miller
 Kevin Miller
 Paul Miller
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -79,36 +79,88 @@ version 3.0.0 (??/??/????):
 	  non-native plugin support.
 	* Doxygen has been replaced by gtk-doc for generating documentation.
 
-version 2.10.8:
+version 2.10.8 (1/28/2014):
 	General:
 	* Python build scripts and example plugins are now compatible with
 	  Python 3. (Ashish Gupta) (#15624)
 
 	libpurple:
+	* Fix potential crash if libpurple gets an error attempting to read a
+	  reply from a STUN server. (Discovered by Coverity static analysis)
+	  (CVE-2013-6484)
+	* Fix potential crash parsing a malformed HTTP response. (Discovered by
+	  Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
+	* Fix buffer overflow when parsing a malformed HTTP response with
+	  chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent)
+	  (CVE-2013-6485)
+	* Better handling of HTTP proxy responses with negative Content-Lengths.
+	  (Discovered by Matt Jones, Volvent)
 	* Fix handling of SSL certificates without subjects when using libnss.
 	* Fix handling of SSL certificates with timestamps in the distant future
 	  when using libnss. (#15586)
+	* Impose maximum download size for all HTTP fetches.
 
 	Pidgin:
+	* Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
 	* Better handling of URLs longer than 1000 letters.
 	* Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
 
 	Windows-Specific Changes:
+	* When clicking file:// links, show the file in Explorer rather than
+	  attempting to run the file. This reduces the chances of a user
+	  clicking on a link and mistakenly running a malicious file.
+	  (Originally discovered by James Burton, Insomnia Security. Rediscovered
+	  by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
 	* Fix Tcl scripts. (#15520)
 	* Fix crash-on-startup when ASLR is always on. (#15521)
 	* Updates to dependencies:
-		* NSS 3.15.3 and NSPR 4.10.2
+		* NSS 3.15.4 and NSPR 4.10.2
+		* Pango 1.29.4-1daa
+			Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154
+
+	AIM:
+	* Fix untrusted certificate error.
+
+	AIM and ICQ:
+	* Fix a possible crash when receiving a malformed message in a Direct IM
+	  session.
 
 	Gadu-Gadu:
+	* Fix buffer overflow with remote code execution potential. Only
+	  triggerable by a Gadu-Gadu server or a man-in-the-middle.
+	  (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT)
+	  (CVE-2013-6487)
 	* Disabled buddy list import/export from/to server (it didn't work
 	  anymore). Buddy list synchronization will be implemented in 3.0.0.
+	* Disabled new account registration and password change options, as it
+	  didn't work either. Account registration also caused a crash. Both
+	  functions are available using official Gadu-Gadu website.
 
 	IRC:
+	* Fix bug where a malicious server or man-in-the-middle could trigger
+	  a crash by not sending enough arguments with various messages.
+	  (Discovered by Daniel Atallah) (CVE-2014-0020)
 	* Fix bug where initial IRC status would not be set correctly.
 	* Fix bug where IRC wasn't available when libpurple was compiled with
 	  Cyrus SASL support. (#15517)
 
+	MSN:
+	* Fix NULL pointer dereference parsing headers in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing OIM data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix NULL pointer dereference parsing SOAP data in MSN.
+	  (Discovered by Fabian Yamaguchi and Christian Wressnegger of the
+	  University of Goettingen) (CVE-2013-6482)
+	* Fix possible crash when sending very long messages. Not
+	  remotely-triggerable. (Discovered by Matt Jones, Volvent)
+
 	MXit:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT)
+	  (CVE-2013-6489)
 	* Fix sporadic crashes that can happen after user is disconnected.
 	* Fix crash when attempting to add a contact via search results.
 	* Show error message if file transfer fails.
@@ -118,7 +170,17 @@ version 2.10.8:
 	SILC:
 	* Correctly set whiteboard dimensions in whiteboard sessions.
 
+	SIMPLE:
+	* Fix buffer overflow with remote code execution potential.
+	  (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
+
 	XMPP:
+	* Prevent spoofing of iq replies by verifying that the 'from' address
+	  matches the 'to' address of the iq request. (Discovered by Fabian
+	  Yamaguchi and Christian Wressnegger of the University of Goettingen,
+	  fixed by Thijs Alkemade) (CVE-2013-6483)
+	* Fix crash on some systems when receiving fake delay timestamps with
+	  extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
 	* Fix possible crash or other erratic behavior when selecting a very
 	  small file for your own buddy icon.
 	* Fix crash if the user tries to initiate a voice/video session with a
@@ -126,6 +188,14 @@ version 2.10.8:
 	* Fix login errors when the first two available auth mechanisms fail but
 	  a subsequent mechanism would otherwise work when using Cyrus SASL.
 	  (#15524)
+	* Fix dropping incoming stanzas on BOSH connections when we receive
+	  multiple HTTP responses at once. (Issa Gorissen) (#15684)
+
+	Yahoo!:
+	* Fix possible crashes handling incoming strings that are not UTF-8.
+	  (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
+	* Fix a bug reading a peer to peer message where a remote user could
+	  trigger a crash. (CVE-2013-6481)
 
 	Plugins:
 	* Fix crash in contact availability plugin.
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -306,7 +306,7 @@ if test x$enable_i18n = xyes; then
 	GETTEXT_PACKAGE=pidgin
 	AC_SUBST(GETTEXT_PACKAGE)
 
-	ALL_LINGUAS="af am ar az be at latin bg bn bn_IN bs ca ca at valencia cs da de dz el en_AU en_CA en_GB eo es et eu fa fi fr ga gl gu he hi hr hu hy id it ja ka km kn ko ku lo lt mai mhr mk mn mr ms_MY my_MM nb ne nl nn oc or pa pl pt_BR pt ps ro ru si sk sl sq sr sr at latin sv sw ta te th tr uk ur vi xh zh_CN zh_HK zh_TW"
+	ALL_LINGUAS="af am ar ast az be at latin bg bn bn_IN bs ca ca at valencia cs da de dz el en_AU en_CA en_GB eo es et eu fa fi fr ga gl gu he hi hr hu hy id it ja ka km kn ko ku lo lt mai mhr mk mn mr ms_MY my_MM nb ne nl nn oc or pa pl pt_BR pt ps ro ru si sk sl sq sr sr at latin sv sw ta te th tr uk ur vi xh zh_CN zh_HK zh_TW"
 	AM_GLIB_GNU_GETTEXT
 
 	dnl If we don't have msgfmt, then po/ is going to fail -- ensure that
@@ -829,10 +829,10 @@ dnl ####################################
 dnl # Check for JSON-GLib (required)
 dnl #######################################################################
 
-PKG_CHECK_MODULES([JSON], [json-glib-1.0 >= 0.10.0], , [
+PKG_CHECK_MODULES([JSON], [json-glib-1.0 >= 0.14.0], , [
 	AC_MSG_RESULT(no)
 	AC_MSG_ERROR([
-You must have JSON-GLib >= 0.10.0 development headers installed to build.
+You must have JSON-GLib >= 0.14.0 development headers installed to build.
 ])])
 
 AC_SUBST(JSON_CFLAGS)
diff --git a/libpurple/conversationtypes.c b/libpurple/conversationtypes.c
--- a/libpurple/conversationtypes.c
+++ b/libpurple/conversationtypes.c
@@ -808,6 +808,14 @@ chat_conversation_write_message(PurpleCo
 	if (purple_chat_conversation_is_ignored_user(PURPLE_CHAT_CONVERSATION(conv), who))
 		return;
 
+	if (mtime < 0) {
+		purple_debug_error("conversation",
+				"purple_conv_chat_write ignoring negative timestamp\n");
+		/* TODO: Would be more appropriate to use a value that indicates
+		   that the timestamp is unknown, and surface that in the UI. */
+		mtime = time(NULL);
+	}
+
 	if (!(flags & PURPLE_MESSAGE_WHISPER)) {
 		const char *str;
 
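Review bot: The debug message in the added `mtime < 0` guard still names `purple_conv_chat_write`, while the hunk header shows the enclosing function on this branch is `chat_conversation_write_message`, so anyone triaging from the log is pointed at a name that does not match the code; suggest `"chat_conversation_write_message ignoring negative timestamp\n"`. The guard also rejects only negative values. If `mtime` can come from a peer-supplied delay stamp, as the ChangeLog entry about "fake delay timestamps with extreme values" suggests, a very large positive value still passes this check, and it is not visible from this hunk whether that case is bounded before the value is formatted. The function body starts and ends outside the hunk.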


