libpurple 32529:c8e809dffa1d: Merged v2.10.7 into adium.

Thu Feb 21 22:10:54 UTC 2013


details:	http://hg.adium.im/libpurple/rev/c8e809dffa1d
revision:	32529:c8e809dffa1d
branch:		adium
author:		Thijs Alkemade <me at thijsalkema.de>
date:		Thu Feb 21 23:07:08 2013 +0100

Merged v2.10.7 into adium.

diffs (188 lines):

diff -r 4dac888f3d5e -r c8e809dffa1d ChangeLog
--- a/ChangeLog	Tue Feb 12 13:57:27 2013 +0100
+++ b/ChangeLog	Thu Feb 21 23:07:08 2013 +0100
@@ -10,6 +10,8 @@
 	  --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
 
 	libpurple:
+	* Fix a crash when receiving UPnP responses with abnormally long values.
+	  (CVE-2013-0274)
 	* Don't link directly to libgcrypt when building with GnuTLS support.
 	  (Bartosz Brachaczek) (#15329)
 	* Fix UPnP mappings on routers that return empty <URLBase/> elements
@@ -37,6 +39,11 @@
 	  Barfield) (#15217)
 
 	MXit:
+	* Fix a bug where a remote MXit user could possibly specify a local
+	  file path to be written to. (CVE-2013-0271)
+	* Fix a bug where the MXit server or a man-in-the-middle could
+	  potentially send specially crafted data that could overflow a buffer
+	  and lead to a crash or remote code execution. (CVE-2013-0272)
 	* Display farewell messages in a different colour to distinguish
 	  them from normal messages.
 	* Add support for typing notification.
@@ -50,6 +57,10 @@
 	* Increase the maximum file size that can be transferred to 1 MB.
 	* When setting an avatar image, no longer downscale it to 96x96.
 
+	Sametime:
+	* Fix a crash in Sametime when a malicious server sends us an abnormally
+	  long user ID. (CVE-2013-0273)
+
 	Yahoo!:
 	* Fix a double-free in profile/picture loading code. (Mihai Serban)
 	  (#15053)
diff -r 4dac888f3d5e -r c8e809dffa1d libpurple/protocols/mxit/formcmds.c
--- a/libpurple/protocols/mxit/formcmds.c	Tue Feb 12 13:57:27 2013 +0100
+++ b/libpurple/protocols/mxit/formcmds.c	Thu Feb 21 23:07:08 2013 +0100
@@ -405,19 +405,29 @@
 		guchar*		rawimg;
 		gsize		rawimglen;
 		char*		dir;
+		char*		escfrom;
+		char*		escname;
+		char*		escvalidator;
 		char*		filename;
 
 		/* base64 decode the image data */
 		rawimg = purple_base64_decode(tmp, &rawimglen);
 
 		/* save it to a file */
-		dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+		dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
 		purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-		filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+		escfrom = g_strdup(purple_escape_filename(from));
+		escname = g_strdup(purple_escape_filename(name));
+		escvalidator = g_strdup(purple_escape_filename(validator));
+		filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
+
 		purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
 
 		g_free(dir);
+		g_free(escfrom);
+		g_free(escname);
+		g_free(escvalidator);
 		g_free(filename);
 	}
 
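Review bot: The decoded buffer `rawimg` from `purple_base64_decode(tmp, &rawimglen)` is handed straight to `purple_util_write_data_to_file_absolute` without a NULL check, and the write's boolean result is discarded, so a malformed image strip from the server neither skips the write nor leaves a trace in the log. If the decoder returns NULL on bad input, as its libpurple documentation says it does, guard the save: `if (rawimg != NULL && !purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen)) purple_debug_warning("mxit", "failed to save image strip %s\n", filename);`. The `g_strdup` copies of `purple_escape_filename` output are correct since that function returns a static buffer that the next call overwrites; a one-line comment saying so, `/* purple_escape_filename returns a static buffer; copy before the next call */`, would spare the next reader from removing them. The enclosing function and the release of `rawimg` lie outside the hunk.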
diff -r 4dac888f3d5e -r c8e809dffa1d libpurple/protocols/mxit/http.c
--- a/libpurple/protocols/mxit/http.c	Tue Feb 12 13:57:27 2013 +0100
+++ b/libpurple/protocols/mxit/http.c	Thu Feb 21 23:07:08 2013 +0100
@@ -116,11 +116,12 @@
 		buflen = session->rx_i;
 
 		/* read bytes from the socket */
-		len = read( session->fd, buf + buflen, sizeof( buf ) - buflen );
+		len = read( session->fd, buf + buflen, sizeof( buf ) - ( buflen + 1 ) );
 		if ( len <= 0 ) {
 			/* connection has been terminated, or error occurred */
 			goto done;
 		}
+		buf[buflen+len] = '\0';
 
 //nextpacket:
 
@@ -181,7 +182,11 @@
 		g_free( tmp );
 		tmp = NULL;
 
-		if ( buflen > ( ( body - buf ) + bodylen ) ) {
+		if ( buflen + bodylen >= CP_MAX_PACKET ) {
+			/* this packet is way to big */
+			goto done;
+		}
+		else if ( buflen > ( ( body - buf ) + bodylen ) ) {
 			/* we have a second packet here */
 			next = body + bodylen;
 			session->rx_res = 0;
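Review bot: The new size check `buflen + bodylen >= CP_MAX_PACKET` bounds the sum only from above; if `bodylen` is a signed value parsed from the Content-Length header (its declaration and parsing are outside this hunk), a negative value passes the check and `next = body + bodylen;` on the next branch points before `body`. A sign check belongs beside the size check: `if ( bodylen < 0 || buflen + bodylen >= CP_MAX_PACKET )`. The comment on that branch also reads "way to big" and should be "way too big".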
diff -r 4dac888f3d5e -r c8e809dffa1d libpurple/protocols/mxit/splashscreen.c
--- a/libpurple/protocols/mxit/splashscreen.c	Tue Feb 12 13:57:27 2013 +0100
+++ b/libpurple/protocols/mxit/splashscreen.c	Thu Feb 21 23:07:08 2013 +0100
@@ -121,10 +121,10 @@
 	splash_remove(session);
 
 	/* Save the new splash image */
-	dir = g_strdup_printf("%s/mxit",  purple_user_dir());
+	dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit",  purple_user_dir());
 	purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-	filename = g_strdup_printf("%s/%s.png", dir, splashId);
+	filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
 	if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
 		/* Store new splash-screen ID to settings */
 		purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);
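Review bot: The image is written under the escaped name `purple_escape_filename(splashId)` while the setting stored on the `purple_account_set_string` line keeps the raw `splashId`; `splash_remove(session)` at the top of the hunk presumably rebuilds the path from that setting, and if it does so without the same escaping (its body is outside the hunk) the previous image is either not found or a raw ID reaches the unlink. Worth confirming that both the save and the remove path build the filename through one shared helper. Separately, the sibling change in formcmds.c in this same commit switches the directory to `g_build_filename(purple_user_dir(), "mxit", NULL)`, while this hunk keeps `g_strdup_printf` with `G_DIR_SEPARATOR_S`; the former is the more conventional form and would keep the two protocols consistent.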
diff -r 4dac888f3d5e -r c8e809dffa1d libpurple/protocols/sametime/sametime.c
--- a/libpurple/protocols/sametime/sametime.c	Tue Feb 12 13:57:27 2013 +0100
+++ b/libpurple/protocols/sametime/sametime.c	Thu Feb 21 23:07:08 2013 +0100
@@ -4977,7 +4977,7 @@
      data. wtf? */
 
   static char buf[BUF_LEN];
-  strncpy(buf, id, sizeof(buf));
+  g_strlcpy(buf, id, sizeof(buf));
   return buf;
 }
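Review bot: The switch to g_strlcpy on the `buf` line fixes the missing terminator but still truncates a long `id` silently, and the clipped string is returned as though it were the user's full ID, so two IDs sharing a BUF_LEN-1 prefix would collapse into one. g_strlcpy returns the source length, which makes truncation cheap to detect: `if (g_strlcpy(buf, id, sizeof(buf)) >= sizeof(buf)) purple_debug_warning("sametime", "user id truncated to %d bytes\n", (int)(sizeof(buf) - 1));`. The function also hands back a static buffer, so a comment such as `/* returns a static buffer; copy before the next call */` above the return would help callers. The signature and the start of the body are outside the hunk.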
 
diff -r 4dac888f3d5e -r c8e809dffa1d libpurple/upnp.c
--- a/libpurple/upnp.c	Tue Feb 12 13:57:27 2013 +0100
+++ b/libpurple/upnp.c	Thu Feb 21 23:07:08 2013 +0100
@@ -409,7 +409,7 @@
 		: PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
 	control_info.lookup_time = time(NULL);
 	control_info.control_url = control_url;
-	strncpy(control_info.service_type, dd->service_type,
+	g_strlcpy(control_info.service_type, dd->service_type,
 		sizeof(control_info.service_type));
 
 	fire_discovery_callbacks(control_url != NULL);
@@ -601,9 +601,9 @@
 		sentSuccess = FALSE;
 
 		if((dd->retry_count % 2) == 0) {
-			strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
 		} else {
-			strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+			g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
 		}
 
 		sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -787,7 +787,7 @@
 	}
 	*temp2 = '\0';
 
-	strncpy(control_info.publicip, temp + 1,
+	g_strlcpy(control_info.publicip, temp + 1,
 			sizeof(control_info.publicip));
 
 	purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
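Review bot: g_strlcpy on the `control_info.publicip` lines now terminates the copy, but an over-long value from the router's reply is still truncated silently and then logged and cached as the public IP. Since `temp + 1` is taken straight from the response (the parsing is outside the hunk), the copy's return value is worth checking: `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) { purple_debug_warning("upnp", "public IP too long, ignoring\n"); control_info.publicip[0] = '\0'; }`, so callers see an empty address rather than a clipped one. Whether any caller validates the string as an IP address before use is not visible here.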
@@ -822,7 +822,7 @@
 looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
 {
 	if (source != -1) {
-		strncpy(control_info.internalip,
+		g_strlcpy(control_info.internalip,
 			purple_network_get_local_system_ip(source),
 			sizeof(control_info.internalip));
 		purple_debug_info("upnp", "Local IP: %s\n",
@@ -975,7 +975,7 @@
 	ar->cb_data = cb_data;
 	ar->add = TRUE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1022,7 +1022,7 @@
 	ar->cb_data = cb_data;
 	ar->add = FALSE;
 	ar->portmap = portmap;
-	strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+	g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
 
 	/* If we're waiting for a discovery, add to the callbacks list */
 	if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {



