rpms/centericq/devel centericq-4.21.0-overflows.patch, NONE, 1.1 centericq.spec, 1.31, 1.32

Lubomir Kundrak (lkundrak) fedora-extras-commits at redhat.com
Thu Jul 19 00:09:58 UTC 2007


Author: lkundrak

Update of /cvs/extras/rpms/centericq/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16695

Modified Files:
	centericq.spec 
Added Files:
	centericq-4.21.0-overflows.patch 
Log Message:
Fix CVE-2007-3713 multiple buffer overflows (#247979)


centericq-4.21.0-overflows.patch:

--- NEW FILE centericq-4.21.0-overflows.patch ---
Fixes CVE-2007-0160 and CVE-2007-3713 buffer overflows,
some of them remotely exploitable.	(Lubomir Kundrak <lkundrak at redhat.com>)

diff -urp centericq-4.21.0.orig/src/hooks/abstracthook.cc centericq-4.21.0/src/hooks/abstracthook.cc
--- centericq-4.21.0.orig/src/hooks/abstracthook.cc	2007-07-19 01:22:28.000000000 +0200
+++ centericq-4.21.0/src/hooks/abstracthook.cc	2007-07-19 01:22:55.000000000 +0200
@@ -40,6 +40,8 @@
 
 #include <time.h>
 
+#define NOTIFBUF 512
+
 time_t timer_current = time(0);
 
 abstracthook::abstracthook(protocolname aproto)
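Review bot: `#define NOTIFBUF 512` is repeated verbatim in each of the six patched files (here and in aimhook.cc, irchook.cc, jabberhook.cc, ljhook.cc and yahoohook.cc), so the sizes can drift apart when one copy is edited. A single definition in a header these files already share would keep them in step; which header that would be cannot be told from the hunks. A one-line comment on the definition, such as `/* size of the on-stack buffer for formatted notification text; longer text is truncated */`, would record the intent.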
@@ -339,7 +341,7 @@ bool abstracthook::regattempt(unsigned i
 
 void abstracthook::log(logevent ev, ...) {
     va_list ap;
-    char buf[512];
+    char buf[NOTIFBUF];
     static map<logevent, string> lst;
 
     if(lst.empty()) {
@@ -354,7 +356,8 @@ void abstracthook::log(logevent ev, ...)
     }
 
     va_start(ap, ev);
-    vsprintf(buf, lst[ev].c_str(), ap);
+    vsnprintf(buf, NOTIFBUF, lst[ev].c_str(), ap);
+    buf[NOTIFBUF-1] = '\0';
     va_end(ap);
 
     face.log((string) "+ [" + conf.getprotocolname(proto)  + "] " + buf);
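Review bot: The bound passed to `vsnprintf` is the macro `NOTIFBUF` rather than the size of the array it guards, so the call stays correct only while the declaration of `buf` in the previous hunk keeps using the same macro; `vsnprintf(buf, sizeof(buf), lst[ev].c_str(), ap);` ties the two together. The same applies to every `snprintf(buf, NOTIFBUF, ...)` added by this patch, and to aimhook::loadprofile, where the bound and the terminator index are the literals `512` and `511`. A conforming `vsnprintf` already terminates within the bound, so `buf[NOTIFBUF-1] = '\0';` is a defensive extra that deserves a short comment saying so. Output that does not fit is cut silently, since the return value is never checked.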
@@ -751,7 +754,7 @@ string abstracthook::getTimezoneIDtoStri
     if(id > 24 || id < -24) {
 	return "Unspecified";
     } else {
-	char buf[32];
+	static char buf[32];
 	sprintf(buf, "GMT %s%d:%s", id > 0 ? "-" : "+", abs(id/2), id % 2 == 0 ? "00" : "30");
 	return buf;
     }
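Review bot: Making `buf` static is not needed for the `return buf;` below it, assuming the function returns `string` by value as the truncated hunk header suggests, because the characters are copied into the returned object before the local goes out of scope. The static array adds shared state that concurrent callers would overwrite, and the `sprintf` into it is still unbounded, unlike the other call sites this patch touches. Suggested: keep `char buf[32];` and write `snprintf(buf, sizeof(buf), "GMT %s%d:%s", ...)` with the same arguments. The function starts outside the hunk.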
diff -urp centericq-4.21.0.orig/src/hooks/aimhook.cc centericq-4.21.0/src/hooks/aimhook.cc
--- centericq-4.21.0.orig/src/hooks/aimhook.cc	2007-07-19 01:22:28.000000000 +0200
+++ centericq-4.21.0/src/hooks/aimhook.cc	2007-07-19 01:22:55.000000000 +0200
@@ -32,6 +32,8 @@
 #include "imlogger.h"
 #include "eventmanager.h"
 
+#define NOTIFBUF 512
+
 aimhook ahook;
 
 aimhook::aimhook()
@@ -293,7 +295,8 @@ void aimhook::loadprofile() {
 
     if(access(fname.c_str(), R_OK)) {
 	char sbuf[512];
-	sprintf(sbuf, _("I do really enjoy the default AIM profile of centericq %s."), VERSION);
+	snprintf(sbuf, 512, _("I do really enjoy the default AIM profile of centericq %s."), VERSION);
+	sbuf[511] = '\0';
 	profile.info = sbuf;
 	saveprofile();
     }
diff -urp centericq-4.21.0.orig/src/hooks/irchook.cc centericq-4.21.0/src/hooks/irchook.cc
--- centericq-4.21.0.orig/src/hooks/irchook.cc	2007-07-19 01:22:28.000000000 +0200
+++ centericq-4.21.0/src/hooks/irchook.cc	2007-07-19 01:22:55.000000000 +0200
@@ -35,6 +35,8 @@
 
 #include <iterator>
 
+#define NOTIFBUF 512
+
 // ----------------------------------------------------------------------------
 
 irchook irhook;
@@ -609,11 +611,12 @@ void irchook::rawcommand(const string &c
 
 void irchook::channelfatal(string room, const char *fmt, ...) {
     va_list ap;
-    char buf[1024];
+    char buf[NOTIFBUF];
     vector<channelInfo>::iterator i;
 
     va_start(ap, fmt);
-    vsprintf(buf, fmt, ap);
+    vsnprintf(buf, NOTIFBUF, fmt, ap);
+    buf[NOTIFBUF-1] = '\0';
     va_end(ap);
 
     if(room.substr(0, 1) != "#")
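Review bot: `buf` shrinks from 1024 to 512 bytes here, so a channel error message between 512 and 1023 characters that used to fit is now cut short without any indication; the same reduction is made in chatgottopic, yahoohook::got_conf_invite and yahoohook::mail_notify. If the shorter limit is intended, say so in a comment on the declaration, e.g. `/* messages longer than NOTIFBUF-1 are truncated */`; otherwise keep the larger array and pass `sizeof(buf)` as the bound. The rest of channelfatal lies outside the hunk.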
@@ -1196,7 +1199,7 @@ void irchook::errorhandler(void *connect
 void irchook::nickchanged(void *connection, void *cli, ...) {
     va_list ap;
     icqcontact *c;
-    char buf[100];
+    char buf[NOTIFBUF];
 
     va_start(ap, cli);
     char *oldnick = va_arg(ap, char *);
@@ -1218,7 +1221,8 @@ void irchook::nickchanged(void *connecti
 
 	    }
 
-	    sprintf(buf, _("The user has changed their nick from %s to %s"), oldnick, newnick);
+	    snprintf(buf, NOTIFBUF, _("The user has changed their nick from %s to %s"), oldnick, newnick);
+	    buf[NOTIFBUF-1] = '\0';
 	    em.store(imnotification(c, buf));
 	}
     }
@@ -1254,18 +1258,20 @@ const char * const command, const char *
 
 void irchook::subreply(void *conn, void *cli, const char * const nick,
 const char * const command, const char * const args) {
-    char buf[512];
+    char buf[NOTIFBUF];
 
     if(!strcmp(command, "PING")) {
 	map<string, time_t>::iterator i = irhook.pingtime.find(up(nick));
 
 	if(i != irhook.pingtime.end()) {
-	    sprintf(buf, _("PING reply from the user: %d second(s)"), time(0)-i->second);
+	    snprintf(buf, NOTIFBUF, _("PING reply from the user: %d second(s)"), time(0)-i->second);
+	    buf[NOTIFBUF-1] = '\0';
 	    em.store(imnotification(imcontact(nick, irc), buf));
 	}
 
     } else if(!strcmp(command, "VERSION")) {
-	sprintf(buf, _("The remote is using %s"), args);
+	snprintf(buf, NOTIFBUF, _("The remote is using %s"), args);
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(imcontact(nick, irc), buf));
 
     }
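Review bot: The `%d` conversion in the PING branch is given `time(0)-i->second`, which has type `time_t` (`i` iterates a `map<string, time_t>`), and on platforms where `time_t` is wider than `int` that mismatch is undefined behaviour which the switch to `snprintf` does not change. Casting the argument keeps the translated format string untouched: `snprintf(buf, NOTIFBUF, _("PING reply from the user: %d second(s)"), (int) (time(0)-i->second));`.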
@@ -1378,8 +1384,9 @@ void irchook::chatuserjoined(void *conn,
 	if(strlen(email))
 	    uname += (string) " (" + email + ")";
 
-	char buf[512];
-	sprintf(buf, _("%s has joined."), uname.c_str());
+	char buf[NOTIFBUF];
+	snprintf(buf, NOTIFBUF, _("%s has joined."), uname.c_str());
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(imcontact(room, irc), buf));
     }
 }
@@ -1395,14 +1402,16 @@ void irchook::chatuserleft(void *conn, v
 
     if(conf.getourid(irc).nickname != who) {
 	string text;
-	char buf[512];
+	char buf[NOTIFBUF];
 
-	sprintf(buf, _("%s has left"), who); text = buf;
+	snprintf(buf, NOTIFBUF, _("%s has left"), who); text = buf;
+        buf[NOTIFBUF-1] = '\0';
 
 	if(reason)
 	if(strlen(reason)) {
 	    if(strlen(reason) > 450) reason[450] = 0;
-	    sprintf(buf, _("reason: %s"), reason);
+	    snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
+	    buf[NOTIFBUF-1] = '\0';
 	    text += (string) "; " + buf + ".";
 	}
 
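Review bot: In the first added pair, `text = buf;` sits on the same line as the `snprintf` call and therefore runs before `buf[NOTIFBUF-1] = '\0';`, so the explicit terminator cannot protect that copy; chatuserkicked has the same ordering. Move the assignment after the terminator: `snprintf(buf, NOTIFBUF, _("%s has left"), who);` then `buf[NOTIFBUF-1] = '\0';` then `text = buf;`. With the bounded call in place, `if(strlen(reason) > 450) reason[450] = 0;` no longer guards the buffer yet still writes into the caller's string; whether it can go depends on how long a reason the notification should show. The function body starts and ends outside the hunk.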
@@ -1422,13 +1431,15 @@ void irchook::chatuserkicked(void *conn,
 
     if(conf.getourid(irc).nickname != who) {
 	string text;
-	char buf[512];
+	char buf[NOTIFBUF];
 
-	sprintf(buf, _("%s has been kicked by %s"), who, by); text = buf;
+	snprintf(buf, NOTIFBUF, _("%s has been kicked by %s"), who, by); text = buf;
+	buf[NOTIFBUF-1] = '\0';
 
 	if(reason)
 	if(strlen(reason)) {
-	    sprintf(buf, _("reason: %s"), reason);
+	    snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
+	    buf[NOTIFBUF-1] = '\0';
 	    text += (string) "; " + buf + ".";
 	}
 
@@ -1451,13 +1462,15 @@ void irchook::chatgottopic(void *conn, v
 	return;
 
     string text;
-    char buf[1024];
-    sprintf(buf, _("Channel topic now is: %s"), topic);
+    char buf[NOTIFBUF];
+    snprintf(buf, NOTIFBUF, _("Channel topic now is: %s"), topic);
+    buf[NOTIFBUF-1] = '\0';
     text = buf;
 
     if(author)
     if(strlen(author)) {
-	sprintf(buf, _("set by %s"), author);
+	snprintf(buf, NOTIFBUF, _("set by %s"), author);
+	buf[NOTIFBUF-1] = '\0';
 	text += (string) "; " + buf + ".";
     }
 
@@ -1474,8 +1487,9 @@ void irchook::chatuseropped(void *conn, 
     va_end(ap);
 
     if(by) {
-	char buf[512];
-	sprintf(buf, _("%s has been opped by %s."), who, by);
+	char buf[NOTIFBUF];
+	snprintf(buf, NOTIFBUF, _("%s has been opped by %s."), who, by);
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(imcontact(room, irc), buf));
     }
 }
@@ -1490,8 +1504,9 @@ void irchook::chatuserdeopped(void *conn
     va_end(ap);
 
     if(by) {
-	char buf[512];
-	sprintf(buf, _("%s has been deopped by %s."), who, by);
+	char buf[NOTIFBUF];
+	snprintf(buf, NOTIFBUF, _("%s has been deopped by %s."), who, by);
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(imcontact(room, irc), buf));
     }
 }
@@ -1504,10 +1519,10 @@ void irchook::chatopped(void *conn, void
     char *by = va_arg(ap, char *);
     va_end(ap);
 
-    char buf[512];
-    if(by) sprintf(buf, _("%s has opped us."), by);
-	else strcpy(buf, _("you are an op here"));
-
+    char buf[NOTIFBUF];
+    if(by) snprintf(buf, NOTIFBUF, _("%s has opped us."), by);
+	else strncpy(buf, _("you are an op here"), NOTIFBUF);
+    buf[NOTIFBUF-1] = '\0';
     em.store(imnotification(imcontact(room, irc), buf));
 }
 
@@ -1519,8 +1534,9 @@ void irchook::chatdeopped(void *conn, vo
     char *by = va_arg(ap, char *);
     va_end(ap);
 
-    char buf[512];
-    sprintf(buf, _("%s has deopped us."), by);
+    char buf[NOTIFBUF];
+    snprintf(buf, NOTIFBUF, _("%s has deopped us."), by);
+    buf[NOTIFBUF-1] = '\0';
     em.store(imnotification(imcontact(room, irc), buf));
 }
 
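Review bot: `by` is passed to the `%s` conversion without a null check, whereas chatopped, chatuseropped and chatuserdeopped in this same patch all test `if(by)` first; a null pointer for `%s` is undefined behaviour, and bounding the write does not change that. If the callback can be invoked without an operator name, as those guards suggest, mirror them: `if(by) snprintf(buf, NOTIFBUF, _("%s has deopped us."), by);` with a fixed fallback text in the `else` branch, as chatopped does. The start of chatdeopped is outside the hunk.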
diff -urp centericq-4.21.0.orig/src/hooks/jabberhook.cc centericq-4.21.0/src/hooks/jabberhook.cc
--- centericq-4.21.0.orig/src/hooks/jabberhook.cc	2007-07-19 01:22:28.000000000 +0200
+++ centericq-4.21.0/src/hooks/jabberhook.cc	2007-07-19 01:22:55.000000000 +0200
@@ -36,6 +36,8 @@
 #define DEFAULT_CONFSERV "conference.jabber.org"
 #define PERIOD_KEEPALIVE 30
 
+#define NOTIFBUF 512
+
 static void jidsplit(const string &jid, string &user, string &host, string &rest) {
     int pos;
     user = jid;
@@ -1290,8 +1292,9 @@ void jabberhook::gotversion(const imcont
 	if(vinfo.size() > 128)
 	    vinfo.erase(128);
 
-	char buf[256];
-	sprintf(buf, _("The remote is using %s"), vinfo.c_str());
+	char buf[NOTIFBUF];
+	snprintf(buf, NOTIFBUF, _("The remote is using %s"), vinfo.c_str());
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(ic, buf));
     }
 }
diff -urp centericq-4.21.0.orig/src/hooks/ljhook.cc centericq-4.21.0/src/hooks/ljhook.cc
--- centericq-4.21.0.orig/src/hooks/ljhook.cc	2007-07-19 01:26:38.000000000 +0200
+++ centericq-4.21.0/src/hooks/ljhook.cc	2007-07-19 01:28:07.000000000 +0200
@@ -37,6 +37,8 @@ ljhook lhook;
 
 #define PERIOD_FRIENDS  3600
 
+#define NOTIFBUF 512
+
 ljhook::ljhook(): abstracthook(livejournal), fonline(false), sdest(0) {
     fcapabs.insert(hookcapab::nochat);
 }
@@ -655,7 +657,7 @@ void ljhook::messageack_cb(MessageEvent 
 	    map<string, string> nfriendof;
 	    map<string, string>::const_iterator in;
 	    vector<string>::iterator il;
-	    char buf[512];
+	    char buf[NOTIFBUF];
 
 	    for(i = 1; i <= count; i++) {
 		username = params[(string) "friendof_" + i2str(i) + "_user"];
@@ -670,8 +672,9 @@ void ljhook::messageack_cb(MessageEvent 
 		if(!foempty) {
 		    bd = (string) "http://" + conf.getourid(proto).server + "/users/" + in->first;
 
-		    sprintf(buf, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
+		    snprintf(buf, NOTIFBUF, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
 			in->first.c_str(), in->second.c_str(), bd.c_str());
+		    buf[NOTIFBUF-1] = '\0';
 
 		    em.store(imnotification(self, buf));
 		}
@@ -680,8 +683,9 @@ void ljhook::messageack_cb(MessageEvent 
 	    for(il = friendof.begin(); il != friendof.end(); ) {
 		if(nfriendof.find(*il) == nfriendof.end()) {
 		    bd = (string) "http://" + conf.getourid(proto).server + "/users/" + *il;
-		    sprintf(buf, _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
+		    snprintf(buf, NOTIFBUF, _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
 			il->c_str(), bd.c_str());
+		    buf[NOTIFBUF-1] = '\0';
 		    em.store(imnotification(self, buf));
 		    friendof.erase(il);
 		    il = friendof.begin();
diff -urp centericq-4.21.0.orig/src/hooks/yahoohook.cc centericq-4.21.0/src/hooks/yahoohook.cc
--- centericq-4.21.0.orig/src/hooks/yahoohook.cc	2007-07-19 01:22:28.000000000 +0200
+++ centericq-4.21.0/src/hooks/yahoohook.cc	2007-07-19 01:22:55.000000000 +0200
@@ -47,6 +47,8 @@
 #define PERIOD_REFRESH          60
 #define PERIOD_CLOSE            6
 
+#define NOTIFBUF 512
+
 int yahoohook::yfd::connection_tags = 0;
 
 char pager_host[255], pager_port[255], filetransfer_host[255],
@@ -844,7 +846,7 @@ void yahoohook::got_conf_invite(int id, 
     icqconf::imaccount acc = conf.getourid(yahoo);
     string confname = (string) "#" + room, inviter, text;
     vector<string>::iterator ic;
-    char buf[1024];
+    char buf[NOTIFBUF];
     int i;
 
     imcontact cont(confname, yahoo);
@@ -856,10 +858,11 @@ void yahoohook::got_conf_invite(int id, 
 	inviter.erase(i);
     }
 
-    sprintf(buf, _("The user %s has invited you to the %s conference, the topic there is: %s"),
+    snprintf(buf, NOTIFBUF, _("The user %s has invited you to the %s conference, the topic there is: %s"),
 	yhook.rusconv("wk", inviter).c_str(),
 	yhook.rusconv("wk", room).c_str(),
 	yhook.rusconv("wk", msg).c_str());
+    buf[NOTIFBUF-1] = '\0';
 
     text = (string) buf + "\n\n" + _("Current conference members are: ");
     yhook.confmembers[room].push_back(inviter);
@@ -888,20 +891,22 @@ void yahoohook::got_conf_invite(int id, 
 
 void yahoohook::conf_userdecline(int id, char *who, char *room, char *msg) {
     icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
-    char buf[512];
+    char buf[NOTIFBUF];
 
     if(c) {
-	sprintf(buf, _("The user %s has declined your invitation to join the conference"), who);
+	snprintf(buf, NOTIFBUF, _("The user %s has declined your invitation to join the conference"), who);
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(c, buf));
     }
 }
 
 void yahoohook::conf_userjoin(int id, char *who, char *room) {
     icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
-    char buf[512];
+    char buf[NOTIFBUF];
 
     if(c) {
-	sprintf(buf, _("The user %s has joined the conference"), who);
+	snprintf(buf, NOTIFBUF, _("The user %s has joined the conference"), who);
+	buf[NOTIFBUF-1] = '\0';
 
 	if(find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who) == yhook.confmembers[room].end())
 	    yhook.confmembers[room].push_back(who);
@@ -912,11 +917,12 @@ void yahoohook::conf_userjoin(int id, ch
 
 void yahoohook::conf_userleave(int id, char *who, char *room) {
     icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
-    char buf[512];
+    char buf[NOTIFBUF];
     vector<string>::iterator im;
 
     if(c) {
-	sprintf(buf, _("The user %s has left the conference"), who);
+	snprintf(buf, NOTIFBUF, _("The user %s has left the conference"), who);
+	buf[NOTIFBUF-1] = '\0';
 	em.store(imnotification(c, buf));
 
 	im = find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who);
@@ -981,10 +987,11 @@ void yahoohook::game_notify(int id, char
 }
 
 void yahoohook::mail_notify(int id, char *from, char *subj, int cnt) {
-    char buf[1024];
+    char buf[NOTIFBUF];
 
     if(from && subj) {
-	sprintf(buf, _("+ [yahoo] e-mail from %s, %s"), from, subj);
+	snprintf(buf, NOTIFBUF, _("+ [yahoo] e-mail from %s, %s"), from, subj);
+	buf[NOTIFBUF-1] = '\0';
 	face.log(buf);
 	clist.get(contactroot)->playsound(imevent::email);
     }
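Review bot: `face.log(buf)` is called with text formatted from `from` and `subj`, presumably taken from the incoming mail notification, and the declaration of `face.log` is not visible on this page. If a printf-style overload taking `const char *` exists, a character array would select it and that text would be read as a format string; abstracthook::log in this patch passes a `string` expression instead. `face.log((string) buf);` is safe under either signature, and the same applies to `face.log(buf)` in yahoohook::ylog.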
@@ -1138,11 +1145,12 @@ void yahoohook::webcam_data_request(int 
 
 int yahoohook::ylog(char *fmt, ...) {
     if(conf.getdebug()) {
-	char buf[512];
+	char buf[NOTIFBUF];
 	va_list ap;
 
 	va_start(ap, fmt);
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, NOTIFBUF, fmt, ap);
+	buf[NOTIFBUF-1] = '\0';
 	va_end(ap);
 
 	face.log(buf);


Index: centericq.spec
===================================================================
RCS file: /cvs/extras/rpms/centericq/devel/centericq.spec,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- centericq.spec	3 Jun 2007 15:02:14 -0000	1.31
+++ centericq.spec	19 Jul 2007 00:09:25 -0000	1.32
@@ -1,6 +1,6 @@
 Name:           centericq
 Version:        4.21.0
-Release:        12%{?dist}
+Release:        13%{?dist}
 
 Summary:        Text mode menu- and window-driven IM
 
@@ -25,7 +25,10 @@
 # CVE-2007-0160
 # http://mailman.linuxpl.org/pipermail/cicq/2007-January/004866.html
 # see redhat bugzilla #227791
-Patch7:         centericq-ijhook.patch
+#Patch7:         centericq-ijhook.patch
+# CVE-2007-3713, overlaps with the above
+Patch7:         centericq-4.21.0-overflows.patch
+
 Patch8:         centericq-libjab-segv.patch
 
 ## feature fixes
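Review bot: The comment block above `Patch7` still documents only CVE-2007-0160 and keeps the old entry as `#Patch7: centericq-ijhook.patch`, so a reader cannot tell whether that fix was dropped or absorbed. The new patch's own header says it fixes both CVEs, so the added comment could state that directly, e.g. `# CVE-2007-3713; supersedes centericq-ijhook.patch (CVE-2007-0160)`, and the commented-out line could then be removed. The `%patch7` line in `%prep` is outside this hunk; confirm its strip level matches the new patch, whose paths carry one leading directory (`centericq-4.21.0/src/hooks/...`).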
@@ -111,6 +114,9 @@
 %exclude %{_includedir}/msn
 
 %changelog
+* Thu Jul 19 2007 Lubomir Kundrak <lkundrak at redhat.com>
+- fix CVE-2007-3713 multiple buffer overflows (#247979)
+
 * Sun Jun 03 2007 Andreas Bierfert <andreas.bierfert[AT]lowlatency.de>
 - fix #242344
 



