[logjam] fix format-security issues
Tom Callaway
spot at fedoraproject.org
Wed Dec 4 21:43:32 UTC 2013
commit e44d7b462cc7315b6808c5ab7a1308b5b7649acd
Author: Tom Callaway <spot at fedoraproject.org>
Date: Wed Dec 4 16:43:29 2013 -0500
fix format-security issues
logjam-4.6.2-format-security-fix.patch | 111 ++++++++++++++++++++++++++++++++
logjam.spec | 8 ++-
2 files changed, 117 insertions(+), 2 deletions(-)
---
diff --git a/logjam-4.6.2-format-security-fix.patch b/logjam-4.6.2-format-security-fix.patch
new file mode 100644
index 0000000..4cfe54c
--- /dev/null
+++ b/logjam-4.6.2-format-security-fix.patch
@@ -0,0 +1,111 @@
+diff -up logjam-4.6.2/protocol/liblivejournal/livejournal/entry.c.format-security logjam-4.6.2/protocol/liblivejournal/livejournal/entry.c
+--- logjam-4.6.2/protocol/liblivejournal/livejournal/entry.c.format-security 2011-06-06 18:21:55.000000000 -0400
++++ logjam-4.6.2/protocol/liblivejournal/livejournal/entry.c 2013-12-04 16:41:56.507890402 -0500
+@@ -419,7 +419,7 @@ lj_entry_new_single_from_result(LJResult
+ }
+
+ if (errs) {
+- g_set_error(err, 0, 0, errs->str);
++ g_set_error_literal(err, 0, 0, errs->str);
+ g_string_free(errs, TRUE);
+ }
+
+@@ -847,7 +847,7 @@ lj_entry_from_user_editor(const char *fi
+ /* g_spawn* would do no good: it disassociates the tty. viva fork! */
+ pid = fork();
+ if (pid < 0) { /* fork error */
+- g_set_error(err, G_SPAWN_ERROR, G_SPAWN_ERROR_FORK,
++ g_set_error_literal(err, G_SPAWN_ERROR, G_SPAWN_ERROR_FORK,
+ g_strerror(errno));
+ return NULL;
+ }
+@@ -862,7 +862,7 @@ lj_entry_from_user_editor(const char *fi
+
+ /* parent */
+ if (wait(NULL) != pid) {
+- g_set_error(err, G_SPAWN_ERROR, G_SPAWN_ERROR_FAILED,
++ g_set_error_literal(err, G_SPAWN_ERROR, G_SPAWN_ERROR_FAILED,
+ g_strerror(errno));
+ return NULL;
+ }
+diff -up logjam-4.6.2/src/cmdline.c.format-security logjam-4.6.2/src/cmdline.c
+--- logjam-4.6.2/src/cmdline.c.format-security 2011-06-05 11:30:32.000000000 -0400
++++ logjam-4.6.2/src/cmdline.c 2013-12-04 16:41:56.507890402 -0500
+@@ -676,7 +676,7 @@ command_dispatch(Cmdline *cmdline, Comma
+ return;
+
+ if (g_ascii_strcasecmp(cmdname, "help") == 0) {
+- g_print(help);
++ g_print("%s", help);
+ exit(EXIT_SUCCESS);
+ }
+ for (i = 0; commands && commands[i].cmdname; i++) {
+diff -up logjam-4.6.2/src/login.c.format-security logjam-4.6.2/src/login.c
+--- logjam-4.6.2/src/login.c.format-security 2011-06-05 11:30:32.000000000 -0400
++++ logjam-4.6.2/src/login.c 2013-12-04 16:41:56.507890402 -0500
+@@ -310,7 +310,7 @@ login_check_lastupdate(GtkWindow *parent
+ }
+ dlg = gtk_message_dialog_new(parent, GTK_DIALOG_DESTROY_WITH_PARENT,
+ GTK_MESSAGE_QUESTION, GTK_BUTTONS_YES_NO,
+- msg);
++ "%s", msg);
+ g_free(msg);
+ if (gtk_dialog_run(GTK_DIALOG(dlg)) == GTK_RESPONSE_YES)
+ ret = login_run(GTK_WINDOW(dlg), acclj);
+diff -up logjam-4.6.2/src/music.c.format-security logjam-4.6.2/src/music.c
+--- logjam-4.6.2/src/music.c.format-security 2010-12-02 06:57:07.000000000 -0500
++++ logjam-4.6.2/src/music.c 2013-12-04 16:41:56.507890402 -0500
+@@ -68,7 +68,7 @@ music_command_detect(const char *command
+ return NULL;
+
+ if (exit_status != 0) {
+- g_set_error(err, MUSIC_ERROR, MUSIC_COMMAND_ERROR, std_err);
++ g_set_error_literal(err, MUSIC_ERROR, MUSIC_COMMAND_ERROR, std_err);
+ g_free(std_err);
+ return NULL;
+ }
+diff -up logjam-4.6.2/src/network-fork.c.format-security logjam-4.6.2/src/network-fork.c
+--- logjam-4.6.2/src/network-fork.c.format-security 2011-06-05 11:30:32.000000000 -0400
++++ logjam-4.6.2/src/network-fork.c 2013-12-04 16:41:56.507890402 -0500
+@@ -113,7 +113,7 @@ pipe_cb(ForkData *forkdata, gint pipe, G
+ waitpid(forkdata->pid, NULL, 0);
+ forkdata->pid = 0;
+ close(pipe);
+- g_set_error(forkdata->err, NET_ERROR, NET_ERROR_GENERIC, buf);
++ g_set_error_literal(forkdata->err, NET_ERROR, NET_ERROR_GENERIC, buf);
+ g_free(buf);
+ gtk_main_quit();
+ break;
+diff -up logjam-4.6.2/src/network-soup.c.format-security logjam-4.6.2/src/network-soup.c
+--- logjam-4.6.2/src/network-soup.c.format-security 2013-12-04 16:42:31.744850663 -0500
++++ logjam-4.6.2/src/network-soup.c 2013-12-04 16:42:39.871841419 -0500
+@@ -82,7 +82,7 @@ net_post_blocking(const char *url, GSLis
+
+ status = soup_session_send_message(session, req);
+ if (status != SOUP_STATUS_OK) {
+- g_set_error(err, NET_ERROR, NET_ERROR_GENERIC,
++ g_set_error_literal(err, NET_ERROR, NET_ERROR_GENERIC,
+ req->reason_phrase);
+ goto out;
+ }
+diff -up logjam-4.6.2/src/util-gtk.c.format-security logjam-4.6.2/src/util-gtk.c
+--- logjam-4.6.2/src/util-gtk.c.format-security 2011-06-05 11:30:32.000000000 -0400
++++ logjam-4.6.2/src/util-gtk.c 2013-12-04 16:41:56.507890402 -0500
+@@ -151,7 +151,7 @@ jam_confirm(GtkWindow *parent, const cha
+ dlg = gtk_message_dialog_new(GTK_WINDOW(parent), 0,
+ GTK_MESSAGE_QUESTION,
+ GTK_BUTTONS_YES_NO,
+- msg);
++ "%s", msg);
+ jam_window_init(GTK_WINDOW(dlg), parent, title, -1, -1);
+ res = (gtk_dialog_run(GTK_DIALOG(dlg)) == GTK_RESPONSE_YES);
+ gtk_widget_destroy(dlg);
+@@ -309,7 +309,7 @@ jam_message_va(GtkWindow *parent, Messag
+ /* TODO: switch to jam_dialogs, which are prettier */
+ dlg = gtk_message_dialog_new(parent, 0, msgtype,
+ buttontype,
+- fullmsg);
++ "%s", fullmsg);
+ gtk_window_set_title(GTK_WINDOW(dlg), title);
+ gtk_window_set_transient_for(GTK_WINDOW(dlg), GTK_WINDOW(parent));
+
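Review bot: In the entry.c part of the added patch, `g_set_error_literal(err, 0, 0, errs->str);` keeps the zero error domain, and that conversion may not be behaviour-preserving. As far as I know, GLib's `g_error_new_literal()` rejects `domain == 0` with a `g_return_val_if_fail`, whereas the varargs path used by `g_set_error()` only warns, so `*err` could stay NULL and the caller would treat the failed parse as success. To close the format-string hole without changing what callers see, I would keep the original call and add the format, `g_set_error(err, 0, 0, "%s", errs->str);`, or better, give this error a real quark. The other conversions pass non-zero domains (`G_SPAWN_ERROR`, `MUSIC_ERROR`, `NET_ERROR`) and look right; the strings they carry (child stderr, pipe data, the HTTP reason phrase) come from outside the process, which is why the literal form matters there. `lj_entry_new_single_from_result` continues outside the quoted context, so the caller's handling of a NULL `*err` should be confirmed against the full source.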
diff --git a/logjam.spec b/logjam.spec
index 0caf5d2..ae84d5d 100644
--- a/logjam.spec
+++ b/logjam.spec
@@ -2,7 +2,7 @@
Name: logjam
Version: 4.6.2
-Release: 7%{?dist}
+Release: 8%{?dist}
Epoch: 1
Summary: GTK2 client for LiveJournal
License: GPLv2+
@@ -26,6 +26,7 @@ BuildRequires: dbus-devel, dbus-glib-devel, perl(YAML)
Obsoletes: loserjabber, logjam-gnome
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch1: logjam-4.4.1-fedora-desktop.patch
+Patch2: logjam-4.6.2-format-security-fix.patch
%description
This is the new GTK2 client for LiveJournal (http://www.livejournal.com).
@@ -45,7 +46,7 @@ current music from XMMS.
%prep
%setup -q
%patch1 -p1 -b .desktop
-
+%patch2 -p1 -b .format-security
%build
touch NEWS README AUTHORS
@@ -89,6 +90,9 @@ desktop-file-install \
rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Dec 04 2013 Tom Callaway <spot at fedoraproject.org> - 1:4.6.2-8
+- fix format-security issues
+
* Sat Aug 03 2013 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1:4.6.2-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild