Bugzilla – Attachment 22900 Details for
Bug 59194
VUL-0: CVE-2004-2589: new gaim issues
[patch]
patch for 0.67 (9.0)
44194-0.67.diff (text/plain), 4.18 KB, created by
Ludwig Nussel
on 2004-08-25 20:39:28 UTC
Description:
patch for 0.67 (9.0)
Filename:
MIME Type:
Creator:
Ludwig Nussel
Created:
2004-08-25 20:39:28 UTC
Size:
4.18 KB
patch
obsolete
>Index: gaim-0.67/src/protocols/zephyr/ZInit.c
>===================================================================
>--- gaim-0.67.orig/src/protocols/zephyr/ZInit.c
>+++ gaim-0.67/src/protocols/zephyr/ZInit.c
>@@ -32,7 +32,7 @@ Code_t ZInitialize()
> {
> struct servent *hmserv;
> struct hostent *hostent;
>- char addr[4], hostname[MAXHOSTNAMELEN];
>+ char addr[4], hostname[MAXHOSTNAMELEN+1];
> struct in_addr servaddr;
> struct sockaddr_in sin;
> int s, sinsize = sizeof(sin);
>@@ -134,6 +134,7 @@ Code_t ZInitialize()
> * is a pretty broken thing to do, and unfortunately what we
> * always do on server machines.) */
> if (gethostname(hostname, sizeof(hostname)) == 0) {
>+ hostname[sizeof(hostname)-1] = '\0';
> hostent = gethostbyname(hostname);
> if (hostent && hostent->h_addrtype == AF_INET)
> memcpy(&__My_addr, hostent->h_addr, sizeof(__My_addr));
>Index: gaim-0.67/src/protocols/msn/utils.c
>===================================================================
>--- gaim-0.67.orig/src/protocols/msn/utils.c
>+++ gaim-0.67/src/protocols/msn/utils.c
>@@ -30,7 +30,7 @@ msn_url_decode(const char *str)
>
> g_return_val_if_fail(str != NULL, NULL);
>
>- for (i = 0; i < strlen(str); i++) {
>+ for (i = 0; i < strlen(str) && j < sizeof(buf)-2; i++) {
> char hex[3];
>
> if (str[i] != '%')
>@@ -67,9 +67,12 @@ msn_url_encode(const char *str)
> g_return_val_if_fail(str != NULL, NULL);
>
> for (i = 0; i < strlen(str); i++) {
>- if (isalnum(str[i]))
>+ if (isalnum(str[i])) {
>+ if(j+1 >= sizeof(buf)-1) break;
> buf[j++] = str[i];
>+ }
> else {
>+ if(j+3 >= sizeof(buf)-1) break;
> sprintf(buf + j, "%%%02x", (unsigned char)str[i]);
> j += 3;
> }
>Index: gaim-0.67/src/html.c
>===================================================================
>--- gaim-0.67.orig/src/html.c
>+++ gaim-0.67/src/html.c
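Review bot: The added `hostname[sizeof(hostname)-1] = '\0';` in ZInitialize carries no comment saying why it is needed, and the reason is not obvious from the call. gethostname() may report success with a truncated name that is not NUL-terminated, and the next line hands the buffer to gethostbyname() as a C string. I would put `/* gethostname() may truncate without NUL-terminating; force a terminator before gethostbyname() */` above it; the `MAXHOSTNAMELEN+1` change in the first hunk belongs to the same fix. The function body continues outside both hunks.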
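Review bot: The new `j < sizeof(buf)-2` condition in msn_url_decode ends the loop silently when the output buffer fills, so the caller gets a truncated string that looks like a successful decode; the two `break` statements added to msn_url_encode in the next hunk behave the same way. For a value that comes off the network a cut-off result can be misread further on, so I would at least document it, e.g. `/* output is truncated to fit buf; callers must not assume a complete decode */`. The loop body after `if (str[i] != '%')` is outside the hunk; if it consumes the two characters following a '%', it also needs a check that they exist before the terminator, which this bound does not provide.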
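Review bot: In msn_url_encode the rewritten `if (isalnum(str[i])) {` still passes a plain `char` to isalnum(), which is undefined for negative values, i.e. any byte above 0x7f where char is signed. The else branch already casts for sprintf, so the test should match: `if (isalnum((unsigned char)str[i])) {`. The bounds themselves look right: `j+3 >= sizeof(buf)-1` leaves room for the three characters and the terminator that sprintf writes.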
>@@ -192,8 +192,28 @@ static size_t
> parse_content_len(const char *data, size_t data_len)
> {
> size_t content_len = 0;
>+ const char *p = NULL;
>
>- sscanf(data, "Content-Length: %d", &content_len);
>+ /* This is still technically wrong, since headers are case-insensitive
>+ * [RFC 2616, section 4.2], though this ought to catch the normal case.
>+ * Note: data is _not_ nul-terminated.
>+ */
>+ if (data_len > 16) {
>+ p = strncmp(data, "Content-Length: ", 16) == 0? data: NULL;
>+ if (!p) {
>+ p = g_strstr_len(data, data_len, "\nContent-Length: ");
>+ if (p)
>+ p += 1;
>+ }
>+ }
>+
>+ /* If we can find a Content-Length header at all, try to sscanf it.
>+ * Response headers should end with at least \r\n, so sscanf is safe,
>+ * if we make sure that there is indeed a \n in our header.
>+ */
>+ if (p && g_strstr_len(p, data_len - (p - data), "\n")) {
>+ sscanf(p, "Content-Length: %u", (int *)&content_len);
>+ }
>
> return content_len;
> }
>@@ -272,7 +292,18 @@ static void grab_url_callback(gpointer d
>
> /* In with the new. */
> gunk->data_len = content_len;
>- gunk->webdata = g_malloc(gunk->data_len);
>+ gunk->webdata = g_try_malloc(gunk->data_len);
>+ if (gunk->webdata == NULL) {
>+ gaim_debug(GAIM_DEBUG_ERROR, "gaim_url_fetch", "Failed to allocate %u bytes: %s\n", gunk->data_len, strerror(errno));
>+ gaim_input_remove(gunk->inpa);
>+ close(sock);
>+ gunk->callback(gunk->data, NULL, 0);
>+ g_free(gunk->webdata);
>+ g_free(gunk->website);
>+ g_free(gunk->url);
>+ g_free(gunk);
>+ }
>+
> }
> else
> gunk->newline = TRUE;
>Index: gaim-0.67/src/gtkprefs.c
>===================================================================
>--- gaim-0.67.orig/src/gtkprefs.c
>+++ gaim-0.67/src/gtkprefs.c
>@@ -449,7 +449,7 @@ GtkTreePath *theme_refresh_theme_list()
>
> void theme_install_theme(char *path, char *extn) {
> #ifndef _WIN32
>- gchar *command;
>+ gchar *command, *escaped;
> #endif
> gchar *destdir;
> gchar *tail;
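Review bot: `sscanf(p, "Content-Length: %u", (int *)&content_len);` in parse_content_len writes through a `size_t` object as if it were an `int`: where size_t is wider than int only part of the object is stored (the wrong part on big-endian targets), and `%u` expects `unsigned int *`, not `int *`. Parse into a correctly typed temporary and check the conversion: `unsigned int len = 0;` followed by `if (sscanf(p, "Content-Length: %u", &len) == 1) content_len = len;`. The comment's claim that sscanf is safe once a `\n` is present holds only if the implementation does not look for a terminator first, and `data` is stated to be unterminated, so a bounded parse over the remaining `data_len - (p - data)` bytes would be more robust. The value returned is chosen by the server and has no upper limit here.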
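Review bot: The failure branch added to grab_url_callback frees `gunk` and then falls out of the `if` with no `return`, so whatever follows the `else` outside this hunk runs with a dangling pointer if it touches `gunk` again. Add `return;` directly after `g_free(gunk);`. Two smaller points in the same branch: `g_free(gunk->webdata)` always frees NULL at that point, and `%u` matches `gunk->data_len` only if that field is an unsigned int, which the hunk does not show.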
>@@ -469,7 +469,9 @@ void theme_install_theme(char *path, cha
> * other platforms, if need be */
> if (!g_ascii_strcasecmp(tail, ".gz") || !g_ascii_strcasecmp(tail, ".tgz")) {
> #ifndef _WIN32
>- command = g_strdup_printf("tar > /dev/null xzf \"%s\" -C %s", path, destdir);
>+ escaped = g_shell_quote(path);
>+ command = g_strdup_printf("tar > /dev/null xzf %s -C %s", escaped, destdir);
>+ g_free(escaped);
> #else
> if(!wgaim_gz_untar(path, destdir)) {
> g_free(destdir);
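Review bot: Only `path` is quoted in the new `g_strdup_printf("tar > /dev/null xzf %s -C %s", escaped, destdir)`; `destdir` still goes into the command string raw. How `destdir` is built and how `command` is executed are outside the hunk, but if it is derived from the user's directory and handed to a shell, a space or shell metacharacter in that path breaks or alters the command. Quote it the same way, e.g. `escaped_dir = g_shell_quote(destdir);`, pass `escaped_dir` for the second `%s` and free it afterwards; the declaration in the previous hunk would then need `*escaped_dir` too. Running tar through an argv-based spawn instead of a shell string would remove the quoting problem altogether.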