# HG changeset patch # User vijay # Date 1099057549 0 # Node ID 9f3f4ab3575f20be6fd1c4db1ccf90e797484784 # Parent 99180b1f375ea00f75573958cacf4419de7c2745 2004-10-29 Vijaykumar Patwari * gaim.spec: Update. * patches/gaim-12-msn-security-fix.diff: Fixes msn security issues. Fixes bug #5100703. Patch reviewed and approved by Stephen Browne. diff -r 99180b1f375e -r 9f3f4ab3575f ChangeLog --- a/ChangeLog Fri Oct 29 13:39:47 2004 +0000 +++ b/ChangeLog Fri Oct 29 13:45:49 2004 +0000 @@ -1,3 +1,9 @@ +2004-10-29 Vijaykumar Patwari + + * gaim.spec: Update. + * patches/gaim-12-msn-security-fix.diff: + Fixes msn security issues. Fixes bug #5100703. + 2004-10-29 Narayana Pattipati * gnome-vfs.spec: Updated diff -r 99180b1f375e -r 9f3f4ab3575f gaim.spec --- a/gaim.spec Fri Oct 29 13:39:47 2004 +0000 +++ b/gaim.spec Fri Oct 29 13:45:49 2004 +0000 @@ -5,7 +5,7 @@ # Name: gaim Version: 0.82.1 -Release: 21 +Release: 22 License: GPL Group: Applications/Internet Distribution: Cinnabar @@ -25,6 +25,7 @@ Patch9: gaim-09-ebook-checks.diff Patch10: gaim-10-docs.diff Patch11: gaim-11-sound_errors.diff +Patch12: gaim-12-msn-security-fix.diff URL: http://gaim.sourceforge.net/ BuildRoot: %{_tmppath}/%{name}-%{version}-build Docdir: %{_defaultdocdir}/gaim @@ -69,6 +70,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 %build %ifos linux @@ -135,6 +137,9 @@ rm -r $RPM_BUILD_ROOT %changelog +* Fri Oct 29 2004 - vijaykumar.patwari@wipro.com +- Fixes msn security issues. + * Thu Oct 21 2004 - alvaro.lopez@sun.com - Added patch #11. Fixes #5101982 diff -r 99180b1f375e -r 9f3f4ab3575f patches/gaim-12-msn-security-fix.diff --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/gaim-12-msn-security-fix.diff Fri Oct 29 13:45:49 2004 +0000 
@@ -0,0 +1,75 @@ +--- gaim-0.82.1/src/protocols/msn/slplink.h 2004-06-06 09:12:54.000000000 +0530 ++++ gaim-0.82.1-new/src/protocols/msn/slplink.h 2004-10-28 19:47:10.571442704 +0530 +@@ -70,7 +70,7 @@ void msn_slplink_send_slpmsg(MsnSlpLink + void msn_slplink_unleash(MsnSlpLink *slplink); + void msn_slplink_send_ack(MsnSlpLink *slplink, MsnMessage *msg); + void msn_slplink_process_msg(MsnSlpLink *slplink, MsnMessage *msg); +-MsnSlpMessage *msn_slplink_message_find(MsnSlpLink *slplink, long id); ++MsnSlpMessage *msn_slplink_message_find(MsnSlpLink *slplink, long session_id, long id); + void msn_slplink_append_slp_msg(MsnSlpLink *slplink, MsnSlpMessage *slpmsg); + void msn_slplink_remove_slp_msg(MsnSlpLink *slplink, + MsnSlpMessage *slpmsg); +--- gaim-0.82.1/src/protocols/msn/slplink.c 2004-08-25 07:15:41.000000000 +0530 ++++ gaim-0.82.1-new/src/protocols/msn/slplink.c 2004-10-28 19:57:59.909728280 +0530 +@@ -447,7 +447,6 @@ msn_slplink_process_msg(MsnSlpLink *slpl + slpmsg->session_id = msg->msnslp_header.session_id; + slpmsg->size = msg->msnslp_header.total_size; + slpmsg->flags = msg->msnslp_header.flags; +- slpmsg->buffer = g_malloc(slpmsg->size); + + if (slpmsg->session_id) + { +@@ -471,10 +470,19 @@ msn_slplink_process_msg(MsnSlpLink *slpl + } + } + } ++ if (!slpmsg->fp) ++ { ++ slpmsg->buffer = g_try_malloc(slpmsg->size); ++ if (slpmsg->buffer == NULL) ++ { ++ gaim_debug_error("msn", "Failed to allocate buffer for slpmsg\n"); ++ return; ++ } ++ } + } + else + { +- slpmsg = msn_slplink_message_find(slplink, msg->msnslp_header.id); ++ slpmsg = msn_slplink_message_find(slplink, msg->msnslp_header.session_id, msg->msnslp_header.id); + } + + if (slpmsg != NULL) +@@ -486,7 +494,13 @@ msn_slplink_process_msg(MsnSlpLink *slpl + } + else + { +- memcpy(slpmsg->buffer + offset, data, len); ++ if ((offset + len) > slpmsg->size) ++ { ++ gaim_debug_error("msn", "Oversized slpmsg\n"); ++ g_return_if_reached(); ++ } ++ else ++ memcpy(slpmsg->buffer + offset, data, len); + } 
+ } + else +@@ -544,7 +558,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl + } + + MsnSlpMessage * +-msn_slplink_message_find(MsnSlpLink *slplink, long id) ++msn_slplink_message_find(MsnSlpLink *slplink, long session_id, long id) + { + GList *e; + +@@ -552,7 +566,7 @@ msn_slplink_message_find(MsnSlpLink *slp + { + MsnSlpMessage *slpmsg = e->data; + +- if (slpmsg->id == id) ++ if ((slpmsg->session_id == session_id) && (slpmsg->id == id)) + return slpmsg; + } +
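Review bot: the gaim.spec %changelog entry "- Fixes msn security issues." omits the bug id and the patch number, while the ChangeLog hunk in the same commit records "Fixes bug #5100703"; match the existing entry format ("- Added patch #11. Fixes #5101982") with something like "- Added patch #12. Fixes msn security issues. Fixes #5100703" so the spec history is traceable on its own.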
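Review bot: changing the prototype of msn_slplink_message_find in slplink.h to take a session_id means every caller must be updated; the only call site visible in this patch is in msn_slplink_process_msg (updated in the slplink.c hunk at -471), so check the rest of src/protocols/msn for other callers before building. The new parameter is declared `long session_id`; the types of msnslp_header.session_id and of the MsnSlpMessage session_id field are not shown here, so confirm they agree to avoid truncation in the comparison.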
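Review bot: removing the unconditional `slpmsg->buffer = g_malloc(slpmsg->size);` is the core of the fix: slpmsg->size is assigned from msg->msnslp_header.total_size one line earlier, i.e. from a peer-supplied value, and g_malloc aborts the process when the allocation fails, so a hostile total_size was a remote crash; moving the allocation to g_try_malloc in the following hunk is the right call. Consider also rejecting a total_size above a protocol-reasonable cap before allocating, since the code still lets the peer choose the buffer size.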
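Review bot: two issues in the new `if (!slpmsg->fp)` block. First, g_try_malloc(0) returns NULL, so a message with total_size 0 and no fp is now logged as "Failed to allocate buffer for slpmsg" and dropped by the early return; confirm no legitimate zero-size message reaches this path, or special-case size == 0. Second, the early `return;` leaves slpmsg allocated with buffer == NULL; whether slpmsg has already been appended to the slplink's message list is not visible in this hunk, but if it has, a later fragment found via msn_slplink_message_find would reach the memcpy in the next hunk with a NULL buffer, so either remove and free slpmsg here or guard on slpmsg->buffer in the copy path.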
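Review bot: the bounds check `if ((offset + len) > slpmsg->size)` is computed as a sum, and offset comes from the peer's header (the types of offset and len are not shown in this hunk); if they are wide enough the addition can wrap and pass the check, so prefer the non-overflowing form `if (offset > slpmsg->size || len > slpmsg->size - offset)`. Also, `gaim_debug_error("msn", "Oversized slpmsg\n");` followed by `g_return_if_reached();` logs the same event twice; one of the two is enough. Style: the `else memcpy(...)` without braces is inconsistent with the braced blocks around it, and the else is redundant after the return.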
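Review bot: matching on `(slpmsg->session_id == session_id) && (slpmsg->id == id)` instead of id alone is consistent with the assignment `slpmsg->session_id = msg->msnslp_header.session_id` visible in the -447 hunk, so a fragment is only attached to a message from the same session. Session-less messages (session_id 0) still collide by id alone, which is the previous behaviour; a short comment on that in the function body would save the next reader a trip through the header parsing.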