2004-10-29 Vijaykumar Patwari <
[email protected]>
* gaim.spec: Update.
* patches/gaim-12-msn-security-fix.diff:
Fixes msn security issues. Fixes bug #5100703.
Patch reviewed and approved by Stephen Browne.
--- a/ChangeLog Fri Oct 29 13:39:47 2004 +0000
+++ b/ChangeLog Fri Oct 29 13:45:49 2004 +0000
@@ -1,3 +1,9 @@
+2004-10-29 Vijaykumar Patwari <[email protected]>
+
+ * gaim.spec: Update.
+ * patches/gaim-12-msn-security-fix.diff:
+ Fixes msn security issues. Fixes bug #5100703.
+
2004-10-29 Narayana Pattipati <[email protected]>
* gnome-vfs.spec: Updated
--- a/gaim.spec Fri Oct 29 13:39:47 2004 +0000
+++ b/gaim.spec Fri Oct 29 13:45:49 2004 +0000
@@ -5,7 +5,7 @@
#
Name: gaim
Version: 0.82.1
-Release: 21
+Release: 22
License: GPL
Group: Applications/Internet
Distribution: Cinnabar
@@ -25,6 +25,7 @@
Patch9: gaim-09-ebook-checks.diff
Patch10: gaim-10-docs.diff
Patch11: gaim-11-sound_errors.diff
+Patch12: gaim-12-msn-security-fix.diff
URL: http://gaim.sourceforge.net/
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Docdir: %{_defaultdocdir}/gaim
@@ -69,6 +70,7 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
%build
%ifos linux
@@ -135,6 +137,9 @@
rm -r $RPM_BUILD_ROOT
%changelog
+* Fri Oct 29 2004 - [email protected]
+- Fixes msn security issues.
+
* Thu Oct 21 2004 - [email protected]
- Added patch #11. Fixes #5101982
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/gaim-12-msn-security-fix.diff Fri Oct 29 13:45:49 2004 +0000
@@ -0,0 +1,75 @@
+--- gaim-0.82.1/src/protocols/msn/slplink.h 2004-06-06 09:12:54.000000000 +0530
++++ gaim-0.82.1-new/src/protocols/msn/slplink.h 2004-10-28 19:47:10.571442704 +0530
+@@ -70,7 +70,7 @@ void msn_slplink_send_slpmsg(MsnSlpLink
+ void msn_slplink_unleash(MsnSlpLink *slplink);
+ void msn_slplink_send_ack(MsnSlpLink *slplink, MsnMessage *msg);
+ void msn_slplink_process_msg(MsnSlpLink *slplink, MsnMessage *msg);
+-MsnSlpMessage *msn_slplink_message_find(MsnSlpLink *slplink, long id);
++MsnSlpMessage *msn_slplink_message_find(MsnSlpLink *slplink, long session_id, long id);
+ void msn_slplink_append_slp_msg(MsnSlpLink *slplink, MsnSlpMessage *slpmsg);
+ void msn_slplink_remove_slp_msg(MsnSlpLink *slplink,
+ MsnSlpMessage *slpmsg);
+--- gaim-0.82.1/src/protocols/msn/slplink.c 2004-08-25 07:15:41.000000000 +0530
++++ gaim-0.82.1-new/src/protocols/msn/slplink.c 2004-10-28 19:57:59.909728280 +0530
+@@ -447,7 +447,6 @@ msn_slplink_process_msg(MsnSlpLink *slpl
+ slpmsg->session_id = msg->msnslp_header.session_id;
+ slpmsg->size = msg->msnslp_header.total_size;
+ slpmsg->flags = msg->msnslp_header.flags;
+- slpmsg->buffer = g_malloc(slpmsg->size);
+
+ if (slpmsg->session_id)
+ {
+@@ -471,10 +470,19 @@ msn_slplink_process_msg(MsnSlpLink *slpl
+ }
+ }
+ }
++ if (!slpmsg->fp)
++ {
++ slpmsg->buffer = g_try_malloc(slpmsg->size);
++ if (slpmsg->buffer == NULL)
++ {
++ gaim_debug_error("msn", "Failed to allocate buffer for slpmsg\n");
++ return;
++ }
++ }
+ }
+ else
+ {
+- slpmsg = msn_slplink_message_find(slplink, msg->msnslp_header.id);
++ slpmsg = msn_slplink_message_find(slplink, msg->msnslp_header.session_id, msg->msnslp_header.id);
+ }
+
+ if (slpmsg != NULL)
+@@ -486,7 +494,13 @@ msn_slplink_process_msg(MsnSlpLink *slpl
+ }
+ else
+ {
+- memcpy(slpmsg->buffer + offset, data, len);
++ if ((offset + len) > slpmsg->size)
++ {
++ gaim_debug_error("msn", "Oversized slpmsg\n");
++ g_return_if_reached();
++ }
++ else
++ memcpy(slpmsg->buffer + offset, data, len);
+ }
+ }
+ else
+@@ -544,7 +558,7 @@ msn_slplink_process_msg(MsnSlpLink *slpl
+ }
+
+ MsnSlpMessage *
+-msn_slplink_message_find(MsnSlpLink *slplink, long id)
++msn_slplink_message_find(MsnSlpLink *slplink, long session_id, long id)
+ {
+ GList *e;
+
+@@ -552,7 +566,7 @@ msn_slplink_message_find(MsnSlpLink *slp
+ {
+ MsnSlpMessage *slpmsg = e->data;
+
+- if (slpmsg->id == id)
++ if ((slpmsg->session_id == session_id) && (slpmsg->id == id))
+ return slpmsg;
+ }
+
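Review bot: The allocation-failure path added after `if (!slpmsg->fp)` returns without releasing slpmsg, which was created above the hunk; if msn_slpmsg_new already linked it into slplink's message list (it does in later gaim trees — confirm here), a following fragment with the same session_id/id is found by the new msn_slplink_message_find and the memcpy below writes to `slpmsg->buffer` (NULL) plus offset, and if it is not linked the struct simply leaks. Destroy it before bailing out, e.g. `msn_slpmsg_destroy(slpmsg); return;` (or whatever this tree's destructor is named). The new guard `(offset + len) > slpmsg->size` also depends on header field types the hunk does not show: if `offset` or `len` are signed, a negative value passes and memcpy writes before the buffer, and a large offset can wrap the sum; `if (offset < 0 || len < 0 || len > slpmsg->size || offset > slpmsg->size - len)` avoids both. Note also that g_try_malloc(0) returns NULL, so a message with total_size 0 and no fp now takes the failure path. msn_slplink_process_msg begins before this hunk.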