CVE-2017-2640: Out-of-bounds write when stripping xml
---
main/pidgin/APKBUILD | 17 ++++++++++---
main/pidgin/CVE-2017-2640.patch | 55 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 68 insertions(+), 4 deletions(-)
create mode 100644 main/pidgin/CVE-2017-2640.patch
diff --git a/main/pidgin/APKBUILD b/main/pidgin/APKBUILD
index 79e97e572c..b0ecf4efcd 100644
--- a/main/pidgin/APKBUILD
+++ b/main/pidgin/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=pidgin
pkgver=2.11.0
-pkgrel=0
+pkgrel=1
pkgdesc="graphical multi-protocol instant messaging client for X"
url="http://pidgin.im/"
arch="all"
@@ -20,8 +21,13 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang
"
source="http://downloads.sourceforge.net/pidgin/pidgin-$pkgver.tar.bz2
http://downloads.sourceforge.net/project/pidgin/Pidgin/$pkgver/pidgin-$pkgver.tar.bz2
+ CVE-2017-2640.patch
"
+# secfixes:
+# 2.11.0-r1:
+# - CVE-2017-2640
+
_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
@@ -110,8 +116,11 @@ _xmpp() {
}
md5sums="7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2
-7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2"
+7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2
+5f73efce4145ce85cc51f45c49886d9f CVE-2017-2640.patch"
sha256sums="f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2
-f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2"
+f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2
+a3a5a99fb8b94fe4e578aed7415f3190c0c1c8fe0327a94c4248471d9410fd41 CVE-2017-2640.patch"
sha512sums="d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2
-d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2"
+d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2
+94be94ffe2665a4c0870138eeeabba3cf13693877fb7ba751e516b581840b2c6b0111faaab7613d49ae0abbc95e2ccc832c46e44ccadf25dadc521853d1560f9 CVE-2017-2640.patch"
diff --git a/main/pidgin/CVE-2017-2640.patch b/main/pidgin/CVE-2017-2640.patch
new file mode 100644
index 0000000000..158e52fa4b
--- /dev/null
+++ b/main/pidgin/CVE-2017-2640.patch
@@ -0,0 +1,55 @@
+Patch was adjusted to be applied to pidgin 2.11.0
+Original:
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9bf6bffcafa156c14a4c7b3640837/raw
+
+# HG changeset patch
+# User Eion Robb <eionrobb@gmail.com>
+# Date 1487624732 0
+# Branch EionRobb/fix-for-crash-when-sending-invalid-xml-e-1487474010880
+# Node ID b2fc9e774cb9bf6bffcafa156c14a4c7b3640837
+# Parent 6745ecd124da91d6711ebab8812247bcd785939a
+Use the more robust entity processing that @dequisdequis came up with
+
+diff --git a/libpurple/util.c b/libpurple/util.c
+--- a/libpurple/util.c
++++ b/libpurple/util.c
+@@ -978,18 +978,29 @@
+ pln = "\302\256"; /* or use g_unichar_to_utf8(0xae); */
+ else if(IS_ENTITY("'"))
+ pln = "\'";
+- else if(*(text+1) == '#' &&
+- (sscanf(text, "&#%u%1[;]", £, temp) == 2 ||
+- sscanf(text, "&#x%x%1[;]", £, temp) == 2) &&
+- pound != 0) {
++ else if(text[1] == '#' && g_ascii_isxdigit(text[2])) {
+ static char buf[7];
+- int buflen = g_unichar_to_utf8((gunichar)pound, buf);
++ const char *start = text + 2;
++ char *end;
++ guint64 pound;
++ int base = 10;
++ int buflen;
++
++ if (*start == 'x') {
++ base = 16;
++ start++;
++ }
++
++ pound = g_ascii_strtoull(start, &end, base);
++ if (pound == 0 || pound > INT_MAX || *end != ';') {
++ return NULL;
++ }
++
++ len = (end - text) + 1;
++
++ buflen = g_unichar_to_utf8((gunichar)pound, buf);
+ buf[buflen] = '\0';
+ pln = buf;
+-
+- len = (*(text+2) == 'x' ? 3 : 2);
+- while(isxdigit((gint) text[len])) len++;
+- if(text[len] == ';') len++;
+ }
+ else
+ return NULL;
--
2.11.1
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---