X-Original-To: alpine-aports@lists.alpinelinux.org Received: from mail-lf0-f66.google.com (mail-lf0-f66.google.com [209.85.215.66]) by lists.alpinelinux.org (Postfix) with ESMTP id 8C6C15C524B for ; Mon, 3 Apr 2017 11:07:43 +0000 (GMT) Received: by mail-lf0-f66.google.com with SMTP id v2so12522759lfi.2 for ; Mon, 03 Apr 2017 04:07:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=xVlWBM0YjowVBHxvoy5PgIgqfmC5z9yr1hXbO1gd4ic=; b=MWTDhQ+GPuQ2DfA/rd7AslNh4P3Deb7lwMTkB7sZaSNfZPYd9l8WzGT03IXHJKGWlL 5PIrFBUf0wSbB+Cy5LDSh8LhsvkjZIRTh2YS6sLEKMzwbn2aI6nWkuQKiY5nMjnlHeO7 3O8o9ZXsk/AwLOFmyuY36A46vC6SSCtT1gFC7bpk/lnGRK/4WIUVDlNq7bKL1OjfcALe NGNsRcLXkS7nMvqTA7YDAHdmgVC9uK3NhXhlHO8lQYg49mnu8Qy9gPLFTDGDfBioUByg anS6aGdXl40fbQCW21k4/pVZh8KKrAturWBT7qGSxuQz2e0RZijg6/x4pwmULW2gmWEi PvXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=xVlWBM0YjowVBHxvoy5PgIgqfmC5z9yr1hXbO1gd4ic=; b=Xt71tTfoosPc3DYcKp0mLm3tqA7Du2csg+lFvjO1oL0HXkdqFwGGxBuRZYXXQVMjhV xC0siOja3rxYSF9FZFdbmcNe1qGDCBVcaLdmv1gt0M2yEmbFXnbhkV9ACHHlOzmiVSy6 +GW/hBxZlRiwQ5YbGLr3dTZdMRxBi4w8+QYL6rMy1x20QjqRvA5GJ7lQJHHTJv8NR4NP dVaW2WPJKkY6FAtYuAgeNH0yfz0kUtgOmCTOp9No3oHVUJlN4TMNdlxGJMv5RwDVxX4C k+2Z+vSIqsTGzRPtdZjKgwyy94uEFykOoe3G8W5gosUy6W6cQw+v90fnSuQBeMarvYqq gkIQ== X-Gm-Message-State: AFeK/H09mx+MYAgcCrR4mSSYnC2JMfF1EGhj/0AF40Njq8sV2voWThy8rx9aM7Oi/u3b8g== X-Received: by 10.25.234.219 with SMTP id y88mr5034255lfi.35.1491217662629; Mon, 03 Apr 2017 04:07:42 -0700 (PDT) Received: from v3-5.util.wtbts.net ([83.145.235.199]) by smtp.gmail.com with ESMTPSA id 30sm2471473lju.53.2017.04.03.04.07.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 03 Apr 2017 04:07:41 -0700 (PDT) 
From: Sergei Lukin
To: alpine-aports@lists.alpinelinux.org
Cc: Sergei Lukin
Subject: [alpine-aports] [PATCH v3.5] main/pidgin: security fixes #7001
Date: Mon, 3 Apr 2017 11:07:31 +0000
Message-Id: <20170403110731.13786-1-sergej.lukin@gmail.com>
X-Mailer: git-send-email 2.11.1
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development
List-Unsubscribe:
List-Post:
List-Help:
List-Subscribe:
CVE-2017-2640: Out-of-bounds write when stripping xml
---
 main/pidgin/APKBUILD | 17 ++++++++++---
 main/pidgin/CVE-2017-2640.patch | 55 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 4 deletions(-)
 create mode 100644 main/pidgin/CVE-2017-2640.patch
diff --git a/main/pidgin/APKBUILD b/main/pidgin/APKBUILD
index 79e97e572c..b0ecf4efcd 100644
--- a/main/pidgin/APKBUILD
+++ b/main/pidgin/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin
 # Maintainer: Natanael Copa
 pkgname=pidgin
 pkgver=2.11.0
-pkgrel=0
+pkgrel=1
 pkgdesc="graphical multi-protocol instant messaging client for X"
 url="http://pidgin.im/"
 arch="all"
@@ -20,8 +21,13 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang
 "
 source="http://downloads.sourceforge.net/pidgin/pidgin-$pkgver.tar.bz2
 http://downloads.sourceforge.net/project/pidgin/Pidgin/$pkgver/pidgin-$pkgver.tar.bz2
+ CVE-2017-2640.patch
 "
+# secfixes:
+# 2.11.0-r1:
+# - CVE-2017-2640
+
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 cd "$_builddir"
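Review bot: Nothing in this hunk shows `CVE-2017-2640.patch` being applied; listing it in `source=` only makes it a fetched and checksummed input, and `prepare()` is cut off right after `cd "$_builddir"`. If the rest of `prepare()` does not already iterate over the `*.patch` entries of `$source`, the package would ship as r1 and be recorded under `# secfixes:` while still building the unpatched `libpurple/util.c`. Please confirm the existing body applies patches, or add an explicit step such as `patch -p1 -i "$srcdir"/CVE-2017-2640.patch || return 1`. A build-log check that the patch name appears during prepare is a cheap way to verify this before the secfixes entry is trusted.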
@@ -110,8 +116,11 @@ _xmpp() {
 }
 md5sums="7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2
-7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2"
+7b167474db669aab2f71fa46835fb83f pidgin-2.11.0.tar.bz2
+5f73efce4145ce85cc51f45c49886d9f CVE-2017-2640.patch"
 sha256sums="f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2
-f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2"
+f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333 pidgin-2.11.0.tar.bz2
+a3a5a99fb8b94fe4e578aed7415f3190c0c1c8fe0327a94c4248471d9410fd41 CVE-2017-2640.patch"
 sha512sums="d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2
-d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2"
+d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa pidgin-2.11.0.tar.bz2
+94be94ffe2665a4c0870138eeeabba3cf13693877fb7ba751e516b581840b2c6b0111faaab7613d49ae0abbc95e2ccc832c46e44ccadf25dadc521853d1560f9 CVE-2017-2640.patch"
diff --git a/main/pidgin/CVE-2017-2640.patch b/main/pidgin/CVE-2017-2640.patch
new file mode 100644
index 0000000000..158e52fa4b
--- /dev/null
+++ b/main/pidgin/CVE-2017-2640.patch
@@ -0,0 +1,55 @@
+Patch was adjusted to be applied to pidgin 2.11.0
+Original:
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9bf6bffcafa156c14a4c7b3640837/raw
+
+# HG changeset patch
+# User Eion Robb
+# Date 1487624732 0
+# Branch EionRobb/fix-for-crash-when-sending-invalid-xml-e-1487474010880
+# Node ID b2fc9e774cb9bf6bffcafa156c14a4c7b3640837
+# Parent 6745ecd124da91d6711ebab8812247bcd785939a
+Use the more robust entity processing that @dequisdequis came up with
+
+diff --git a/libpurple/util.c b/libpurple/util.c
+--- a/libpurple/util.c
++++ b/libpurple/util.c
+@@ -978,18 +978,29 @@
+ pln = "\302\256"; /* or use g_unichar_to_utf8(0xae); */
+ else if(IS_ENTITY("'"))
+ pln = "\'";
+- else if(*(text+1) == '#' &&
+- (sscanf(text, "&#%u%1[;]", £, temp) == 2 ||
+- sscanf(text, "&#x%x%1[;]", £, temp) == 2) &&
+- pound != 0) {
++ else if(text[1] == '#' && g_ascii_isxdigit(text[2])) {
+ static char buf[7];
+- int buflen = g_unichar_to_utf8((gunichar)pound, buf);
++ const char *start = text + 2;
++ char *end;
++ guint64 pound;
++ int base = 10;
++ int buflen;
++
++ if (*start == 'x') {
++ base = 16;
++ start++;
++ }
++
++ pound = g_ascii_strtoull(start, &end, base);
++ if (pound == 0 || pound > INT_MAX || *end != ';') {
++ return NULL;
++ }
++
++ len = (end - text) + 1;
++
++ buflen = g_unichar_to_utf8((gunichar)pound, buf);
+ buf[buflen] = '\0';
+ pln = buf;
+-
+- len = (*(text+2) == 'x' ? 3 : 2);
+- while(isxdigit((gint) text[len])) len++;
+- if(text[len] == ';') len++;
+ }
+ else
+ return NULL;
--
2.11.1
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---
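Review bot: The new guard `text[1] == '#' && g_ascii_isxdigit(text[2])` can never match a hexadecimal reference, because in input such as `&#x41;` the character at `text[2]` is `x`, which is not a hex digit; the `if (*start == 'x')` branch is therefore unreachable and such input falls through to the final `return NULL`. That fails closed, and `len = (end - text) + 1` is now tied to the bytes actually parsed, so the out-of-bounds fix itself holds, but hex entities the removed `sscanf(text, "&#x%x%1[;]", ...)` path accepted are silently dropped. Widening the guard restores them without weakening the check: `else if(text[1] == '#' && (g_ascii_isxdigit(text[2]) || text[2] == 'x')) {`. Separately, `pound > INT_MAX` still lets surrogates and values above U+10FFFF reach `g_unichar_to_utf8`; `buf[7]` is large enough for the result, but adding `|| !g_unichar_validate((gunichar)pound)` to the reject condition would keep invalid code points out of the returned string. The enclosing function starts and ends outside this hunk, so callers' handling of the NULL return could not be checked here.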