head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.40 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.38 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.36 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.34 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.32 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.30 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.28 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.26 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.24 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.22 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.20 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.18 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.16 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.14 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.12 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.10 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.2.0.8 pkgsrc-2006Q2-base:1.2 pkgsrc-2006Q1:1.2.0.6 pkgsrc-2006Q1-base:1.2 pkgsrc-2005Q4:1.2.0.4 pkgsrc-2005Q4-base:1.2 pkgsrc-2005Q3:1.2.0.2 pkgsrc-2005Q3-base:1.2 pkgsrc-2005Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2005.08.12.17.52.16; author reed; state dead; branches; next 1.1; 1.1 date 2005.08.10.16.13.34; author salo; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2005.08.10.16.13.34; author snj; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2005.08.10.18.28.45; author snj; state Exp; branches; next ; desc @@ 1.2 log @Update to 1.5.0 from maintainer, Matthew Luckie, via PR #30974. "this release of gaim has a few security fixes which mirror the effects of patch-ae patch-af patch-ag" ChangeLog says: version 1.5.0 (8/11/2005): * Ability to set IRC quit message (Lalo Martins) * OSCAR file transfers now work for 2 users behind the same NAT (Jonathan Clark) * Yahoo! buddy requests to add you to their buddy list now prompt for authorization * Added a /clear command for conversations/chats * Fixed ICQ encoding for messages with offline ICQ users (Ilya Konstantinov, SF Bug #1179452) * Default Yahoo! chat roomlist locale to 'us' @ text @$NetBSD: patch-ag,v 1.1 2005/08/10 16:13:34 salo Exp $ Fix for CAN-2005-2102, from RedHat. --- src/protocols/oscar/oscar.c.orig 2005-07-02 18:13:14.000000000 +0200 +++ src/protocols/oscar/oscar.c 2005-08-10 16:37:02.000000000 +0200 @@@@ -3455,7 +3455,18 @@@@ xfer = gaim_xfer_new(gc->account, GAIM_XFER_RECEIVE, userinfo->sn); xfer->remote_ip = g_strdup(args->verifiedip); xfer->remote_port = args->port; - gaim_xfer_set_filename(xfer, args->info.sendfile.filename); + + if (g_utf8_validate(args->info.sendfile.filename, -1, + NULL)) { + gaim_xfer_set_filename(xfer, + args->info.sendfile.filename); + } else { + gchar * utf8_filename = gaim_utf8_salvage( + args->info.sendfile.filename); + gaim_xfer_set_filename(xfer, utf8_filename); + g_free(utf8_filename); + } + gaim_xfer_set_size(xfer, args->info.sendfile.totsize); gaim_xfer_set_message(xfer, message); @ 1.1 log @Security fixes for CAN-2005-2102 and CAN-2005-2103. - An error in the handling of away messages can be exploited to cause a heap-based buffer overflow by sending a specially crafted away message to a user logged into AIM or ICQ. Successful exploitation allows execution of arbitrary code. - An error in the handling of file transfers can be exploited to crash the application by attempting to upload a file with a non-UTF8 filename to a user logged into AIM or ICQ. Patches from RedHat. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ag was added on branch pkgsrc-2005Q2 on 2005-08-10 16:13:34 +0000 @ text @d1 26 @ 1.1.2.2 log @Pullup ticket 672 - requested by Lubomir Sedlacik security fixes for gaim Revisions pulled up: - pkgsrc/chat/gaim/Makefile 1.94 - pkgsrc/chat/gaim/buildlink3.mk 1.7 - pkgsrc/chat/gaim/distinfo 1.68 - pkgsrc/chat/gaim/patches/patch-af 1.1 - pkgsrc/chat/gaim/patches/patch-ag 1.1 Module Name: pkgsrc Committed By: salo Date: Wed Aug 10 16:13:34 UTC 2005 Modified Files: pkgsrc/chat/gaim: Makefile buildlink3.mk distinfo Added Files: pkgsrc/chat/gaim/patches: patch-af patch-ag Log Message: Security fixes for CAN-2005-2102 and CAN-2005-2103. - An error in the handling of away messages can be exploited to cause a heap-based buffer overflow by sending a specially crafted away message to a user logged into AIM or ICQ. Successful exploitation allows execution of arbitrary code. - An error in the handling of file transfers can be exploited to crash the application by attempting to upload a file with a non-UTF8 filename to a user logged into AIM or ICQ. Patches from RedHat. @ text @a0 26 $NetBSD: patch-ag,v 1.1.2.1 2005/08/10 18:28:45 snj Exp $ Fix for CAN-2005-2102, from RedHat. --- src/protocols/oscar/oscar.c.orig 2005-07-02 18:13:14.000000000 +0200 +++ src/protocols/oscar/oscar.c 2005-08-10 16:37:02.000000000 +0200 @@@@ -3455,7 +3455,18 @@@@ xfer = gaim_xfer_new(gc->account, GAIM_XFER_RECEIVE, userinfo->sn); xfer->remote_ip = g_strdup(args->verifiedip); xfer->remote_port = args->port; - gaim_xfer_set_filename(xfer, args->info.sendfile.filename); + + if (g_utf8_validate(args->info.sendfile.filename, -1, + NULL)) { + gaim_xfer_set_filename(xfer, + args->info.sendfile.filename); + } else { + gchar * utf8_filename = gaim_utf8_salvage( + args->info.sendfile.filename); + gaim_xfer_set_filename(xfer, utf8_filename); + g_free(utf8_filename); + } + gaim_xfer_set_size(xfer, args->info.sendfile.totsize); gaim_xfer_set_message(xfer, message); @