main/pidgin: security fixes #7001

CVE-2017-2640: Out-of-bounds write when stripping xml

2 files changed, 68 insertions, 4 deletions

diff --git a/main/pidgin/APKBUILD b/main/pidgin/APKBUILD
index 79e97e572c..b0ecf4efcd 100644
--- a/main/pidgin/APKBUILD
+++ b/main/pidgin/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=pidgin
 pkgver=2.11.0
-pkgrel=0
+pkgrel=1
 pkgdesc="graphical multi-protocol instant messaging client for X"
 url="http://pidgin.im/"
 arch="all"
@@ -20,8 +21,13 @@ subpackages="$pkgname-dev $pkgname-doc $pkgname-lang
 	"
 source="http://downloads.sourceforge.net/pidgin/pidgin-$pkgver.tar.bz2
 	http://downloads.sourceforge.net/project/pidgin/Pidgin/$pkgver/pidgin-$pkgver.tar.bz2
+	CVE-2017-2640.patch
 	"
 
+# secfixes:
+#   2.11.0-r1:
+#   - CVE-2017-2640
+
 _builddir="$srcdir"/$pkgname-$pkgver
 prepare() {
 	cd "$_builddir"
@@ -110,8 +116,11 @@ _xmpp() {
 }
 
 md5sums="7b167474db669aab2f71fa46835fb83f  pidgin-2.11.0.tar.bz2
-7b167474db669aab2f71fa46835fb83f  pidgin-2.11.0.tar.bz2"
+7b167474db669aab2f71fa46835fb83f  pidgin-2.11.0.tar.bz2
+5f73efce4145ce85cc51f45c49886d9f  CVE-2017-2640.patch"
 sha256sums="f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333  pidgin-2.11.0.tar.bz2
-f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333  pidgin-2.11.0.tar.bz2"
+f72613440586da3bdba6d58e718dce1b2c310adf8946de66d8077823e57b3333  pidgin-2.11.0.tar.bz2
+a3a5a99fb8b94fe4e578aed7415f3190c0c1c8fe0327a94c4248471d9410fd41  CVE-2017-2640.patch"
 sha512sums="d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa  pidgin-2.11.0.tar.bz2
-d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa  pidgin-2.11.0.tar.bz2"
+d6a9bb8075b475e5204d730075b432ca0f1cb91b6337f98e506587132581e6928a826b47e0b94fb9eaedc79c5be0a8237c4671fc26dba97dedad1adb74c9abfa  pidgin-2.11.0.tar.bz2
+94be94ffe2665a4c0870138eeeabba3cf13693877fb7ba751e516b581840b2c6b0111faaab7613d49ae0abbc95e2ccc832c46e44ccadf25dadc521853d1560f9  CVE-2017-2640.patch"
diff --git a/main/pidgin/CVE-2017-2640.patch b/main/pidgin/CVE-2017-2640.patch
new file mode 100644
index 0000000000..158e52fa4b
--- /dev/null
+++ b/main/pidgin/CVE-2017-2640.patch
@@ -0,0 +1,55 @@
+Patch was adjusted to be applied to pidgin 2.11.0
+Original:
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9
+https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9bf6bffcafa156c14a4c7b3640837/raw
+
+# HG changeset patch
+# User Eion Robb <eionrobb@gmail.com>
+# Date 1487624732 0
+# Branch EionRobb/fix-for-crash-when-sending-invalid-xml-e-1487474010880
+# Node ID b2fc9e774cb9bf6bffcafa156c14a4c7b3640837
+# Parent  6745ecd124da91d6711ebab8812247bcd785939a
+Use the more robust entity processing that @dequisdequis came up with
+
+diff --git a/libpurple/util.c b/libpurple/util.c
+--- a/libpurple/util.c
++++ b/libpurple/util.c
+@@ -978,18 +978,29 @@
+ 		pln = "\302\256";      /* or use g_unichar_to_utf8(0xae); */
+ 	else if(IS_ENTITY("&apos;"))
+ 		pln = "\'";
+-	else if(*(text+1) == '#' &&
+-			(sscanf(text, "&#%u%1[;]", &pound, temp) == 2 ||
+-			 sscanf(text, "&#x%x%1[;]", &pound, temp) == 2) &&
+-			pound != 0) {
++	else if(text[1] == '#' && g_ascii_isxdigit(text[2])) {
+ 		static char buf[7];
+-		int buflen = g_unichar_to_utf8((gunichar)pound, buf);
++		const char *start = text + 2;
++		char *end;
++		guint64 pound;
++		int base = 10;
++		int buflen;
++
++		if (*start == 'x') {
++			base = 16;
++			start++;
++		}
++
++		pound = g_ascii_strtoull(start, &end, base);
++		if (pound == 0 || pound > INT_MAX || *end != ';') {
++			return NULL;
++		}
++
++		len = (end - text) + 1;
++
++		buflen = g_unichar_to_utf8((gunichar)pound, buf);
+ 		buf[buflen] = '\0';
+ 		pln = buf;
+-
+-		len = (*(text+2) == 'x' ? 3 : 2);
+-		while(isxdigit((gint) text[len])) len++;
+-		if(text[len] == ';') len++;
+ 	}
+ 	else
+ 		return NULL;