r36866 - in /desktop/unstable/ekiga/debian: changelog patches/series patches/validate-utf8-strings.patch

sebastien at users.alioth.debian.org sebastien at users.alioth.debian.org
Mon Mar 4 21:59:21 UTC 2013


Author: sebastien
Date: Mon Mar  4 21:59:20 2013
New Revision: 36866

URL: http://svn.debian.org/wsvn/pkg-gnome/?sc=1&rev=36866
Log:
* Team upload.
* debian/patches/validate-utf8-strings.patch: new patch, fixes crash
  when the other party's names are not UTF-8 valid (CVE-2012-5621).
  (Closes: #702282)


Added:
    desktop/unstable/ekiga/debian/patches/validate-utf8-strings.patch
Modified:
    desktop/unstable/ekiga/debian/changelog
    desktop/unstable/ekiga/debian/patches/series

Modified: desktop/unstable/ekiga/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/ekiga/debian/changelog?rev=36866&op=diff
==============================================================================
--- desktop/unstable/ekiga/debian/changelog [utf-8] (original)
+++ desktop/unstable/ekiga/debian/changelog [utf-8] Mon Mar  4 21:59:20 2013
@@ -1,3 +1,12 @@
+ekiga (3.2.7-6) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches/validate-utf8-strings.patch: new patch, fixes crash
+    when the other party's names are not UTF-8 valid (CVE-2012-5621).
+    (Closes: #702282)
+
+ -- Sébastien Villemot <sebastien at debian.org>  Mon, 04 Mar 2013 22:38:45 +0100
+
 ekiga (3.2.7-5) unstable; urgency=high
 
   * ACK NMUs - thanks to Hector and Mehdi for their work!

Modified: desktop/unstable/ekiga/debian/patches/series
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/ekiga/debian/patches/series?rev=36866&op=diff
==============================================================================
--- desktop/unstable/ekiga/debian/patches/series [utf-8] (original)
+++ desktop/unstable/ekiga/debian/patches/series [utf-8] Mon Mar  4 21:59:20 2013
@@ -2,3 +2,4 @@
 fix-linux-gnueabihf-build.patch
 opal310.patch
 gcc47.patch
+validate-utf8-strings.patch

Added: desktop/unstable/ekiga/debian/patches/validate-utf8-strings.patch
URL: http://svn.debian.org/wsvn/pkg-gnome/desktop/unstable/ekiga/debian/patches/validate-utf8-strings.patch?rev=36866&op=file
==============================================================================
--- desktop/unstable/ekiga/debian/patches/validate-utf8-strings.patch (added)
+++ desktop/unstable/ekiga/debian/patches/validate-utf8-strings.patch [utf-8] Mon Mar  4 21:59:20 2013
@@ -1,0 +1,40 @@
+Description: Fix crash when the other party's names are not UTF-8 valid
+ CVE-2012-5621: a remote attacker (other party with an invalid UTF-8 valid name)
+ could use this flaw to cause ekiga executable crash.
+Origin: backport, http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=653009
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702282
+Last-Update: 2013-03-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/engine/components/opal/opal-call.cpp
++++ b/lib/engine/components/opal/opal-call.cpp
+@@ -282,6 +282,17 @@
+   return outgoing; 
+ }
+ 
++// if the parameter is not valid utf8, remove from it all the chars
++//   after the first invalid utf8 char, so that it becomes valid utf8
++static void
++make_valid_utf8 (string & str)
++{
++  const char *pos;
++  if (!g_utf8_validate (str.c_str(), -1, &pos)) {
++    PTRACE (4, "Ekiga\tTrimming invalid UTF-8 string: " << str.c_str());
++    str = str.substr (0, pos - str.c_str()).append ("...");
++  }
++}
+ 
+ void
+ Opal::Call::parse_info (OpalConnection & connection)
+@@ -316,6 +327,10 @@
+     if (!app.empty ())
+       remote_application = app;
+ 
++    make_valid_utf8 (remote_party_name);
++    make_valid_utf8 (remote_application);
++    make_valid_utf8 (remote_uri);
++
+     strip_special_chars (remote_party_name, end_special_chars, false);
+     strip_special_chars (remote_application, end_special_chars, false);
+     strip_special_chars (remote_uri, end_special_chars, false);
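Review bot: In make_valid_utf8, `g_utf8_validate (str.c_str(), -1, &pos)` stops at the first NUL byte, so a std::string that carries an embedded NUL followed by invalid bytes is reported valid and passes through untrimmed. Passing the explicit length, `g_utf8_validate (str.c_str(), str.length (), &pos)`, makes GLib check every byte of the string and also reject embedded NULs. The PTRACE line in the same function writes the untrimmed string, invalid bytes included, to the trace output; logging the trimmed result or the offset `pos - str.c_str()` would keep the log itself valid UTF-8. In the second inner hunk the three make_valid_utf8 calls run before strip_special_chars, whose body is not visible here, so it is worth confirming that it cannot cut inside a multi-byte sequence and undo the validation. The DEP-3 description also reads "an invalid UTF-8 valid name", which looks like a leftover word.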



