# HG changeset patch # User Mark Doliner # Date 1266480658 0 # Node ID cece09dbb119aef1d0ff41186346d422e256231b # Parent 46abe1203e0bdab585cd3e3e457e4ee88071d238# Parent 4e42f18df200b531b1ea1f69404d92ae80553cb9 merge of 'e9d34ab5e47f22b35fd2d69d61a2c943cc0653db' and 'fc3d5c2a3920e0875ac235415cea9fc7f5ed780c' diff -r 46abe1203e0b -r cece09dbb119 ChangeLog --- a/ChangeLog Thu Feb 18 06:20:55 2010 +0000 +++ b/ChangeLog Thu Feb 18 08:10:58 2010 +0000 @@ -1,6 +1,6 @@ Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul -version 2.6.6 (??/??/20??): +version 2.6.6 (02/18/2010): libpurple: * Fix 'make check' on OS X. (David Fang) * Fix a quirk in purple_markup_html_to_xhtml that caused some messages @@ -26,6 +26,8 @@ Previously only icons between 48x48 and 50x50 were allowed. MSN: + * Fix CVE-2010-0277, a possible remote crash when parsing an incoming + SLP message. (Discovered by Fabian Yamaguchi) * File transfer requests will no longer cause a crash if you delete the file before the other side accepts. * Received files will no longer hold an extra lock after completion, @@ -73,6 +75,8 @@ Mohta) Pidgin: + * Fix CVE-2010-0423, a denial of service attack due to the parsing + of large numbers of smileys. (Discovered by Antti Hayrynen) * Correctly size conversation and status box entries when the interior-focus style property is diabled. (Gabriel Schulhof) * Correctly handle a multiline text field being required in a @@ -102,6 +106,8 @@ descriptions not to be displayed in the theme selector. Finch: + * Fix CVE-2010-0420, a possible remote crash when handling chat room + buddy names. * Rebindable 'move-first' and 'move-last' actions for tree widgets. So it is possible to jump to the first or last entry in the buddy list (and other such lists) by pressing home or end key (defaults) diff -r 46abe1203e0b -r cece09dbb119 ChangeLog.API --- a/ChangeLog.API Thu Feb 18 06:20:55 2010 +0000 +++ b/ChangeLog.API Thu Feb 18 08:10:58 2010 +0000 
@@ -1,6 +1,6 @@ Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul -version 2.6.6 (??/??/2010): +version 2.6.6 (02/18/2010): libpurple: Changed: * purple_xfer_cancel_local is now called instead of diff -r 46abe1203e0b -r cece09dbb119 ChangeLog.win32 --- a/ChangeLog.win32 Thu Feb 18 06:20:55 2010 +0000 +++ b/ChangeLog.win32 Thu Feb 18 08:10:58 2010 +0000 @@ -1,5 +1,5 @@ -version 2.6.6 (??/??/2010): +version 2.6.6 (02/18/2010): * Installer translations for: Norwegian nynorsk version 2.6.5 (01/08/2010): diff -r 46abe1203e0b -r cece09dbb119 NEWS --- a/NEWS Thu Feb 18 06:20:55 2010 +0000 +++ b/NEWS Thu Feb 18 08:10:58 2010 +0000 @@ -2,7 +2,9 @@ Our development blog is available at: http://planet.pidgin.im -2.6.6 (??/??/2010): +2.6.6 (02/18/2010): + Mark: This release includes some great little changes and fixes a few + security-related bugs. See the ChangeLog for details. 2.6.5 (01/08/2010): Paul: This release fixes a pretty serious bug in the MSN code, so we're diff -r 46abe1203e0b -r cece09dbb119 configure.ac --- a/configure.ac Thu Feb 18 06:20:55 2010 +0000 +++ b/configure.ac Thu Feb 18 08:10:58 2010 +0000 @@ -47,7 +47,7 @@ m4_define([purple_major_version], [2]) m4_define([purple_minor_version], [6]) m4_define([purple_micro_version], [6]) -m4_define([purple_version_suffix], [devel]) +m4_define([purple_version_suffix], []) m4_define([purple_version], [purple_major_version.purple_minor_version.purple_micro_version]) m4_define([purple_display_version], purple_version[]m4_ifdef([purple_version_suffix],[purple_version_suffix])) 
@@ -56,7 +56,7 @@ m4_define([gnt_major_version], [2]) m4_define([gnt_minor_version], [6]) m4_define([gnt_micro_version], [6]) -m4_define([gnt_version_suffix], [devel]) +m4_define([gnt_version_suffix], []) m4_define([gnt_version], [gnt_major_version.gnt_minor_version.gnt_micro_version]) m4_define([gnt_display_version], gnt_version[]m4_ifdef([gnt_version_suffix],[gnt_version_suffix])) diff -r 46abe1203e0b -r cece09dbb119 finch/libgnt/gnttree.c --- a/finch/libgnt/gnttree.c Thu Feb 18 06:20:55 2010 +0000 +++ b/finch/libgnt/gnttree.c Thu Feb 18 08:10:58 2010 +0000 @@ -1346,6 +1346,10 @@ { GntTreeRow *pr = NULL; + if (g_hash_table_lookup(tree->hash, key)) { + gnt_tree_remove(tree, key); + } + row->tree = tree; row->key = key; row->data = NULL; diff -r 46abe1203e0b -r cece09dbb119 libpurple/protocols/msn/slp.c --- a/libpurple/protocols/msn/slp.c Thu Feb 18 06:20:55 2010 +0000 +++ b/libpurple/protocols/msn/slp.c Thu Feb 18 08:10:58 2010 +0000 @@ -741,11 +741,10 @@ if (!strncmp(body, "INVITE", strlen("INVITE"))) { char *branch; + char *call_id; char *content; char *content_type; - slpcall = msn_slpcall_new(slplink); - /* From: */ #if 0 slpcall->remote_user = get_token(body, "From: \r\n"); @@ -753,7 +752,7 @@ branch = get_token(body, ";branch={", "}"); - slpcall->id = get_token(body, "Call-ID: {", "}"); + call_id = get_token(body, "Call-ID: {", "}"); #if 0 long content_len = -1; @@ -767,13 +766,15 @@ content = get_token(body, "\r\n\r\n", NULL); - if (branch && content_type && content) + if (branch && call_id && content_type && content) { + slpcall = msn_slpcall_new(slplink); + slpcall->id = call_id; got_invite(slpcall, branch, content_type, content); } else { - msn_slpcall_destroy(slpcall); + g_free(call_id); slpcall = NULL; } diff -r 46abe1203e0b -r cece09dbb119 libpurple/protocols/msn/slpcall.c --- a/libpurple/protocols/msn/slpcall.c Thu Feb 18 06:20:55 2010 +0000 +++ b/libpurple/protocols/msn/slpcall.c Thu Feb 18 08:10:58 2010 +0000 
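Review bot: In the gnttree.c hunk the new `gnt_tree_remove(tree, key)` runs before `row->key = key` is stored, which is the right order, but its safety rests on `tree->hash` not owning its keys: if the table was created with a key-destroy function, removing the old row would free the very `key` pointer that is written into `row->key` two lines later. The table's construction is outside this hunk, so that is worth confirming rather than assuming. A one-line comment would also tell the next reader why a lookup precedes an insert, e.g. `/* A key maps to exactly one row; replace any existing row rather than add a second one. */`. The enclosing function begins before the hunk.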
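Review bot: In the third slp.c hunk `slpcall->id = call_id;` hands ownership of the freshly allocated `call_id` to the call while the `else` branch frees it, and that asymmetry deserves a comment so nobody later adds a `g_free(call_id)` after `got_invite()`, e.g. `slpcall->id = call_id; /* the slpcall now owns call_id */`. Deferring `msn_slpcall_new()` until every token has been parsed is the right shape for this fix: the removed lines show that a malformed INVITE previously went through construction and then `msn_slpcall_destroy()` of a call object before any validation had happened. Whether `branch`, `content_type` and `content` are released on both paths is decided outside the hunk, so I have not checked it here. The enclosing function begins before the first hunk and ends after the third.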
@@ -199,7 +199,7 @@ slpcall = NULL; body = slpmsg->buffer; - body_len = slpmsg->size; + body_len = slpmsg->offset; if (slpmsg->flags == 0x0 || slpmsg->flags == 0x1000000) { diff -r 46abe1203e0b -r cece09dbb119 libpurple/protocols/msn/slplink.c --- a/libpurple/protocols/msn/slplink.c Thu Feb 18 06:20:55 2010 +0000 +++ b/libpurple/protocols/msn/slplink.c Thu Feb 18 08:10:58 2010 +0000 @@ -585,15 +585,16 @@ } else if (slpmsg->size && slpmsg->buffer) { - if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size) + if (G_MAXSIZE - len < offset || (offset + len) > slpmsg->size || slpmsg->offset != offset) { purple_debug_error("msn", "Oversized slpmsg - msgsize=%lld offset=%" G_GUINT64_FORMAT " len=%" G_GSIZE_FORMAT "\n", slpmsg->size, offset, len); g_return_if_reached(); + } else { + memcpy(slpmsg->buffer + offset, data, len); + slpmsg->offset += len; } - else - memcpy(slpmsg->buffer + offset, data, len); } if ((slpmsg->flags == 0x20 || diff -r 46abe1203e0b -r cece09dbb119 libpurple/protocols/msn/slpmsg.h --- a/libpurple/protocols/msn/slpmsg.h Thu Feb 18 06:20:55 2010 +0000 +++ b/libpurple/protocols/msn/slpmsg.h Thu Feb 18 08:10:58 2010 +0000 @@ -57,7 +57,18 @@ gboolean ft; PurpleStoredImage *img; guchar *buffer; + + /** + * For outgoing messages this is the number of bytes from buffer that + * have already been sent out. For incoming messages this is the + * number of bytes that have been written to buffer. + */ long long offset; + + /** + * This is the size of buffer, unless this is an outgoing file transfer, + * in which case this is the size of the file. + */ long long size; GList *msgs; /**< The real messages. */ diff -r 46abe1203e0b -r cece09dbb119 pidgin/gtkimhtml.c --- a/pidgin/gtkimhtml.c Thu Feb 18 06:20:55 2010 +0000 +++ b/pidgin/gtkimhtml.c Thu Feb 18 08:10:58 2010 +0000 
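Review bot: `body_len = slpmsg->offset;` now bounds the parser by the bytes actually written into `buffer` instead of the announced `size`, which is the substance of the fix, but nothing on that line says why `offset` is the right field for an incoming message, and a future reader could easily "correct" it back. A short comment would pin the intent, e.g. `/* Parse only what has arrived: size is the peer's claim, offset is what was written. */`. This relies on `slpmsg->offset` being maintained for incoming messages, which the slplink.c hunk in this same commit adds, so the two hunks should land together. The enclosing function begins before the hunk.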
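Review bot: The rejection path in the slplink.c hunk still ends in `g_return_if_reached()`, a programmer-error macro that raises a GLib critical; since `offset` and `len` here describe data from the remote side, a process running with `G_DEBUG=fatal-criticals` would abort on one malformed chunk, so after the `purple_debug_error()` a plain `return;` is the better termination. The added `slpmsg->offset != offset` test also makes reassembly strictly sequential; if the protocol may legitimately deliver chunks out of order this now drops them, which I cannot tell from the hunk. `slpmsg->offset` is a `long long` (per the slpmsg.h hunk) being compared with `offset`, which the format string prints as a `guint64`, so a comment stating the invariant would help, e.g. `/* Chunks must arrive in order and must stay inside buffer. */`. The enclosing function begins before the hunk.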
@@ -2222,21 +2222,6 @@ return smiley->icon; } -static GdkPixbufAnimation * -gtk_smiley_tree_image (GtkIMHtml *imhtml, - const gchar *sml, - const gchar *text) -{ - GtkIMHtmlSmiley *smiley; - - smiley = gtk_imhtml_smiley_get(imhtml,sml,text); - - if (!smiley) - return NULL; - - return gtk_smiley_get_image(smiley); -} - #define VALID_TAG(x) do { \ if (!g_ascii_strncasecmp (string, x ">", strlen (x ">"))) { \ if (tag) *tag = g_strndup (string, strlen (x)); \ @@ -2695,6 +2680,8 @@ ws = g_malloc(len + 1); ws[0] = '\0'; + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(0)); + gtk_text_buffer_begin_user_action(imhtml->text_buffer); while (pos < len) { if (*c == '<' && gtk_imhtml_is_tag (c + 1, &tag, &tlen, &type)) { @@ -3547,6 +3534,8 @@ } gtk_text_buffer_delete(imhtml->text_buffer, start, end); + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(0)); + g_object_unref(object); } 
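Review bot: In the @@ -2695 hunk the key `"gtkimhtml_numsmileys_thismsg"` is typed as a string literal, and the same key plus `"gtkimhtml_numsmileys_total"` recur as literals in the @@ -3547, @@ -4983, @@ -5042 and @@ -5054 hunks; a typo in any one of them would silently create a separate counter that is never reset, so each key should be defined once near the top of the file, e.g. `#define GTKIMHTML_NUMSMILEYS_THISMSG "gtkimhtml_numsmileys_thismsg"`. The reset in @@ -2695 also has no comment saying it opens a new message's smiley budget, e.g. `/* per-message smiley cap: see gtk_imhtml_insert_smiley_at_iter */`. The function that owns this reset begins before the hunk, so I have not verified that every insertion path goes through it.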
@@ -4983,12 +4972,33 @@
 GdkPixbufAnimation *annipixbuf = NULL;
 GtkWidget *icon = NULL;
 GtkTextChildAnchor *anchor = NULL;
- char *unescaped = purple_unescape_html(smiley);
- GtkIMHtmlSmiley *imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
+ char *unescaped;
+ GtkIMHtmlSmiley *imhtml_smiley;
 GtkWidget *ebox = NULL;
+ int numsmileys_thismsg, numsmileys_total;
+
+ /*
+ * This GtkIMHtml has the maximum number of smileys allowed, so don't
+ * add any more. We do this for performance reasons, because smileys
+ * are apparently pretty inefficient. Hopefully we can remove this
+ * restriction when we're using a better HTML widget.
+ */
+ numsmileys_thismsg = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg"));
+ if (numsmileys_thismsg >= 30) {
+ gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+ return;
+ }
+ numsmileys_total = GPOINTER_TO_INT(g_object_get_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total"));
+ if (numsmileys_total >= 300) {
+ gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1);
+ return;
+ }
+
+ unescaped = purple_unescape_html(smiley);
+ imhtml_smiley = gtk_imhtml_smiley_get(imhtml, sml, unescaped);
 
 if (imhtml->format_functions & GTK_IMHTML_SMILEY) {
- annipixbuf = gtk_smiley_tree_image(imhtml, sml, unescaped);
+ annipixbuf = imhtml_smiley ? gtk_smiley_get_image(imhtml_smiley) : NULL;
 if (annipixbuf) {
 if (gdk_pixbuf_animation_is_static_image(annipixbuf)) {
 pixbuf = gdk_pixbuf_animation_get_static_image(annipixbuf);
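Review bot: The caps `30` and `300` are bare literals in the two new `if` statements, and both checks have the same fallback, so they read better as one guard against named constants, e.g. `if (numsmileys_thismsg >= MAX_SMILEYS_PER_MSG || numsmileys_total >= MAX_SMILEYS_TOTAL) {` with the two values defined once in an `enum` above the function; the block comment already explains the why, so the names are the only missing piece. Allocating `unescaped` only after the early returns is right, since both fallback paths return before anything would free it. As a defensive measure the guard is cheap insurance: it caps how many child widgets one message can push into the text view, which is exactly the cost the comment alludes to. The enclosing function begins before the hunk and ends after it.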
@@ -5042,6 +5052,9 @@ if (ebox) gtk_container_add(GTK_CONTAINER(ebox), icon); gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox ? ebox : icon, anchor); + + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1)); + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1)); } else if (imhtml_smiley != NULL && (imhtml->format_functions & GTK_IMHTML_SMILEY)) { anchor = gtk_text_buffer_create_child_anchor(imhtml->text_buffer, iter); imhtml_smiley->anchors = g_slist_append(imhtml_smiley->anchors, g_object_ref(anchor)); @@ -5054,6 +5067,9 @@ g_object_set_data_full(G_OBJECT(anchor), "gtkimhtml_htmltext", g_strdup(smiley), g_free); gtk_text_view_add_child_at_anchor(GTK_TEXT_VIEW(imhtml), ebox, anchor); } + + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_thismsg", GINT_TO_POINTER(numsmileys_thismsg + 1)); + g_object_set_data(G_OBJECT(imhtml), "gtkimhtml_numsmileys_total", GINT_TO_POINTER(numsmileys_total + 1)); } else { gtk_text_buffer_insert(imhtml->text_buffer, iter, smiley, -1); }
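Review bot: The two counter increments are duplicated verbatim in the image branch (@@ -5042) and the custom-smiley branch (@@ -5054) and nowhere else, so hoisting them to a single point after the if/else chain, guarded by a local flag set in the branches that actually insert a smiley, keeps the two counters in step if a third inserting branch is ever added. The values written back are the ones read at function entry; if an intervening call could itself insert a smiley the count would drift, which I cannot tell from the hunk, so a short note at the write would flag the assumption, e.g. `/* written from the values read at entry; no smiley is inserted in between */`. The enclosing function begins before the first hunk.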