File pidgin-CVE-2013-0274.patch of Package pidgin
# HG changeset patch
# User Mark Doliner <mark@kingant.net>
# Date 1360574030 28800
# Node ID ad7e7fb98db3bbd7bf9ab49072fd34cd4fa25dd9
# Parent c31cf8de31cd391dd1b647ba63ec68bfe262589f
Fix a crash when receiving UPnP responses with abnormally long values.
This is CVE-2013-0274.
The problem was detected by Coverity static analysis and fixed by
Daniel Atallah.
This should fix CIDs 731954, 731953, 731952, 731951, and 731950
--- pidgin-2.7.10/libpurple/upnp.c.orig 2013-03-01 08:25:42.616219062 +0100
+++ pidgin-2.7.10/libpurple/upnp.c 2013-03-01 08:26:30.606262170 +0100
@@ -406,7 +406,7 @@
: PURPLE_UPNP_STATUS_UNABLE_TO_DISCOVER;
control_info.lookup_time = time(NULL);
control_info.control_url = control_url;
- strncpy(control_info.service_type, dd->service_type,
+ g_strlcpy(control_info.service_type, dd->service_type,
sizeof(control_info.service_type));
fire_discovery_callbacks(control_url != NULL);
@@ -598,9 +598,9 @@
sentSuccess = FALSE;
if((dd->retry_count % 2) == 0) {
- strncpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
+ g_strlcpy(dd->service_type, WAN_IP_CONN_SERVICE, sizeof(dd->service_type));
} else {
- strncpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
+ g_strlcpy(dd->service_type, WAN_PPP_CONN_SERVICE, sizeof(dd->service_type));
}
sendMessage = g_strdup_printf(SEARCH_REQUEST_STRING, dd->service_type);
@@ -786,7 +786,7 @@
}
*temp2 = '\0';
- strncpy(control_info.publicip, temp + 1,
+ g_strlcpy(control_info.publicip, temp + 1,
sizeof(control_info.publicip));
purple_debug_info("upnp", "NAT Returned IP: %s\n", control_info.publicip);
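Review bot: The new `g_strlcpy` into `control_info.publicip` truncates silently, because its return value (the length of the source string) is discarded; an over-long address field is then stored and logged as if it were a valid IP. `temp + 1` appears to point into the received UPnP response, so I would treat truncation as a failed lookup: `if (g_strlcpy(control_info.publicip, temp + 1, sizeof(control_info.publicip)) >= sizeof(control_info.publicip)) control_info.publicip[0] = '\0';` followed by the function's existing error path. The enclosing function starts and ends outside this hunk, so the exact failure handling has to come from the surrounding code. The other call sites in this patch copy constants or caller-supplied protocol names, where truncation matters less.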
@@ -821,7 +821,7 @@
looked_up_internal_ip_cb(gpointer data, gint source, const gchar *error_message)
{
if (source) {
- strncpy(control_info.internalip,
+ g_strlcpy(control_info.internalip,
purple_network_get_local_system_ip(source),
sizeof(control_info.internalip));
purple_debug_info("upnp", "Local IP: %s\n",
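Review bot: The guard `if (source)` above the new `g_strlcpy` is true for any non-zero value, including -1. If this callback receives -1 as the failure descriptor (not visible here, so confirm against where it is registered), the copy still runs against an invalid socket; `if (source != -1) {` would state the intent. A one-line comment that `purple_network_get_local_system_ip()` is assumed to return a non-NULL string would also help, since `g_strlcpy` does not accept a NULL source. The function body continues past the end of this hunk.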
@@ -974,7 +974,7 @@
ar->cb_data = cb_data;
ar->add = TRUE;
ar->portmap = portmap;
- strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+ g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
/* If we're waiting for a discovery, add to the callbacks list */
if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {
@@ -1021,7 +1021,7 @@
ar->cb_data = cb_data;
ar->add = FALSE;
ar->portmap = portmap;
- strncpy(ar->protocol, protocol, sizeof(ar->protocol));
+ g_strlcpy(ar->protocol, protocol, sizeof(ar->protocol));
/* If we're waiting for a discovery, add to the callbacks list */
if(control_info.status == PURPLE_UPNP_STATUS_DISCOVERING) {