From 4133dc0fb16b4f2433b00d796e3bc8f283d37d22 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mar 05 2015 19:28:12 +0000
Subject: import pidgin-2.10.7-23.ael7b
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b2d48f5
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/pidgin-2.10.7.tar.bz2
+SOURCES/purple-fedora-prefs.xml
diff --git a/.pidgin.metadata b/.pidgin.metadata
new file mode 100644
index 0000000..c77f4a3
--- /dev/null
+++ b/.pidgin.metadata
@@ -0,0 +1,2 @@
+01bc06e3a5712dded3ad4a4913ada12a3cd01e15 SOURCES/pidgin-2.10.7.tar.bz2
+280a2d02ea4329a5125e44e5ace0937598e3240c SOURCES/purple-fedora-prefs.xml
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
-
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
-
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/pidgin-2.10.1-fix-msn-ft-crashes.patch b/SOURCES/pidgin-2.10.1-fix-msn-ft-crashes.patch
new file mode 100644
index 0000000..aab707b
--- /dev/null
+++ b/SOURCES/pidgin-2.10.1-fix-msn-ft-crashes.patch
@@ -0,0 +1,33 @@
+----------------------------------------------------------------------
+Revision: 9d51cb9fbcc04d21597eed0381f4d06c53facc44
+Parent: 17326b88b85d2f13939a71ca80d4a617f0527f9a
+Author: Cristi Posoiu
+Date: 06/03/11 02:55:31
+Branch: im.pidgin.pidgin
+
+Changelog:
+
+Fix up some cases of file transfers never finishing. This will help certain
+instances of Yahoo file transfers not working, but not all. Fixes #12472.
+
+Changes against parent 17326b88b85d2f13939a71ca80d4a617f0527f9a
+
+ patched libpurple/ft.c
+
+============================================================
+--- libpurple/ft.c 2b8633b159e16099b858dd21ed122e9c3811a9d5
++++ libpurple/ft.c ffba61c0a50c9d5f866f8b1f0dec16cf13bbd65c
+@@ -1100,9 +1100,11 @@ purple_xfer_write(PurpleXfer *xfer, cons
+ r = write(xfer->fd, buffer, s);
+ if (r < 0 && errno == EAGAIN)
+ r = 0;
+- if ((purple_xfer_get_bytes_sent(xfer)+r) >= purple_xfer_get_size(xfer))
+- purple_xfer_set_completed(xfer, TRUE);
+ }
++ if (r >= 0 && (purple_xfer_get_bytes_sent(xfer)+r) >= purple_xfer_get_size(xfer) &&
++ !purple_xfer_is_completed(xfer))
++ purple_xfer_set_completed(xfer, TRUE);
++
+ 
+ return r;
+ }
diff --git a/SOURCES/pidgin-2.10.7-CVE-2012-6152.patch b/SOURCES/pidgin-2.10.7-CVE-2012-6152.patch
new file mode 100644
index 0000000..d29d797
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2012-6152.patch
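Review bot: The file name promises an MSN file-transfer crash fix, but the embedded changelog describes Yahoo transfers that never finish (Fixes #12472), and the revision is dated 2011 while the package is 2.10.7, so a reader cannot tell from this file why the patch is carried or how it is meant to be applied. A one-line header above the Revision block would settle that, for example `# Carried because: <distro bug or upstream ticket>; applied with: <patch options from the spec>`. The enclosing purple_xfer_write starts outside the inner hunk, so the effect of moving the completion test past the closing brace should be confirmed against the full function.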
@@ -0,0 +1,1165 @@ +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c 2014-01-27 10:20:14.473648650 -0500 +@@ -21,6 +21,12 @@ + * + */ + ++/* ++ * Note: When handling the list of struct yahoo_pair's from an incoming ++ * packet the value might not be UTF-8. You should either validate that ++ * it is UTF-8 using g_utf8_validate() or use yahoo_string_decode(). ++ */ ++ + #include "internal.h" + + #include "account.h" +@@ -592,14 +598,24 @@ static void yahoo_process_list_15(Purple + yd->current_list15_grp = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 7: /* buddy's s/n */ +- g_free(temp); +- temp = g_strdup(purple_normalize(account, pair->value)); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ g_free(temp); ++ temp = g_strdup(purple_normalize(account, pair->value)); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 241: /* user on federated network */ + fed = strtol(pair->value, NULL, 10); + break; + case 59: /* somebody told cookies come here too, but im not sure */ +- yahoo_process_cookie(yd, pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ yahoo_process_cookie(yd, pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 317: /* Stealth Setting */ + stealth = strtol(pair->value, NULL, 10); +@@ -662,22 +678,42 @@ static void yahoo_process_list(PurpleCon + g_string_append(yd->tmp_serv_blist, pair->value); + break; + case 88: +- if (!yd->tmp_serv_ilist) +- yd->tmp_serv_ilist = g_string_new(pair->value); +- else +- g_string_append(yd->tmp_serv_ilist, pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ 
if (!yd->tmp_serv_ilist) ++ yd->tmp_serv_ilist = g_string_new(pair->value); ++ else ++ g_string_append(yd->tmp_serv_ilist, pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 89: +- yd->profiles = g_strsplit(pair->value, ",", -1); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ yd->profiles = g_strsplit(pair->value, ",", -1); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 59: /* cookies, yum */ +- yahoo_process_cookie(yd, pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ yahoo_process_cookie(yd, pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case YAHOO_SERVICE_PRESENCE_PERM: +- if (!yd->tmp_serv_plist) +- yd->tmp_serv_plist = g_string_new(pair->value); +- else +- g_string_append(yd->tmp_serv_plist, pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ if (!yd->tmp_serv_plist) ++ yd->tmp_serv_plist = g_string_new(pair->value); ++ else ++ g_string_append(yd->tmp_serv_plist, pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_list " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +@@ -700,6 +736,12 @@ static void yahoo_process_list(PurpleCon + grp = yahoo_string_decode(gc, split[0], FALSE); + buddies = g_strsplit(split[1], ",", -1); + for (bud = buddies; bud && *bud; bud++) { ++ if (!g_utf8_validate(*bud, -1, NULL)) { ++ purple_debug_warning("yahoo", "yahoo_process_list " ++ "got non-UTF-8 string for bud\n"); ++ continue; ++ } ++ + norm_bud = g_strdup(purple_normalize(account, *bud)); + f = yahoo_friend_find_or_new(gc, norm_bud); + +@@ -794,14 +836,26 @@ static void yahoo_process_notify(PurpleC + + while (l) { + struct yahoo_pair *pair = l->data; +- if (pair->key == 4 || pair->key == 1) +- from = 
pair->value; ++ if (pair->key == 4 || pair->key == 1) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ from = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_notify " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + if (pair->key == 49) + msg = pair->value; + if (pair->key == 13) + stat = pair->value; +- if (pair->key == 14) +- game = pair->value; ++ if (pair->key == 14) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ game = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_notify " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + if (pair->key == 11) + val_11 = strtol(pair->value, NULL, 10); + if (pair->key == 241) +@@ -905,10 +959,15 @@ static void yahoo_process_sms_message(Pu + while (l != NULL) { + struct yahoo_pair *pair = l->data; + if (pair->key == 4) { +- sms = g_new0(struct _yahoo_im, 1); +- sms->from = g_strdup_printf("+%s", pair->value); +- sms->time = time(NULL); +- sms->utf8 = TRUE; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ sms = g_new0(struct _yahoo_im, 1); ++ sms->from = g_strdup_printf("+%s", pair->value); ++ sms->time = time(NULL); ++ sms->utf8 = TRUE; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_sms_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + } + if (pair->key == 14) { + if (sms) +@@ -917,8 +976,14 @@ static void yahoo_process_sms_message(Pu + if (pair->key == 68) + if(sms) + g_hash_table_insert(yd->sms_carrier, g_strdup(sms->from), g_strdup(pair->value)); +- if (pair->key == 16) +- server_msg = pair->value; ++ if (pair->key == 16) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ server_msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_sms_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + l = l->next; + } + +@@ -972,13 +1037,18 @@ static void yahoo_process_message(Purple + while (l != NULL) { + struct yahoo_pair *pair = l->data; + if (pair->key == 4 || 
pair->key == 1) { +- im = g_new0(struct _yahoo_im, 1); +- list = g_slist_append(list, im); +- im->from = pair->value; +- im->time = time(NULL); +- im->utf8 = TRUE; +- im->fed = YAHOO_FEDERATION_NONE; +- im->fed_from = g_strdup(im->from); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ im = g_new0(struct _yahoo_im, 1); ++ list = g_slist_append(list, im); ++ im->from = pair->value; ++ im->time = time(NULL); ++ im->utf8 = TRUE; ++ im->fed = YAHOO_FEDERATION_NONE; ++ im->fed_from = g_strdup(im->from); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + } + if (im && pair->key == 5) + im->active_id = pair->value; +@@ -1034,7 +1104,7 @@ static void yahoo_process_message(Purple + } + } + /* IMV key */ +- if (im && pair->key == 63) ++ if (im && pair->key == 63 && g_utf8_validate(pair->value, -1, NULL)) + { + /* Check for the Doodle IMV, no IMvironment for federated buddies */ + if (im->from != NULL && im->fed == YAHOO_FEDERATION_NONE) +@@ -1173,10 +1243,22 @@ static void yahoo_process_sysmessage(Pur + while (l) { + struct yahoo_pair *pair = l->data; + +- if (pair->key == 5) +- me = pair->value; +- if (pair->key == 14) +- msg = pair->value; ++ if (pair->key == 5) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ me = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_sysmessage " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } ++ if (pair->key == 14) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_sysmessage " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + + l = l->next; + } +@@ -1334,7 +1416,12 @@ static void yahoo_buddy_auth_req_15(Purp + + switch (pair->key) { + case 4: +- temp = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ temp = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " ++ "got non-UTF-8 
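Review bot: When key 4 or 1 fails `g_utf8_validate()` in yahoo_process_message, the new `else` branch only logs and leaves `im` pointing at whatever entry was created earlier in the loop, so the later `if (im && pair->key == ...)` tests can attach the rejected sender's remaining fields to the previous message. Resetting the cursor in that branch, `im = NULL;` after the `purple_debug_warning(...)` call, makes the rest of a rejected message get skipped instead of misattributed. This assumes one packet can carry several messages, which the `g_slist_append(list, im)` line suggests; the loop and the declaration of `im` start outside the hunk.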
string for key %d\n", pair->key); ++ } + break; + case 13: + response = strtol(pair->value, NULL, 10); +@@ -1389,22 +1476,42 @@ static void yahoo_buddy_auth_req_15(Purp + + switch (pair->key) { + case 4: +- temp = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ temp = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: +- add_req->id = g_strdup(pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ add_req->id = g_strdup(pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: + msg = pair->value; + break; + case 216: +- firstname = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ firstname = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 241: + add_req->fed = strtol(pair->value, NULL, 10); + break; + case 254: +- lastname = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ lastname = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_auth_req_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + + } +@@ -1485,10 +1592,20 @@ static void yahoo_buddy_added_us(PurpleC + + switch (pair->key) { + case 1: +- add_req->id = g_strdup(pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ add_req->id = g_strdup(pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_added_us " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 3: +- add_req->who = g_strdup(pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ add_req->who = g_strdup(pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_added_us " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 15: /* time, 
for when they add us and we're offline */ + break; +@@ -1540,10 +1657,20 @@ static void yahoo_buddy_denied_our_add_o + + switch (pair->key) { + case 3: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_denied_our_add_old " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: +- msg = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_buddy_denied_our_add_old " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + l = l->next; +@@ -1640,12 +1767,28 @@ static void yahoo_process_mail(PurpleCon + struct yahoo_pair *pair = l->data; + if (pair->key == 9) + count = strtol(pair->value, NULL, 10); +- else if (pair->key == 43) +- who = pair->value; +- else if (pair->key == 42) +- email = pair->value; +- else if (pair->key == 18) +- subj = pair->value; ++ else if (pair->key == 43) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_mail " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } else if (pair->key == 42) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ email = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_mail " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } else if (pair->key == 18) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ subj = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_mail " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + l = l->next; + } + +@@ -2075,10 +2218,22 @@ static void yahoo_process_auth(PurpleCon + + while (l) { + struct yahoo_pair *pair = l->data; +- if (pair->key == 94) +- seed = pair->value; +- if (pair->key == 1) +- sn = pair->value; ++ if (pair->key == 94) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ seed = pair->value; 
++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_auth " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } ++ if (pair->key == 1) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ sn = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_auth " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + if (pair->key == 13) + m = atoi(pair->value); + l = l->next; +@@ -2150,10 +2305,20 @@ static void yahoo_process_ignore(PurpleC + struct yahoo_pair *pair = l->data; + switch (pair->key) { + case 0: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_ignore " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 1: +- me = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ me = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_ignore " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 13: + /* 1 == ignore, 2 == unignore */ +@@ -2222,8 +2387,14 @@ static void yahoo_process_authresp(Purpl + + if (pair->key == 66) + err = strtol(pair->value, NULL, 10); +- else if (pair->key == 20) +- url = pair->value; ++ else if (pair->key == 20) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_authresp " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + + l = l->next; + } +@@ -2311,7 +2482,12 @@ static void yahoo_process_addbuddy(Purpl + err = strtol(pair->value, NULL, 10); + break; + case 7: +- temp = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ temp = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_addbuddy " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 65: + group = pair->value; +@@ -2468,11 +2644,16 @@ static void yahoo_p2p_process_p2pfilexfe + + switch (pair->key) { + case 4: +- who = 
pair->value; +- if(strncmp(who, p2p_data->host_username, strlen(p2p_data->host_username)) != 0) { +- /* from whom are we receiving the packets ?? */ +- purple_debug_warning("yahoo","p2p: received data from wrong user\n"); +- return; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ if(strncmp(who, p2p_data->host_username, strlen(p2p_data->host_username)) != 0) { ++ /* from whom are we receiving the packets ?? */ ++ purple_debug_warning("yahoo","p2p: received data from wrong user\n"); ++ return; ++ } ++ } else { ++ purple_debug_warning("yahoo", "yahoo_p2p_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); + } + break; + case 13: +@@ -2841,15 +3022,25 @@ static void yahoo_process_p2p(PurpleConn + /* our identity */ + break; + case 4: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2p " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 1: + /* who again, the master identity this time? */ + break; + case 12: +- base64 = pair->value; +- /* so, this is an ip address. in base64. decoded it's in ascii. +- after strtol, it's in reversed byte order. Who thought this up?*/ ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ base64 = pair->value; ++ /* so, this is an ip address. in base64. decoded it's in ascii. ++ after strtol, it's in reversed byte order. 
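Review bot: The sender check in yahoo_p2p_process_p2pfilexfer now fails open: a key 4 value that is not valid UTF-8 is logged and then falls through to `break`, so the `strncmp(who, p2p_data->host_username, ...)` comparison that rejects packets from another user is never run for it. The `else` branch should reject the packet the same way the mismatch branch does, by adding `return;` after the `purple_debug_warning(...)` call. Whether the code after the switch copes with `who` being unset cannot be seen here, since the function continues outside the hunk.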
Who thought this up?*/ ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2p " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 13: + val_13 = strtol(pair->value, NULL, 10); +@@ -2938,7 +3129,12 @@ static void yahoo_process_audible(Purple + + switch (pair->key) { + case 4: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_audible " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: + /* us */ +@@ -2946,11 +3142,21 @@ static void yahoo_process_audible(Purple + case 230: + /* the audible, in foo.locale.bar.baz format + eg: base.tw.smiley.smiley43 */ +- id = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ id = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_audible " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 231: + /* the text of the audible */ +- msg = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_audible " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 232: + /* SHA-1 hash of audible SWF file (eg: 4e8691499d9c0fb8374478ff9720f4a9ea4a4915) */ +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_aliases.c 2014-01-27 10:20:14.473648650 -0500 +@@ -696,8 +696,14 @@ void yahoo_process_contact_details(Purpl + struct yahoo_pair *pair = l->data; + switch (pair->key) { + case 4: +- who = pair->value; /* This is the person who sent us the details. +- But not necessarily about himself. */ ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ /* This is the person who sent us the details. 
++ But not necessarily about himself. */ ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_contact_details " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: + break; +@@ -709,8 +715,13 @@ void yahoo_process_contact_details(Purpl + and look into the xml instead to see who the information is about. */ + break; + case 280: +- xml = pair->value; +- parse_contact_details(yd, who, xml); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ xml = pair->value; ++ parse_contact_details(yd, who, xml); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_contact_details " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_filexfer.c 2014-01-27 10:20:14.474648740 -0500 +@@ -749,25 +749,60 @@ void yahoo_process_p2pfilexfer(PurpleCon + + switch(pair->key) { + case 5: /* Get who the packet is for */ +- me = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ me = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 4: /* Get who the packet is from */ +- from = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ from = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 49: /* Get the type of service */ +- service = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ service = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: /* Get the 
'message' of the packet */ +- message = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ message = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 13: /* Get the command associated with this packet */ +- command = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ command = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 63: /* IMVironment name and version */ +- imv = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ imv = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 64: /* Not sure, but it does vary with initialization of Doodle */ +- unknown = pair->value; /* So, I'll keep it (for a little while atleast) */ ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ unknown = pair->value; /* So, I'll keep it (for a little while atleast) */ ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_p2pfilexfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + +@@ -813,16 +848,36 @@ void yahoo_process_filetransfer(PurpleCo + + switch (pair->key) { + case 4: +- from = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ from = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: +- to = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ to = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: +- msg = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", 
"yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 20: +- url = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 38: + expires = strtol(pair->value, NULL, 10); +@@ -834,10 +889,20 @@ void yahoo_process_filetransfer(PurpleCo + filesize = atol(pair->value); + break; + case 49: +- service = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ service = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 63: +- imv = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ imv = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetransfer " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +@@ -1616,20 +1681,40 @@ void yahoo_process_filetrans_15(PurpleCo + + switch (pair->key) { + case 4: +- from = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ from = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: +- to = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ to = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 265: +- xfer_peer_idstring = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ xfer_peer_idstring = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 27: + filename_list = g_slist_prepend(filename_list, g_strdup(pair->value)); + nooffiles++; + break; + case 28: +- size_list = 
g_slist_prepend(size_list, g_strdup(pair->value)); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ size_list = g_slist_prepend(size_list, g_strdup(pair->value)); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 222: + val_222 = atol(pair->value); +@@ -1638,10 +1723,20 @@ void yahoo_process_filetrans_15(PurpleCo + + /* check for p2p and imviron .... not sure it comes by this service packet. Since it was bundled with filexfer in old ymsg version, still keeping it. */ + case 49: +- service = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ service = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 63: +- imv = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ imv = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + /* end check */ + +@@ -1803,7 +1898,12 @@ void yahoo_process_filetrans_info_15(Pur + to = pair->value; + break; + case 265: +- xfer_peer_idstring = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ xfer_peer_idstring = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 27: + filename = pair->value; +@@ -1816,10 +1916,20 @@ void yahoo_process_filetrans_info_15(Pur + /* 249 has value 1 or 2 when doing p2p transfer and value 3 when relaying through yahoo server */ + break; + case 250: +- url = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 251: +- xfer_idstring_for_relay = pair->value; ++ if 
(g_utf8_validate(pair->value, -1, NULL)) { ++ xfer_idstring_for_relay = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_info_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +@@ -1902,10 +2012,20 @@ void yahoo_process_filetrans_acc_15(Purp + + switch (pair->key) { + case 251: +- xfer_idstring_for_relay = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ xfer_idstring_for_relay = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 265: +- xfer_peer_idstring = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ xfer_peer_idstring = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 66: + val_66 = atol(pair->value); +@@ -1914,7 +2034,13 @@ void yahoo_process_filetrans_acc_15(Purp + val_249 = atol(pair->value); + break; + case 250: +- url = pair->value; /* we get a p2p url here when sending file, connected as client */ ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ /* we get a p2p url here when sending file, connected as client */ ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_filetrans_acc_15 " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_friend.c 2014-01-27 10:20:14.474648740 -0500 +@@ -158,7 +158,12 @@ void yahoo_process_presence(PurpleConnec + + switch (pair->key) { + case 7: +- temp = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ temp = pair->value; ++ } else { ++ 
purple_debug_warning("yahoo", "yahoo_process_presence " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 31: + value = strtol(pair->value, NULL, 10); +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoo_picture.c 2014-01-27 10:20:14.475648826 -0500 +@@ -84,10 +84,20 @@ void yahoo_process_picture(PurpleConnect + switch (pair->key) { + case 1: + case 4: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_picture " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: +- us = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ us = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_picture " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 13: { + int tmp; +@@ -100,7 +110,12 @@ void yahoo_process_picture(PurpleConnect + break; + } + case 20: +- url = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_picture " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 192: + checksum = strtol(pair->value, NULL, 10); +@@ -154,7 +169,12 @@ void yahoo_process_picture_checksum(Purp + + switch (pair->key) { + case 4: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_picture_checksum " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: + /* us */ +@@ -197,7 +217,12 @@ void yahoo_process_picture_upload(Purple + /* filename on our computer. 
*/ + break; + case 20: /* url at yahoo */ +- url = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ url = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_picture_upload " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + case 38: /* timestamp */ + break; + } +@@ -225,7 +250,12 @@ void yahoo_process_avatar_update(PurpleC + + switch (pair->key) { + case 4: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_avatar_upload " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 5: + /* us */ +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c.CVE-2012-6152 pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c.CVE-2012-6152 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/yahoochat.c 2014-01-27 10:20:14.475648826 -0500 +@@ -156,15 +156,25 @@ void yahoo_process_conference_invite(Pur + room = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 50: /* inviter */ +- who = pair->value; +- g_string_append_printf(members, "%s\n", who); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ g_string_append_printf(members, "%s\n", who); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_conference_invite " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 51: /* This user is being invited to the conference. Comes with status = 11, so we wont reach here */ + break; + case 52: /* Invited users. 
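Review bot: `case 20` in yahoo_process_picture_upload still has no `break`, so after the new validation block control falls into `case 38`. That is harmless as written because `case 38` only breaks, but with the body now several lines long an explicit `break;` after the closing brace of the `else`, or a `/* fall through */` comment, would keep a later edit to `case 38` from also acting on URL pairs.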
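Review bot: The warning added in yahoo_process_avatar_update names the wrong function: the string reads `"yahoo_process_avatar_upload "`, while the hunk header shows the handler is `yahoo_process_avatar_update`. Someone triaging malformed-packet warnings from the debug log would search for a function that this hunk does not touch; the literal should be `"yahoo_process_avatar_update "`.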
Assuming us invited, since we got this packet */ + break; /* break needed, or else we add the users to the conference before they accept the invitation */ + case 53: /* members who have already joined the conference */ +- g_string_append_printf(members, "%s\n", pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ g_string_append_printf(members, "%s\n", pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_conference_invite " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 58: + g_free(msg); +@@ -220,7 +230,12 @@ void yahoo_process_conference_decline(Pu + room = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 54: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_conference_decline " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: + g_free(msg); +@@ -277,7 +292,12 @@ void yahoo_process_conference_logon(Purp + room = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 53: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_conference_logon " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +@@ -309,7 +329,12 @@ void yahoo_process_conference_logoff(Pur + room = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 56: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_conference_logoff " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + } + } +@@ -340,7 +365,12 @@ void yahoo_process_conference_message(Pu + room = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 3: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", 
"yahoo_process_conference_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 14: + msg = pair->value; +@@ -506,18 +536,38 @@ void yahoo_process_chat_join(PurpleConne + topic = yahoo_string_decode(gc, pair->value, TRUE); + break; + case 128: +- someid = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ someid = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_join " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 108: /* number of joiners */ + break; + case 129: +- someotherid = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ someotherid = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_join " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 130: +- somebase64orhashosomething = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ somebase64orhashosomething = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_join " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 126: +- somenegativenumber = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ somenegativenumber = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_join " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 13: /* this is 1. maybe its the type of room? (normal, user created, private, etc?) 
*/ + break; +@@ -528,7 +578,12 @@ void yahoo_process_chat_join(PurpleConne + info about individual room members, (including us) */ + + case 109: /* the yahoo id */ +- members = g_list_append(members, pair->value); ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ members = g_list_append(members, pair->value); ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_join " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 110: /* age */ + break; +@@ -625,8 +680,14 @@ void yahoo_process_chat_exit(PurpleConne + g_free(room); + room = yahoo_string_decode(gc, pair->value, TRUE); + } +- if (pair->key == 109) +- who = pair->value; ++ if (pair->key == 109) { ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_exit " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } ++ } + } + + if (who && room) { +@@ -658,10 +719,20 @@ void yahoo_process_chat_message(PurpleCo + room = yahoo_string_decode(gc, pair->value, TRUE); + break; + case 109: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 117: +- msg = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ msg = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_message " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 124: + msgtype = strtol(pair->value, NULL, 10); +@@ -724,7 +795,12 @@ void yahoo_process_chat_addinvite(Purple + msg = yahoo_string_decode(gc, pair->value, FALSE); + break; + case 119: +- who = pair->value; ++ if (g_utf8_validate(pair->value, -1, NULL)) { ++ who = pair->value; ++ } else { ++ purple_debug_warning("yahoo", "yahoo_process_chat_addinvite " ++ "got non-UTF-8 string for key %d\n", pair->key); ++ } + break; + case 118: /* us */ + break; 
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6477.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6477.patch
new file mode 100644
index 0000000..6ee4bcc
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6477.patch
@@ -0,0 +1,78 @@ +diff -up pidgin-2.10.7/libpurple/conversation.c.CVE-2013-6477 pidgin-2.10.7/libpurple/conversation.c +--- pidgin-2.10.7/libpurple/conversation.c.CVE-2013-6477 2013-02-11 04:16:51.000000000 -0500 ++++ pidgin-2.10.7/libpurple/conversation.c 2014-01-29 20:17:16.584055979 -0500 +@@ -1551,6 +1551,14 @@ purple_conv_chat_write(PurpleConvChat *c + if (purple_conv_chat_is_user_ignored(chat, who)) + return; + ++ if (mtime < 0) { ++ purple_debug_error("conversation", ++ "purple_conv_chat_write ignoring negative timestamp\n"); ++ /* TODO: Would be more appropriate to use a value that indicates ++ that the timestamp is unknown, and surface that in the UI. */ ++ mtime = time(NULL); ++ } ++ + if (!(flags & PURPLE_MESSAGE_WHISPER)) { + const char *str; + +diff -up pidgin-2.10.7/libpurple/log.c.CVE-2013-6477 pidgin-2.10.7/libpurple/log.c +--- pidgin-2.10.7/libpurple/log.c.CVE-2013-6477 2013-02-11 04:16:51.000000000 -0500 ++++ pidgin-2.10.7/libpurple/log.c 2014-01-29 20:17:16.584055979 -0500 +@@ -753,7 +753,7 @@ static char *log_get_timestamp(PurpleLog + { + gboolean show_date; + char *date; +- struct tm tm; ++ struct tm *tm; + + show_date = (log->type == PURPLE_LOG_SYSTEM) || (time(NULL) > when + 20*60); + +@@ -763,11 +763,11 @@ static char *log_get_timestamp(PurpleLog + if (date != NULL) + return date; + +- tm = *(localtime(&when)); ++ tm = localtime(&when); + if (show_date) +- return g_strdup(purple_date_format_long(&tm)); ++ return g_strdup(purple_date_format_long(tm)); + else +- return g_strdup(purple_time_format(&tm)); ++ return g_strdup(purple_time_format(tm)); + } + + /* NOTE: This can return msg (which you may or may not want to g_free()) +diff -up pidgin-2.10.7/libpurple/server.c.CVE-2013-6477 pidgin-2.10.7/libpurple/server.c +--- pidgin-2.10.7/libpurple/server.c.CVE-2013-6477 2013-02-11 04:16:53.000000000 -0500 ++++ pidgin-2.10.7/libpurple/server.c 2014-01-29 20:17:16.585055993 -0500 +@@ -567,6 +567,14 @@ void serv_got_im(PurpleConnection *gc, c + + 
account = purple_connection_get_account(gc); + ++ if (mtime < 0) { ++ purple_debug_error("server", ++ "serv_got_im ignoring negative timestamp\n"); ++ /* TODO: Would be more appropriate to use a value that indicates ++ that the timestamp is unknown, and surface that in the UI. */ ++ mtime = time(NULL); ++ } ++ + /* + * XXX: Should we be setting this here, or relying on prpls to set it? + */ +@@ -905,6 +913,14 @@ void serv_got_chat_in(PurpleConnection * + g_return_if_fail(who != NULL); + g_return_if_fail(message != NULL); + ++ if (mtime < 0) { ++ purple_debug_error("server", ++ "serv_got_chat_in ignoring negative timestamp\n"); ++ /* TODO: Would be more appropriate to use a value that indicates ++ that the timestamp is unknown, and surface that in the UI. */ ++ mtime = time(NULL); ++ } ++ + for (bcs = g->buddy_chats; bcs != NULL; bcs = bcs->next) { + conv = (PurpleConversation *)bcs->data; + diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6478.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6478.patch new file mode 100644 index 0000000..2cfbd22 --- /dev/null +++ b/SOURCES/pidgin-2.10.7-CVE-2013-6478.patch 
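Review bot: In the log.c hunk, `log_get_timestamp` now passes the raw `localtime(&when)` result to `purple_date_format_long()` / `purple_time_format()` without checking it, and `localtime()` returns NULL when the time cannot be represented. The old `*(localtime(&when))` copy dereferenced that NULL; whether the two formatters tolerate a NULL `struct tm *` is not visible in this patch, so an explicit guard such as `if (tm == NULL) return g_strdup("");` (or whatever placeholder the project prefers) would make the behaviour local and obvious. The `mtime < 0` checks added in conversation.c and server.c cover only negative values, so this function appears to remain the last line of defence for other unrepresentable timestamps. The function body starts outside the hunk.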
@@ -0,0 +1,35 @@ +diff -up pidgin-2.10.7/pidgin/gtkimhtml.c.CVE-2013-6477 pidgin-2.10.7/pidgin/gtkimhtml.c +--- pidgin-2.10.7/pidgin/gtkimhtml.c.CVE-2013-6477 2013-02-11 04:16:53.000000000 -0500 ++++ pidgin-2.10.7/pidgin/gtkimhtml.c 2014-01-27 12:20:54.660113325 -0500 +@@ -514,7 +514,13 @@ gtk_imhtml_tip_paint (GtkIMHtml *imhtml) + + g_return_val_if_fail(GTK_IS_IMHTML(imhtml), FALSE); + +- layout = gtk_widget_create_pango_layout(imhtml->tip_window, imhtml->tip); ++ /* We set the text in a separate function call so we can specify a ++ max length. This is important so the tooltip isn't too wide for ++ the screen, and also because some X library function exits the ++ process when it can't allocate enough memory for a super wide ++ tooltip. */ ++ layout = gtk_widget_create_pango_layout(imhtml->tip_window, NULL); ++ pango_layout_set_text(layout, imhtml->tip, 200); + + gtk_paint_flat_box (imhtml->tip_window->style, imhtml->tip_window->window, + GTK_STATE_NORMAL, GTK_SHADOW_OUT, NULL, imhtml->tip_window, +@@ -561,7 +567,15 @@ gtk_imhtml_tip (gpointer data) + G_CALLBACK (gtk_imhtml_tip_paint), imhtml); + + gtk_widget_ensure_style (imhtml->tip_window); +- layout = gtk_widget_create_pango_layout(imhtml->tip_window, imhtml->tip); ++ ++ /* We set the text in a separate function call so we can specify a ++ max length. This is important so the tooltip isn't too wide for ++ the screen, and also because some X library function exits the ++ process when it can't allocate enough memory for a super wide ++ tooltip. */ ++ layout = gtk_widget_create_pango_layout(imhtml->tip_window, NULL); ++ pango_layout_set_text(layout, imhtml->tip, 200); ++ + font = pango_context_load_font(pango_layout_get_context(layout), + imhtml->tip_window->style->font_desc); + diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6479.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6479.patch new file mode 100644 index 0000000..e1c4cf6 --- /dev/null +++ b/SOURCES/pidgin-2.10.7-CVE-2013-6479.patch 
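Review bot: The limit `200` passed to `pango_layout_set_text()` is a magic number repeated in both `gtk_imhtml_tip_paint` and `gtk_imhtml_tip`, and the comment calls it a "max length" without saying that Pango counts it in bytes, not characters. A cut at byte 200 can therefore land inside a multi-byte UTF-8 sequence; Pango renders invalid UTF-8 with a placeholder glyph rather than failing, so the tooltip may end in a stray glyph. I would define the limit once, for example `#define GTK_IMHTML_TIP_MAX_BYTES 200 /* bytes, not characters */`, and use it in both calls. Both functions continue outside their hunks.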
@@ -0,0 +1,207 @@ +diff -up pidgin-2.10.7/libpurple/util.c.CVE-2013-6479 pidgin-2.10.7/libpurple/util.c +--- pidgin-2.10.7/libpurple/util.c.CVE-2013-6479 2013-02-11 04:16:53.000000000 -0500 ++++ pidgin-2.10.7/libpurple/util.c 2014-01-28 19:09:20.896950189 -0500 +@@ -33,6 +33,10 @@ + #include "prefs.h" + #include "util.h" + ++/* 512KiB Default value for maximum HTTP download size (when the client hasn't ++ specified a length) */ ++#define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024) ++ + struct _PurpleUtilFetchUrlData + { + PurpleUtilFetchUrlCallback callback; +@@ -68,7 +72,7 @@ struct _PurpleUtilFetchUrlData + char *webdata; + gsize len; + unsigned long data_len; +- gssize max_len; ++ gsize max_len; + gboolean chunked; + PurpleAccount *account; + }; +@@ -3239,24 +3243,26 @@ purple_strcasereplace(const char *string + return ret; + } + +-const char * +-purple_strcasestr(const char *haystack, const char *needle) ++/** TODO: Expose this when we can add API */ ++static const char * ++purple_strcasestr_len(const char *haystack, gssize hlen, const char *needle, gssize nlen) + { +- size_t hlen, nlen; + const char *tmp, *ret; + + g_return_val_if_fail(haystack != NULL, NULL); + g_return_val_if_fail(needle != NULL, NULL); + +- hlen = strlen(haystack); +- nlen = strlen(needle); ++ if (hlen == -1) ++ hlen = strlen(haystack); ++ if (nlen == -1) ++ nlen = strlen(needle); + tmp = haystack, + ret = NULL; + + g_return_val_if_fail(hlen > 0, NULL); + g_return_val_if_fail(nlen > 0, NULL); + +- while (*tmp && !ret) { ++ while (*tmp && !ret && (hlen - (tmp - haystack)) >= nlen) { + if (!g_ascii_strncasecmp(needle, tmp, nlen)) + ret = tmp; + else +@@ -3266,6 +3272,12 @@ purple_strcasestr(const char *haystack, + return ret; + } + ++const char * ++purple_strcasestr(const char *haystack, const char *needle) ++{ ++ return purple_strcasestr_len(haystack, -1, needle, -1); ++} ++ + char * + purple_str_size_to_units(size_t size) + { +@@ -3575,7 +3587,7 @@ static void ssl_url_fetch_connect_cb(gpo + 
static void ssl_url_fetch_error_cb(PurpleSslConnection *ssl_connection, PurpleSslErrorType error, gpointer data); + + static gboolean +-parse_redirect(const char *data, size_t data_len, ++parse_redirect(const char *data, gsize data_len, + PurpleUtilFetchUrlData *gfud) + { + gchar *s; +@@ -3680,20 +3692,21 @@ parse_redirect(const char *data, size_t + return TRUE; + } + ++/* find the starting point of the content for the specified header and make ++ * sure that the content is safe to pass to sscanf */ + static const char * +-find_header_content(const char *data, size_t data_len, const char *header, size_t header_len) ++find_header_content(const char *data, gsize data_len, const char *header) + { + const char *p = NULL; + +- if (header_len <= 0) +- header_len = strlen(header); ++ gsize header_len = strlen(header); + +- /* Note: data is _not_ nul-terminated. */ + if (data_len > header_len) { ++ /* Check if the first header matches (data won't start with a \n") */ + if (header[0] == '\n') + p = (g_ascii_strncasecmp(data, header + 1, header_len - 1) == 0) ? 
data : NULL; + if (!p) +- p = purple_strcasestr(data, header); ++ p = purple_strcasestr_len(data, data_len, header, header_len); + if (p) + p += header_len; + } +@@ -3709,13 +3722,13 @@ find_header_content(const char *data, si + return NULL; + } + +-static size_t +-parse_content_len(const char *data, size_t data_len) ++static gsize ++parse_content_len(const char *data, gsize data_len) + { +- size_t content_len = 0; ++ gsize content_len = 0; + const char *p = NULL; + +- p = find_header_content(data, data_len, "\nContent-Length: ", sizeof("\nContent-Length: ") - 1); ++ p = find_header_content(data, data_len, "\nContent-Length: "); + if (p) { + sscanf(p, "%" G_GSIZE_FORMAT, &content_len); + purple_debug_misc("util", "parsed %" G_GSIZE_FORMAT "\n", content_len); +@@ -3725,9 +3738,9 @@ parse_content_len(const char *data, size + } + + static gboolean +-content_is_chunked(const char *data, size_t data_len) ++content_is_chunked(const char *data, gsize data_len) + { +- const char *p = find_header_content(data, data_len, "\nTransfer-Encoding: ", sizeof("\nTransfer-Encoding: ") - 1); ++ const char *p = find_header_content(data, data_len, "\nTransfer-Encoding: "); + if (p && g_ascii_strncasecmp(p, "chunked", 7) == 0) + return TRUE; + +@@ -3810,7 +3823,7 @@ url_fetch_recv_cb(gpointer url_data, gin + while ((gfud->is_ssl && ((len = purple_ssl_read(gfud->ssl_connection, buf, sizeof(buf))) > 0)) || + (!gfud->is_ssl && (len = read(source, buf, sizeof(buf))) > 0)) + { +- if(gfud->max_len != -1 && (gfud->len + len) > gfud->max_len) { ++ if((gfud->len + len) > gfud->max_len) { + purple_util_fetch_url_error(gfud, _("Error reading from %s: response too long (%d bytes limit)"), + gfud->website.address, gfud->max_len); + return; +@@ -3838,9 +3851,8 @@ url_fetch_recv_cb(gpointer url_data, gin + /* See if we've reached the end of the headers yet */ + end_of_headers = strstr(gfud->webdata, "\r\n\r\n"); + if (end_of_headers) { +- char *new_data; + guint header_len = (end_of_headers + 4 - 
gfud->webdata); +- size_t content_len; ++ gsize content_len; + + purple_debug_misc("util", "Response headers: '%.*s'\n", + header_len, gfud->webdata); +@@ -3860,15 +3872,36 @@ url_fetch_recv_cb(gpointer url_data, gin + content_len = 8192; + } else { + gfud->has_explicit_data_len = TRUE; ++ if (content_len > gfud->max_len) { ++ purple_debug_error("util", ++ "Overriding explicit Content-Length of %" G_GSIZE_FORMAT " with max of %" G_GSSIZE_FORMAT "\n", ++ content_len, gfud->max_len); ++ content_len = gfud->max_len; ++ } + } + + + /* If we're returning the headers too, we don't need to clean them out */ + if (gfud->include_headers) { ++ char *new_data; + gfud->data_len = content_len + header_len; +- gfud->webdata = g_realloc(gfud->webdata, gfud->data_len); ++ new_data = g_try_realloc(gfud->webdata, gfud->data_len); ++ if (new_data == NULL) { ++ purple_debug_error("util", ++ "Failed to allocate %" G_GSIZE_FORMAT " bytes: %s\n", ++ content_len, g_strerror(errno)); ++ purple_util_fetch_url_error(gfud, ++ _("Unable to allocate enough memory to hold " ++ "the contents from %s. The web server may " ++ "be trying something malicious."), ++ gfud->website.address); ++ ++ return; ++ } ++ gfud->webdata = new_data; + } else { +- size_t body_len = gfud->len - header_len; ++ char *new_data; ++ gsize body_len = gfud->len - header_len; + + content_len = MAX(content_len, body_len); + +@@ -4154,7 +4187,11 @@ purple_util_fetch_url_request_len_with_a + gfud->request = g_strdup(request); + gfud->include_headers = include_headers; + gfud->fd = -1; +- gfud->max_len = max_len; ++ if (max_len <= 0) { ++ max_len = DEFAULT_MAX_HTTP_DOWNLOAD; ++ purple_debug_error("util", "Defaulting max download from %s to %" G_GSSIZE_FORMAT "\n", url, max_len); ++ } ++ gfud->max_len = (gsize) max_len; + gfud->account = account; + + purple_url_parse(url, &gfud->website.address, &gfud->website.port, 
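Review bot: `max_len` becomes `gsize` in this patch, but the two messages in `url_fetch_recv_cb` that print it use mismatched conversions: the new "Overriding explicit Content-Length" line formats `gfud->max_len` with `G_GSSIZE_FORMAT`, and the unchanged "response too long (%d bytes limit)" string receives the same `gsize` for `%d`. A printf argument that does not match its conversion is undefined behaviour, and on LP64 the `%d` case reads an argument of the wrong width. The first should end `" with max of %" G_GSIZE_FORMAT "\n"`; the second is a translatable string, so casting the argument to the type its conversion expects is the simpler fix. Separately, the loop in `purple_strcasestr_len` tests `*tmp` before the remaining-length bound, which for a length-delimited buffer is the wrong order: `while ((hlen - (tmp - haystack)) >= nlen && *tmp && !ret)`.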
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6481.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6481.patch
new file mode 100644
index 0000000..2100c66
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6481.patch
@@ -0,0 +1,67 @@ +diff -up pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2013-6481 pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c +--- pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c.CVE-2013-6481 2014-01-27 10:20:14.473648650 -0500 ++++ pidgin-2.10.7/libpurple/protocols/yahoo/libymsg.c 2014-01-28 20:57:13.990365865 -0500 +@@ -2720,7 +2720,7 @@ static void yahoo_p2p_read_pkt_cb(gpoint + int pos = 0; + int pktlen; + struct yahoo_packet *pkt; +- guchar *start = NULL; ++ guchar *start; + struct yahoo_p2p_data *p2p_data; + YahooData *yd; + +@@ -2742,19 +2742,29 @@ static void yahoo_p2p_read_pkt_cb(gpoint + return; + } + ++ /* TODO: It looks like there's a bug here (and above) where an incorrect ++ * assumtion is being made that the buffer will be added to when this ++ * is next called, but that's not really the case! */ + if(len < YAHOO_PACKET_HDRLEN) + return; + +- if(strncmp((char *)buf, "YMSG", MIN(4, len)) != 0) { ++ if(strncmp((char *)buf, "YMSG", 4) != 0) { + /* Not a YMSG packet */ +- purple_debug_warning("yahoo","p2p: Got something other than YMSG packet\n"); ++ purple_debug_warning("yahoo", "p2p: Got something other than YMSG packet\n"); + +- start = memchr(buf + 1, 'Y', len - 1); +- if (start == NULL) ++ start = (guchar *) g_strstr_len((char *) buf + 1, len - 1 ,"YMSG"); ++ if (start == NULL) { ++ /* remove from p2p connection lists, also calls yahoo_p2p_disconnect_destroy_data */ ++ if (g_hash_table_lookup(yd->peers, p2p_data->host_username)) ++ g_hash_table_remove(yd->peers, p2p_data->host_username); ++ else ++ yahoo_p2p_disconnect_destroy_data(data); + return; ++ } ++ purple_debug_warning("yahoo","p2p: Got something other than YMSG packet\n"); + +- g_memmove(buf, start, len - (start - buf)); +- len -= start - buf; ++ len -= (start - buf); ++ g_memmove(buf, start, len); + } + + pos += 4; /* YMSG */ +@@ -2762,7 +2772,17 @@ static void yahoo_p2p_read_pkt_cb(gpoint + pos += 2; + + pktlen = yahoo_get16(buf + pos); pos += 2; +- 
purple_debug_misc("yahoo", "p2p: %d bytes to read\n", len); ++ if (len < (YAHOO_PACKET_HDRLEN + pktlen)) { ++ purple_debug_error("yahoo", "p2p: packet length(%d) > buffer length(%d)\n", ++ pktlen, (len - pos)); ++ /* remove from p2p connection lists, also calls yahoo_p2p_disconnect_destroy_data */ ++ if (g_hash_table_lookup(yd->peers, p2p_data->host_username)) ++ g_hash_table_remove(yd->peers, p2p_data->host_username); ++ else ++ yahoo_p2p_disconnect_destroy_data(data); ++ return; ++ } else ++ purple_debug_misc("yahoo", "p2p: %d bytes to read\n", pktlen); + + pkt = yahoo_packet_new(0, 0, 0); + pkt->service = yahoo_get16(buf + pos); pos += 2; diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6482.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6482.patch new file mode 100644 index 0000000..c573f0d --- /dev/null +++ b/SOURCES/pidgin-2.10.7-CVE-2013-6482.patch 
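Review bot: In `yahoo_p2p_read_pkt_cb` the `len < YAHOO_PACKET_HDRLEN` guard runs before the resynchronisation, so after `len -= (start - buf)` fewer than a full header may remain while `pktlen` is still read from `buf + pos`. The new `len < (YAHOO_PACKET_HDRLEN + pktlen)` test appears to reject that case as long as `yahoo_get16()` cannot yield a negative value, but it decides using bytes past the valid data; a second `if (len < YAHOO_PACKET_HDRLEN)` check right after the `g_memmove()`, taking the same teardown path, would make the bound explicit. The error message prints `(len - pos)` although the comparison uses `YAHOO_PACKET_HDRLEN + pktlen`, so the logged numbers are hard to reconcile, and the "Got something other than YMSG packet" warning is now emitted twice on a successful resync. The peer-teardown sequence is duplicated in both failure paths and would read better as one `static` helper. The function body starts and ends outside the hunks.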
@@ -0,0 +1,147 @@ +diff -up pidgin-2.10.7/libpurple/protocols/msn/msg.c.CVE-2013-6482 pidgin-2.10.7/libpurple/protocols/msn/msg.c +--- pidgin-2.10.7/libpurple/protocols/msn/msg.c.CVE-2013-6482 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/msn/msg.c 2014-01-29 09:20:02.125156089 -0500 +@@ -178,6 +178,8 @@ msn_message_parse_payload(MsnMessage *ms + g_free(tmp_base); + g_return_if_reached(); + } ++ ++ /* NUL-terminate the end of the headers - it'll get skipped over below */ + *end = '\0'; + + /* Split the headers and parse each one */ +@@ -195,10 +197,12 @@ msn_message_parse_payload(MsnMessage *ms + + /* The only one I care about is 'boundary' (which is folded from + the key 'Content-Type'), so only process that. */ +- if (!strcmp(key, "boundary")) { ++ if (!strcmp(key, "boundary") && value) { + char *end = strchr(value, '\"'); +- *end = '\0'; +- msn_message_set_header(msg, key, value); ++ if (end) { ++ *end = '\0'; ++ msn_message_set_header(msg, key, value); ++ } + } + + g_strfreev(tokens); +@@ -210,18 +214,15 @@ msn_message_parse_payload(MsnMessage *ms + key = tokens[0]; + value = tokens[1]; + +- /*if not MIME content ,then return*/ + if (!strcmp(key, "MIME-Version")) + { +- g_strfreev(tokens); +- continue; ++ /* Ignore MIME-Version header */ + } +- +- if (!strcmp(key, "Content-Type")) ++ else if (!strcmp(key, "Content-Type")) + { + char *charset, *c; + +- if ((c = strchr(value, ';')) != NULL) ++ if (value && (c = strchr(value, ';')) != NULL) + { + if ((charset = strchr(c, '=')) != NULL) + { +diff -up pidgin-2.10.7/libpurple/protocols/msn/oim.c.CVE-2013-6482 pidgin-2.10.7/libpurple/protocols/msn/oim.c +--- pidgin-2.10.7/libpurple/protocols/msn/oim.c.CVE-2013-6482 2014-01-29 09:20:03.696153312 -0500 ++++ pidgin-2.10.7/libpurple/protocols/msn/oim.c 2014-01-29 09:20:04.713151523 -0500 +@@ -362,11 +362,12 @@ msn_oim_send_read_cb(MsnSoapMessage *req + if (faultcode) { + char *faultcode_str = xmlnode_get_data(faultcode); + +- if 
(g_str_equal(faultcode_str, "q0:AuthenticationFailed")) { ++ if (faultcode_str && g_str_equal(faultcode_str, "q0:AuthenticationFailed")) { + xmlnode *challengeNode = xmlnode_get_child(faultNode, + "detail/LockKeyChallenge"); ++ char *challenge = NULL; + +- if (challengeNode == NULL) { ++ if (challengeNode == NULL || (challenge = xmlnode_get_data(challengeNode)) == NULL) { + if (oim->challenge) { + g_free(oim->challenge); + oim->challenge = NULL; +@@ -384,7 +385,6 @@ msn_oim_send_read_cb(MsnSoapMessage *req + } else { + char buf[33]; + +- char *challenge = xmlnode_get_data(challengeNode); + msn_handle_chl(challenge, buf); + + g_free(oim->challenge); +@@ -400,22 +400,23 @@ msn_oim_send_read_cb(MsnSoapMessage *req + } + } else { + /* Report the error */ +- const char *str_reason; ++ const char *str_reason = NULL; + +- if (g_str_equal(faultcode_str, "q0:SystemUnavailable")) { +- str_reason = _("Message was not sent because the system is " +- "unavailable. This normally happens when the " +- "user is blocked or does not exist."); +- +- } else if (g_str_equal(faultcode_str, "q0:SenderThrottleLimitExceeded")) { +- str_reason = _("Message was not sent because messages " +- "are being sent too quickly."); +- +- } else if (g_str_equal(faultcode_str, "q0:InvalidContent")) { +- str_reason = _("Message was not sent because an unknown " +- "encoding error occurred."); ++ if (faultcode_str) { ++ if (g_str_equal(faultcode_str, "q0:SystemUnavailable")) { ++ str_reason = _("Message was not sent because the system is " ++ "unavailable. 
This normally happens when the " ++ "user is blocked or does not exist."); ++ } else if (g_str_equal(faultcode_str, "q0:SenderThrottleLimitExceeded")) { ++ str_reason = _("Message was not sent because messages " ++ "are being sent too quickly."); ++ } else if (g_str_equal(faultcode_str, "q0:InvalidContent")) { ++ str_reason = _("Message was not sent because an unknown " ++ "encoding error occurred."); ++ } ++ } + +- } else { ++ if (str_reason == NULL) { + str_reason = _("Message was not sent because an unknown " + "error occurred."); + } +diff -up pidgin-2.10.7/libpurple/protocols/msn/soap.c.CVE-2013-6482 pidgin-2.10.7/libpurple/protocols/msn/soap.c +--- pidgin-2.10.7/libpurple/protocols/msn/soap.c.CVE-2013-6482 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/msn/soap.c 2014-01-29 09:20:04.714151533 -0500 +@@ -304,21 +304,25 @@ msn_soap_handle_body(MsnSoapConnection * + if (faultcode != NULL) { + char *faultdata = xmlnode_get_data(faultcode); + +- if (g_str_equal(faultdata, "psf:Redirect")) { ++ if (faultdata && g_str_equal(faultdata, "psf:Redirect")) { + xmlnode *url = xmlnode_get_child(fault, "redirectUrl"); + + if (url) { + char *urldata = xmlnode_get_data(url); +- msn_soap_handle_redirect(conn, urldata); ++ if (urldata) ++ msn_soap_handle_redirect(conn, urldata); + g_free(urldata); + } + + g_free(faultdata); + msn_soap_message_destroy(response); + return TRUE; +- } else if (g_str_equal(faultdata, "wsse:FailedAuthentication")) { ++ } else if (faultdata && g_str_equal(faultdata, "wsse:FailedAuthentication")) { + xmlnode *reason = xmlnode_get_child(fault, "faultstring"); +- char *reasondata = xmlnode_get_data(reason); ++ char *reasondata = NULL; ++ ++ if (reason) ++ reasondata = xmlnode_get_data(reason); + + msn_soap_connection_sanitize(conn, TRUE); + msn_session_set_error(conn->session, MSN_ERROR_AUTH, 
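Review bot: In `msn_message_parse_payload` the patch guards `value`, but `key` (taken from `tokens[0]`) still goes straight into `strcmp()` in both header loops; whether `tokens[0]` can be NULL depends on the split calls outside these hunks, so this needs confirming. If an empty header element is possible, `if (key && value && !strcmp(key, "boundary"))` and a matching `key` test before the `"MIME-Version"` comparison would close the same class of NULL dereference that the added checks address. In soap.c, `reasondata` can now be NULL when `faultstring` is absent and is presumably passed on to `msn_session_set_error()` on the line the hunk cuts off, so that callee has to accept NULL. The functions extend beyond the hunks shown.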
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6483-regression.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6483-regression.patch
new file mode 100644
index 0000000..881fb7f
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6483-regression.patch
@@ -0,0 +1,133 @@ +diff -up pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/iq.c +--- pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483-regression 2014-02-03 09:49:18.556521925 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/iq.c 2014-02-03 09:49:29.904554588 -0500 +@@ -283,6 +283,52 @@ void jabber_iq_remove_callback_by_id(Jab + g_hash_table_remove(js->iq_callbacks, id); + } + ++/** ++ * Verify that the 'from' attribute of an IQ reply is a valid match for ++ * a given IQ request. The expected behavior is outlined in section ++ * 8.1.2.1 of the XMPP CORE spec (RFC 6120). We consider the reply to ++ * be a valid match if any of the following is true: ++ * - Request 'to' matches reply 'from' (including the case where ++ * neither are set). ++ * - Request 'to' was empty and reply 'from' is server JID. ++ * - Request 'to' was empty and reply 'from' is my JID. The spec says ++ * we should only allow bare JID, but we also allow full JID for ++ * compatibility with some servers. ++ * ++ * These rules should allow valid IQ replies while preventing spoofed ++ * ones. ++ * ++ * For more discussion see the "Spoofing of iq ids and misbehaving ++ * servers" email thread from January 2014 on the jdev and security ++ * mailing lists. ++ * ++ * @return TRUE if this reply is valid for the given request. 
++ */ ++static gboolean does_reply_from_match_request_to(JabberStream *js, JabberID *to, JabberID *from) ++{ ++ if (jabber_id_equal(to, from)) { ++ /* Request 'to' matches reply 'from' */ ++ return TRUE; ++ } ++ ++ if (!to && purple_strequal(from->domain, js->user->domain)) { ++ /* Request 'to' is empty and reply 'from' domain matches our domain */ ++ ++ if (!from->node && !from->resource) { ++ /* Reply 'from' is server bare JID */ ++ return TRUE; ++ } ++ ++ if (purple_strequal(from->node, js->user->node) ++ && (!from->resource || purple_strequal(from->resource, js->user->resource))) { ++ /* Reply 'from' is my full or bare JID */ ++ return TRUE; ++ } ++ } ++ ++ return FALSE; ++} ++ + void jabber_iq_parse(JabberStream *js, xmlnode *packet) + { + JabberIqCallbackData *jcd; +@@ -377,8 +423,9 @@ void jabber_iq_parse(JabberStream *js, x + + /* First, lets see if a special callback got registered */ + if(type == JABBER_IQ_RESULT || type == JABBER_IQ_ERROR) { +- if((jcd = g_hash_table_lookup(js->iq_callbacks, id))) { +- if(jabber_id_equal(js, jcd->to, from_id)) { ++ jcd = g_hash_table_lookup(js->iq_callbacks, id); ++ if (jcd) { ++ if (does_reply_from_match_request_to(js, jcd->to, from_id)) { + jcd->callback(js, from, type, id, packet, jcd->data); + jabber_iq_remove_callback_by_id(js, id); + jabber_id_free(from_id); +diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/jutil.c +--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483-regression 2014-02-03 09:49:18.558521926 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.c 2014-02-03 09:49:29.904554588 -0500 +@@ -510,30 +510,21 @@ jabber_id_free(JabberID *jid) + + + gboolean +-jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2) ++jabber_id_equal(const JabberID *jid1, const JabberID *jid2) + { +- const JabberID *j1, *j2; +- JabberID *bare_user_jid; +- gboolean equal; +- +- /* If an outgoing stanza has no 
'to', or an incoming has no 'from', +- * then those are "the server acting as my account". This function will +- * handle that correctly. +- */ +- if (!jid1 && !jid2) ++ if (!jid1 && !jid2) { ++ /* Both are null therefore equal */ + return TRUE; ++ } + +- bare_user_jid = jabber_id_to_bare_jid(js->user); +- j1 = jid1 ? jid1 : bare_user_jid; +- j2 = jid2 ? jid2 : bare_user_jid; +- +- equal = purple_strequal(j1->node, j2->node) && +- purple_strequal(j1->domain, j2->domain) && +- purple_strequal(j1->resource, j2->resource); +- +- jabber_id_free(bare_user_jid); +- +- return equal; ++ if (!jid1 || !jid2) { ++ /* One is null, other is non-null, therefore not equal */ ++ return FALSE; ++ } ++ ++ return purple_strequal(jid1->node, jid2->node) && ++ purple_strequal(jid1->domain, jid2->domain) && ++ purple_strequal(jid1->resource, jid2->resource); + } + + char *jabber_get_domain(const char *in) +diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483-regression pidgin-2.10.7/libpurple/protocols/jabber/jutil.h +--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483-regression 2014-02-03 09:49:18.559521925 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.h 2014-02-03 09:49:29.904554588 -0500 +@@ -46,12 +46,10 @@ typedef enum { + JabberID* jabber_id_new(const char *str); + + /** +- * Compare two JIDs for equality. +- * +- * Warning: If either JID is NULL then this function uses the user's +- * bare JID, instead! ++ * Compare two JIDs for equality. In addition to the node and domain, ++ * the resources of the two JIDs must also be equal (or both absent). + */ +-gboolean jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2); ++gboolean jabber_id_equal(const JabberID *jid1, const JabberID *jid2); + + void jabber_id_free(JabberID *jid); + diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6483.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6483.patch new file mode 100644 index 0000000..13ed6b9 --- /dev/null 
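Review bot: `does_reply_from_match_request_to` dereferences `from->domain` without a NULL test and is safe only because of statement order, which deserves a comment. When both `to` and `from` are NULL the earlier `jabber_id_equal(to, from)` call has already returned TRUE, and when `to` is non-NULL the `!to &&` short-circuit skips the dereference. I would add `/* from is non-NULL here: the both-NULL case returned TRUE above */` above the `if (!to && ...)` line so that a later reordering does not reintroduce a crash on a reply that has no 'from' attribute. The doc comment could also state that `js->user` must be set, since its `domain`, `node` and `resource` are read unconditionally.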
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6483.patch 
@@ -0,0 +1,297 @@ +diff -up pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483 pidgin-2.10.7/libpurple/protocols/jabber/iq.c +--- pidgin-2.10.7/libpurple/protocols/jabber/iq.c.CVE-2013-6483 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/iq.c 2014-01-29 10:06:23.876656091 -0500 +@@ -49,6 +49,18 @@ + static GHashTable *iq_handlers = NULL; + static GHashTable *signal_iq_handlers = NULL; + ++struct _JabberIqCallbackData { ++ JabberIqCallback *callback; ++ gpointer data; ++ JabberID *to; ++}; ++ ++void jabber_iq_callbackdata_free(JabberIqCallbackData *jcd) ++{ ++ jabber_id_free(jcd->to); ++ g_free(jcd); ++} ++ + JabberIq *jabber_iq_new(JabberStream *js, JabberIqType type) + { + JabberIq *iq; +@@ -98,11 +110,6 @@ JabberIq *jabber_iq_new_query(JabberStre + return iq; + } + +-typedef struct _JabberCallbackData { +- JabberIqCallback *callback; +- gpointer data; +-} JabberCallbackData; +- + void + jabber_iq_set_callback(JabberIq *iq, JabberIqCallback *callback, gpointer data) + { +@@ -125,15 +132,17 @@ void jabber_iq_set_id(JabberIq *iq, cons + + void jabber_iq_send(JabberIq *iq) + { +- JabberCallbackData *jcd; ++ JabberIqCallbackData *jcd; + g_return_if_fail(iq != NULL); + + jabber_send(iq->js, iq->node); + + if(iq->id && iq->callback) { +- jcd = g_new0(JabberCallbackData, 1); ++ jcd = g_new0(JabberIqCallbackData, 1); + jcd->callback = iq->callback; + jcd->data = iq->callback_data; ++ jcd->to = jabber_id_new(xmlnode_get_attrib(iq->node, "to")); ++ + g_hash_table_insert(iq->js->iq_callbacks, g_strdup(iq->id), jcd); + } + +@@ -276,18 +285,30 @@ void jabber_iq_remove_callback_by_id(Jab + + void jabber_iq_parse(JabberStream *js, xmlnode *packet) + { +- JabberCallbackData *jcd; ++ JabberIqCallbackData *jcd; + xmlnode *child, *error, *x; + const char *xmlns; + const char *iq_type, *id, *from; + JabberIqType type = JABBER_IQ_NONE; + gboolean signal_return; ++ JabberID *from_id; + + from = xmlnode_get_attrib(packet, "from"); + id = 
xmlnode_get_attrib(packet, "id"); + iq_type = xmlnode_get_attrib(packet, "type"); + + /* ++ * Ensure the 'from' attribute is valid. No point in handling a stanza ++ * of which we don't understand where it came from. ++ */ ++ from_id = jabber_id_new(from); ++ ++ if (from && !from_id) { ++ purple_debug_error("jabber", "Received an iq with an invalid from: %s\n", from); ++ return; ++ } ++ ++ /* + * child will be either the first tag child or NULL if there is no child. + * Historically, we used just the 'query' subchild, but newer XEPs use + * differently named children. Grabbing the first child is (for the time +@@ -312,6 +333,7 @@ void jabber_iq_parse(JabberStream *js, x + if (type == JABBER_IQ_NONE) { + purple_debug_error("jabber", "IQ with invalid type ('%s') - ignoring.\n", + iq_type ? iq_type : "(null)"); ++ jabber_id_free(from_id); + return; + } + +@@ -342,20 +364,38 @@ void jabber_iq_parse(JabberStream *js, x + purple_debug_error("jabber", "IQ of type '%s' missing id - ignoring.\n", + iq_type); + ++ jabber_id_free(from_id); + return; + } + + signal_return = GPOINTER_TO_INT(purple_signal_emit_return_1(purple_connection_get_prpl(js->gc), + "jabber-receiving-iq", js->gc, iq_type, id, from, packet)); +- if (signal_return) ++ if (signal_return) { ++ jabber_id_free(from_id); + return; ++ } + + /* First, lets see if a special callback got registered */ + if(type == JABBER_IQ_RESULT || type == JABBER_IQ_ERROR) { + if((jcd = g_hash_table_lookup(js->iq_callbacks, id))) { +- jcd->callback(js, from, type, id, packet, jcd->data); +- jabber_iq_remove_callback_by_id(js, id); +- return; ++ if(jabber_id_equal(js, jcd->to, from_id)) { ++ jcd->callback(js, from, type, id, packet, jcd->data); ++ jabber_iq_remove_callback_by_id(js, id); ++ jabber_id_free(from_id); ++ return; ++ } else { ++ char *expected_to; ++ ++ if (jcd->to) { ++ expected_to = jabber_id_get_full_jid(jcd->to); ++ } else { ++ expected_to = jabber_id_get_bare_jid(js->user); ++ } ++ ++ purple_debug_error("jabber", 
"Got a result iq with id %s from %s instead of expected %s!\n", id, from ? from : "(null)", expected_to); ++ ++ g_free(expected_to); ++ } + } + } + +@@ -372,12 +412,15 @@ void jabber_iq_parse(JabberStream *js, x + if (signal_ref > 0) { + signal_return = GPOINTER_TO_INT(purple_signal_emit_return_1(purple_connection_get_prpl(js->gc), "jabber-watched-iq", + js->gc, iq_type, id, from, child)); +- if (signal_return) ++ if (signal_return) { ++ jabber_id_free(from_id); + return; ++ } + } + + if(jih) { + jih(js, from, type, id, child); ++ jabber_id_free(from_id); + return; + } + } +@@ -404,6 +447,8 @@ void jabber_iq_parse(JabberStream *js, x + + jabber_iq_send(iq); + } ++ ++ jabber_id_free(from_id); + } + + void jabber_iq_register_handler(const char *node, const char *xmlns, JabberIqHandler *handlerfunc) +diff -up pidgin-2.10.7/libpurple/protocols/jabber/iq.h.CVE-2013-6483 pidgin-2.10.7/libpurple/protocols/jabber/iq.h +--- pidgin-2.10.7/libpurple/protocols/jabber/iq.h.CVE-2013-6483 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/iq.h 2014-01-29 10:06:23.877656064 -0500 +@@ -36,6 +36,7 @@ typedef enum { + #include "connection.h" + + typedef struct _JabberIq JabberIq; ++typedef struct _JabberIqCallbackData JabberIqCallbackData; + + /** + * A JabberIqHandler is called to process an incoming IQ stanza. 
+@@ -96,6 +97,7 @@ JabberIq *jabber_iq_new_query(JabberStre + + void jabber_iq_parse(JabberStream *js, xmlnode *packet); + ++void jabber_iq_callbackdata_free(JabberIqCallbackData *jcd); + void jabber_iq_remove_callback_by_id(JabberStream *js, const char *id); + void jabber_iq_set_callback(JabberIq *iq, JabberIqCallback *cb, gpointer data); + void jabber_iq_set_id(JabberIq *iq, const char *id); +diff -up pidgin-2.10.7/libpurple/protocols/jabber/jabber.c.CVE-2013-6483 pidgin-2.10.7/libpurple/protocols/jabber/jabber.c +--- pidgin-2.10.7/libpurple/protocols/jabber/jabber.c.CVE-2013-6483 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/jabber.c 2014-01-29 10:06:23.878656039 -0500 +@@ -988,7 +988,7 @@ jabber_stream_new(PurpleAccount *account + js->user_jb->subscription |= JABBER_SUB_BOTH; + + js->iq_callbacks = g_hash_table_new_full(g_str_hash, g_str_equal, +- g_free, g_free); ++ g_free, (GDestroyNotify)jabber_iq_callbackdata_free); + js->chats = g_hash_table_new_full(g_str_hash, g_str_equal, + g_free, (GDestroyNotify)jabber_chat_free); + js->next_id = g_random_int(); +diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483 pidgin-2.10.7/libpurple/protocols/jabber/jutil.c +--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.c.CVE-2013-6483 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.c 2014-01-29 10:06:23.879656015 -0500 +@@ -508,6 +508,34 @@ jabber_id_free(JabberID *jid) + } + } + ++ ++gboolean ++jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2) ++{ ++ const JabberID *j1, *j2; ++ JabberID *bare_user_jid; ++ gboolean equal; ++ ++ /* If an outgoing stanza has no 'to', or an incoming has no 'from', ++ * then those are "the server acting as my account". This function will ++ * handle that correctly. ++ */ ++ if (!jid1 && !jid2) ++ return TRUE; ++ ++ bare_user_jid = jabber_id_to_bare_jid(js->user); ++ j1 = jid1 ? jid1 : bare_user_jid; ++ j2 = jid2 ? 
jid2 : bare_user_jid; ++ ++ equal = purple_strequal(j1->node, j2->node) && ++ purple_strequal(j1->domain, j2->domain) && ++ purple_strequal(j1->resource, j2->resource); ++ ++ jabber_id_free(bare_user_jid); ++ ++ return equal; ++} ++ + char *jabber_get_domain(const char *in) + { + JabberID *jid = jabber_id_new(in); +@@ -536,6 +564,17 @@ char *jabber_get_resource(const char *in + return out; + } + ++JabberID * ++jabber_id_to_bare_jid(const JabberID *jid) ++{ ++ JabberID *result = g_new0(JabberID, 1); ++ ++ result->node = g_strdup(jid->node); ++ result->domain = g_strdup(jid->domain); ++ ++ return result; ++} ++ + char * + jabber_get_bare_jid(const char *in) + { +@@ -561,6 +600,19 @@ jabber_id_get_bare_jid(const JabberID *j + NULL); + } + ++char * ++jabber_id_get_full_jid(const JabberID *jid) ++{ ++ g_return_val_if_fail(jid != NULL, NULL); ++ ++ return g_strconcat(jid->node ? jid->node : "", ++ jid->node ? "@" : "", ++ jid->domain, ++ jid->resource ? "/" : "", ++ jid->resource ? jid->resource : "", ++ NULL); ++} ++ + gboolean + jabber_jid_is_domain(const char *jid) + { +diff -up pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483 pidgin-2.10.7/libpurple/protocols/jabber/jutil.h +--- pidgin-2.10.7/libpurple/protocols/jabber/jutil.h.CVE-2013-6483 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/jabber/jutil.h 2014-01-29 10:06:23.879656015 -0500 +@@ -44,12 +44,23 @@ typedef enum { + #include "jabber.h" + + JabberID* jabber_id_new(const char *str); ++ ++/** ++ * Compare two JIDs for equality. ++ * ++ * Warning: If either JID is NULL then this function uses the user's ++ * bare JID, instead! 
++ */
++gboolean jabber_id_equal(JabberStream *js, const JabberID *jid1, const JabberID *jid2);
++
+ void jabber_id_free(JabberID *jid);
+
+ char *jabber_get_domain(const char *jid);
+ char *jabber_get_resource(const char *jid);
+ char *jabber_get_bare_jid(const char *jid);
+ char *jabber_id_get_bare_jid(const JabberID *jid);
++char *jabber_id_get_full_jid(const JabberID *jid);
++JabberID *jabber_id_to_bare_jid(const JabberID *jid);
+
+ gboolean jabber_jid_is_domain(const char *jid);
+
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6484.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6484.patch
new file mode 100644
index 0000000..22038a1
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6484.patch
@@ -0,0 +1,12 @@
+diff -up pidgin-2.10.7/libpurple/stun.c.CVE-2013-6484 pidgin-2.10.7/libpurple/stun.c
+--- pidgin-2.10.7/libpurple/stun.c.CVE-2013-6484 2013-02-11 04:16:53.000000000 -0500
++++ pidgin-2.10.7/libpurple/stun.c 2014-01-29 13:08:18.835817422 -0500
+@@ -175,7 +175,7 @@ static void reply_cb(gpointer data, gint
+ struct sockaddr_in *sinptr;
+
+ len = recv(source, buffer, sizeof(buffer) - 1, 0);
+- if (!len) {
++ if (len < 0) {
+ purple_debug_warning("stun", "unable to read stun response\n");
+ return;
+ }
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6485.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6485.patch
new file mode 100644
index 0000000..8f81e57
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6485.patch
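Review bot: In the `jabber_iq_send` part of the CVE-2013-6483 patch, `jcd->to = jabber_id_new(xmlnode_get_attrib(iq->node, "to"));` leaves `jcd->to` NULL both when the stanza has no `to` and when `to` is present but does not parse, and `jabber_id_equal` then substitutes the account's bare JID for NULL. Judging from the visible code, a request addressed to an unparseable JID would therefore accept a reply that has no `from` or that comes from the account's own bare JID, which weakens the sender check this patch introduces. `jabber_iq_parse` already separates the two cases with `if (from && !from_id)`; reading `to` into a local and applying the same test, `if (to && !jcd->to)`, to free `jcd` and skip the `g_hash_table_insert` would keep such a callback from being registered. `jabber_id_to_bare_jid` also lacks the `g_return_val_if_fail(jid != NULL, NULL)` guard that `jabber_id_get_full_jid` has, although it is handed `js->user` unconditionally.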
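Review bot: In `reply_cb` (CVE-2013-6484 patch, stun.c), the new guard `if (len < 0)` lets a zero-length or very short datagram through, where the old `if (!len)` at least stopped the empty case. Whatever reads `buffer` after the hunk needs `len` to cover a complete STUN header before any field is used, so unless a minimum-length check already follows below the hunk I would make this `if (len <= 0) {` and add that check. The declaration of `len` is also outside the hunk: if it is an unsigned type the comparison can never be true, so it should be signed, for example `gssize`.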
@@ -0,0 +1,35 @@
+diff -up pidgin-2.10.7/libpurple/util.c.CVE-2013-6485 pidgin-2.10.7/libpurple/util.c
+--- pidgin-2.10.7/libpurple/util.c.CVE-2013-6485 2014-01-28 19:09:20.896950189 -0500
++++ pidgin-2.10.7/libpurple/util.c 2014-01-29 16:48:35.033699646 -0500
+@@ -37,6 +37,8 @@
+ specified a length) */
+ #define DEFAULT_MAX_HTTP_DOWNLOAD (512 * 1024)
+
++#define MAX_HTTP_CHUNK_SIZE (10 * 1024 * 1024)
++
+ struct _PurpleUtilFetchUrlData
+ {
+ PurpleUtilFetchUrlCallback callback;
+@@ -3780,11 +3782,12 @@ process_chunked_data(char *data, gsize *
+ break;
+ s += 2;
+
+- if (s + sz > data + *len) {
++ if (sz > MAX_HTTP_CHUNK_SIZE || s + sz > data + *len) {
+ purple_debug_error("util", "Error processing chunked data: "
+ "Chunk size %" G_GSIZE_FORMAT " bytes was longer "
+ "than the data remaining in the buffer (%"
+ G_GSIZE_FORMAT " bytes)\n", sz, data + *len - s);
++ break;
+ }
+
+ /* Move all data overtop of the chunk length that we read in earlier */
+@@ -3792,7 +3795,7 @@ process_chunked_data(char *data, gsize *
+ p += sz;
+ s += sz;
+ newlen += sz;
+- if (*s != '\r' && *(s + 1) != '\n') {
++ if (*s == '\0' || (*s != '\r' && *(s + 1) != '\n')) {
+ purple_debug_error("util", "Error processing chunked data: "
+ "Expected \\r\\n, found: %s\n", s);
+ break;
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6487.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6487.patch
new file mode 100644
index 0000000..b408212
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6487.patch
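Review bot: In the last `process_chunked_data` hunk of the CVE-2013-6485 patch, the terminator test `(*s != '\r' && *(s + 1) != '\n')` fails only when both bytes are wrong, so a chunk followed by `\r` and any other byte, or by any byte and `\n`, is still accepted as well-formed. Requiring both bytes is `if (*s != '\r' || *(s + 1) != '\n') {`, which also covers the added `*s == '\0'` case and never reads `s[1]` once `*s` is the terminator. In the middle hunk the existing message is now printed for `sz > MAX_HTTP_CHUNK_SIZE` as well, where "longer than the data remaining in the buffer" is not the reason; a separate message for the cap would keep the log accurate. The function body starts and ends outside these hunks.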
@@ -0,0 +1,24 @@
+diff -up pidgin-2.10.7/libpurple/protocols/gg/lib/http.c.CVE-2013-6487 pidgin-2.10.7/libpurple/protocols/gg/lib/http.c
+--- pidgin-2.10.7/libpurple/protocols/gg/lib/http.c.CVE-2013-6487 2013-02-11 04:16:52.000000000 -0500
++++ pidgin-2.10.7/libpurple/protocols/gg/lib/http.c 2014-01-29 20:52:59.629513642 -0500
+@@ -47,6 +47,8 @@
+ #include
+ #include
+
++#define GG_HTTP_MAX_LENGTH 1000000000
++
+ /**
+ * Rozpoczyna połączenie HTTP.
+ *
+@@ -364,6 +366,11 @@ int gg_http_watch_fd(struct gg_http *h)
+ h->body_size = left;
+ }
+
++ if (h->body_size > GG_HTTP_MAX_LENGTH) {
++ gg_debug(GG_DEBUG_MISC, "=> http, content-length too big\n");
++ h->body_size = GG_HTTP_MAX_LENGTH;
++ }
++
+ if (left > h->body_size) {
+ gg_debug(GG_DEBUG_MISC, "=> http, oversized reply (%d bytes needed, %d bytes left)\n", h->body_size, left);
+ h->body_size = left;
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6489.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6489.patch
new file mode 100644
index 0000000..afa45d5
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6489.patch
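Review bot: In `gg_http_watch_fd` (CVE-2013-6487 patch), an oversized Content-Length is clamped to `GG_HTTP_MAX_LENGTH` and processing continues, so the server still chooses a `body_size` of up to 1,000,000,000 bytes. How `body_size` feeds the body allocation is outside the hunk, but if a buffer of that size is allocated up front, a much lower cap or treating the reply as an error would bound memory use better than the clamp does. The macro should also say what the number means, for example `/* Largest HTTP body, in bytes, accepted from a server. */` above the `#define`.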
@@ -0,0 +1,35 @@
+diff -up pidgin-2.10.7/libpurple/protocols/mxit/markup.c.CVE-2013-6489 pidgin-2.10.7/libpurple/protocols/mxit/markup.c
+--- pidgin-2.10.7/libpurple/protocols/mxit/markup.c.CVE-2013-6489 2013-02-11 04:16:52.000000000 -0500
++++ pidgin-2.10.7/libpurple/protocols/mxit/markup.c 2014-01-29 20:55:34.239345911 -0500
+@@ -204,7 +204,8 @@ static unsigned int asn_getlength( const
+ */
+ static int asn_getUtf8( const char* data, char type, char** utf8 )
+ {
+- int len;
++ unsigned int len;
++ gchar *out_str;
+
+ /* validate the field type [1 byte] */
+ if ( data[0] != type ) {
+@@ -213,10 +214,17 @@ static int asn_getUtf8( const char* data
+ return -1;
+ }
+
+- len = data[1]; /* length field [1 bytes] */
+- *utf8 = g_malloc( len + 1 );
+- memcpy( *utf8, &data[2], len ); /* data field */
+- (*utf8)[len] = '\0';
++ len = (uint8_t)data[1]; /* length field [1 byte] */
++ out_str = g_malloc(len + 1);
++ if (out_str == NULL) {
++ purple_debug_fatal(MXIT_PLUGIN_ID, "asn_getUtf8: out of memory");
++ return -1;
++ }
++
++ memcpy(out_str, &data[2], len); /* data field */
++ out_str[len] = '\0';
++
++ *utf8 = out_str;
+
+ return ( len + 2 );
+ }
diff --git a/SOURCES/pidgin-2.10.7-CVE-2013-6490.patch b/SOURCES/pidgin-2.10.7-CVE-2013-6490.patch
new file mode 100644
index 0000000..3df77a8
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2013-6490.patch
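Review bot: In `asn_getUtf8` (CVE-2013-6489 patch), the added `if (out_str == NULL)` branch is unreachable, because `g_malloc` terminates the process on allocation failure instead of returning NULL for a non-zero size. If the `-1` error return is meant to be taken, the call has to be `out_str = g_try_malloc(len + 1);`. Separately, `memcpy(out_str, &data[2], len)` copies up to 255 bytes from `data` without knowing how much input remains, since the function takes no length argument; whether every caller guarantees that many bytes is not visible in this hunk and is worth confirming.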
@@ -0,0 +1,27 @@
+diff -up pidgin-2.10.7/libpurple/protocols/simple/simple.c.CVE-2013-6490 pidgin-2.10.7/libpurple/protocols/simple/simple.c
+--- pidgin-2.10.7/libpurple/protocols/simple/simple.c.CVE-2013-6490 2013-02-11 04:16:52.000000000 -0500
++++ pidgin-2.10.7/libpurple/protocols/simple/simple.c 2014-01-29 22:27:25.222516679 -0500
+@@ -1640,7 +1640,7 @@ static void process_input(struct simple_
+ cur += 2;
+ restlen = conn->inbufused - (cur - conn->inbuf);
+ if(restlen >= msg->bodylen) {
+- dummy = g_malloc(msg->bodylen + 1);
++ dummy = g_new(char, msg->bodylen + 1);
+ memcpy(dummy, cur, msg->bodylen);
+ dummy[msg->bodylen] = '\0';
+ msg->body = dummy;
+diff -up pidgin-2.10.7/libpurple/protocols/simple/sipmsg.c.CVE-2013-6490 pidgin-2.10.7/libpurple/protocols/simple/sipmsg.c
+--- pidgin-2.10.7/libpurple/protocols/simple/sipmsg.c.CVE-2013-6490 2013-02-11 04:16:52.000000000 -0500
++++ pidgin-2.10.7/libpurple/protocols/simple/sipmsg.c 2014-01-29 22:27:25.223516732 -0500
+@@ -114,6 +114,11 @@ struct sipmsg *sipmsg_parse_header(const
+ tmp2 = sipmsg_find_header(msg, "Content-Length");
+ if (tmp2 != NULL)
+ msg->bodylen = strtol(tmp2, NULL, 10);
++ if (msg->bodylen < 0) {
++ purple_debug_warning("simple", "Invalid body length: %d",
++ msg->bodylen);
++ msg->bodylen = 0;
++ }
+
+ if(msg->response) {
+ tmp2 = sipmsg_find_header(msg, "CSeq");
diff --git a/SOURCES/pidgin-2.10.7-CVE-2014-0020.patch b/SOURCES/pidgin-2.10.7-CVE-2014-0020.patch
new file mode 100644
index 0000000..87d3dfa
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-CVE-2014-0020.patch
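Review bot: In `sipmsg_parse_header` (CVE-2013-6490 patch, sipmsg.c), only negative values are rejected: `strtol` returns a `long` that is assigned straight to `msg->bodylen` (printed with `%d`, so presumably an `int`), and a Content-Length above `INT_MAX` is narrowed to an implementation-defined value before the `< 0` test runs. Parsing into a local and range-checking it first closes that gap, e.g. `long n = strtol(tmp2, NULL, 10);` followed by `msg->bodylen = (n < 0 || n > INT_MAX) ? 0 : (int)n;`. The new warning string also lacks the trailing `\n` that the other debug messages in this patch set end with. Both `process_input` and `sipmsg_parse_header` start and end outside the hunks.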
@@ -0,0 +1,600 @@ +diff -up pidgin-2.10.7/libpurple/protocols/irc/msgs.c.CVE-2014-0020 pidgin-2.10.7/libpurple/protocols/irc/msgs.c +--- pidgin-2.10.7/libpurple/protocols/irc/msgs.c.CVE-2014-0020 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/irc/msgs.c 2014-01-29 23:28:32.833335259 -0500 +@@ -20,6 +20,12 @@ + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA + */ + ++/* ++ * Note: If you change any of these functions to use additional args you ++ * MUST ensure the arg count is correct in parse.c. Otherwise it may be ++ * possible for a malicious server or man-in-the-middle to trigger a crash. ++ */ ++ + #include "internal.h" + + #include "conversation.h" +@@ -203,9 +209,6 @@ void irc_msg_features(struct irc_conn *i + gchar **features; + int i; + +- if (!args || !args[0] || !args[1]) +- return; +- + features = g_strsplit(args[1], " ", -1); + for (i = 0; features[i]; i++) { + char *val; +@@ -220,9 +223,6 @@ void irc_msg_features(struct irc_conn *i + + void irc_msg_luser(struct irc_conn *irc, const char *name, const char *from, char **args) + { +- if (!args || !args[0]) +- return; +- + if (!strcmp(name, "251")) { + /* 251 is required, so we pluck our nick from here and + * finalize connection */ +@@ -238,9 +238,6 @@ void irc_msg_away(struct irc_conn *irc, + PurpleConnection *gc; + char *msg; + +- if (!args || !args[1]) +- return; +- + if (irc->whois.nick && !purple_utf8_strcasecmp(irc->whois.nick, args[1])) { + /* We're doing a whois, show this in the whois dialog */ + irc_msg_whois(irc, name, from, args); +@@ -259,8 +256,7 @@ void irc_msg_badmode(struct irc_conn *ir + { + PurpleConnection *gc = purple_account_get_connection(irc->account); + +- if (!args || !args[1] || !gc) +- return; ++ g_return_if_fail(gc); + + purple_notify_error(gc, NULL, _("Bad mode"), args[1]); + } +@@ -269,17 +265,13 @@ void irc_msg_ban(struct irc_conn *irc, c + { + PurpleConversation *convo; + +- if (!args || !args[0] || !args[1]) +- 
return; +- + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, + args[1], irc->account); + + if (!strcmp(name, "367")) { + char *msg = NULL; + /* Ban list entry */ +- if (!args[2]) +- return; ++ g_return_if_fail(args[2]); + if (args[3] && args[4]) { + /* This is an extended syntax, not in RFC 1459 */ + int t1 = atoi(args[4]); +@@ -315,8 +307,7 @@ void irc_msg_banned(struct irc_conn *irc + PurpleConnection *gc = purple_account_get_connection(irc->account); + char *buf; + +- if (!args || !args[1] || !gc) +- return; ++ g_return_if_fail(gc); + + buf = g_strdup_printf(_("You are banned from %s."), args[1]); + purple_notify_error(gc, _("Banned"), _("Banned"), buf); +@@ -328,9 +319,6 @@ void irc_msg_banfull(struct irc_conn *ir + PurpleConversation *convo; + char *buf, *nick; + +- if (!args || !args[0] || !args[1] || !args[2]) +- return; +- + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (!convo) + return; +@@ -349,9 +337,6 @@ void irc_msg_chanmode(struct irc_conn *i + PurpleConversation *convo; + char *buf, *escaped; + +- if (!args || !args[1] || !args[2]) +- return; +- + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (!convo) /* XXX punt on channels we are not in for now */ + return; +@@ -489,13 +474,6 @@ void irc_msg_who(struct irc_conn *irc, c + PurpleConvChatBuddyFlags flags; + GList *keys = NULL, *values = NULL; + +- if (!args || !args[0] || !args[1] || !args[2] || !args[3] +- || !args[4] || !args[5] || !args[6] || !args[7]) { +- purple_debug(PURPLE_DEBUG_ERROR, "irc", +- "Got a WHO response with not enough arguments\n"); +- return; +- } +- + conv = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (!conv) { + purple_debug(PURPLE_DEBUG_ERROR, "irc","Got a WHO response for %s, which doesn't exist\n", args[1]); +@@ -571,9 +549,6 @@ void irc_msg_list(struct irc_conn *irc, + PurpleRoomlistRoom *room; + char 
*topic; + +- if (!args[0] || !args[1] || !args[2] || !args[3]) +- return; +- + if (!purple_roomlist_get_in_progress(irc->roomlist)) { + purple_debug_warning("irc", "Buggy server didn't send RPL_LISTSTART.\n"); + purple_roomlist_set_in_progress(irc->roomlist, TRUE); +@@ -595,13 +570,13 @@ void irc_msg_topic(struct irc_conn *irc, + PurpleConversation *convo; + + if (!strcmp(name, "topic")) { +- if (!args[0] || !args[1]) +- return; ++ g_return_if_fail(args[0]); ++ g_return_if_fail(args[1]); + chan = args[0]; + topic = irc_mirc2txt (args[1]); + } else { +- if (!args[0] || !args[1] || !args[2]) +- return; ++ g_return_if_fail(args[1]); ++ g_return_if_fail(args[2]); + chan = args[1]; + topic = irc_mirc2txt (args[2]); + } +@@ -652,9 +627,6 @@ void irc_msg_topicinfo(struct irc_conn * + struct tm *tm; + time_t t; + char *msg, *timestamp, *datestamp; +- +- if (!args || !args[1] || !args[2] || !args[3]) +- return; + + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (!convo) { +@@ -683,8 +655,7 @@ void irc_msg_unknown(struct irc_conn *ir + PurpleConnection *gc = purple_account_get_connection(irc->account); + char *buf; + +- if (!args || !args[1] || !gc) +- return; ++ g_return_if_fail(gc); + + buf = g_strdup_printf(_("Unknown message '%s'"), args[1]); + purple_notify_error(gc, _("Unknown message"), buf, _("The IRC server received a message it did not understand.")); +@@ -776,9 +747,6 @@ void irc_msg_motd(struct irc_conn *irc, + { + char *escaped; + +- if (!args || !args[0]) +- return; +- + if (!strcmp(name, "375")) { + if (irc->motd) + g_string_free(irc->motd, TRUE); +@@ -815,11 +783,9 @@ void irc_msg_motd(struct irc_conn *irc, + + void irc_msg_time(struct irc_conn *irc, const char *name, const char *from, char **args) + { +- PurpleConnection *gc; ++ PurpleConnection *gc = purple_account_get_connection(irc->account); + +- gc = purple_account_get_connection(irc->account); +- if (gc == NULL || args == NULL || args[2] == NULL) +- 
return; ++ g_return_if_fail(gc); + + purple_notify_message(gc, PURPLE_NOTIFY_MSG_INFO, _("Time Response"), + _("The IRC server's local time is:"), +@@ -830,8 +796,7 @@ void irc_msg_nochan(struct irc_conn *irc + { + PurpleConnection *gc = purple_account_get_connection(irc->account); + +- if (gc == NULL || args == NULL || args[1] == NULL) +- return; ++ g_return_if_fail(gc); + + purple_notify_error(gc, NULL, _("No such channel"), args[1]); + } +@@ -892,9 +857,6 @@ void irc_msg_notop(struct irc_conn *irc, + { + PurpleConversation *convo; + +- if (!args || !args[1] || !args[2]) +- return; +- + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (!convo) + return; +@@ -908,8 +870,7 @@ void irc_msg_invite(struct irc_conn *irc + GHashTable *components; + gchar *nick; + +- if (!args || !args[1] || !gc) +- return; ++ g_return_if_fail(gc); + + components = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, g_free); + nick = irc_mask_nick(from); +@@ -925,8 +886,7 @@ void irc_msg_inviteonly(struct irc_conn + PurpleConnection *gc = purple_account_get_connection(irc->account); + char *buf; + +- if (!args || !args[1] || !gc) +- return; ++ g_return_if_fail(gc); + + buf = g_strdup_printf(_("Joining %s requires an invitation."), args[1]); + purple_notify_error(gc, _("Invitation only"), _("Invitation only"), buf); +@@ -939,9 +899,6 @@ void irc_msg_ison(struct irc_conn *irc, + struct irc_buddy *ib; + int i; + +- if (!args || !args[1]) +- return; +- + nicks = g_strsplit(args[1], " ", -1); + for (i = 0; nicks[i]; i++) { + if ((ib = g_hash_table_lookup(irc->buddies, (gconstpointer)nicks[i])) == NULL) { +@@ -982,14 +939,13 @@ void irc_msg_join(struct irc_conn *irc, + PurpleConvChat *chat; + PurpleConvChatBuddy *cb; + +- char *nick = irc_mask_nick(from), *userhost, *buf; ++ char *nick, *userhost, *buf; + struct irc_buddy *ib; + static int id = 1; + +- if (!gc) { +- g_free(nick); +- return; +- } ++ g_return_if_fail(gc); ++ ++ nick = 
irc_mask_nick(from); + + if (!purple_utf8_strcasecmp(nick, purple_connection_get_display_name(gc))) { + /* We are joining a channel for the first time */ +@@ -1049,12 +1005,11 @@ void irc_msg_kick(struct irc_conn *irc, + { + PurpleConnection *gc = purple_account_get_connection(irc->account); + PurpleConversation *convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[0], irc->account); +- char *nick = irc_mask_nick(from), *buf; ++ char *nick, *buf; + +- if (!gc) { +- g_free(nick); +- return; +- } ++ g_return_if_fail(gc); ++ ++ nick = irc_mask_nick(from); + + if (!convo) { + purple_debug(PURPLE_DEBUG_ERROR, "irc", "Received a KICK for unknown channel %s\n", args[0]); +@@ -1197,9 +1152,6 @@ void irc_msg_nickused(struct irc_conn *i + char *newnick, *buf, *end; + PurpleConnection *gc = purple_account_get_connection(irc->account); + +- if (!args || !args[1]) +- return; +- + if (gc && purple_connection_get_state(gc) == PURPLE_CONNECTED) { + /* We only want to do the following dance if the connection + has not been successfully completed. If it has, just +@@ -1238,9 +1190,6 @@ void irc_msg_nickused(struct irc_conn *i + + void irc_msg_notice(struct irc_conn *irc, const char *name, const char *from, char **args) + { +- if (!args || !args[0] || !args[1]) +- return; +- + irc_msg_handle_privmsg(irc, name, from, args[0], args[1], TRUE); + } + +@@ -1248,8 +1197,7 @@ void irc_msg_nochangenick(struct irc_con + { + PurpleConnection *gc = purple_account_get_connection(irc->account); + +- if (!args || !args[2] || !gc) +- return; ++ g_return_if_fail(gc); + + purple_notify_error(gc, _("Cannot change nick"), _("Could not change nick"), args[2]); + } +@@ -1260,8 +1208,7 @@ void irc_msg_part(struct irc_conn *irc, + PurpleConversation *convo; + char *nick, *msg, *channel; + +- if (!args || !args[0] || !gc) +- return; ++ g_return_if_fail(gc); + + /* Undernet likes to :-quote the channel name, for no good reason + * that I can see. This catches that. 
*/ +@@ -1294,8 +1241,6 @@ void irc_msg_part(struct irc_conn *irc, + void irc_msg_ping(struct irc_conn *irc, const char *name, const char *from, char **args) + { + char *buf; +- if (!args || !args[0]) +- return; + + buf = irc_format(irc, "v:", "PONG", args[0]); + irc_send(irc, buf); +@@ -1309,9 +1254,6 @@ void irc_msg_pong(struct irc_conn *irc, + char **parts, *msg; + time_t oldstamp; + +- if (!args || !args[1]) +- return; +- + parts = g_strsplit(args[1], " ", 2); + + if (!parts[0] || !parts[1]) { +@@ -1345,9 +1287,6 @@ void irc_msg_pong(struct irc_conn *irc, + + void irc_msg_privmsg(struct irc_conn *irc, const char *name, const char *from, char **args) + { +- if (!args || !args[0] || !args[1]) +- return; +- + irc_msg_handle_privmsg(irc, name, from, args[0], args[1], FALSE); + } + +@@ -1401,8 +1340,7 @@ void irc_msg_regonly(struct irc_conn *ir + PurpleConversation *convo; + char *msg; + +- if (!args || !args[1] || !args[2] || !gc) +- return; ++ g_return_if_fail(gc); + + convo = purple_find_conversation_with_account(PURPLE_CONV_TYPE_CHAT, args[1], irc->account); + if (convo) { +@@ -1424,8 +1362,7 @@ void irc_msg_quit(struct irc_conn *irc, + struct irc_buddy *ib; + char *data[2]; + +- if (!args || !args[0] || !gc) +- return; ++ g_return_if_fail(gc); + + data[0] = irc_mask_nick(from); + data[1] = args[0]; +@@ -1445,9 +1382,6 @@ void irc_msg_unavailable(struct irc_conn + { + PurpleConnection *gc = purple_account_get_connection(irc->account); + +- if (!args || !args[1]) +- return; +- + purple_notify_error(gc, NULL, _("Nick or channel is temporarily unavailable."), args[1]); + } + +@@ -1456,8 +1390,7 @@ void irc_msg_wallops(struct irc_conn *ir + PurpleConnection *gc = purple_account_get_connection(irc->account); + char *nick, *msg; + +- if (!args || !args[0] || !gc) +- return; ++ g_return_if_fail(gc); + + nick = irc_mask_nick(from); + msg = g_strdup_printf (_("Wallops from %s"), nick); +@@ -1633,7 +1566,7 @@ irc_msg_cap(struct irc_conn *irc, const + PurpleConnection *gc = 
purple_account_get_connection(irc->account); + const char *mech_list = NULL; + +- if (!args[1] || !args[2] || strncmp(args[2], "sasl ", 6)) ++ if (strncmp(args[2], "sasl ", 6)) + return; + if (strncmp(args[1], "ACK", 4)) { + const char *tmp = _("SASL authentication failed: Server does not support SASL authentication."); +diff -up pidgin-2.10.7/libpurple/protocols/irc/parse.c.CVE-2014-0020 pidgin-2.10.7/libpurple/protocols/irc/parse.c +--- pidgin-2.10.7/libpurple/protocols/irc/parse.c.CVE-2014-0020 2013-02-11 04:16:52.000000000 -0500 ++++ pidgin-2.10.7/libpurple/protocols/irc/parse.c 2014-01-29 23:28:32.834335227 -0500 +@@ -50,80 +50,85 @@ extern PurplePlugin *_irc_plugin; + static struct _irc_msg { + char *name; + char *format; ++ ++ /** The required parameter count, based on values we use, not protocol ++ * specification. */ ++ int req_cnt; ++ + void (*cb)(struct irc_conn *irc, const char *name, const char *from, char **args); + } _irc_msgs[] = { +- { "005", "n*", irc_msg_features }, /* Feature list */ +- { "251", "n:", irc_msg_luser }, /* Client & Server count */ +- { "255", "n:", irc_msg_luser }, /* Client & Server count Mk. II */ +- { "301", "nn:", irc_msg_away }, /* User is away */ +- { "303", "n:", irc_msg_ison }, /* ISON reply */ +- { "311", "nnvvv:", irc_msg_whois }, /* Whois user */ +- { "312", "nnv:", irc_msg_whois }, /* Whois server */ +- { "313", "nn:", irc_msg_whois }, /* Whois ircop */ +- { "317", "nnvv", irc_msg_whois }, /* Whois idle */ +- { "318", "nt:", irc_msg_endwhois }, /* End of WHOIS */ +- { "319", "nn:", irc_msg_whois }, /* Whois channels */ +- { "320", "nn:", irc_msg_whois }, /* Whois (fn ident) */ +- { "314", "nnnvv:", irc_msg_whois }, /* Whowas user */ +- { "315", "nt:", irc_msg_who }, /* end of WHO channel */ +- { "369", "nt:", irc_msg_endwhois }, /* End of WHOWAS */ +- { "321", "*", irc_msg_list }, /* Start of list */ +- { "322", "ncv:", irc_msg_list }, /* List. */ +- { "323", ":", irc_msg_list }, /* End of list. 
*/
+- { "324", "ncv:", irc_msg_chanmode }, /* Channel modes */
+- { "331", "nc:", irc_msg_topic }, /* No channel topic */
+- { "332", "nc:", irc_msg_topic }, /* Channel topic */
+- { "333", "ncvv", irc_msg_topicinfo }, /* Topic setter stuff */
+- { "352", "ncvvvnv:", irc_msg_who }, /* Channel WHO */
+- { "353", "nvc:", irc_msg_names }, /* Names list */
+- { "366", "nc:", irc_msg_names }, /* End of names */
+- { "367", "ncnnv", irc_msg_ban }, /* Ban list */
+- { "368", "nc:", irc_msg_ban }, /* End of ban list */
+- { "372", "n:", irc_msg_motd }, /* MOTD */
+- { "375", "n:", irc_msg_motd }, /* Start MOTD */
+- { "376", "n:", irc_msg_motd }, /* End of MOTD */
+- { "391", "nv:", irc_msg_time }, /* Time reply */
+- { "401", "nt:", irc_msg_nonick }, /* No such nick/chan */
+- { "406", "nt:", irc_msg_nonick }, /* No such nick for WHOWAS */
+- { "403", "nc:", irc_msg_nochan }, /* No such channel */
+- { "404", "nt:", irc_msg_nosend }, /* Cannot send to chan */
+- { "421", "nv:", irc_msg_unknown }, /* Unknown command */
+- { "422", "n:", irc_msg_motd }, /* MOTD file missing */
+- { "432", "vn:", irc_msg_badnick }, /* Erroneous nickname */
+- { "433", "vn:", irc_msg_nickused }, /* Nickname already in use */
+- { "437", "nc:", irc_msg_unavailable }, /* Nick/channel is unavailable */
+- { "438", "nn:", irc_msg_nochangenick }, /* Nick may not change */
+- { "442", "nc:", irc_msg_notinchan }, /* Not in channel */
+- { "473", "nc:", irc_msg_inviteonly }, /* Tried to join invite-only */
+- { "474", "nc:", irc_msg_banned }, /* Banned from channel */
+- { "477", "nc:", irc_msg_regonly }, /* Registration Required */
+- { "478", "nct:", irc_msg_banfull }, /* Banlist is full */
+- { "482", "nc:", irc_msg_notop }, /* Need to be op to do that */
+- { "501", "n:", irc_msg_badmode }, /* Unknown mode flag */
+- { "506", "nc:", irc_msg_nosend }, /* Must identify to send */
+- { "515", "nc:", irc_msg_regonly }, /* Registration required */
++ { "005", "n*", 2, irc_msg_features }, /* Feature list */
++ { "251", "n:", 1, irc_msg_luser }, /* Client & Server count */
++ { "255", "n:", 1, irc_msg_luser }, /* Client & Server count Mk. II */
++ { "301", "nn:", 3, irc_msg_away }, /* User is away */
++ { "303", "n:", 2, irc_msg_ison }, /* ISON reply */
++ { "311", "nnvvv:", 6, irc_msg_whois }, /* Whois user */
++ { "312", "nnv:", 4, irc_msg_whois }, /* Whois server */
++ { "313", "nn:", 2, irc_msg_whois }, /* Whois ircop */
++ { "317", "nnvv", 4, irc_msg_whois }, /* Whois idle */
++ { "318", "nt:", 2, irc_msg_endwhois }, /* End of WHOIS */
++ { "319", "nn:", 3, irc_msg_whois }, /* Whois channels */
++ { "320", "nn:", 2, irc_msg_whois }, /* Whois (fn ident) */
++ { "314", "nnnvv:", 6, irc_msg_whois }, /* Whowas user */
++ { "315", "nt:", 0, irc_msg_who }, /* end of WHO channel */
++ { "369", "nt:", 2, irc_msg_endwhois }, /* End of WHOWAS */
++ { "321", "*", 0, irc_msg_list }, /* Start of list */
++ { "322", "ncv:", 4, irc_msg_list }, /* List. */
++ { "323", ":", 0, irc_msg_list }, /* End of list. */
++ { "324", "ncv:", 3, irc_msg_chanmode }, /* Channel modes */
++ { "331", "nc:", 3, irc_msg_topic }, /* No channel topic */
++ { "332", "nc:", 3, irc_msg_topic }, /* Channel topic */
++ { "333", "ncvv", 4, irc_msg_topicinfo }, /* Topic setter stuff */
++ { "352", "ncvvvnv:", 8, irc_msg_who }, /* Channel WHO */
++ { "353", "nvc:", 4, irc_msg_names }, /* Names list */
++ { "366", "nc:", 2, irc_msg_names }, /* End of names */
++ { "367", "ncnnv", 3, irc_msg_ban }, /* Ban list */
++ { "368", "nc:", 2, irc_msg_ban }, /* End of ban list */
++ { "372", "n:", 1, irc_msg_motd }, /* MOTD */
++ { "375", "n:", 1, irc_msg_motd }, /* Start MOTD */
++ { "376", "n:", 1, irc_msg_motd }, /* End of MOTD */
++ { "391", "nv:", 3, irc_msg_time }, /* Time reply */
++ { "401", "nt:", 2, irc_msg_nonick }, /* No such nick/chan */
++ { "406", "nt:", 2, irc_msg_nonick }, /* No such nick for WHOWAS */
++ { "403", "nc:", 2, irc_msg_nochan }, /* No such channel */
++ { "404", "nt:", 3, irc_msg_nosend }, /* Cannot send to chan */
++ { "421", "nv:", 2, irc_msg_unknown }, /* Unknown command */
++ { "422", "n:", 1, irc_msg_motd }, /* MOTD file missing */
++ { "432", "vn:", 0, irc_msg_badnick }, /* Erroneous nickname */
++ { "433", "vn:", 2, irc_msg_nickused }, /* Nickname already in use */
++ { "437", "nc:", 2, irc_msg_unavailable }, /* Nick/channel is unavailable */
++ { "438", "nn:", 3, irc_msg_nochangenick }, /* Nick may not change */
++ { "442", "nc:", 3, irc_msg_notinchan }, /* Not in channel */
++ { "473", "nc:", 2, irc_msg_inviteonly }, /* Tried to join invite-only */
++ { "474", "nc:", 2, irc_msg_banned }, /* Banned from channel */
++ { "477", "nc:", 3, irc_msg_regonly }, /* Registration Required */
++ { "478", "nct:", 3, irc_msg_banfull }, /* Banlist is full */
++ { "482", "nc:", 3, irc_msg_notop }, /* Need to be op to do that */
++ { "501", "n:", 2, irc_msg_badmode }, /* Unknown mode flag */
++ { "506", "nc:", 3, irc_msg_nosend }, /* Must identify to send */
++ { "515", "nc:", 3, irc_msg_regonly }, /* Registration required */
+ #ifdef HAVE_CYRUS_SASL
+- { "903", "*", irc_msg_authok}, /* SASL auth successful */
+- { "904", "*", irc_msg_authtryagain }, /* SASL auth failed, can recover */
+- { "905", "*", irc_msg_authfail }, /* SASL auth failed */
+- { "906", "*", irc_msg_authfail }, /* SASL auth failed */
+- { "907", "*", irc_msg_authfail }, /* SASL auth failed */
+- { "cap", "vv:", irc_msg_cap }, /* SASL capable */
++ { "903", "*", 0, irc_msg_authok}, /* SASL auth successful */
++ { "904", "*", 0, irc_msg_authtryagain }, /* SASL auth failed, can recover*/
++ { "905", "*", 0, irc_msg_authfail }, /* SASL auth failed */
++ { "906", "*", 0, irc_msg_authfail }, /* SASL auth failed */
++ { "907", "*", 0, irc_msg_authfail }, /* SASL auth failed */
++ { "cap", "vv:", 3, irc_msg_cap }, /* SASL capable */
+ #endif
+- { "invite", "n:", irc_msg_invite }, /* Invited */
+- { "join", ":", irc_msg_join }, /* Joined a channel */
+- { "kick", "cn:", irc_msg_kick }, /* KICK */
+- { "mode", "tv:", irc_msg_mode }, /* MODE for channel */
+- { "nick", ":", irc_msg_nick }, /* Nick change */
+- { "notice", "t:", irc_msg_notice }, /* NOTICE recv */
+- { "part", "c:", irc_msg_part }, /* Parted a channel */
+- { "ping", ":", irc_msg_ping }, /* Received PING from server */
+- { "pong", "v:", irc_msg_pong }, /* Received PONG from server */
+- { "privmsg", "t:", irc_msg_privmsg }, /* Received private message */
+- { "topic", "c:", irc_msg_topic }, /* TOPIC command */
+- { "quit", ":", irc_msg_quit }, /* QUIT notice */
+- { "wallops", ":", irc_msg_wallops }, /* WALLOPS command */
+- { NULL, NULL, NULL }
++ { "invite", "n:", 2, irc_msg_invite }, /* Invited */
++ { "join", ":", 1, irc_msg_join }, /* Joined a channel */
++ { "kick", "cn:", 3, irc_msg_kick }, /* KICK */
++ { "mode", "tv:", 2, irc_msg_mode }, /* MODE for channel */
++ { "nick", ":", 1, irc_msg_nick }, /* Nick change */
++ { "notice", "t:", 2, irc_msg_notice }, /* NOTICE recv */
++ { "part", "c:", 1, irc_msg_part }, /* Parted a channel */
++ { "ping", ":", 1, irc_msg_ping }, /* Received PING from server */
++ { "pong", "v:", 2, irc_msg_pong }, /* Received PONG from server */
++ { "privmsg", "t:", 2, irc_msg_privmsg }, /* Received private message */
++ { "topic", "c:", 2, irc_msg_topic }, /* TOPIC command */
++ { "quit", ":", 1, irc_msg_quit }, /* QUIT notice */
++ { "wallops", ":", 1, irc_msg_wallops }, /* WALLOPS command */
++ { NULL, NULL, 0, NULL }
+ };
+
+ static struct _irc_user_cmd {
+@@ -660,6 +665,8 @@ void irc_parse_msg(struct irc_conn *irc,
+ char *cur, *end, *tmp, *from, *msgname, *fmt, **args, *msg;
+ guint i;
+ PurpleConnection *gc = purple_account_get_connection(irc->account);
++ gboolean fmt_valid;
++ int args_cnt;
+
+ irc->recv_time = time(NULL);
+
+@@ -716,7 +723,9 @@ void irc_parse_msg(struct irc_conn *irc,
+ }
+ g_free(msgname);
+
++ fmt_valid = TRUE;
+ args = g_new0(char *, strlen(msgent->format));
++ args_cnt = 0;
+ for (cur = end, fmt = msgent->format, i = 0; fmt[i] && *cur++; i++) {
+ switch (fmt[i]) {
+ case 'v':
+@@ -753,12 +762,23 @@ void irc_parse_msg(struct irc_conn *irc,
+ break;
+ default:
+ purple_debug(PURPLE_DEBUG_ERROR, "irc", "invalid message format character '%c'\n", fmt[i]);
++ fmt_valid = FALSE;
+ break;
+ }
++ if (fmt_valid)
++ args_cnt = i + 1;
++ }
++ if (G_UNLIKELY(!fmt_valid)) {
++ purple_debug_error("irc", "message format was invalid");
++ } else if (G_LIKELY(args_cnt >= msgent->req_cnt)) {
++ tmp = irc_recv_convert(irc, from);
++ (msgent->cb)(irc, msgent->name, tmp, args);
++ g_free(tmp);
++ } else {
++ purple_debug_error("irc", "args count (%d) doesn't reach "
++ "expected value of %d for the '%s' command",
++ args_cnt, msgent->req_cnt, msgent->name);
+ }
+- tmp = irc_recv_convert(irc, from);
+- (msgent->cb)(irc, msgent->name, tmp, args);
+- g_free(tmp);
+ for (i = 0; i < strlen(msgent->format); i++) {
+ g_free(args[i]);
+ }
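Review bot: The two `purple_debug_error()` calls added in the last irc_parse_msg hunk have no trailing newline, unlike the `purple_debug(...)` call a few lines above them that ends in `\n`, so the record of a dropped message runs into the next debug line and is easy to miss when triaging a misbehaving server. I would end them with `"message format was invalid\n"` and `"expected value of %d for the '%s' command\n"`. The new guard is also only as strong as the table: entries with a required count of 0 (for example `"432"` and `"315"`) always pass `args_cnt >= msgent->req_cnt`, and `args` is zero-filled by `g_new0`, so those handlers still have to tolerate NULL `args[]` entries themselves; a short comment next to the `req_cnt` column saying so would help. irc_parse_msg's body continues outside the hunk.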
diff --git a/SOURCES/pidgin-2.10.7-drop-gadu-gadu.patch b/SOURCES/pidgin-2.10.7-drop-gadu-gadu.patch
new file mode 100644
index 0000000..8e7c91a
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-drop-gadu-gadu.patch
@@ -0,0 +1,21 @@
+diff -urNp pidgin-2.10.7.orig/configure.ac pidgin-2.10.7/configure.ac
+--- pidgin-2.10.7.orig/configure.ac 2013-11-08 12:44:01.112342610 +0100
++++ pidgin-2.10.7/configure.ac 2013-11-08 12:44:14.305358651 +0100
+@@ -1123,7 +1123,7 @@ if test "x$STATIC_PRPLS" != "x" -a "x$DY
+ fi
+
+ if test "x$STATIC_PRPLS" = "xall" ; then
+- STATIC_PRPLS="bonjour gg irc jabber msn myspace mxit novell oscar sametime silc simple yahoo zephyr"
++ STATIC_PRPLS="bonjour irc jabber msn myspace mxit novell oscar sametime silc simple yahoo zephyr"
+ fi
+ if test "x$have_meanwhile" != "xyes" ; then
+ STATIC_PRPLS=`echo $STATIC_PRPLS | $sedpath 's/sametime//'`
+@@ -1208,7 +1208,7 @@ AC_DEFINE_UNQUOTED(STATIC_PROTO_INIT, $e
+
+ AC_ARG_WITH(dynamic_prpls, [AC_HELP_STRING([--with-dynamic-prpls], [specify which protocols to build dynamically])], [DYNAMIC_PRPLS=`echo $withval | $sedpath 's/,/ /g'`])
+ if test "x$DYNAMIC_PRPLS" = "xall" ; then
+- DYNAMIC_PRPLS="bonjour gg irc jabber msn myspace mxit novell oscar sametime silc simple yahoo zephyr"
++ DYNAMIC_PRPLS="bonjour irc jabber msn myspace mxit novell oscar sametime silc simple yahoo zephyr"
+ fi
+ if test "x$have_meanwhile" != "xyes"; then
+ DYNAMIC_PRPLS=`echo $DYNAMIC_PRPLS | $sedpath 's/sametime//'`
diff --git a/SOURCES/pidgin-2.10.7-link-libirc-to-libsasl2.patch b/SOURCES/pidgin-2.10.7-link-libirc-to-libsasl2.patch
new file mode 100644
index 0000000..067808c
--- /dev/null
+++ b/SOURCES/pidgin-2.10.7-link-libirc-to-libsasl2.patch
@@ -0,0 +1,16 @@
+Upstream ticket: #15517
+URL: https://developer.pidgin.im/ticket/15517
+Resolves: #914794
+
+diff -upr pidgin-2.10.7.orig/libpurple/protocols/irc/Makefile.am pidgin-2.10.7/libpurple/protocols/irc/Makefile.am
+--- pidgin-2.10.7.orig/libpurple/protocols/irc/Makefile.am 2013-02-14 02:44:47.000000000 +0200
++++ pidgin-2.10.7/libpurple/protocols/irc/Makefile.am 2013-02-14 02:49:58.000000000 +0200
+@@ -27,7 +27,7 @@ else
+ st =
+ pkg_LTLIBRARIES = libirc.la
+ libirc_la_SOURCES = $(IRCSOURCES)
+-libirc_la_LIBADD = $(GLIB_LIBS)
++libirc_la_LIBADD = $(GLIB_LIBS) $(SASL_LIBS)
+
+ endif
+
diff --git a/SOURCES/pidgin-NOT-UPSTREAM-2.5.2-rhel4-sound-migration.patch b/SOURCES/pidgin-NOT-UPSTREAM-2.5.2-rhel4-sound-migration.patch
new file mode 100644
index 0000000..083a887
--- /dev/null
+++ b/SOURCES/pidgin-NOT-UPSTREAM-2.5.2-rhel4-sound-migration.patch
@@ -0,0 +1,33 @@
+diff -urN pidgin-2.5.2.orig/pidgin/gtksound.c pidgin-2.5.2/pidgin/gtksound.c
+--- pidgin-2.5.2.orig/pidgin/gtksound.c 2008-07-13 22:05:38.000000000 -0400
++++ pidgin-2.5.2/pidgin/gtksound.c 2008-11-22 13:36:54.000000000 -0500
+@@ -298,6 +298,9 @@
+ purple_prefs_add_bool(PIDGIN_PREFS_ROOT "/sound/mute", FALSE);
+ purple_prefs_add_path(PIDGIN_PREFS_ROOT "/sound/command", "");
+ purple_prefs_add_string(PIDGIN_PREFS_ROOT "/sound/method", "automatic");
++#ifndef USE_GSTREAMER
++ purple_prefs_add_bool(PIDGIN_PREFS_ROOT "/sound/rhel4migrated", FALSE);
++#endif
+ purple_prefs_add_int(PIDGIN_PREFS_ROOT "/sound/volume", 50);
+
+ #ifdef USE_GSTREAMER
+@@ -433,6 +436,19 @@
+ return;
+ }
+
++#ifndef USE_GSTREAMER
++ /* RHEL4 migration code */
++ if (!purple_prefs_get_bool(PIDGIN_PREFS_ROOT "/sound/rhel4migrated")) {
++ purple_prefs_set_bool(PIDGIN_PREFS_ROOT "/sound/rhel4migrated", TRUE);
++ if(!strcmp(method, "automatic") ||
++ !strcmp(method, "esd") ||
++ !strcmp(method, "arts")) {
++ purple_prefs_set_string(PIDGIN_PREFS_ROOT "/sound/method", "custom");
++ purple_prefs_set_path(PIDGIN_PREFS_ROOT "/sound/command", "aplay %s");
++ }
++ }
++#endif
++
+ #ifndef _WIN32
+ if (!strcmp(method, "custom")) {
+ const char *sound_cmd;
diff --git a/SPECS/pidgin.spec b/SPECS/pidgin.spec
new file mode 100644
index 0000000..099802e
--- /dev/null
+++ b/SPECS/pidgin.spec
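Review bot: In the second gtksound.c hunk the migration block rewrites the `/sound/method` preference, but the `strcmp(method, "custom")` right after it still uses the `method` pointer that was read before the block. If `method` was obtained from `purple_prefs_get_string()` earlier in the function (the assignment is outside the hunk), it refers to the old preference string, which the prefs code may release when the value is replaced, and the newly migrated "custom" setting would not take effect until the next call in any case. Re-reading it after the update, `method = purple_prefs_get_string(PIDGIN_PREFS_ROOT "/sound/method");` just before the closing brace of the inner `if`, covers both. The enclosing function starts and ends outside the hunk.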
@@ -0,0 +1,2029 @@
+# OVERRIDE RHEL VERSION HERE, RHEL BUILDSYSTEM DOESN'T HAVE DIST TAG
+#%%global rhel 4
+
+# Define Variables that must exist
+%{?!rhel:%global rhel 0}
+%{?!fedora:%global fedora 0}
+
+# Map RHEL to Fedora version
+%if 0%{?rhel} == 6
+%global fedora 12
+%endif
+%if 0%{?rhel} == 7
+%global fedora 19
+%endif
+
+# Define variables to use in conditionals
+%global force_sound_aplay 0
+%global dbus_integration 0
+%global gstreamer_integration 0
+%global nm_integration 0
+%global modular_x 0
+%global dbus_glib_splt 0
+%global bonjour_support 0
+%global meanwhile_integration 0
+%global use_gnome_open 0
+%global perl_devel_separated 0
+%global perl_embed_separated 0
+%global api_docs 0
+%global krb4_removed 0
+%global nss_md2_disabled 0
+%global vv_support 0
+%global libidn_support 0
+%global disable_silc 0
+%global disable_evolution 0
+%global split_evolution 0
+%global use_system_certs 0
+%global use_system_libgadu 0
+%global build_only_libs 0
+
+# RHEL4: Use ALSA aplay to output sounds because it lacks gstreamer
+%if 0%{?fedora} < 5
+%global force_sound_aplay 1
+%endif
+# RHEL4+ and FC5+: dbus, gstreamer, NetworkManager, modular X
+%if 0%{?fedora} >= 5
+%global dbus_integration 1
+%global gstreamer_integration 1
+%global nm_integration 1
+%global modular_x 1
+%endif
+# RHEL4+ and FC6+: dbus-glib split, bonjour, meanwhile
+%if 0%{?fedora} >= 6
+%global dbus_glib_splt 1
+%global bonjour_support 1
+%global meanwhile_integration 1
+%endif
+# RHEL4 and RHEL5: Use gnome-open instead of xdg-open (RHEL4 and RHEL5)
+%if 0%{?fedora} <= 6
+%global use_gnome_open 1
+%endif
+# F7+: Perl devel separated out
+%if 0%{?fedora} >= 7
+%global perl_devel_separated 1
+%endif
+# F8+: Perl embed separated out, generate pidgin API documentation
+%if 0%{?fedora} >= 8
+%global perl_embed_separated 1
+%global api_docs 1
+%endif
+# F10+: New NSS (3.12.3) disables weaker MD2 algorithm
+%if 0%{?fedora} >= 10
+%global nss_md2_disabled 1
+%endif
+# F11+: libidn for punycode domain support, voice and video support,
+# use system SSL certificates
+%if 0%{?fedora} >= 11
+%global vv_support 1
+%global libidn_support 1
+%global use_system_certs 1
+%endif
+# F12+: krb4 removed
+%if 0%{?fedora} >= 12
+%global krb4_removed 1
+%endif
+# EL6: Disable SILC protocol
+# (get rid of extra crypto lib for perpetually broken protocol that nobody uses)
+# (the above comment is not necessarily the view held by all maintaners of this package)
+%if 0%{?rhel} >= 6
+%global disable_silc 1
+%endif
+# F13+ Split Evolution plugin to separate package (#581144)
+%if 0%{?fedora} >= 13
+%global split_evolution 1
+%endif
+# F16+ Use system libgadu (#713888)
+%if 0%{?fedora} >= 16
+%global use_system_libgadu 1
+%endif
+# RHEL does not have libgadu
+%if 0%{?rhel}
+%global use_system_libgadu 0
+%endif
+%if 0%{?rhel} >= 7
+%global build_only_libs 1
+%global api_docs 0
+%endif
+# F18+ Disable evolution integration (temporarily?)
+# due to evolution-data-server 3.6 API changes
+%if 0%{?fedora} >= 18
+%global disable_evolution 1
+%global split_evolution 0
+%endif
+
+Name: pidgin
+Version: 2.10.7
+Release: 23%{?dist}
+License: GPLv2+ and GPLv2 and MIT
+# GPLv2+ - libpurple, gnt, finch, pidgin, most prpls
+# GPLv2 - silc & novell prpls
+# MIT - Zephyr prpl
+Group: Applications/Internet
+URL: http://pidgin.im/
+Source0: http://downloads.sourceforge.net/pidgin/pidgin-%{version}.tar.bz2
+Obsoletes: gaim < 999:1
+Provides: gaim = 999:1
+
+%if %{split_evolution}
+Obsoletes: pidgin <= 2.7.1-1%{?dist}
+%else %if %{disable_evolution}
+Obsoletes: pidgin-evolution <= 2.10.6%{?dist}
+%endif
+
+## Fedora pidgin defaults
+# Only needs regenerating if Pidgin breaks backwards compatibility with prefs.xml
+# 1) uninstall any non-default pidgin or libpurple plugins
+# 2) run pidgin as new user 3) edit preferences 4) close 5) copy .purple/prefs.xml
+# OR 1) edit manually
+# - enable ExtPlacement plugin
+# - enable History plugin
+# - enable Message Notification plugin
+# Insert count of new messages into window title
+# Set window manager "URGENT" hint
+# - disable buddy icon in buddy list
+# - enable Logging (in HTML)
+# - Browser "GNOME Default"
+# - Smiley Theme "Default"
+Source1: purple-fedora-prefs.xml
+
+## Patches 0-99: Fedora specific or upstream wont accept
+Patch0: pidgin-NOT-UPSTREAM-2.5.2-rhel4-sound-migration.patch
+Patch1: pidgin-2.10.7-drop-gadu-gadu.patch
+
+## Patches 100+: To be Included in Future Upstream
+Patch100: pidgin-2.10.1-fix-msn-ft-crashes.patch
+Patch101: pidgin-2.10.7-link-libirc-to-libsasl2.patch
+
+# CVE-2012-6152
+Patch102: pidgin-2.10.7-CVE-2012-6152.patch
+
+# CVE-2013-6477
+Patch103: pidgin-2.10.7-CVE-2013-6477.patch
+
+# CVE-2013-6478
+Patch104: pidgin-2.10.7-CVE-2013-6478.patch
+
+# CVE-2013-6479
+Patch105: pidgin-2.10.7-CVE-2013-6479.patch
+
+# CVE-2013-6481
+Patch106: pidgin-2.10.7-CVE-2013-6481.patch
+
+# CVE-2013-6482
+Patch107: pidgin-2.10.7-CVE-2013-6482.patch
+
+# CVE-2013-6483
+Patch108: pidgin-2.10.7-CVE-2013-6483.patch
+Patch109: pidgin-2.10.7-CVE-2013-6483-regression.patch
+
+# CVE-2013-6484
+Patch110: pidgin-2.10.7-CVE-2013-6484.patch
+
+# CVE-2013-6485
+Patch111: pidgin-2.10.7-CVE-2013-6485.patch
+
+# CVE-2013-6487
+Patch112: pidgin-2.10.7-CVE-2013-6487.patch
+
+# CVE-2013-6489
+Patch113: pidgin-2.10.7-CVE-2013-6489.patch
+
+# CVE-2013-6490
+Patch114: pidgin-2.10.7-CVE-2013-6490.patch
+
+# CVE-2014-0020
+Patch115: pidgin-2.10.7-CVE-2014-0020.patch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Summary: A Gtk+ based multiprotocol instant messaging client
+
+# Require Binary Compatible glib
+# returns bogus value if glib2-devel is not installed in order for parsing to succeed
+# bogus value wont make it into a real package
+%global glib_ver %([ -a %{_libdir}/pkgconfig/glib-2.0.pc ] && pkg-config --modversion glib-2.0 | cut -d. -f 1,2 || echo -n "999")
+BuildRequires: glib2-devel
+Requires: glib2 >= %{glib_ver}
+# Require exact libpurple
+Requires: libpurple%{?_isa} = %{version}-%{release}
+
+Requires(pre): GConf2
+Requires(post): GConf2
+Requires(preun): GConf2
+
+# Basic Library Requirements
+BuildRequires: autoconf
+BuildRequires: libtool
+BuildRequires: cyrus-sasl-devel
+%if %{nss_md2_disabled}
+BuildRequires: nss-devel >= 3.12.3
+%else
+BuildRequires: nss-devel
+%endif
+
+%if ! %{build_only_libs}
+BuildRequires: startup-notification-devel
+BuildRequires: gtk2-devel
+BuildRequires: desktop-file-utils
+BuildRequires: ncurses-devel
+# gtkspell integration (FC1+)
+BuildRequires: gtkspell-devel
+# Evolution integration (FC3+, < F18)
+%if ! %{disable_evolution}
+BuildRequires: evolution-data-server-devel
+%endif
+%endif
+
+BuildRequires: gettext
+BuildRequires: intltool
+BuildRequires: tcl-devel
+BuildRequires: tk-devel
+BuildRequires: libxml2-devel
+
+%if ! %{krb4_removed}
+# krb5 needed for Zephyr (FC1+)
+BuildRequires: krb5-devel
+%endif
+# SILC integration (FC3+)
+%if ! %{disable_silc}
+BuildRequires: libsilc-devel
+%endif
+# DBus integration (FC5+)
+%if %{dbus_integration}
+BuildRequires: dbus-devel >= 0.60
+BuildRequires: python >= 2.4
+%endif
+# GStreamer integration (FC5+)
+%if %{gstreamer_integration}
+BuildRequires: gstreamer-devel >= 0.10
+%endif
+# NetworkManager integration (FC5+)
+%if %{nm_integration}
+BuildRequires: NetworkManager-glib-devel
+%endif
+# Modular X (FC5+)
+%if %{modular_x}
+BuildRequires: libSM-devel
+BuildRequires: libXScrnSaver-devel
+%endif
+# Preferred Applications (xdg for FC6+)
+%if %{use_gnome_open}
+Requires: libgnome
+%else
+Requires: xdg-utils
+%endif
+# DBus GLIB Split (FC6+)
+%if %{dbus_glib_splt}
+BuildRequires: dbus-glib-devel >= 0.70
+%endif
+%if %{bonjour_support}
+BuildRequires: avahi-glib-devel
+%endif
+# Meanwhile integration (F6+)
+%if %{meanwhile_integration}
+BuildRequires: meanwhile-devel
+%endif
+# Perl devel separated out (F7+)
+%if %{perl_devel_separated}
+BuildRequires: perl-devel
+%endif
+# Perl embed separated out (F9+)
+%if %{perl_embed_separated}
+BuildRequires: perl(ExtUtils::Embed)
+%endif
+# Voice and video support (F11+)
+%if %{vv_support}
+%if 0%{?fedora} >= 17
+BuildRequires: farstream-devel
+%else
+BuildRequires: farsight2-devel
+%endif
+Requires: gstreamer-plugins-good
+%if 0%{?fedora} >= 12
+Requires: gstreamer-plugins-bad-free
+%endif
+%endif
+# libidn punycode domain support (F11+)
+%if %{libidn_support}
+BuildRequires: libidn-devel
+%endif
+%if %{use_system_libgadu}
+BuildRequires: libgadu-devel
+%endif
+
+%if %{api_docs}
+BuildRequires: doxygen
+%endif
+
+%description
+Pidgin allows you to talk to anyone using a variety of messaging
+protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,
+ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and
+Zephyr. These protocols are implemented using a modular, easy to
+use design. To use a protocol, just add an account using the
+account editor.
+
+Pidgin supports many common features of other clients, as well as many
+unique features, such as perl scripting, TCL scripting and C plugins.
+
+Pidgin is not affiliated with or endorsed by America Online, Inc.,
+Microsoft Corporation, Yahoo! Inc., or ICQ Inc.
+
+%if %{split_evolution}
+%package evolution
+Summary: Pidgin Evolution integration plugin
+Group: Applications/Internet
+Requires: %{name} = %{version}-%{release}
+Obsoletes: pidgin <= 2.7.1-1%{?dist}
+
+%description evolution
+This package contains the Evolution integration plugin for Pidgin.
+
+%endif
+
+
+%package devel
+Summary: Development headers and libraries for pidgin
+Group: Development/Libraries
+Requires: %{name} = %{version}-%{release}
+Requires: libpurple-devel = %{version}-%{release}
+Requires: pkgconfig
+Requires: gtk2-devel
+Obsoletes: gaim-devel
+Provides: gaim-devel = %{version}-%{release}
+
+
+%description devel
+The pidgin-devel package contains the header files, developer
+documentation, and libraries required for development of Pidgin scripts
+and plugins.
+
+%package perl
+Summary: Perl scripting support for Pidgin
+Group: Applications/Internet
+Requires: libpurple = %{version}-%{release}
+Requires: libpurple-perl = %{version}-%{release}
+
+%description perl
+Perl plugin loader for Pidgin. This package will allow you to write or
+use Pidgin plugins written in the Perl programming language.
+
+
+%package -n libpurple
+Summary: libpurple library for IM clients like Pidgin and Finch
+Group: Applications/Internet
+# Ensure elimination of gaim.i386 on x86_64
+Obsoletes: gaim < 999:1
+%if %{meanwhile_integration}
+Obsoletes: gaim-meanwhile
+%endif
+Requires: glib2 >= %{glib_ver}
+# Bug #212817 Jabber needs cyrus-sasl plugins for authentication
+Requires: cyrus-sasl-plain, cyrus-sasl-md5
+# Bug #979052 - Can't connect to xmpp server since upgrade from f18 to f19
+%if 0%{?fedora} >= 19
+Requires: cyrus-sasl-scram
+%endif
+# Use system SSL certificates (F11+)
+%if %{use_system_certs}
+Requires: ca-certificates
+%endif
+# Workaround for accidental shipping of pidgin-docs
+%if 0%{?rhel} == 5
+Obsoletes: pidgin-docs = 2.5.2
+%endif
+
+%description -n libpurple
+libpurple contains the core IM support for IM clients such as Pidgin
+and Finch.
+
+libpurple supports a variety of messaging protocols including AIM, MSN,
+Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ,
+Lotus Sametime, SILC, Simple and Zephyr.
+
+
+%package -n libpurple-devel
+Summary: Development headers, documentation, and libraries for libpurple
+Group: Applications/Internet
+Requires: libpurple = %{version}-%{release}
+Requires: pkgconfig
+%if %{dbus_integration}
+Requires: dbus-devel >= 0.60
+%endif
+%if %{dbus_glib_splt}
+Requires: dbus-glib-devel >= 0.70
+%endif
+
+%description -n libpurple-devel
+The libpurple-devel package contains the header files, developer
+documentation, and libraries required for development of libpurple based
+instant messaging clients or plugins for any libpurple based client.
+
+%package -n libpurple-perl
+Summary: Perl scripting support for libpurple
+Group: Applications/Internet
+Requires: libpurple = %{version}-%{release}
+Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
+
+%description -n libpurple-perl
+Perl plugin loader for libpurple. This package will allow you to write or
+use libpurple plugins written in the Perl programming language.
+
+
+%package -n libpurple-tcl
+Summary: Tcl scripting support for libpurple
+Group: Applications/Internet
+Requires: libpurple = %{version}-%{release}
+
+%description -n libpurple-tcl
+Tcl plugin loader for libpurple. This package will allow you to write or
+use libpurple plugins written in the Tcl programming language.
+
+
+%package -n finch
+Summary: A text-based user interface for Pidgin
+Group: Applications/Internet
+Requires: glib2 >= %{glib_ver}
+Requires: libpurple = %{version}-%{release}
+
+%description -n finch
+A text-based user interface for using libpurple. This can be run from a
+standard text console or from a terminal within X Windows. It
+uses ncurses and our homegrown gnt library for drawing windows
+and text.
+
+
+%package -n finch-devel
+Summary: Headers etc. for finch stuffs
+Group: Applications/Internet
+Requires: finch = %{version}-%{release}
+Requires: libpurple-devel = %{version}-%{release}
+Requires: pkgconfig
+Requires: ncurses-devel
+
+%description -n finch-devel
+The finch-devel package contains the header files, developer
+documentation, and libraries required for development of Finch scripts
+and plugins.
+
+%if %{api_docs}
+%package -n pidgin-docs
+Summary: API docs for pidgin and libpurple
+Group: Applications/Internet
+Requires: pidgin = %{version}-%{release}
+Provides: libpurple-docs = %{version}-%{release}
+
+%description -n pidgin-docs
+Doxygen generated API documentation.
+ +%endif + +%prep +echo "FEDORA=%{fedora} RHEL=%{rhel}" +%setup -q +## Patches 0-99: Fedora specific or upstream wont accept +%if %{force_sound_aplay} +%patch0 -p1 -b .aplay +%endif + +%patch1 -p1 -b .gadu-gadu + +## Patches 100+: To be Included in Future Upstream + +# http://pidgin.im/pipermail/devel/2011-November/010477.html +%patch100 -p0 -R -b .ftcrash +# https://developer.pidgin.im/ticket/15517 +%patch101 -p1 -b .irc-sasl + +%patch102 -p1 -b .CVE-2012-6152 +%patch103 -p1 -b .CVE-2013-6477 +%patch104 -p1 -b .CVE-2013-6478 +%patch105 -p1 -b .CVE-2013-6479 +%patch106 -p1 -b .CVE-2013-6481 +%patch107 -p1 -b .CVE-2013-6482 +%patch108 -p1 -b .CVE-2013-6483 +%patch109 -p1 -b .CVE-2013-6483-regression +%patch110 -p1 -b .CVE-2013-6484 +%patch111 -p1 -b .CVE-2013-6485 +%patch112 -p1 -b .CVE-2013-6487 +%patch113 -p1 -b .CVE-2013-6489 +%patch114 -p1 -b .CVE-2013-6490 +%patch115 -p1 -b .CVE-2014-0020 + +# Our preferences +cp %{SOURCE1} prefs.xml + +# RHEL5 and earlier did not have xdg-open, so use gnome-open instead +if [ "%{use_gnome_open}" == "1" ]; then + sed -i "s/value='xdg-open'/value='gnome-open'/" prefs.xml +fi + +# Bug #528796: Get rid of #!/usr/bin/env python +# Upstream refuses to use ./configure --python-path= in these scripts. +for file in finch/plugins/pietray.py libpurple/purple-remote libpurple/plugins/dbus-buddyicons-example.py \ + libpurple/plugins/startup.py libpurple/purple-url-handler libpurple/purple-notifications-example; do + sed -i 's/env python/python/' $file +done + +%build +SWITCHES="--with-extraversion=%{release}" +%if ! %{krb4_removed} + SWITCHES="$SWITCHES --with-krb4" +%endif + SWITCHES="$SWITCHES --enable-perl" +%if ! 
%{disable_evolution} + SWITCHES="$SWITCHES --enable-gevolution" +%else + SWITCHES="$SWITCHES --disable-gevolution" +%endif +%if %{dbus_integration} + SWITCHES="$SWITCHES --enable-dbus" +%else + SWITCHES="$SWITCHES --disable-dbus" +%endif +%if %{nm_integration} + SWITCHES="$SWITCHES --enable-nm" +%endif +%if %{gstreamer_integration} + SWITCHES="$SWITCHES --enable-gstreamer" +%else + SWITCHES="$SWITCHES --disable-gstreamer" +%endif +%if ! %{bonjour_support} + SWITCHES="$SWITCHES --disable-avahi" +%endif +%if ! %{meanwhile_integration} + SWITCHES="$SWITCHES --disable-meanwhile" +%endif +%if ! %{libidn_support} + SWITCHES="$SWITCHES --disable-idn" +%endif +%if ! %{vv_support} + SWITCHES="$SWITCHES --disable-vv" +%endif +%if %{use_system_certs} + SWITCHES="$SWITCHES --with-system-ssl-certs=/etc/pki/tls/certs" +%endif +%if %{build_only_libs} + SWITCHES="$SWITCHES --disable-consoleui --disable-gtkui" +%endif + +# FC5+ automatic -fstack-protector-all switch +# RHEL7+ uses -fstack-protector-strong +export RPM_OPT_FLAGS=${RPM_OPT_FLAGS//-fstack-protector /-fstack-protector-all } +export CFLAGS="$RPM_OPT_FLAGS" + +# remove after irc-sasl patch has been merged upstream +autoreconf --force --install + +# gnutls is buggy so use mozilla-nss on all distributions +%configure --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl \ + --enable-tcl --enable-tk \ + --disable-schemas-install $SWITCHES + +make %{?_smp_mflags} LIBTOOL=/usr/bin/libtool + +# one_time_password plugin, included upstream but not built by default +cd libpurple/plugins/ +make one_time_password.so LIBTOOL=/usr/bin/libtool +cd - + +%if %{api_docs} +make docs +find doc/html -empty -delete +%endif + +%install +rm -rf $RPM_BUILD_ROOT +make DESTDIR=$RPM_BUILD_ROOT install LIBTOOL=/usr/bin/libtool + +install -m 0755 libpurple/plugins/one_time_password.so $RPM_BUILD_ROOT%{_libdir}/purple-2/ + +%if ! 
%{build_only_libs} +desktop-file-install --vendor pidgin --delete-original \ + --add-category X-Red-Hat-Base \ + --dir $RPM_BUILD_ROOT%{_datadir}/applications \ + $RPM_BUILD_ROOT%{_datadir}/applications/pidgin.desktop +%endif + +# remove libtool libraries and static libraries +find $RPM_BUILD_ROOT \( -name "*.la" -o -name "*.a" \) -exec rm -f {} ';' +# remove the perllocal.pod file and other unrequired perl bits +find $RPM_BUILD_ROOT -type f -name perllocal.pod -exec rm -f {} ';' +find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';' +find $RPM_BUILD_ROOT -type f -name '*.bs' -empty -exec rm -f {} ';' +# remove relnot.so plugin since it is unusable for our package +rm -f $RPM_BUILD_ROOT%{_libdir}/pidgin/relnot.so +# remove dummy nullclient +rm -f $RPM_BUILD_ROOT%{_bindir}/nullclient +# install Fedora pidgin default prefs.xml +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/purple/ +install -m 644 prefs.xml $RPM_BUILD_ROOT%{_sysconfdir}/purple/prefs.xml + +# remove non-plugin unrequired library symlinks +rm -f $RPM_BUILD_ROOT%{_libdir}/purple-2/liboscar.so +rm -f $RPM_BUILD_ROOT%{_libdir}/purple-2/libjabber.so +rm -f $RPM_BUILD_ROOT%{_libdir}/purple-2/libymsg.so + +# make sure that we can write to all the files we've installed +# so that they are properly stripped +chmod -R u+w $RPM_BUILD_ROOT/* + +%find_lang pidgin + +%if ! %{build_only_libs} +# symlink /usr/bin/gaim to new pidgin name +ln -sf pidgin $RPM_BUILD_ROOT%{_bindir}/gaim +%endif + +%if %{api_docs} +rm -rf html +rm -f doc/html/installdox +mv doc/html/ html/ +mkdir -p $RPM_BUILD_ROOT%{_datadir}/gtk-doc/html/ +ln -sf ../../doc/pidgin-docs-%{version}/html/ \ + $RPM_BUILD_ROOT%{_datadir}/gtk-doc/html/pidgin +%endif + +%if %{build_only_libs} +rm -f $RPM_BUILD_ROOT%{_sysconfdir}/gconf/schemas/purple.schemas +%endif + +%if ! 
%{build_only_libs} +%pre +if [ "$1" -gt 1 ]; then + export GCONF_CONFIG_SOURCE=`gconftool-2 --get-default-source` + gconftool-2 --makefile-uninstall-rule \ + %{_sysconfdir}/gconf/schemas/purple.schemas >/dev/null || : + killall -HUP gconfd-2 &> /dev/null || : +fi + +%post +touch --no-create %{_datadir}/icons/hicolor || : +[ -x %{_bindir}/gtk-update-icon-cache ] && \ +%{_bindir}/gtk-update-icon-cache --quiet %{_datadir}/icons/hicolor || : +export GCONF_CONFIG_SOURCE=`gconftool-2 --get-default-source` +gconftool-2 --makefile-install-rule \ + %{_sysconfdir}/gconf/schemas/purple.schemas > /dev/null || : +killall -HUP gconfd-2 &> /dev/null || : + +%post -n finch -p /sbin/ldconfig +%endif + +%post -n libpurple -p /sbin/ldconfig + +%if ! %{build_only_libs} +%preun +if [ "$1" -eq 0 ]; then + export GCONF_CONFIG_SOURCE=`gconftool-2 --get-default-source` + gconftool-2 --makefile-uninstall-rule \ + %{_sysconfdir}/gconf/schemas/purple.schemas > /dev/null || : + killall -HUP gconfd-2 &> /dev/null || : +fi + +%postun +touch --no-create %{_datadir}/icons/hicolor || : +[ -x %{_bindir}/gtk-update-icon-cache ] && \ +%{_bindir}/gtk-update-icon-cache --quiet %{_datadir}/icons/hicolor || : + +%postun -n finch -p /sbin/ldconfig +%endif + +%postun -n libpurple -p /sbin/ldconfig + +%clean +rm -rf $RPM_BUILD_ROOT + +%if ! 
%{build_only_libs} +%files +%defattr(-,root,root,-) +%doc NEWS COPYING AUTHORS README ChangeLog doc/PERL-HOWTO.dox +%{_bindir}/pidgin +%{_bindir}/gaim +%{_libdir}/pidgin/ +%exclude %{_libdir}/pidgin/perl +%if %{split_evolution} +%exclude %{_libdir}/pidgin/gevolution.so +%endif +%{_mandir}/man1/pidgin.* +%{_datadir}/applications/pidgin.desktop +%{_datadir}/pixmaps/pidgin/ +%{_datadir}/icons/hicolor/*/apps/pidgin.* +%{_sysconfdir}/gconf/schemas/purple.schemas + +%if %{split_evolution} +%files evolution +%defattr(-,root,root,-) +%{_libdir}/pidgin/gevolution.so +%endif + +%files perl +%defattr(-,root,root,-) +%{_mandir}/man3/Pidgin* +%{_libdir}/pidgin/perl/ + +%files devel +%defattr(-,root,root,-) +%{_includedir}/pidgin/ +%{_libdir}/pkgconfig/pidgin.pc +%endif + +%files -f pidgin.lang -n libpurple +%defattr(-,root,root,-) +%doc COPYING +%{_libdir}/purple-2/ +%exclude %{_libdir}/purple-2/perl +%{_libdir}/libpurple.so.* +%{_datadir}/sounds/purple/ +%{_datadir}/purple +%dir %{_sysconfdir}/purple +%config(noreplace) %{_sysconfdir}/purple/prefs.xml +%if %{dbus_integration} +%{_bindir}/purple-client-example +%{_bindir}/purple-remote +%{_bindir}/purple-send +%{_bindir}/purple-send-async +%{_bindir}/purple-url-handler +%{_libdir}/libpurple-client.so.* +#%%{_datadir}/dbus-1/services/pidgin.service +%doc libpurple/purple-notifications-example +%endif +%exclude %{_libdir}/purple-2/tcl.so +%exclude %{_libdir}/purple-2/perl.so +%exclude %{_libdir}/purple-2/perl/ + +%files -n libpurple-devel +%defattr(-,root,root,-) +%{_datadir}/aclocal/purple.m4 +%{_libdir}/libpurple.so +%{_includedir}/libpurple/ +%{_libdir}/pkgconfig/purple.pc +%if %{dbus_integration} +%{_libdir}/libpurple-client.so +%endif + +%files -n libpurple-perl +%defattr(-,root,root,-) +%{_mandir}/man3/Purple* +%{_libdir}/purple-2/perl.so +%{_libdir}/purple-2/perl/ + +%files -n libpurple-tcl +%defattr(-,root,root,-) +%{_libdir}/purple-2/tcl.so + +%if ! 
%{build_only_libs}
+%files -n finch
+%defattr(-,root,root,-)
+%{_bindir}/finch
+%{_libdir}/finch/
+%{_libdir}/gnt/
+%{_libdir}/libgnt.so.*
+%{_mandir}/man1/finch.*
+
+%files -n finch-devel
+%defattr(-,root,root,-)
+%{_includedir}/finch/
+%{_includedir}/gnt/
+%{_libdir}/libgnt.so
+%{_libdir}/pkgconfig/gnt.pc
+%{_libdir}/pkgconfig/finch.pc
+%endif
+
+%if %{api_docs}
+%files -n pidgin-docs
+%defattr(-,root,root,-)
+%doc html
+%{_datadir}/gtk-doc/html/*
+%endif
+
+%changelog
+* Tue Aug 19 2014 Ray Strode 2.10.7-23
+- Stop mucking with dist
+- Drop support for really old rhel
+ Resolves: #1028568
+
+* Mon Feb 03 2014 Matthew Barnes - 2.10.7-22.el7
+- Fix regression in CVE-2013-6483.
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-21.el7
+- Add patch for CVE-2014-0020 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-20.el7
+- Add patch for CVE-2013-6490 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-19.el7
+- Add patch for CVE-2013-6489 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-18.el7
+- Add patch for CVE-2013-6487 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-17.el7
+- Add patch for CVE-2013-6477 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-16.el7
+- Add patch for CVE-2013-6485 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-15.el7
+- Add patch for CVE-2013-6484 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-14.el7
+- Add patch for CVE-2013-6483 (RH bug #1058243).
+
+* Wed Jan 29 2014 Matthew Barnes - 2.10.7-13.el7
+- Add patch for CVE-2013-6482 (RH bug #1058243).
+
+* Tue Jan 28 2014 Matthew Barnes - 2.10.7-12.el7
+- Add patch for CVE-2013-6481 (RH bug #1058243).
+
+* Tue Jan 28 2014 Matthew Barnes - 2.10.7-11.el7
+- Add patch for CVE-2013-6479 (RH bug #1058243).
+
+* Tue Jan 28 2014 Matthew Barnes - 2.10.7-10.el7
+- Turns out the previous patch is actually for CVE-2013-6478.
+
+* Mon Jan 27 2014 Matthew Barnes - 2.10.7-9.el7
+- Add patch for CVE-2013-6477 (RH bug #1058243).
+
+* Mon Jan 27 2014 Matthew Barnes - 2.10.7-8.el7
+- Add patch for CVE-2012-6152 (RH bug #1058243).
+
+* Fri Jan 24 2014 Daniel Mach - 2.10.7-7.el7
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 Debarshi Ray - 2.10.7-6
+- Fix setting -fstack-protector on RHEL7+, use -fstack-protector-strong there
+- Resolves: #1048893
+
+* Fri Dec 27 2013 Daniel Mach - 2.10.7-5.el7
+- Mass rebuild 2013-12-27
+
+* Thu Nov 07 2013 Debarshi Ray - 2.10.7-4
+- Drop Gadu-Gadu support in RHEL (Red Hat #1026505)
+
+* Mon Jul 01 2013 Jan Synáček - 2.10.7-3
+- Require cyrus-sasl-scram, BZ 979052
+
+* Tue Apr 30 2013 Daniel Mach - 2.10.7-2.2
+- Rebuild for cyrus-sasl
+
+* Mon Feb 25 2013 Jan Synáček - 2.10.7-2
+- Fix IRC support, BZ 914794
+
+* Wed Feb 20 2013 Jan Synáček - 2.10.7-1
+- Update to 2.10.7, BZ 911088
+
+* Thu Feb 14 2013 Fedora Release Engineering - 2.10.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Sep 26 2012 Jan Synáček - 2.10.6-4
+- Correctly obsolete pidgin-evolution if evolution integration is disabled,
+ BZ 860285
+
+* Sat Jul 21 2012 Fedora Release Engineering - 2.10.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 Petr Pisar - 2.10.6-2
+- Perl 5.16 rebuild
+
+* Wed Jul 11 2012 Jan Synáček - 2.10.6-1
+- Update to 2.10.6, BZ 838311
+
+* Tue Jul 10 2012 Petr Pisar - 2.10.5-3
+- Perl 5.16 rebuild
+
+* Fri Jul 06 2012 Stu Tomlinson 2.10.5-2
+- Disable evolution integration on F18+ due to API changes in
+ evolution-data-server 3.6
+
+* Thu Jul 05 2012 Stu Tomlinson 2.10.5-1
+- Update to 2.10.5, CVE-2012-3374
+- Allow building only libraries (#831364)
+- Revive FT crash prevention patch
+
+* Mon Jun 11 2012 Petr Pisar - 2.10.4-2
+- Perl 5.16 rebuild
+
+* Wed May 30 2012 Jon Ciesla - 2.10.4-1
+- Update to 2.10.4, CVE-2012-2214, CVE-2012-2318, BZ 806839, 819454.
+- Port to farstream patch upstreamed.
+
+* Wed May 02 2012 Milan Crha - 2.10.2-2
+- Rebuild against newer evolution-data-server
+
+* Fri Mar 23 2012 Jon Ciesla - 2.10.2-1
+- Update to 2.10.2, BZ 803293, 803299.
+- Dropping MSN patches. Protocol patch not needed, won't connect
+- to 16 by default. Crash patch was upstreamed.
+- Dropped nm09 patch, upstreamed.
+
+* Fri Mar 9 2012 Tom Callaway - 2.10.1-4
+- fedora 17+ uses farstream now instead of farsight2
+
+* Wed Jan 18 2012 Matthew Barnes - 2.10.1-3
+- Map RHEL 7 to Fedora 16 (for now).
+
+* Wed Jan 18 2012 Matthew Barnes - 2.10.1-2
+- Map RHEL 7 to Fedora 16 (for now).
+
+* Thu Dec 29 2011 Stu Tomlinson 2.10.1-1
+- 2.10.1, includes security fixes for CVE-2011-3594, CVE-2011-4601,
+ CVE-2011-4602, CVE-2011-4603
+
+* Mon Nov 28 2011 Milan Crha 2.10.0-5
+- Rebuild against newer evolution-data-server
+
+* Sun Oct 30 2011 Bruno Wolff III 2.10.0-4
+- Rebuild against newer evolution-data-server
+
+* Tue Aug 30 2011 Milan Crha 2.10.0-3
+- Sync version with f16 branch
+
+* Mon Aug 29 2011 Milan Crha 2.10.0-2
+- Rebuild against newer evolution-data-server
+
+* Sun Aug 21 2011 Stu Tomlinson 2.10.0-1
+- 2.10.0
+- Link against system libgadu instead of using internal copy (#713888)
+
+* Tue Aug 16 2011 Milan Crha 2.9.0-3
+- Rebuild against newer evolution-data-server
+
+* Thu Jul 21 2011 Petr Sabata - 2.9.0-2
+- Perl mass rebuild
+
+* Thu Jun 30 2011 Stu Tomlinson 2.8.0-3
+- 2.9.0, includes security/DoS fix to work around gdk-pixbuf issue
+ CVE-2011-2485
+
+* Mon Jun 20 2011 Milan Crha 2.8.0-3
+- Rebuild against new evolution-data-server
+
+* Fri Jun 17 2011 Marcela Mašláňová - 2.8.0-2
+- Perl mass rebuild
+
+* Mon Jun 13 2011 Stu Tomlinson 2.8.0-1
+- 2.8.0
+
+* Fri May 20 2011 Kalev Lember 2.7.11-4
+- Rebuilt for libcamel soname bump
+
+* Tue Apr 26 2011 Dan Williams 2.7.11-3
+- A few more NetworkManager 0.9 fixes
+
+* Fri Mar 25 2011 Dan Williams 2.7.11-2
+- Rebuild for NetworkManager 0.9
+
+* Fri Mar 11 2011 Stu Tomlinson
2.7.11-1 +- 2.7.11, includes security/DoS fixes in Yahoo protocol + CVE-2011-1091 (#683031) + +* Thu Mar 10 2011 Dan Williams 2.7.10-2 +- Update for NetworkManager 0.9 + +* Tue Feb 22 2011 Stu Tomlinson 2.7.10-1 +- 2.7.10 + +* Wed Feb 09 2011 Fedora Release Engineering - 2.7.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Feb 01 2011 Milan Crha 2.7.9-3 +- Rebuild against newer evolution-data-server + +* Wed Jan 12 2011 Milan Crha 2.7.9-2 +- Rebuild against newer evolution-data-server + +* Mon Dec 27 2010 Stu Tomlinson 2.7.9-1 +- 2.7.9, includes security/DoS fix in the MSN protocol (#665856) + +* Mon Nov 29 2010 Stu Tomlinson 2.7.7-1 +- 2.7.7 +- Disable MSNP16 due to regressions interacting with official client + +* Fri Nov 19 2010 Stu Tomlinson 2.7.5-2 +- Add additional intermediate CA certificates to fix MSN + +* Mon Nov 01 2010 Stu Tomlinson 2.7.5-1 +- 2.7.5 + +* Fri Oct 22 2010 Stu Tomlinson 2.7.4-1 +- 2.7.4, includes security fix for CVE-2010-3711 + +* Tue Oct 12 2010 Milan Crha - 2.7.3-6 +- Rebuild against newer evolution-data-server + +* Wed Sep 29 2010 jkeating - 2.7.3-5 +- Rebuilt for gcc bug 634757 + +* Thu Sep 16 2010 Stu Tomlinson 2.7.3-4 +- Rebuild against newer libedataserver + +* Mon Sep 13 2010 Dan Horák 2.7.3-3 +- drop the s390(x) ifarchs + +* Mon Aug 23 2010 Tom "spot" Callaway 2.7.3-2 +- use _isa in explicit Requires on libpurple to prevent yum from trying to + jump architectures to resolve dependency + +* Wed Aug 11 2010 Stu Tomlinson 2.7.3-1 +- 2.7.3 + +* Wed Jul 21 2010 Stu Tomlinson 2.7.2-1 +- 2.7.2 with a security fix (CVE-2010-2528) and a couple of bug fixes (#601650) + +* Thu Jul 15 2010 Stu Tomlinson 2.7.1-5 +- Rebuild against newer libedataserver +- spec file cleanup: + replace %%define with %%global + replace tabs with spaces for consistency + mark prefs.xml as a config file + +* Wed Jul 07 2010 Stu Tomlinson 2.7.1-4 +- Include license in libpurple subpackage + +* Tue Jun 01 2010 Marcela Maslanova - 
2.7.1-3 +- Mass rebuild with perl-5.12.0 + +* Sun May 30 2010 Stu Tomlinson 2.7.1-2 +- Add Obsoletes to pull in pidgin-evolution during update + +* Sun May 30 2010 Stu Tomlinson 2.7.1-1 +- 2.7.1 +- Adds Direct Connection support for MSN +- Numerous bug fixes +- Evolution support moved to pidgin-evolution for F13+ (#581144) + +* Thu May 20 2010 Stu Tomlinson 2.7.0-2 +- Upstream backports: + 3c30f64efedafc379b6536852bbb3b6ef5f1f6c9 - fix for receiving HTML on ICQ + 13fbe0815f84d5b3c001947559f5818c10275f4c - prevent null deref on disconnecting account (#592750) + c4a874926d07b8597db4b78a181a89cf720a8418 - fix blinking tray icon on new message (#592691) + cfe0e649dda34d9252d40d8f67e445336a247998 - prevent race condition on Yahoo! login + e3dd36706068f3b8eabd630ff71d270c145cce42 - fix crash in Oscar (#548128) + 13fbe0815f84d5b3c001947559f5818c10275f4c - fix crash during network disconnect (#592750) + +* Thu May 13 2010 Stu Tomlinson - 2.7.0-1 +- 2.7.0 with features, bug fixes and a security fix: CVE-2010-1624 (#591806) +- Use System SSL Certificates (#576721) +- Add additional dependencies for Voice + Video (#581343) +- Upstream backport: + 87ada76abf90c44e615679efc5f8128bb941bba1 Reduce MSN traffic + +* Thu Mar 04 2010 Warren Togami - 2.6.6-2 +- Upstream backports: + 0e3079d15adeb12c1e57ceaf5bf037f9b71c8abd Fix AIM SSL clientLogin + b14ee507e932a395a0e1f29298af162c8614ca0f Fix AIM clientLogin with proxy + +* Tue Feb 16 2010 Warren Togami - 2.6.6-1 +- 2.6.6 with security and numerous minor bug fixes + CVE-2010-0277 CVE-2010-0420 CVE-2010-0423 +- Bug #528796: Get rid of #!/usr/bin/env python + +* Fri Jan 8 2010 Warren Togami - 2.6.5-2 +- 2.6.5 +- CVE-2010-0013 +- Other bug fixes +- Fix build with old gcc versions (RHEL4) + +* Tue Dec 8 2009 Warren Togami - 2.6.4-4 +- temporarily disable evolution integration in F13 until it is fixed + +* Wed Dec 02 2009 Warren Togami 2.6.4-2 +- disable SILC in EL6 builds + +* Mon Nov 30 2009 Warren Togami 2.6.4-1 +- 2.6.4 + +* Mon Oct 19 
2009 Warren Togami 2.6.3-2 +- Upstream backport: + 3abad7606f4a2dfd1903df796f33924b12509a56 msn_servconn_disconnect-crash + +* Fri Oct 16 2009 Warren Togami 2.6.3-1 +- 2.6.3 CVE-2009-3615 + +* Wed Sep 09 2009 Warren Togami 2.6.2-2 +- Upstream backports: + 97e003ed2bc2bafbb993693c9ae9c6d667731cc1 aim-buddy-status-grab + 37aa00d044431100d37466517568640cb082680c yahoo-buddy-idle-time + 40005b889ee276fbcd0a4e886a68d8a8cce45698 yahoo-status-change-away + cb46b045aa6e927a3814d9053c2b1c0f08d6fa62 crash-validate-jid + +* Sun Sep 06 2009 Stu Tomlinson 2.6.2-1.1 +- VV support needs to be explicitly disabled on F10 + +* Sun Sep 06 2009 Stu Tomlinson 2.6.2-1 +- 2.6.2 Fixes a number of crashes +- CVE-2009-2703, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085 + +* Wed Aug 19 2009 Warren Togami 2.6.1-1 +- 2.6.1: Fix a crash when some users send you a link in a Yahoo IM + +* Tue Aug 18 2009 Warren Togami 2.6.0-1 +- CVE-2009-2694 +- Voice and Video support via farsight2 (Fedora 11+) +- Numerous other bug fixes + +* Tue Aug 06 2009 Warren Togami 2.6.0-0.11.20090812 +- new snapshot at the request of maiku + +* Tue Aug 06 2009 Warren Togami 2.6.0-0.10.20090806 +- new snapshot - theoretically better sound quality in voice chat + +* Tue Aug 04 2009 Warren Togami 2.6.0-0.9.20090804 +- new snapshot + +* Mon Jul 27 2009 Warren Togami 2.6.0-0.8.20090727 +- new snapshot + +* Mon Jul 27 2009 Stu Tomlinson 2.6.0-0.6.20090721 +- Prevent main libpurple & pidgin packages depending on perl (#513902) + +* Sun Jul 26 2009 Fedora Release Engineering - 2.6.0-0.5.20090721 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Wed Jul 22 2009 Warren Togami 2.6.0-0.4.20090721 +- rebuild + +* Tue Jul 21 2009 Warren Togami 2.6.0-0.3.20090721 +- prevent crash with no camera when closing vv window + +* Tue Jul 21 2009 Warren Togami 2.6.0-0.1.20090721 +- 2.6.0 snapshot with voice and video support via farsight2 + +* Sat Jul 11 2009 Stu Tomlison 2.5.8-2 +- Backport patch from upstream to enable 
NSS to recognize root CA + certificates that use MD2 & MD4 algorithms in their signature, as + used by some MSN and XMPP servers + +* Sun Jun 28 2009 Warren Togami 2.5.8-1 +- 2.5.8 with several important bug fixes + +* Mon Jun 22 2009 Warren Togami 2.5.7-2 +- glib2 compat with RHEL-4 + +* Sat Jun 20 2009 Warren Togami 2.5.7-1 +- 2.5.7 with Yahoo Protocol 16 support + +* Wed May 20 2009 Stu Tomlinson 2.5.6-1 +- 2.5.6 + +* Mon Apr 20 2009 Warren Togami 2.5.5-3 +- F12+ removed krb4 + +* Tue Mar 03 2009 Stu Tomlinson 2.5.5-1 +- 2.5.5 + +* Thu Feb 26 2009 Fedora Release Engineering - 2.5.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Tue Jan 27 2009 Warren Togami 2.5.4-2 +- one_time_password plugin +- Eliminate RPATH + +* Mon Jan 12 2009 Stu Tomlinson 2.5.4-1 +- 2.5.4 + +* Fri Dec 26 2008 Warren Togami 2.5.3-1 +- 2.5.3 + +* Sat Nov 22 2008 Warren Togami 2.5.2-6 +- Automatically detect booleans to enable build features from dist tag +- Unify RHEL4 and RHEL5 spec with Fedora to make both easier to maintain + +* Fri Nov 21 2008 Warren Togami 2.5.2-2 +- Upstream backports: + 100: sametime-redirect-null crash + 101: NetworkManager-improvement + 102: no-password-in-dialog-if-not-remembering + 103: temporarily-remember-password-during-auto-reconnect + 104: smilie-theme-change-crash + 105: url_fetch_connect_cb-double-free crash + 106: GtkIMHtmlSmileys-remove-crash + 107: remove-dialog-from-open-dialog-list + +* Mon Oct 20 2008 Stu Tomlinson 2.5.2-1 +- 2.5.2 +- Generate doxygen API documentation (#466693) + +* Tue Sep 16 2008 Stu Tomlinson 2.5.1-3 +- Backport fixes from upstream: + Add "Has You:" back to MSN tooltips + Fix crash during removal of your own buddy icon + Fix crash when handling self signed certificate with NSS SSL + +* Tue Sep 16 2008 Stu Tomlinson 2.5.1-2 +- Fix a crash with GNOME proxy enabled (#461951) + +* Sun Aug 31 2008 Stu Tomlinson 2.5.1-1 +- 2.5.1 + +* Sat Aug 23 2008 Stu Tomlinson 2.5.0-1 +- 2.5.0 + +* Tue Jul 01 2008 Stu 
Tomlinson 2.4.3-1.1 +- Add a patch to build with latest rawhide tcl + +* Tue Jul 01 2008 Stu Tomlinson 2.4.3-1 +- 2.4.3 + +* Sat May 17 2008 Stu Tomlinson 2.4.2-1 +- 2.4.2 + +* Tue May 13 2008 Stu Tomlinson 2.4.1-3 +- Rebuild for new evolution-data-server +- Clean up default prefs.xml +- Enable nautilus integration plugin by default in prefs.xml (#242289) + +* Mon Mar 31 2008 Stu Tomlinson 2.4.1-2 +- nss-devel no longer provides mozilla-nss-devel + +* Mon Mar 31 2008 Stu Tomlinson 2.4.1-1 +- 2.4.1 + +* Tue Mar 18 2008 Tom "spot" Callaway 2.4.0-4 +- add Requires for versioned perl (libperl.so) + +* Fri Mar 14 2008 Stu Tomlinson 2.4.0-3 +- BuildRequire perl(ExtUtils::Embed) for perl 5.10 + +* Fri Mar 14 2008 Stu Tomlinson 2.4.0-2 +- Fix download URL +- Use xdg-open instead of gnome-open (#388521, Ville Skyttä) + +* Fri Feb 29 2008 Stu Tomlinson 2.4.0-1 +- 2.4.0 + +* Mon Feb 11 2008 Stu Tomlinson 2.3.1-3 +- %%{_datadir}/purple should be owned by libpurple (#427807) +- Rebuild for gcc 4.3 + +* Fri Jan 04 2008 Jason L Tibbitts III - 2.3.1-2 +- Bump to rebuild against new tcl. 
+ +* Fri Dec 07 2007 Stu Tomlinson 2.3.1-1 +- 2.3.1 Many bugfixes + +* Tue Nov 27 2007 Stu Tomlinson - 2.3.0-1 +- Fix MSN local display name bug + +* Mon Nov 26 2007 Stu Tomlinson - 2.3.0-1 +- 2.3.0 + +* Wed Oct 24 2007 Warren Togami - 2.2.2-1 +- 2.2.2 CVE-2007-4999 + +* Sun Oct 7 2007 Michel Salim - 2.2.1-2 +- BR on avahi-glib-devel to supply complete set of Avahi headers + +* Mon Oct 1 2007 Warren Togami - 2.2.1-1 +- 2.2.1 with many bug fixes and CVE-2007-4996 DOS fix + +* Sat Sep 29 2007 Michel Salim - 2.2.0-3 +- Build against avahi proper instead of its HOWL compatibility layer + +* Tue Sep 18 2007 Warren Togami - 2.2.0-2 +- License clarification +- Backport patches to fix memory leaks +- Backport patches to fix proxy settings & status scores + +* Tue Sep 18 2007 Warren Togami - 2.2.0-1 +- 2.2.0 + +* Mon Aug 20 2007 Warren Togami - 2.1.1-1 +- 2.1.1 + +* Wed Aug 15 2007 Warren Togami - 2.1.0-2 +- Upstream fix backports + 115: gmail-notification-crash #2323 + 117: drag-and-drop-mouse-click-group-header #2333 + 118: jabber-confirm-authentication-unencrypted-crash #2493 + +* Mon Aug 6 2007 Warren Togami +- require exact version of libpurple (#250720) + +* Mon Jul 30 2007 Stu Tomlinson - 2.1.0-1 +- 2.1.0 +- Only include translations in libpurple instead of duplicating them in + packages that depend on libpurple anyway + +* Tue Jun 19 2007 Warren Togami - 2.0.2-3 +- libpurple obsoletes and provides gaim + This smoothens multilib the upgrade path. 
+ +* Fri Jun 15 2007 Stu Tomlinson - 2.0.2-1 +- 2.0.2 + +* Wed Jun 6 2007 Stu Tomlinson - 2.0.1-5 +- Enable Bonjour support (#242949) +- Fix building against latest evolution-data-server + +* Tue Jun 5 2007 Stu Tomlinson - 2.0.1-4 +- Fix purple-remote for AIM & ICQ accounts (#240589) +- Add missing Requires to -devel packages +- Add missing BuildRequires for libxml2-devel + +* Fri May 31 2007 Stu Tomlinson - 2.0.1-2 +- Call g_thread_init early (#241883) +- Fix purple-remote syntax error (#241905) + +* Mon May 28 2007 Stu Tomlinson - 2.0.1-1 +- 2.0.1 + +* Wed May 9 2007 Stu Tomlinson - 2.0.0-3 +- Split out Perl plugin support into subpackages +- Add Tcl plugin support in a subpackage + +* Sun May 6 2007 Stu Tomlinson - 2.0.0-2 +- Silence errors when gconfd-2 is not running + +* Sat May 5 2007 Stu Tomlinson - 2.0.0-1.1 +- Add perl-devel to BuildRequires + +* Fri May 4 2007 Stu Tomlinson - 2.0.0-1 +- 2.0.0 +- Add scriptlets to install & uninstall GConf schemas +- Move schema file from libpurple to Pidgin to avoid GConf + dependencies in libpurple +- rename gaim-fedora-prefs.xml to purple-fedora-prefs.xml + +* Tue May 1 2007 Stu Tomlinson +- Update Gtk icon cache when installing or uninstalling (#238621) +- Don't own all directories we put icons in + +* Mon Apr 30 2007 Warren Togami - 2.0.0-0.36.beta7 +- pidgin-2.0.0beta7, bug fixes and pref migration handling + +* Sat Apr 21 2007 Warren Togami - 2.0.0-0.35.beta7devel +- upstream insists that we remove the Epoch + rawhide users might need to use --oldpackage once to upgrade +- remove mono and howl cruft + +* Wed Apr 18 2007 Stu Tomlinson - 2:2.0.0-0.34.beta7devel +- Split into pidgin, finch & libpurple, along with corresponding -devel RPMs +- Remove ldconfig for plugin directories +- Fix non-UTF8 %%changelog + +* Tue Apr 17 2007 Warren Togami +- -devel req pkgconfig (#222488) + +* Mon Apr 16 2007 Warren Togami - 2:2.0.0-0.33.beta7devel +- pidgin-2.0.0 snapshot prior to beta7 +- rename gaim to pidgin/purple/finch in 
various places of spec (not complete) +- ExcludeArch s390, s390x. It never did work there. +- Include meanwhile plugin by moving to Extras + +* Fri Mar 23 2007 Warren Togami - 2:2.0.0-0.31.beta6 +- Removed debian-02_gnthistory-in-gtk + Removed debian-03_gconf-gstreamer.patch + Upstream recommended removing these patches. +- Add fix-buggy-fetch-url +- Enable type_chat and type_chat_nick in default prefs.xml + +* Sat Jan 20 2007 Warren Togami - 2:2.0.0-0.30.beta6 +- 2.0.0 beta6 + +* Thu Jan 18 2007 Warren Togami - 2:2.0.0-0.29.beta5 +- Debian patch 17_upnp_crash +- Debian patch 18_jabber-roster-crash + +* Mon Dec 11 2006 Warren Togami - 2:2.0.0-0.28.beta5 +- Debian patch 13_yahoo_webauth_disable + temporarily disable the broken yahoo web auth fallback + +* Wed Dec 06 2006 Warren Togami - 2:2.0.0-0.27.beta5 +- Debian patch 12_gstreamer-cleanup, hopefully fixes #218070 + +* Tue Dec 05 2006 Warren Togami - 2:2.0.0-0.26.beta5 +- Jabber SASL Authentication Crash (#217335) + +* Wed Nov 29 2006 Warren Togami - 2:2.0.0-0.25.beta5 +- GTK File dialog blanked fix (#217768) + +* Tue Nov 28 2006 Warren Togami - 2:2.0.0-0.24.beta5 +- Debian patch 10_text-arrow-keys +- Debian patch 11_reread-resolvconf + +* Sun Nov 26 2006 Warren Togami - 2:2.0.0-0.23.beta5 +- Debian patch 08_jabber-info-crash + +* Tue Nov 21 2006 Warren Togami - 2:2.0.0-0.22.beta5 +- 2.0.0 beta5 +- Debian patches + 02_gnthistory-in-gtk + 03_gconf-gstreamer + 04_blist-memleak + 05_url-handler-xmpp + 06_jabber-registration-srv + 07_msn-custom-smiley-crash +- SILC Account Edit Crash + +* Tue Nov 21 2006 Warren Togami - 2:2.0.0-0.21.beta4 +- #212817 Jabber needs cyrus-sasl plugins for authentication + +* Wed Nov 15 2006 Warren Togami - 2:2.0.0-0.20.beta4 +- #215704 Revert Yahoo protocol version identifier + +* Wed Nov 8 2006 Warren Togami - 2:2.0.0-0.19.beta4 +- buildreq NetworkManager-glib-devel FC5+ (katzj) +- #213800 debug window freeze fix +- #212818 IRC SIGPIPE crash fix + +* Wed Oct 25 2006 Warren Togami - 
2:2.0.0-0.17.beta4 +- temporary workaround for gstreamer build bug in beta4 + --enable-gstreamer prevented it from working =) + NOTE: beta4 removed libao support entirely. Distros that lack gstreamer-0.10+ + will need to use command line sound output from now on. +- Gadu Gadu is re-included in beta4 without requirement of external library + +* Mon Oct 23 2006 Warren Togami - 2:2.0.0-0.16.beta4 +- 2.0.0 beta4 +- gaim-text ncurses interface! +- gstreamer integration with FC5+ + +* Thu Oct 05 2006 Warren Togami - 2:2.0.0-0.15.beta3 +- delete config.h correctly (rvokal) + +* Thu Oct 05 2006 Warren Togami - 2:2.0.0-0.14.beta3 +- Fix multilib conflict in -devel (#205206) + +* Sat Sep 30 2006 Matthias Clasen - 2:2.0.0-0.13.beta3 +- Make the tray icon work with transparent panels (#208706) + +* Mon Jul 31 2006 Warren Togami - 2:2.0.0-0.11.beta3 +- rebuild for new libebook + +* Tue Jul 25 2006 Warren Togami - 2:2.0.0-0.9.beta3 +- fix crash with certain UTF-8 names in buddy list (#199590) + +* Sat Jul 22 2006 Warren Togami - 2:2.0.0-0.8.beta3 +- move gaim.pc to -devel (#199761) + +* Wed Jul 19 2006 Warren Togami - 2:2.0.0-0.7.beta3 +- cleanup spec and update default pref + +* Wed Jul 19 2006 John (J5) Palmieri - 2:2.0.0-0.6.beta3.2 +- Add BR for dbus-glib-devel + +* Wed Jul 12 2006 Jesse Keating - 2:2.0.0-0.6.beta3.1 +- rebuild + +* Wed Jul 05 2006 Warren Togami 2.0.0-0.6.beta3 +- SILC blank realname failure fix (#173076) + +* Thu Jun 29 2006 Warren Togami 2.0.0-0.5.beta3 +- buildreq libSM-devel (#197241) + +* Wed Jun 28 2006 Warren Togami 2.0.0-0.4.beta3 +- rebuild against libsilc-1.0.2 + +* Tue Jun 27 2006 Warren Togami 2.0.0-0.3.beta3 +- more spec cleanups +- buildreq libXScrnSaver-devel, gettext, intltool, desktop-file-utils +- disable mono for now due to #196877 + +* Mon Jun 26 2006 Tom "spot" Callaway +- split out -devel package to meet guidelines + +* Mon Jan 23 2006 Tom "spot" Callaway +- gaim2 version of the spec + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* 
Thu Nov 10 2005 Warren Togami - 1:1.5.0-9 +- Ensure that security opt flags are used (#165795) +- Many bug fixes from Peter Lawler (#171350) + 156: Fix Yahoo chatroom ignore on join + 157: Fix Italian yahoo profiles + 158: Strip HTML from status + 159: xmlnode cleanup + 160: Fix crash on non-terminated strings + 161: silc-close-gaim_request-window-prpl-disconnect-p1 + 162: silc-close-gaim_request-window-prpl-disconnect-p2 + 163: silc-close-gaim_request-window-prpl-disconnect-p3 + 164: silc-close-gaim_request-window-prpl-disconnect-p4 + 165: silc-close-gaim_request-window-prpl-disconnect-p5 + 166: silc-close-gaim_request-window-prpl-disconnect-p6 + 167: MSN data corruption fix + 168: msn-kill-convo-close-timeout-notices-p1 + 169: msn-kill-convo-close-timeout-notices-p2 + 170: msn-kill-convo-close-timeout-notices-p3 + 171: forceful-connection_disconnect-not-wipe-password + 172: Clipboard leak and history scrolling fix + 173: smileys-logtype-p1 + 174: smileys-logtype-p2 + 175: Allow Italics in IRC + 176: Add more authors + 177: Update copyright + 178: Update HACKING doc + 179: Fix doc creation + 180: Fix AIM/ICQ Rate Limiting issue + +* Thu Oct 13 2005 Ray Strode - 1:1.5.0-7 +- use upstream desktop file (except use generic name, because + this is our default instant messaging client) + +* Tue Sep 27 2005 Warren Togami - 1:1.5.0-6 +- remove -Wno-pointer-sign, not sure why it was needed earlier +- fix FORTIFY_SOURCE on FC3 + +* Thu Sep 15 2005 Jeremy Katz - 1:1.5.0-5 +- rebuild for new e-d-s + +* Sun Aug 21 2005 Peter Jones - 1:1.5.0-4 +- rebuild for new cairo, add -Wno-pointer-sign +- add -Wno-pointer-sign until somebody maintaining this package makes it build + without it. 
+ +* Sun Aug 14 2005 Warren Togami - 1:1.5.0-2 +- always use -z relro and FORTIFY_SOURCE opt flags for FC3+ and RHEL4+ + (compiler simply ignores these flags if they are unsupported) + +* Thu Aug 11 2005 Warren Togami - 1:1.5.0-1 +- 1.5.0 security and bug fixes + CAN-2005-2370 Gadu-Gadu memory alignment bug + CAN-2005-2102 AIM/ICQ non-UTF-8 Filename Crash + CAN-2005-2103 AIM/ICQ away message buffer overflow + +* Tue Aug 9 2005 Jeremy Katz - 1:1.4.0-7 +- rebuild for new evolution-data-server + +* Mon Aug 1 2005 Warren Togami 1:1.4.0-6 +- FC5+ bash regex replace for -fstack-protector-all (mharris) + +* Sun Jul 31 2005 Warren Togami 1:1.4.0-5 +- FC5+ automatic -fstack-protector-all switch +- 150: MSN buddy names with space disconnect and profile corruption + (supercedes patch 149) +- 151: Gadu Gadu memory alignment crash +- 152: Rename Group Merge crash +- 153: mailto: parse crash (util.c) +- 154: mailto: parse crash (MSN) +- 155: mailto: parse crash (Zephyr) + +* Mon Jul 11 2005 Warren Togami 1:1.4.0-4 +- 149: MSN username with space disconnect fix +- Do not own perl dir, remove empty files (#162994 jpo) + +* Sun Jul 10 2005 Warren Togami 1:1.4.0-2 +- 148: AIM login crash fix + +* Thu Jul 07 2005 Warren Togami 1:1.4.0-1 +- 1.4.0 + +* Thu Jun 09 2005 Warren Togami 1:1.3.1-0 +- 1.3.1 more bug fixes + CAN-2005-1269 CAN-2005-1934 +- enable Message Notification plugin by default + +* Tue May 10 2005 Warren Togami 1:1.3.0-1 +- 1.3.0 many bug fixes and two security fixes + long URL crash fix (#157017) CAN-2005-1261 + MSN bad messages crash fix (#157202) CAN-2005-1262 + +* Thu Apr 07 2005 Warren Togami 1:1.2.1-4 +- use mozilla-nss everywhere because gnutls is buggy (#135778) + +* Wed Apr 06 2005 Warren Togami 1:1.2.1-2 +- 147: drag-n-drop URL crash fix + +* Sun Apr 03 2005 Warren Togami 1:1.2.1-1 +- update to 1.2.1 CAN-2005-0965 CAN-2005-0966 CAN-2005-0967 + +* Fri Mar 18 2005 Warren Togami 1:1.2.0-1 +- update to 1.2.0 (minor bug fixes) + +* Mon Mar 07 2005 Warren Togami 
1:1.1.4-5 +- Copy before modifying prefs.xml + +* Sun Mar 06 2005 Warren Togami 1:1.1.4-4 +- 144: POSIX functions became macros, build fix (#150429) +- 145: Fix non-proxy yahoo file transfer +- 146: Fix non-proxy yahoo buddy icons + +* Fri Mar 04 2005 Warren Togami 1:1.1.4-3 +- 143: Gadu Gadu protocol crash fix (#149984) + +* Mon Feb 28 2005 Warren Togami 1:1.1.4-2 +- remove gcc4 conditional since FC4 is gcc4 default + +* Thu Feb 24 2005 Warren Togami 1:1.1.4-1 +- 1.1.4 with MSN crash fix, g_stat() crash workaround + CAN-2005-0208 Gaim HTML parsing DoS (another one) + +* Tue Feb 22 2005 Warren Togami 1:1.1.3-4 +- Test fixes for #149190 and #149304 + +* Mon Feb 21 2005 Dan Williams 1:1.1.3-3 +- Work around #149190 gaim-1.1.3-2 segfaults when calling g_stat() + +* Fri Feb 18 2005 Warren Togami 1:1.1.3-2 +- 1.1.3 including two security fixes + CAN-2005-0472 Client freezes when receiving certain invalid messages + CAN-2005-0473 Client crashes when receiving specific malformed HTML + +* Fri Jan 28 2005 Florian La Roche +- rebuild + +* Thu Jan 20 2005 Warren Togami 1:1.1.2-1 +- 1.1.2 with more bugfixes + +* Tue Jan 18 2005 Chip Turner 1:1.1.1-3 +- rebuild for new perl + +* Mon Jan 03 2005 Warren Togami 1.1.1-2 +- force required glib2 version + +* Tue Dec 28 2004 Warren Togami 1.1.1-1 +- 1.1.1 (minor bugfixes) + +* Thu Dec 2 2004 Warren Togami 1.1.0-1 +- upgrade 1.1.0 (mostly bugfixes) +- fix PIE patch + +* Sat Nov 20 2004 Warren Togami 1.0.3-3 +- make gcc4 conditional + +* Sat Nov 20 2004 Daniel Reed 1.0.3-2 +- Rebuild using gcc4 + - To revert, remove "BuildRequires: gcc4" and "CC=gcc4" + +* Fri Nov 12 2004 Warren Togami 1.0.3-1 +- 1.0.3 another bugfix release + +* Tue Oct 19 2004 Warren Togami 1.0.2-1 +- 1.0.2 fixes many crashes, endian and other issues + +* Tue Oct 19 2004 Warren Togami 1.0.1-3 +- nosnilmot: zephyr krb build was broken by thinko + +* Wed Oct 13 2004 Warren Togami 1.0.1-2 +- CAN-2004-0891 + +* Thu Oct 07 2004 Warren Togami 1.0.1-1 +- update to 1.0.1 +- 
disable naive GNOME session check +- switch to gnutls default (FC3+) + +* Mon Sep 27 2004 Warren Togami 1.0.0-5 +- djr fixed PIE +- added gnutls option, disabled and favoring mozilla-nss + +* Sat Sep 25 2004 Warren Togami 1.0.0-4 +- PIE + +* Mon Sep 20 2004 Warren Togami 1.0.0-3 +- 141: Jabber chat room list fix + +* Mon Sep 20 2004 Daniel Reed 1.0.0-2 +- #132967 Remove GenericName + +* Sat Sep 18 2004 Warren Togami 1.0.0-1 +- 1.0.0 + +* Wed Sep 01 2004 Warren Togami 0.82.1-2 +- enable SILC protocol + +* Thu Aug 26 2004 Warren Togami 0.82.1-1 +- new upstream point release with crash fix and added translation + +* Wed Aug 25 2004 Warren Togami 0.82-2 +- 140: Buddy icon pref changing crash fix + +* Wed Aug 25 2004 Warren Togami 0.82-1 +- Update to 0.82 resolves several security issues and bugs + CAN-2004-0500, CAN-2004-0754, CAN-2004-0784, CAN-2004-0785 + More details at http://gaim.sourceforge.net/security/ + +* Mon Aug 16 2004 Warren Togami 0.81-7 +- CVS backport 138: GTK Prefs bug fix + +* Sun Aug 15 2004 Warren Togami 0.81-6 +- CVS backport 137: System Log viewer fd leak + +* Sun Aug 15 2004 Warren Togami 0.81-5 +- fix substitution for browser back compat +- req fix for htmlview back compat +- update prefs.xml + +* Fri Aug 13 2004 Warren Togami 0.81-4 +- conditionalize features for alternate target distributions +- remove unnecessary ExclusiveArch +- other cleanups + +* Wed Aug 11 2004 Warren Togami 0.81-3 +- CVS backport 133: CAN-2004-0500 MSNLP buffer overflow + 134: Select buddy icon in new account crash + 135: Jabber join crash + 136: Jabber tooltip fake self crash + +* Mon Aug 9 2004 Daniel Reed 0.81-2 +- #125847 Change gaim.desktop names to "IM" + +* Thu Aug 05 2004 Warren Togami 0.81-1 +- 0.81 +- krb5-devel for Zephyr +- evolution-data-server-devel integration + plugin disabled by default because it seems very unstable + +* Sun Jul 18 2004 Warren Togami 0.80-3 +- CVS backport 130, 131: MSN buddy scaling issue fix + 132: Drag and Drop crash fix + +* Sat Jul 
17 2004 Warren Togami 0.80-2 +- CVS backport 129: IRC buddy list flood disconnect fix + +* Fri Jul 16 2004 Warren Togami 0.80-1 +- update to 0.80 +- enable ExtPlacement plugin by default +- Smiley Theme "Default" by default (bug fix) +- Insertions -> Control-{B/I/U} by default + +* Mon Jun 28 2004 Warren Togami 0.79-2 +- remove tray icon patch temporarily because it seems to cause more + problems than it solves. +- provide gaim-devel +- CVS backport 128: Cached buddy icons fix + +* Fri Jun 25 2004 Warren Togami 0.79-1 +- update to 0.79 +- update desktop patch +- update header and pkgconfig locations +- update default prefs +- FC3 sed behavior workaround +- temporarily disable evolution integration + +* Tue Jun 22 2004 Warren Togami 0.78-8 +- rebuilt + +* Mon Jun 08 2004 Warren Togami 0.78-7 +- CVS backport 125: MSN disconnect on non-fatal error fix + 126: Paste html with img crash fix + 127: Misplaced free fix + +* Sat Jun 05 2004 Warren Togami 0.78-4 +- CVS backport 123: jabber disconnect fix + 124: log find click fix + +* Sun May 30 2004 Warren Togami 0.78-2 +- update to 0.78 (without SILC support for now) + +* Sun May 09 2004 Warren Togami 0.77-7 +- CVS backport 121: byte order badness and crashing copy & paste fix + 122: history.so scroll to bottom in new tabs fix + +* Tue May 04 2004 Warren Togami 0.77-6 +- CVS backport 118: x86-64 yahoo auth fix + 119: Copy/paste fixes for UCS-2 encoded selection + 120: IRC reconnect segfault fix +- remove relnot.so plugin because it is unusable in FC +- Default enable logging and history.so plugin + enable autoreconnect plugin +- Fix Gnome Default url handler + +* Thu Apr 29 2004 Warren Togami 0.77-3 +- remove gnome-open manual, since 0.77 has "GNOME Default" as default. 
+- update default prefs.xml, disable buddy icons in buddy list +- CVS backport 114: plugin prefs saving fix + 115: autoreconn-suppress-dialogs + 116: fix smileys in dialogs + 117: gtk+ 2.0 compat + +* Sun Apr 25 2004 Warren Togami 0.77-1 +- 0.77, remove cvs backports + +* Fri Apr 15 2004 Warren Togami 0.76-6 +- CVS backports: + 111 Prevent Crash during password change if blank fields + 112 Prevent Crash if remote sends invalid characters + 113 Enable /etc/gaim/prefs.xml defaults for new profiles +- Tray Icon enabled by default +- Relabel internal version with V-R + +* Fri Apr 14 2004 Warren Togami 0.76-5 +- CVS backports: + 102 Fix ^F keybinding when gtkrc is set to emacs mode + 103 Add Missing File: evolution-1.5.x buildability + 104 When MSN server intermittently has problems accessing buddy list, MSN will crash with 0.76 + 105, 106, 107 MSN Error reporting fixes + 108 History plugin causes unnecessary horizontal scrollbars + 109 Fix the text replace plugin + 110 Prevent message sending while offline + +* Fri Apr 09 2004 Warren Togami 0.76-3 +- CVS backport: Fix oscar tooltip misbehavior + Fix yahoo more + +* Thu Apr 01 2004 Warren Togami 0.76-2 +- 0.76 + +* Sun Mar 28 2004 Warren Togami +- CVS snapshot +- more spec cleanups + +* Tue Mar 16 2004 Warren Togami +- CVS snapshot, generated with automake-1.7.9 +- update #4 +- update #2 but disable +- #5 no longer needed +- default to gnome-open #6 +- some spec cleanup + +* Tue Mar 02 2004 Elliot Lee +- rebuilt + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Fri Jan 23 2004 Christopher Blizzard 1:0.75-1.1.0 +- Include patch that fixes a bunch of buffer-related problems, mostly + from nectar@freebsd.org and some of my own changes. + +* Wed Jan 14 2004 Christopher Blizzard 1:0.75-0 +- Update to 0.75. +- Remove mem leak patch that is already included in 0.75. +- Clean up a lot of old unused patches and old source tarballs. + +* Fri Dec 12 2003 Christopher Blizzard 1:0.74-10 +- Add patch that fixes a large memory leak. 
+
+* Thu Dec 04 2003 Christopher Blizzard 1:0.74-9
+- Bump release to rebuild for fc2.
+
+* Wed Nov 25 2003 Christopher Blizzard 1:0.74-0
+- Upgrade to 0.74
+- Include libao-devel and startup-notification-devel to the
+ buildreq list
+
+* Mon Nov 03 2003 Christopher Blizzard 1:0.71-2
+- Add gtk2-devel to the buildreq list.
+
+* Fri Oct 24 2003 Christopher Blizzard 1:0.71-2
+- Include patch that should fix some input problems for ja_JP users
+
+* Fri Oct 17 2003 Christopher Blizzard 1:0.71-1
+- Include patch that updates the tray icon to a more recent version
+
+* Mon Sep 29 2003 Christopher Blizzard 1:0.70-0
+- Update to 0.70
+
+* Thu Sep 04 2003 Christopher Blizzard 1:0.68-0
+- Update to 0.68
+
+* Tue Aug 26 2003 Christopher Blizzard 1:0.66-2
+- Change Instant Messenger to Messaging Client
+
+* Wed Jul 23 2003 Jeremy Katz 1:0.66-1
+- 0.66
+
+* Thu Jul 17 2003 Matt Wilson 1:0.65-1
+- 0.65
+- don't include .a or .la files
+
+* Tue Jul 15 2003 Matt Wilson 1:0.64-2
+- rebuild against gtkspell
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Wed Jun 04 2003 Christopher Blizzard 1:0.64-0
+- 0.64
+
+* Mon Apr 14 2003 Matt Wilson 1:0.61-1
+- 0.61
+- remove prefs patch, no longer needed
+
+* Wed Apr 9 2003 Matt Wilson 1:0.59.8-1
+- use system libtool (#88340)
+
+* Wed Jan 29 2003 Christopher Blizzard 0.59.8-0
+- Update to 0.59.8
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Wed Dec 18 2002 Elliot Lee 0.59-11
+- Add libtoolize etc. steps
+
+* Tue Dec 17 2002 Elliot Lee 0.59-10
+- Rebuild
+
+* Mon Nov 18 2002 Tim Powers
+- build on all arches
+
+* Fri Aug 09 2002 Christopher Blizzard 0.59-7
+- Include patch that uses htmlview instead of calling Netscape
+ directly
+- Include patch that turns off the buddy ticker and changes the button
+ look to the (sane) default.
+
+* Thu Aug 01 2002 Christopher Blizzard
+- Fix .desktop file, and put it in the right place.
+- More .desktop file fixes
+
+* Tue Jun 25 2002 Christopher Blizzard
+- Update to 0.59.
+- Disable perl for now.
+ +* Sun May 26 2002 Tim Powers +- automated rebuild + +* Fri May 24 2002 Matt Wilson 0.58-1 +- 0.58 +- remove applet + +* Fri Mar 22 2002 Trond Eivind Glomsrød 0.53-1 +- Langify + +* Wed Mar 13 2002 Christopher Blizzard +- update 0.53 + +* Thu Feb 21 2002 Christopher Blizzard +- update to 0.52 + +* Tue Jan 29 2002 Christopher Blizzard +- update to 0.51 + +* Fri Sep 14 2001 Matt Wilson +- update to 0.43 + +* Fri Aug 03 2001 Christopher Blizzard +- Add BuildRequires for gnome-libs-devel (bug #44739) + +* Mon Jul 02 2001 Christopher Blizzard +- Add BuildRequires for gnome-core-devel (bug #44739) + +* Sun Jun 24 2001 Elliot Lee +- Bump release + rebuild. + +* Thu Feb 15 2001 Trond Eivind Glomsrød +- make it compile + +* Sun Feb 11 2001 Tim Powers +- updated to 0.11.0pre4 (bug fixes) +- applied Bero's konqueror patch to fix kfm->konq + +* Tue Dec 5 2000 Tim Powers +- updated to 0.11.0pre2 +- enable gnome support +- updated ispell to aspell patch +- cleaned up file list + +* Thu Nov 16 2000 Tim Powers +- updated to 0.10.3 + +* Fri Nov 10 2000 Tim Powers +- update to 0.10.2 + +* Mon Sep 11 2000 Tim Powers +- some ideas taken from the package available at the gaim website, mainly to install the applet stuff too. + +* Wed Aug 9 2000 Tim Powers +- added Serial so that we can upgrade from Helix packages from 6.2 + +* Mon Jul 24 2000 Prospector +- rebuilt + +* Tue Jul 18 2000 Tim Powers +- changed default spell checker to aspell from ispell, patched. +- requires aspell + +* Mon Jul 10 2000 Tim Powers +- rebuilt + +* Thu Jun 22 2000 Tim Powers +- fixed problems with ldconfig PreReq, shouls have been /sbin/ldconfig + +* Mon Jun 12 2000 Preston Brown +- 0.9.19 +- fix ldconfig stuff + +* Thu Jun 1 2000 Tim Powers +- cleaned up spec for use with RPM 4.0 (al la _sysconfdir _datadir etc) +- update to 0.9.17 +- yay! a man page! + +* Thu May 25 2000 Tim Powers +- we left a bunch of stuff out, pixmaps, plugins. 
Fixed
+- added applnk entry
+
+* Wed May 10 2000 Tim Powers
+- updated to 0.9.15
+
+* Mon Apr 24 2000 Matt Wilson
+- updated to 0.9.14
+
+* Mon Apr 24 2000 Matt Wilson
+- updated to 0.9.13
+
+* Thu Feb 10 2000 Matt Wilson
+- added patch to prevent floating point errors in lag-o-meter update
+ code
+
+* Wed Nov 10 1999 Tim Powers
+- updated to 0.9.10
+
+* Tue Jul 13 1999 Tim Powers
+- rebuilt and put into Powertools 6.1
+
+* Mon Jul 12 1999 Dale Lovelace
+- First RPM Build