Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package ekiga. Version 3.2.7-6 fixes security RC bug #702282.
The debdiff is attached.

unblock ekiga/3.2.7-6

Cheers,

-- 
 .''`.    Sébastien Villemot
: :' :    Debian Developer
`. `'     http://www.dynare.org/sebastien
  `-      GPG Key: 4096R/381A7594
diff -Nru ekiga-3.2.7/debian/changelog ekiga-3.2.7/debian/changelog
--- ekiga-3.2.7/debian/changelog	2012-05-12 12:31:03.000000000 +0000
+++ ekiga-3.2.7/debian/changelog	2013-03-04 21:38:47.000000000 +0000
@@ -1,3 +1,12 @@
+ekiga (3.2.7-6) unstable; urgency=high
+
+  * Team upload.
+  * debian/patches/validate-utf8-strings.patch: new patch, fixes crash
+    when the other party's names are not UTF-8 valid (CVE-2012-5621).
+    (Closes: #702282)
+
+ -- Sébastien Villemot <sebast...@debian.org>  Mon, 04 Mar 2013 22:38:45 +0100
+
 ekiga (3.2.7-5) unstable; urgency=high
 
   * ACK NMUs - thanks to Hector and Mehdi for their work!
diff -Nru ekiga-3.2.7/debian/patches/series ekiga-3.2.7/debian/patches/series
--- ekiga-3.2.7/debian/patches/series	2012-05-12 11:27:30.000000000 +0000
+++ ekiga-3.2.7/debian/patches/series	2013-03-04 21:25:23.000000000 +0000
@@ -2,3 +2,4 @@
 fix-linux-gnueabihf-build.patch
 opal310.patch
 gcc47.patch
+validate-utf8-strings.patch
diff -Nru ekiga-3.2.7/debian/patches/validate-utf8-strings.patch ekiga-3.2.7/debian/patches/validate-utf8-strings.patch
--- ekiga-3.2.7/debian/patches/validate-utf8-strings.patch	1970-01-01 00:00:00.000000000 +0000
+++ ekiga-3.2.7/debian/patches/validate-utf8-strings.patch	2013-03-04 21:36:15.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix crash when the other party's names are not UTF-8 valid
+ CVE-2012-5621: a remote attacker (other party with an invalid UTF-8 valid name)
+ could use this flaw to cause ekiga executable crash.
+Origin: backport, http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=653009
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702282
+Last-Update: 2013-03-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/engine/components/opal/opal-call.cpp
++++ b/lib/engine/components/opal/opal-call.cpp
+@@ -282,6 +282,17 @@
+   return outgoing; 
+ }
+ 
++// if the parameter is not valid utf8, remove from it all the chars
++//   after the first invalid utf8 char, so that it becomes valid utf8
++static void
++make_valid_utf8 (string & str)
++{
++  const char *pos;
++  if (!g_utf8_validate (str.c_str(), -1, &pos)) {
++    PTRACE (4, "Ekiga\tTrimming invalid UTF-8 string: " << str.c_str());
++    str = str.substr (0, pos - str.c_str()).append ("...");
++  }
++}
+ 
+ void
+ Opal::Call::parse_info (OpalConnection & connection)
+@@ -316,6 +327,10 @@
+     if (!app.empty ())
+       remote_application = app;
+ 
++    make_valid_utf8 (remote_party_name);
++    make_valid_utf8 (remote_application);
++    make_valid_utf8 (remote_uri);
++
+     strip_special_chars (remote_party_name, end_special_chars, false);
+     strip_special_chars (remote_application, end_special_chars, false);
+     strip_special_chars (remote_uri, end_special_chars, false);
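Review bot: `g_utf8_validate (str.c_str(), -1, &pos)` in make_valid_utf8 scans only up to the first NUL byte, so if one of these std::strings ever carries an embedded NUL the bytes after it are neither validated nor trimmed; passing the known length, `if (!g_utf8_validate (str.c_str(), str.size(), &pos)) {`, covers the whole buffer (GLib then reports an embedded NUL as invalid, which the existing trim handles). The PTRACE line writes the unvalidated bytes verbatim into the trace output before they are trimmed; at trace level 4 that is probably acceptable, but logging the trimmed result or just the offset `pos - str.c_str()` would keep raw remote bytes out of the log. Appending "..." to remote_uri leaves a string that is no longer a usable address, which only matters if remote_uri is used for something other than display — I cannot tell from this hunk. The body of Opal::Call::parse_info continues outside the hunk.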

Attachment: signature.asc
Description: Digital signature
