Your message dated Tue, 05 Mar 2013 20:56:30 +0100
with message-id <[email protected]>
and subject line Re: Bug#702373: unblock: ekiga/3.2.7-6
has caused the Debian Bug report #702373,
regarding unblock: ekiga/3.2.7-6
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
702373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702373
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package ekiga. Version 3.2.7-6 fixes security RC bug #702282.
The debdiff is attached.
unblock ekiga/3.2.7-6
Cheers,
--
.''`. Sébastien Villemot
: :' : Debian Developer
`. `' http://www.dynare.org/sebastien
`- GPG Key: 4096R/381A7594
diff -Nru ekiga-3.2.7/debian/changelog ekiga-3.2.7/debian/changelog
--- ekiga-3.2.7/debian/changelog 2012-05-12 12:31:03.000000000 +0000
+++ ekiga-3.2.7/debian/changelog 2013-03-04 21:38:47.000000000 +0000
@@ -1,3 +1,12 @@
+ekiga (3.2.7-6) unstable; urgency=high
+
+ * Team upload.
+ * debian/patches/validate-utf8-strings.patch: new patch, fixes crash
+ when the other party's names are not UTF-8 valid (CVE-2012-5621).
+ (Closes: #702282)
+
+ -- Sébastien Villemot <[email protected]> Mon, 04 Mar 2013 22:38:45 +0100
+
ekiga (3.2.7-5) unstable; urgency=high
* ACK NMUs - thanks to Hector and Mehdi for their work!
diff -Nru ekiga-3.2.7/debian/patches/series ekiga-3.2.7/debian/patches/series
--- ekiga-3.2.7/debian/patches/series 2012-05-12 11:27:30.000000000 +0000
+++ ekiga-3.2.7/debian/patches/series 2013-03-04 21:25:23.000000000 +0000
@@ -2,3 +2,4 @@
fix-linux-gnueabihf-build.patch
opal310.patch
gcc47.patch
+validate-utf8-strings.patch
diff -Nru ekiga-3.2.7/debian/patches/validate-utf8-strings.patch ekiga-3.2.7/debian/patches/validate-utf8-strings.patch
--- ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 1970-01-01 00:00:00.000000000 +0000
+++ ekiga-3.2.7/debian/patches/validate-utf8-strings.patch 2013-03-04 21:36:15.000000000 +0000
@@ -0,0 +1,40 @@
+Description: Fix crash when the other party's names are not UTF-8 valid
+ CVE-2012-5621: a remote attacker (other party with an invalid UTF-8 valid name)
+ could use this flaw to cause ekiga executable crash.
+Origin: backport, http://git.gnome.org/browse/ekiga/commit/?id=7d09807257
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=653009
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702282
+Last-Update: 2013-03-04
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/lib/engine/components/opal/opal-call.cpp
++++ b/lib/engine/components/opal/opal-call.cpp
+@@ -282,6 +282,17 @@
+ return outgoing;
+ }
+
++// if the parameter is not valid utf8, remove from it all the chars
++// after the first invalid utf8 char, so that it becomes valid utf8
++static void
++make_valid_utf8 (string & str)
++{
++ const char *pos;
++ if (!g_utf8_validate (str.c_str(), -1, &pos)) {
++ PTRACE (4, "Ekiga\tTrimming invalid UTF-8 string: " << str.c_str());
++ str = str.substr (0, pos - str.c_str()).append ("...");
++ }
++}
+
+ void
+ Opal::Call::parse_info (OpalConnection & connection)
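Review bot: g_utf8_validate is called with a length of -1 in make_valid_utf8, so validation stops at the first NUL byte; if the std::string carries an embedded NUL (plausible for remote-supplied data), everything after it is never checked and is kept unchanged. Passing str.size() instead of -1 would validate the whole buffer, and GLib then treats an embedded NUL as invalid, so it is trimmed along with any other bad byte. The PTRACE line also writes the raw, not-yet-trimmed bytes to the trace log, so whatever consumes that log must cope with invalid UTF-8, or the string should be logged after trimming.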
+@@ -316,6 +327,10 @@
+ if (!app.empty ())
+ remote_application = app;
+
++ make_valid_utf8 (remote_party_name);
++ make_valid_utf8 (remote_application);
++ make_valid_utf8 (remote_uri);
++
+ strip_special_chars (remote_party_name, end_special_chars, false);
+ strip_special_chars (remote_application, end_special_chars, false);
+ strip_special_chars (remote_uri, end_special_chars, false);
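Review bot: make_valid_utf8 runs before strip_special_chars on all three strings, so the "..." suffix appended to a trimmed string is itself subject to strip_special_chars; confirm that '.' is not among end_special_chars, otherwise the trimming marker is removed again. The hunk also covers only the three fields assigned in parse_info (remote_party_name, remote_application, remote_uri); worth confirming that no other remote-supplied display string reaches the UI without passing through make_valid_utf8, since the patch header describes the flaw as any invalid name from the other party.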
--- End Message ---
--- Begin Message ---
On 2013-03-05 20:49, Sébastien Villemot wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package ekiga. Version 3.2.7-6 fixes security RC bug
> #702282. The debdiff is attached.
>
> unblock ekiga/3.2.7-6
>
> Cheers,
>
Unblocked, thanks.
~Niels
--- End Message ---