Debian Bug report logs - #655178
pu: package pidgin/2.7.3-1+squeeze1


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Ari Pollak <ari@debian.org>

Date: Mon, 9 Jan 2012 00:45:02 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.4

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#655178; Package release.debian.org. (Mon, 09 Jan 2012 00:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ari Pollak <ari@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 09 Jan 2012 00:45:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ari Pollak <ari@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package pidgin/2.7.3-1+squeeze1
Date: Sun, 08 Jan 2012 19:40:58 -0500
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The security team asked me to prepare an update for squeeze that
includes fixes for the outstanding minor security issues (all remote
crashers with no remote code execution). That diff is attached.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (600, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[pidgin_2.7.3-1+squeeze2.debdiff (text/x-diff, attachment)]


Message #10 received at 655178@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ari Pollak <ari@debian.org>, 655178@bugs.debian.org
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Mon, 09 Jan 2012 21:06:19 +0000
On Sun, 2012-01-08 at 19:40 -0500, Ari Pollak wrote:
> The security team asked me to prepare an update for squeeze that
> includes fixes for the outstanding minor security issues (all remote
> crashers with no remote code execution). That diff is attached.

Something odd appears to have happened to CVE-2011-4602.patch; it looks
like a diff of a brokenly wrapped diff.  For instance: (sic)

+============================================================ Index:
+pidgin/libpurple/protocols/jabber/jingle/jingle.c
+=================================================================== ---
+pidgin.orig/libpurple/protocols/jabber/jingle/jingle.c +++
+pidgin/libpurple/protocols/jabber/jingle/jingle.c @@ -119,7 +119,7 @@
+jingle_handle_content_modify(JingleSessi if (local_content != NULL) { const
+gchar *senders = xmlnode_get_attrib(content, "senders"); gchar *local_senders =
+jingle_content_get_senders(local_content);
+-			if (strcmp(senders,
+			local_senders)) +			if
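Review bot: the `Index:` line, the `---`/`+++` file headers and the `@@ -119,7 +119,7 @@` hunk header in this block all sit mid-line instead of at column 1 behind the debdiff's leading `+`, which is what a diff looks like after a mail client or editor re-flowed it. GNU patch (and therefore quilt) skips any text that precedes the first line-initial `---`/`+++` pair, so a re-wrapped copy placed above the genuine hunks is ignored rather than applied, but it should still be cut from CVE-2011-4602.patch before upload so a reviewer can tell the real `if (strcmp(senders, local_senders))` change from its mangled duplicate, and the cleaned patch should be re-checked with a `quilt push -a` and a rebuild.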

Regards,

Adam
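The damage Adam quotes above (diff headers run together mid-line, a hunk header that no longer starts a line) is the kind of thing a quick check catches before a stable upload. The script below is an added example written for this page; it is not part of the Debian BTS, pidgin or devscripts. It scans a unified diff for markers that do not begin a line (a re-flowed diff) and for hunks whose `@@` counts disagree with the body that follows, and it treats a debdiff that adds a quilt patch (every inner line prefixed with `+`) as well-formed. The diff text embedded in it is constructed for illustration and is not the CVE-2011-4602 change.

```python
"""Sanity-check a unified diff (or a debdiff) for wrap damage and bad hunks.

Added example; not part of the Debian BTS, pidgin or devscripts.
"""
import re
import sys
from typing import List

# Hunk header at column 0: "@@ -old_start[,old_len] +new_start[,new_len] @@".
HUNK_RE = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@')

# Markers that begin a line in a well-formed unified diff, or begin at
# column 1 when the diff is itself being added by an outer diff.
MARKERS = ('Index: ', '--- ', '+++ ', '@@ -')


def find_wrap_damage(patch: str) -> List[str]:
    """Report diff markers that sit in the middle of a line.

    A marker further right than column 1 is what a diff looks like after a
    mail client or editor re-flowed it. Column 1 is allowed only behind a
    '+', '-' or ' ' prefix, i.e. a patch file carried inside another diff
    (a debdiff adding a quilt patch). This is a heuristic: a context line
    whose source text happens to contain '--- ' is reported as well.
    """
    problems = []
    for n, line in enumerate(patch.splitlines(), 1):
        for marker in MARKERS:
            pos = line.find(marker)
            if pos <= 0:                      # absent, or at column 0
                continue
            nested_ok = pos == 1 and line[0] in '+- '
            if not nested_ok:
                problems.append(
                    f'line {n}: {marker.strip()!r} at column {pos}, looks re-wrapped')
    return problems


def check_hunk_counts(patch: str) -> List[str]:
    """Report hunks whose @@ header disagrees with the body that follows.

    Only column-0 hunk headers are checked; a nested patch's '+@@' lines are
    ordinary added lines of the outer hunk and are counted as such.
    """
    problems = []
    lines = patch.splitlines()
    found = False
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        found = True
        header_line = i + 1
        old_left = int(m.group(2)) if m.group(2) is not None else 1
        new_left = int(m.group(4)) if m.group(4) is not None else 1
        i += 1
        while (old_left > 0 or new_left > 0) and i < len(lines):
            line = lines[i]
            if line.startswith('\\'):         # "\ No newline at end of file"
                i += 1
                continue
            tag = line[:1] or ' '             # a blank context line may have lost its space
            if tag == ' ':
                old_left -= 1
                new_left -= 1
            elif tag == '-':
                old_left -= 1
            elif tag == '+':
                new_left -= 1
            else:
                break                         # body ended before the counts ran out
            i += 1
        if old_left or new_left:
            problems.append(
                f'hunk at line {header_line}: body does not match header '
                f'(old lines off by {old_left}, new lines off by {new_left})')
    if not found:
        problems.append('no hunk headers found at column 0')
    return problems


def check_patch(patch: str) -> List[str]:
    """Run both checks; an empty list means the diff passed."""
    return find_wrap_damage(patch) + check_hunk_counts(patch)


# Constructed sample input for illustration (not the real CVE-2011-4602 change).
GOOD = (
    "--- a/example.c\n"
    "+++ b/example.c\n"
    "@@ -10,4 +10,4 @@ int same(const char *a, const char *b)\n"
    " {\n"
    "-\tif (strcmp(a, b))\n"
    "+\tif (a == NULL || b == NULL || strcmp(a, b))\n"
    " \t\treturn 0;\n"
    " \treturn 1;\n"
)

# The same diff after a mail client joined and re-wrapped the header lines.
WRAPPED = (
    "--- a/example.c +++ b/example.c @@ -10,4 +10,4 @@ int same(const char *a,\n"
    "const char *b)\n"
    " {\n"
    "-\tif (strcmp(a, b))\n"
    "+\tif (a == NULL || b == NULL || strcmp(a, b))\n"
    " \t\treturn 0;\n"
    " \treturn 1;\n"
)

# GOOD carried inside a debdiff that adds it as debian/patches/fix.patch.
NESTED = (
    "--- a/debian/patches/fix.patch\n"
    "+++ b/debian/patches/fix.patch\n"
    "@@ -0,0 +1,8 @@\n"
    + "".join("+" + l + "\n" for l in GOOD.splitlines())
)

# GOOD with its last context line lost in transit.
TRUNCATED = GOOD.rsplit("\n", 2)[0] + "\n"


if __name__ == '__main__':
    if len(sys.argv) > 1:                     # check a real file: check_patch.py foo.debdiff
        with open(sys.argv[1]) as fh:
            samples = {sys.argv[1]: fh.read()}
    else:                                     # no argument: run the constructed samples
        samples = {'GOOD': GOOD, 'WRAPPED': WRAPPED,
                   'NESTED': NESTED, 'TRUNCATED': TRUNCATED}
    for name, text in samples.items():
        print(name, check_patch(text) or 'ok')
```

Run it on the debdiff before filing the pu request; a re-flowed patch fails both checks at once, since the joined header lines trip the marker scan and leave no hunk header at column 0 for the count check to find.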






Message #15 received at 655178@bugs.debian.org (full text, mbox):

From: Ari Pollak <ari@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 655178@bugs.debian.org
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Mon, 09 Jan 2012 19:42:43 -0500
On 01/09/2012 04:06 PM, Adam D. Barratt wrote:
> Something odd appears to have happened to CVE-2011-4602.patch; it looks
> like a diff of a brokenly wrapped diff.  For instance: (sic)

Strange, but it actually doesn't affect the patch, and the actual 
changes are correct. I'll remove the extra "comments" from that patch.





Message #20 received at 655178@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ari Pollak <ari@debian.org>, 655178@bugs.debian.org
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Sat, 14 Jan 2012 16:33:46 +0000
On Mon, 2012-01-09 at 19:42 -0500, Ari Pollak wrote:
> On 01/09/2012 04:06 PM, Adam D. Barratt wrote:
> > Something odd appears to have happened to CVE-2011-4602.patch; it looks
> > like a diff of a brokenly wrapped diff.  For instance: (sic)
> 
> Strange, but it actually doesn't affect the patch, and the actual 
> changes are correct. I'll remove the extra "comments" from that patch.

Thanks.  Would it be possible to have an updated diff without the cruft?

(fwiw, I'm also not quite sure what some other parts of that patch have
to do with fixing the crash; e.g.

+-	is_audio = !strcmp(media_type, "audio");
++	is_audio = g_str_equal(media_type, "audio");
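Review bot: swapping `!strcmp(media_type, "audio")` for `g_str_equal(media_type, "audio")` is behaviour-preserving (g_str_equal is strcmp() == 0 with no NULL check on either argument), so it neither fixes nor hardens anything and belongs in an upstream cleanup rather than in a stable security backport; drop it from the Debian patch so the diff is limited to the crash fix.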
[...]
+-		type = is_audio == TRUE ? PURPLE_MEDIA_RECV_AUDIO
++		type = is_audio ? PURPLE_MEDIA_RECV_AUDIO
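Review bot: `is_audio == TRUE ?` to `is_audio ?` is likewise cosmetic, since `is_audio` is assigned from a `!strcmp(...)` and is therefore already 0 or 1, making the comparison merely redundant; as these cleanup-only lines are what make the patch hard to review, the stable upload should carry only the hunks that touch the crash path.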
)

Regards,

Adam






Message #25 received at 655178@bugs.debian.org (full text, mbox):

From: Ari Pollak <ari@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 655178@bugs.debian.org
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Sat, 14 Jan 2012 20:27:23 -0500
[Message part 1 (text/plain, inline)]
On 01/14/2012 11:33 AM, Adam D. Barratt wrote:
> Thanks.  Would it be possible to have an updated diff without the cruft?

New patch attached.

> (fwiw, I'm also not quite sure what some other parts of that patch have
> to do with fixing the crash; e.g.

The patch was taken directly from the upstream change, and I guess they 
didn't do a good job of separating the security fix from general cleanups.
[pidgin_2.7.3-1+squeeze2.debdiff (text/plain, attachment)]


Message #30 received at 655178@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Ari Pollak <ari@debian.org>, 655178@bugs.debian.org
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Sun, 15 Jan 2012 12:39:51 +0000
On Sat, 2012-01-14 at 20:27 -0500, Ari Pollak wrote:
> On 01/14/2012 11:33 AM, Adam D. Barratt wrote:
> > Thanks.  Would it be possible to have an updated diff without the cruft?
> 
> New patch attached.

Thanks.

> > (fwiw, I'm also not quite sure what some other parts of that patch have
> > to do with fixing the crash; e.g.
> 
> The patch was taken directly from the upstream change, and I guess they 
> didn't do a good job of separating the security fix from general cleanups.

Yeah.  It makes the patch rather noisy and reviewing it more of a pain
than it needs to be. :-(

Please go ahead; thanks.

Regards,

Adam





Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 15 Jan 2012 13:27:17 GMT) Full text and rfc822 format available.


Message #37 received at 655178@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: 655178@bugs.debian.org
Cc: Ari Pollak <ari@debian.org>
Subject: Re: Bug#655178: pu: package pidgin/2.7.3-1+squeeze1
Date: Mon, 16 Jan 2012 19:08:35 +0000
tag 655178 + pending
thanks

On Sun, 2012-01-15 at 12:39 +0000, Adam D. Barratt wrote:
> On Sat, 2012-01-14 at 20:27 -0500, Ari Pollak wrote:
> > The patch was taken directly from the upstream change, and I guess they 
> > didn't do a good job of separating the security fix from general cleanups.
> 
> Yeah.  It makes the patch rather noisy and reviewing it more of a pain
> than it needs to be. :-(
> 
> Please go ahead; thanks.

For the record, this was uploaded and accepted.

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 16 Jan 2012 19:12:07 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 6.0.4, send any further explanations to Ari Pollak <ari@debian.org>. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 28 Jan 2012 14:06:56 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 26 Feb 2012 07:38:53 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:01:28 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.