Debian Bug report logs - #686455
unblock: pidgin-latex/1.4.4-2

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Elías Alejandro <ealmdz@gmail.com>

Date: Sat, 1 Sep 2012 19:03:02 UTC

Severity: normal

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#686455; Package release.debian.org. (Sat, 01 Sep 2012 19:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Elías Alejandro <ealmdz@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 01 Sep 2012 19:03:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Elías Alejandro <ealmdz@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: pidgin-latex/1.4.4-2
Date: Sat, 01 Sep 2012 13:59:19 -0500
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package pidgin-latex

It adds an upstream patch which will be also available in 1.4.5 to fix:

01_security_issue.patch: Insuficient validation on blacklist wich could cause
                         send user information over messenger network.



--- pidgin-latex-1.4.4/debian/changelog	2011-07-07 10:15:03.000000000 -0500
+++ pidgin-latex-1.4.4/debian/changelog	2012-08-30 19:48:45.000000000 -0500
@@ -1,3 +1,11 @@
+pidgin-latex (1.4.4-2) unstable; urgency=low
+
+  * debian/patches/01_security_issue.patch: Added. (Closes: #685888)
+    + This fix insufficient validation of LaTeX code and avoid
+      access to user local information.
+
+ -- Elías Alejandro Año Mendoza <ealmdz@gmail.com>  Thu, 30 Aug 2012 20:39:08 -0500
+
 pidgin-latex (1.4.4-1) unstable; urgency=low
 
   * Initial release (Closes: #520658, #609723)
diff -Nru pidgin-latex-1.4.4/debian/patches/01_security_issue.patch pidgin-latex-1.4.4/debian/patches/01_security_issue.patch
--- pidgin-latex-1.4.4/debian/patches/01_security_issue.patch	1969-12-31 19:00:00.000000000 -0500
+++ pidgin-latex-1.4.4/debian/patches/01_security_issue.patch	2012-08-26 16:48:19.000000000 -0500
@@ -0,0 +1,45 @@
+Description: pidgin-latex has a security issue to get into makeatletter-mode.
+ This patch fix insufficient validation of LaTeX code and avoid send
+ messages over a messenger network to a user local system account 
+ information.
+
+Author: Benjamin Moll <qjuh@users.sourceforge.net>
+Forwarded: no
+Last-Update: 2012-07-23 
+
+--- pidgin-latex-1.4.4.orig/LaTeX.c	2011-01-12 19:28:45.000000000 -0500
++++ pidgin-latex-1.4.4/LaTeX.c	2012-08-25 20:27:55.000000000 -0500
+@@ -36,6 +36,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <regex.h>
+ #include <sys/types.h>
+ 
+ #ifndef _WIN32
+@@ -321,14 +322,21 @@
+ static gboolean is_blacklisted(char *message)
+ {
+   char *not_secure[NB_BLACKLIST] = BLACKLIST;
++  int reti;
+   int i;
+   for (i = 0 ; i < NB_BLACKLIST ; i++)
+   {
+-    char *begin_not_secure = malloc((strlen(not_secure[i])+9)*sizeof(char));
+-    strcpy(begin_not_secure,"\\begin{");
++    regex_t regex;
++    char *begin_not_secure = malloc((strlen(not_secure[i])+18)*sizeof(char));
++    strcpy(begin_not_secure,"\\\\begin\\W*{\\W*");
+     strcat(begin_not_secure,not_secure[i]+0x01);
+-    strcat(begin_not_secure,"}");
+-    if (strstr(message, not_secure[i]) != NULL || strstr(message, begin_not_secure)) return TRUE;
++    strcat(begin_not_secure,"\\W*}");
++    reti = regcomp(&regex, begin_not_secure, 0);
++purple_debug_info("LaTeX", "RegEx-Comp: %s (%d)\n", begin_not_secure, reti);
++    reti = regexec(&regex, message, 0, NULL, 0);
++    regfree(&regex);
++purple_debug_info("LaTeX", "Blacklist: %s und %s (RegEx-Match: %d)\n", not_secure[i], begin_not_secure, reti);
++    if (strstr(message, not_secure[i]) != NULL || reti!=REG_NOMATCH) return TRUE;
+   }
+   return FALSE;
+ }
diff -Nru pidgin-latex-1.4.4/debian/patches/series pidgin-latex-1.4.4/debian/patches/series
--- pidgin-latex-1.4.4/debian/patches/series	1969-12-31 19:00:00.000000000 -0500
+++ pidgin-latex-1.4.4/debian/patches/series	2012-08-26 16:48:19.000000000 -0500
@@ -0,0 +1 @@
+01_security_issue.patch


unblock pidgin-latex/1.4.4-2

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-2-686-pae (SMP w/2 CPU cores)
Locale: LANG=es_PE.UTF-8, LC_CTYPE=es_PE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



Reply sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
You have taken responsibility. (Sat, 01 Sep 2012 19:27:10 GMT) Full text and rfc822 format available.

Notification sent to Elías Alejandro <ealmdz@gmail.com>:
Bug acknowledged by developer. (Sat, 01 Sep 2012 19:27:10 GMT) Full text and rfc822 format available.

Message #10 received at 686455-done@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Elías Alejandro <ealmdz@gmail.com>, 686455-done@bugs.debian.org
Subject: Re: Bug#686455: unblock: pidgin-latex/1.4.4-2
Date: Sat, 01 Sep 2012 20:22:12 +0100
On Sat, 2012-09-01 at 13:59 -0500, Elías Alejandro wrote:
> Please unblock package pidgin-latex
> 
> It adds an upstream patch which will be also available in 1.4.5 to fix:
> 
> 01_security_issue.patch: Insuficient validation on blacklist wich could cause
>                          send user information over messenger network.

Unblocked; thanks.

Regards,

Adam




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 30 Sep 2012 07:29:42 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:18:28 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.