Attachment 948788 Details for Bug 1154910 – patch from upstream

[patch] patch from upstream

CVE-2014-3696.diff (text/plain), 4.51 KB, created by Murray McAllister on 2014-10-21 03:22:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Murray McAllister

Created: 2014-10-21 03:22:22 UTC

Size: 4.51 KB

patch

obsolete

>diff -r 6436e14bdb9d -r 44fd89158777 ChangeLog
>--- a/ChangeLog	Mon Apr 07 23:45:55 2014 -0700
>+++ b/ChangeLog	Tue Apr 08 00:31:25 2014 -0700
>@@ -12,6 +12,11 @@ version 2.10.10 (?/?/?):
> 	Gadu-Gadu:
> 	* Updated internal libgadu to version 1.12.0-rc2.
> 
>+	Groupwise:
>+	* Fix potential remote crash parsing server message that indicates that
>+	  a large amount of memory should be allocated. (Discovered by Yves Younan
>+	  and Richard Johnson of Sourcefire VRT) (CVE-2014-NNNN)
>+
> 	MXit:
> 	* Fix potential remote crash parsing a malformed emoticon response.
> 	  (Discovered by Yves Younan and Richard Johnson of Sourcefire VRT)
>diff -r 6436e14bdb9d -r 44fd89158777 libpurple/protocols/novell/nmevent.c
>--- a/libpurple/protocols/novell/nmevent.c	Mon Apr 07 23:45:55 2014 -0700
>+++ b/libpurple/protocols/novell/nmevent.c	Tue Apr 08 00:31:25 2014 -0700
>@@ -149,7 +149,7 @@ handle_receive_message(NMUser * user, NM
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -164,7 +164,7 @@ handle_receive_message(NMUser * user, NM
> 	/* Read the message text */
> 	if (rc == NM_OK) {
> 		rc = nm_read_uint32(conn, &size);
>-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+		if (size > 100000)	return NMERR_PROTOCOL;
> 
> 		if (rc == NM_OK) {
> 			msg = g_new0(char, size + 1);
>@@ -270,7 +270,7 @@ handle_conference_invite(NMUser * user, 
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -280,7 +280,7 @@ handle_conference_invite(NMUser * user, 
> 	/* Read the the message */
> 	if (rc == NM_OK) {
> 		rc = nm_read_uint32(conn, &size);
>-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+		if (size > 100000)	return NMERR_PROTOCOL;
> 
> 		if (rc == NM_OK) {
> 			msg = g_new0(char, size + 1);
>@@ -349,7 +349,7 @@ handle_conference_invite_notify(NMUser *
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -401,7 +401,7 @@ handle_conference_reject(NMUser * user, 
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -440,7 +440,7 @@ handle_conference_left(NMUser * user, NM
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -490,7 +490,7 @@ handle_conference_closed(NMUser * user, 
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -530,7 +530,7 @@ handle_conference_joined(NMUser * user, 
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -589,7 +589,7 @@ handle_typing(NMUser * user, NMEvent * e
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -632,7 +632,7 @@ handle_status_change(NMUser * user, NMEv
> 
> 		/* Read the status text */
> 		rc = nm_read_uint32(conn, &size);
>-		if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+		if (size > 10000)	return NMERR_PROTOCOL;
> 
> 		if (rc == NM_OK) {
> 			text = g_new0(char, size + 1);
>@@ -670,7 +670,7 @@ handle_undeliverable_status(NMUser * use
> 
> 	/* Read the conference guid */
> 	rc = nm_read_uint32(conn, &size);
>-	if (size == MAX_UINT32)	return NMERR_PROTOCOL;
>+	if (size > 1000)	return NMERR_PROTOCOL;
> 
> 	if (rc == NM_OK) {
> 		guid = g_new0(char, size + 1);
>@@ -833,7 +833,10 @@ nm_process_event(NMUser * user, int type
> 	/* Read the event source */
> 	rc = nm_read_uint32(conn, &size);
> 	if (rc == NM_OK) {
>-		if (size > 0) {
>+		if (size > 1000000) {
>+			/* Size is larger than our 1MB sanity check. Ignore it. */
>+			rc = NMERR_PROTOCOL;
>+		} else {
> 			source = g_new0(char, size);
> 
> 			rc = nm_read_all(conn, source, size);

Actions: View | Diff

Attachments on bug 1154910: 948788