[Pkg-privacy-commits] [pidgin-otr] 01/01: Import 4.0.1-1+deb8u1 debdiff.

Intrigeri intrigeri at moszumanska.debian.org
Sat Mar 26 11:21:03 UTC 2016


This is an automated email from the git hooks/post-receive script.

intrigeri pushed a commit to branch jessie
in repository pidgin-otr.

commit f5eec3f0c492fb6566dd315dfd48db4467bcffc8
Author: intrigeri <intrigeri at debian.org>
Date:   Sat Mar 26 11:19:12 2016 +0000

    Import 4.0.1-1+deb8u1 debdiff.
---
 debian/changelog                   |  7 +++++
 debian/patches/CVE-2015-8833.patch | 53 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 61 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 58c33a1..b4c8493 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+pidgin-otr (4.0.1-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-8833: Heap use-after-free issue during SMP.
+
+ -- Felix Geyer <fgeyer at debian.org>  Tue, 22 Mar 2016 17:26:47 +0100
+
 pidgin-otr (4.0.1-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/CVE-2015-8833.patch b/debian/patches/CVE-2015-8833.patch
new file mode 100644
index 0000000..e1f11d7
--- /dev/null
+++ b/debian/patches/CVE-2015-8833.patch
@@ -0,0 +1,53 @@
+From aaf551b9dd5cbba8c4abaa3d4dc7ead860efef94 Mon Sep 17 00:00:00 2001
+From: Ian Goldberg <iang at cs.uwaterloo.ca>
+Date: Sun, 3 Jan 2016 16:53:20 -0500
+Subject: [PATCH] Fix use-after-free issue during SMP
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Thanks to Stefan Sperling <otr at stsp.name> and Hanno Böck
+<hanno at hboeck.de> for the report.
+
+Fixes #88
+
+Signed-off-by: Hanno Böck <hanno at hboeck.de>
+Signed-off-by: Ian Goldberg <iang at cs.uwaterloo.ca>
+---
+ gtk-dialog.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/gtk-dialog.c b/gtk-dialog.c
+index 09ec12e..309bee6 100644
+--- a/gtk-dialog.c
++++ b/gtk-dialog.c
+@@ -169,7 +169,7 @@ static void otrg_gtk_dialog_free_smp_data(PurpleConversation *conv)
+     g_hash_table_remove(conv->data, "otr-smpdata");
+ }
+ 
+-static void otrg_gtk_dialog_add_smp_data(PurpleConversation *conv)
++static SMPData* otrg_gtk_dialog_add_smp_data(PurpleConversation *conv)
+ {
+     SMPData *smp_data = malloc(sizeof(SMPData));
+     smp_data->smp_secret_dialog = NULL;
+@@ -182,6 +182,8 @@ static void otrg_gtk_dialog_add_smp_data(PurpleConversation *conv)
+     smp_data->their_instance = OTRL_INSTAG_BEST;
+ 
+     purple_conversation_set_data(conv, "otr-smpdata", smp_data);
++
++    return smp_data;
+ }
+ 
+ static GtkWidget *otr_icon(GtkWidget *image, TrustLevel level,
+@@ -777,7 +779,7 @@ static GtkWidget *create_smp_dialog(const char *title, const char *primary,
+      * will kill any existing SMP */
+     if (smp_data->their_instance != context->their_instance) {
+ 	otrg_gtk_dialog_free_smp_data(conv);
+-	otrg_gtk_dialog_add_smp_data(conv);
++	smp_data = otrg_gtk_dialog_add_smp_data(conv);
+     }
+ 
+     if (!(smp_data->smp_secret_dialog)) {
+-- 
+2.8.0.rc3
+
diff --git a/debian/patches/series b/debian/patches/series
index 583be5f..9e0ad93 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-Use-AM_PROG_AR-if-available-it-is-required-by-recent.patch
+CVE-2015-8833.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/pidgin-otr.git



More information about the Pkg-privacy-commits mailing list