Bug#685969: fixed in gnugk 2:3.0.2-2

Adam D. Barratt adam at adam-barratt.org.uk
Sun Sep 30 12:08:48 UTC 2012


Control: reopen -1

On Sat, 2012-09-29 at 23:32 +0000, Mark Purcell wrote:
> gnugk (2:3.0.2-2) unstable; urgency=medium
>  .
>    * Fix "CVE-2012-3534" Added gnugk-fix-cve-2012-3534.diff (Closes: #685969)
>    * Urgency medium for RC bug

I was looking at the diff for this with a view to unblocking it, but as
far as I can see it's not actually fixed. The patch is indeed added to
the package, but not applied during build as:

$ cat debian/patches/series 
#gnugk-fix-cve-2012-3534.diff

The patch does apply to the package, but attempting to build with it
enabled produces:

[CC] GkStatus.cxx
GkStatus.cxx:833:4: error: expected unqualified-id before 'else'
GkStatus.cxx:838:1: error: expected declaration before '}' token

Looking at
http://openh323gk.cvs.sourceforge.net/viewvc/openh323gk/openh323gk/GkStatus.cxx?r1=1.132&r2=1.133 , the patch in the Debian package includes the removal of the old lines around lines 833 and 843, but not the subsequent addition of the replacement lines. This means that we end up with

void GkStatus::AuthenticateClient(StatusClient* newClient)
{
                newClient->SetTraceLevel(GkConfig()->GetInteger("StatusTraceLevel", MAX_STATUS_TRACE_LEVEL));
                PTRACE(1, "STATUS\tNew client authenticated successfully: " << newClient->WhoAmI()
                        << ", login: " << newClient->GetUser()
                        );
                // the welcome messages
                newClient->WriteString(PrintGkVersion());
                newClient->Flush();
                AddSocket(newClient);
        } else {
                newClient->WriteString("\r\nAccess forbidden!\r\n");
                // newClient->Flush();  // dont' flush when access is denied to avoid blocking
                delete newClient;
        }
}

Regards,

Adam



More information about the Pkg-voip-maintainers mailing list