Based on 2007-07-19 02:09 centericq-4.21.0-overflows.patch from centericq package
Fixes CVE-2007-0160 and CVE-2007-3713 buffer overflows,
some of them remotely exploitable. (Lubomir Kundrak <lkundrak@redhat.com>)
diff -Nurp centerim-4.22.1.orig/src/hooks/abstracthook.cc centerim-4.22.1/src/hooks/abstracthook.cc
--- centerim-4.22.1.orig/src/hooks/abstracthook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/abstracthook.cc 2007-10-02 17:33:30.000000000 +0200
@@ -40,6 +40,8 @@
#include <time.h>
+#define NOTIFBUF 512
+
time_t timer_current = time(0);
abstracthook::abstracthook(protocolname aproto)
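Review bot: `NOTIFBUF` is introduced here as a file-local macro, and the identical `#define NOTIFBUF 512` is repeated in aimhook.cc, irchook.cc, jabberhook.cc, ljhook.cc and yahoohook.cc, so the six copies can drift apart. A single definition in a header shared by the hook sources would keep the bound in one place. Independently of that, passing `sizeof(buf)` as the size argument ties each call to the array it actually writes into rather than to the macro.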
@@ -342,7 +344,7 @@ bool abstracthook::regattempt(unsigned i
void abstracthook::log(logevent ev, ...) {
va_list ap;
- char buf[512];
+ char buf[NOTIFBUF];
static map<logevent, string> lst;
if(lst.empty()) {
@@ -357,7 +359,8 @@ void abstracthook::log(logevent ev, ...)
}
va_start(ap, ev);
- vsprintf(buf, lst[ev].c_str(), ap);
+ vsnprintf(buf, NOTIFBUF, lst[ev].c_str(), ap);
+ buf[NOTIFBUF-1] = '\0';
va_end(ap);
face.log((string) "+ [" + conf.getprotocolname(proto) + "] " + buf);
@@ -754,7 +757,7 @@ string abstracthook::getTimezoneIDtoStri
if(id > 24 || id < -24) {
return "Unspecified";
} else {
- char buf[32];
+ static char buf[32];
sprintf(buf, "GMT %s%d:%s", id > 0 ? "-" : "+", abs(id/2), id % 2 == 0 ? "00" : "30");
return buf;
}
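Review bot: Making `buf` `static` in the `else` branch does not bound the `sprintf` and adds shared state that every call overwrites. The function returns `string`, so `return buf;` already copies the array and the local buffer never escaped by address. With `id` limited to -24..24 by the check above, the output fits in 32 bytes either way, so I would keep `char buf[32];` and use `snprintf(buf, sizeof(buf), "GMT %s%d:%s", ...)` for consistency with the rest of the patch. The function begins outside this hunk.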
diff -Nurp centerim-4.22.1.orig/src/hooks/aimhook.cc centerim-4.22.1/src/hooks/aimhook.cc
--- centerim-4.22.1.orig/src/hooks/aimhook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/aimhook.cc 2007-10-02 17:35:20.000000000 +0200
@@ -32,6 +32,8 @@
#include "imlogger.h"
#include "eventmanager.h"
+#define NOTIFBUF 512
+
aimhook ahook;
aimhook::aimhook()
@@ -294,7 +296,8 @@ void aimhook::loadprofile() {
if(access(fname.c_str(), R_OK)) {
char sbuf[512];
- sprintf(sbuf, _("I do really enjoy the default AIM profile of centerim %s."), VERSION);
+ snprintf(sbuf, NOTIFBUF, _("I do really enjoy the default AIM profile of centerim %s."), VERSION);
+ sbuf[NOTIFBUF-1] = '\0';
profile.info = sbuf;
saveprofile();
}
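Review bot: `sbuf` is still declared as `char sbuf[512]` while the new `snprintf` bound and the terminator index use `NOTIFBUF`; the two agree only because the macro happens to be 512. If `NOTIFBUF` is ever raised, the write to `sbuf[NOTIFBUF-1]` lands outside the array and the `snprintf` bound no longer protects it. Declare `char sbuf[NOTIFBUF];`, or use `snprintf(sbuf, sizeof(sbuf), ...)` and drop the manual terminator. loadprofile() starts and ends outside the hunk.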
diff -Nurp centerim-4.22.1.orig/src/hooks/irchook.cc centerim-4.22.1/src/hooks/irchook.cc
--- centerim-4.22.1.orig/src/hooks/irchook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/irchook.cc 2007-10-02 17:40:22.000000000 +0200
@@ -35,6 +35,8 @@
#include <iterator>
+#define NOTIFBUF 512
+
// ----------------------------------------------------------------------------
irchook irhook;
@@ -610,11 +612,12 @@ void irchook::rawcommand(const string &c
void irchook::channelfatal(string room, const char *fmt, ...) {
va_list ap;
- char buf[1024];
+ char buf[NOTIFBUF];
vector<channelInfo>::iterator i;
va_start(ap, fmt);
- vsprintf(buf, fmt, ap);
+ vsnprintf(buf, NOTIFBUF, fmt, ap);
+ buf[NOTIFBUF-1] = '\0';
va_end(ap);
if(room.substr(0, 1) != "#")
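Review bot: `buf` shrinks from 1024 to `NOTIFBUF` (512) bytes here, so a message that used to fit is now cut off silently, and the return value of `vsnprintf` that would reveal this is discarded. The same reduction happens in chatgottopic(), yahoohook::got_conf_invite() and yahoohook::mail_notify(). If truncation is acceptable, a comment such as `// notification text is capped at NOTIFBUF-1 bytes` would record the decision. Otherwise compare the return value with `sizeof(buf)` and handle the overflow case, keeping in mind that a byte-level cut can split a multibyte character. channelfatal() continues past the end of the hunk.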
@@ -1197,7 +1200,7 @@ void irchook::errorhandler(void *connect
void irchook::nickchanged(void *connection, void *cli, ...) {
va_list ap;
icqcontact *c;
- char buf[100];
+ char buf[NOTIFBUF];
va_start(ap, cli);
char *oldnick = va_arg(ap, char *);
@@ -1219,7 +1222,8 @@ void irchook::nickchanged(void *connecti
}
- sprintf(buf, _("The user has changed their nick from %s to %s"), oldnick, newnick);
+ snprintf(buf, NOTIFBUF, _("The user has changed their nick from %s to %s"), oldnick, newnick);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(c, buf));
}
}
@@ -1255,18 +1259,20 @@ const char * const command, const char *
void irchook::subreply(void *conn, void *cli, const char * const nick,
const char * const command, const char * const args) {
- char buf[512];
+ char buf[NOTIFBUF];
if(!strcmp(command, "PING")) {
map<string, time_t>::iterator i = irhook.pingtime.find(up(nick));
if(i != irhook.pingtime.end()) {
- sprintf(buf, _("PING reply from the user: %d second(s)"), time(0)-i->second);
+ snprintf(buf, NOTIFBUF, _("PING reply from the user: %d second(s)"), time(0)-i->second);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(nick, irc), buf));
}
} else if(!strcmp(command, "VERSION")) {
- sprintf(buf, _("The remote is using %s"), args);
+ snprintf(buf, NOTIFBUF, _("The remote is using %s"), args);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(nick, irc), buf));
}
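Review bot: The PING branch passes `time(0)-i->second`, a `time_t` difference, to a `%d` conversion; where `time_t` is wider than `int` this is a type mismatch in a variadic call and the printed value is unreliable. Because the format string is a translated message id, the least invasive fix is to cast the argument, `(int)(time(0)-i->second)`, rather than change the conversion. subreply() ends outside the hunk.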
@@ -1379,8 +1385,9 @@ void irchook::chatuserjoined(void *conn,
if(strlen(email))
uname += (string) " (" + email + ")";
- char buf[512];
- sprintf(buf, _("%s has joined."), uname.c_str());
+ char buf[NOTIFBUF];
+ snprintf(buf, NOTIFBUF, _("%s has joined."), uname.c_str());
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(room, irc), buf));
}
}
@@ -1397,15 +1404,17 @@ void irchook::chatuserleft(void *conn, v
if(conf.getourid(irc).nickname != who) {
string text;
string text2;
- char buf[512];
+ char buf[NOTIFBUF];
- sprintf(buf, _("%s has left"), who); text = buf;
+ snprintf(buf, NOTIFBUF, _("%s has left"), who); text = buf;
+ buf[NOTIFBUF-1] = '\0';
if(reason)
if(strlen(reason)) {
if(strlen(reason) > 450) reason[450] = 0;
text2 = irhook.rushtmlconv( "wk", reason );
- sprintf(buf, _("reason: %s"), text2.c_str() );
+ snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
+ buf[NOTIFBUF-1] = '\0';
text += (string) "; " + buf + ".";
}
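Review bot: The rewritten `reason:` line formats the raw `reason` pointer instead of `text2.c_str()`, so the result of `irhook.rushtmlconv( "wk", reason )` on the line above is now computed and thrown away. That changes what is shown to the user and does not look like an intended part of a bounds fix; it resembles the chatuserkicked() line being copied over. I would keep the converted text: `snprintf(buf, NOTIFBUF, _("reason: %s"), text2.c_str());`. The enclosing function starts and ends outside the hunk.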
@@ -1425,13 +1434,15 @@ void irchook::chatuserkicked(void *conn,
if(conf.getourid(irc).nickname != who) {
string text;
- char buf[512];
+ char buf[NOTIFBUF];
- sprintf(buf, _("%s has been kicked by %s"), who, by); text = buf;
+ snprintf(buf, NOTIFBUF, _("%s has been kicked by %s"), who, by); text = buf;
+ buf[NOTIFBUF-1] = '\0';
if(reason)
if(strlen(reason)) {
- sprintf(buf, _("reason: %s"), reason);
+ snprintf(buf, NOTIFBUF, _("reason: %s"), reason);
+ buf[NOTIFBUF-1] = '\0';
text += (string) "; " + buf + ".";
}
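Review bot: On the `has been kicked by` line, `text = buf;` runs on the same line as the `snprintf`, before `buf[NOTIFBUF-1] = '\0';`, so the terminator is written after the buffer has already been copied; chatuserleft() has the same ordering. C99 `snprintf` terminates the output itself when the size is non-zero, so the copy is safe there, but the added line then does nothing. Either drop it or move `text = buf;` below it so the order matches the intent. The function body extends beyond the hunk.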
@@ -1454,14 +1465,16 @@ void irchook::chatgottopic(void *conn, v
return;
string text;
- char buf[1024];
+ char buf[NOTIFBUF];
text = irhook.rushtmlconv( "wk", topic );
- sprintf(buf, _("Channel topic now is: %s"), text.c_str());
+ snprintf(buf, NOTIFBUF, _("Channel topic now is: %s"), text.c_str());
+ buf[NOTIFBUF-1] = '\0';
text = buf;
if(author)
if(strlen(author)) {
- sprintf(buf, _("set by %s"), author);
+ snprintf(buf, NOTIFBUF, _("set by %s"), author);
+ buf[NOTIFBUF-1] = '\0';
text += (string) "; " + buf + ".";
}
@@ -1478,8 +1491,9 @@ void irchook::chatuseropped(void *conn,
va_end(ap);
if(by) {
- char buf[512];
- sprintf(buf, _("%s has been opped by %s."), who, by);
+ char buf[NOTIFBUF];
+ snprintf(buf, NOTIFBUF, _("%s has been opped by %s."), who, by);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(room, irc), buf));
}
}
@@ -1494,8 +1508,9 @@ void irchook::chatuserdeopped(void *conn
va_end(ap);
if(by) {
- char buf[512];
- sprintf(buf, _("%s has been deopped by %s."), who, by);
+ char buf[NOTIFBUF];
+ snprintf(buf, NOTIFBUF, _("%s has been deopped by %s."), who, by);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(room, irc), buf));
}
}
@@ -1508,10 +1523,10 @@ void irchook::chatopped(void *conn, void
char *by = va_arg(ap, char *);
va_end(ap);
- char buf[512];
- if(by) sprintf(buf, _("%s has opped us."), by);
- else strcpy(buf, _("you are an op here"));
-
+ char buf[NOTIFBUF];
+ if(by) snprintf(buf, NOTIFBUF, _("%s has opped us."), by);
+ else strncpy(buf, _("you are an op here"), NOTIFBUF);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(room, irc), buf));
}
@@ -1523,8 +1538,9 @@ void irchook::chatdeopped(void *conn, vo
char *by = va_arg(ap, char *);
va_end(ap);
- char buf[512];
- sprintf(buf, _("%s has deopped us."), by);
+ char buf[NOTIFBUF];
+ snprintf(buf, NOTIFBUF, _("%s has deopped us."), by);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(imcontact(room, irc), buf));
}
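Review bot: `by` is passed straight to `%s` here, while chatopped() in the previous hunk guards the same argument with `if(by)`; passing a null pointer to `%s` is undefined behaviour. Whether the IRC library can deliver a null `by` to this callback is not visible in the hunk, but the sibling handler suggests it can. A guard such as `if(!by) return;` before the `snprintf`, or a fallback string, would make the two handlers consistent. chatdeopped() begins outside the hunk.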
diff -Nurp centerim-4.22.1.orig/src/hooks/jabberhook.cc centerim-4.22.1/src/hooks/jabberhook.cc
--- centerim-4.22.1.orig/src/hooks/jabberhook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/jabberhook.cc 2007-10-02 17:33:30.000000000 +0200
@@ -36,6 +36,8 @@
#define DEFAULT_CONFSERV "conference.jabber.org"
#define PERIOD_KEEPALIVE 30
+#define NOTIFBUF 512
+
static void jidsplit(const string &jid, string &user, string &host, string &rest) {
int pos;
user = jid;
@@ -1350,8 +1352,9 @@ void jabberhook::gotversion(const imcont
if(vinfo.size() > 128)
vinfo.erase(128);
- char buf[256];
- sprintf(buf, _("The remote is using %s"), vinfo.c_str());
+ char buf[NOTIFBUF];
+ snprintf(buf, NOTIFBUF, _("The remote is using %s"), vinfo.c_str());
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(ic, buf));
}
}
diff -Nurp centerim-4.22.1.orig/src/hooks/ljhook.cc centerim-4.22.1/src/hooks/ljhook.cc
--- centerim-4.22.1.orig/src/hooks/ljhook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/ljhook.cc 2007-10-02 17:43:10.000000000 +0200
@@ -37,6 +37,8 @@ ljhook lhook;
#define PERIOD_FRIENDS 3600
+#define NOTIFBUF 512
+
ljhook::ljhook(): abstracthook(livejournal), fonline(false), sdest(0) {
fcapabs.insert(hookcapab::nochat);
}
@@ -654,7 +656,7 @@ void ljhook::messageack_cb(MessageEvent
map<string, string> nfriendof;
map<string, string>::const_iterator in;
vector<string>::iterator il;
- char buf[512];
+ char buf[NOTIFBUF];
for(i = 1; i <= count; i++) {
username = params[(string) "friendof_" + i2str(i) + "_user"];
@@ -669,8 +671,9 @@ void ljhook::messageack_cb(MessageEvent
if(!foempty) {
bd = (string) "http://" + conf.getourid(proto).server + "/users/" + in->first;
- snprintf(buf, sizeof(buf), _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
+ snprintf(buf, NOTIFBUF, _("The user %s (%s) has added you to his/her friend list\n\nJournal address: %s"),
in->first.c_str(), in->second.c_str(), bd.c_str());
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(self, buf));
}
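Review bot: Replacing `sizeof(buf)` with `NOTIFBUF` in this `snprintf` loosens the coupling between the bound and the array. The original call was already bounded and `sizeof(buf)` stays correct if the declaration changes, so I would leave it as it was; the next hunk makes the same substitution. The added `buf[NOTIFBUF-1] = '\0';` is redundant after `snprintf`. The patch also lists a binary difference for `.ljhook.cc.rej.swp`, an editor swap file of a reject file, which suggests a hunk for ljhook.cc was rejected at some point; it is worth confirming the file's changes are complete and removing the swap file from the patch.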
@@ -679,8 +682,9 @@ void ljhook::messageack_cb(MessageEvent
for(il = friendof.begin(); il != friendof.end(); ) {
if(nfriendof.find(*il) == nfriendof.end()) {
bd = (string) "http://" + conf.getourid(proto).server + "/users/" + *il;
- snprintf(buf, sizeof(buf), _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
+ snprintf(buf, NOTIFBUF, _("The user %s has removed you from his/her friend list\n\nJournal address: %s"),
il->c_str(), bd.c_str());
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(self, buf));
friendof.erase(il);
il = friendof.begin();
Binary files centerim-4.22.1.orig/src/hooks/.ljhook.cc.rej.swp and centerim-4.22.1/src/hooks/.ljhook.cc.rej.swp differ
diff -Nurp centerim-4.22.1.orig/src/hooks/yahoohook.cc centerim-4.22.1/src/hooks/yahoohook.cc
--- centerim-4.22.1.orig/src/hooks/yahoohook.cc 2007-10-02 17:24:40.000000000 +0200
+++ centerim-4.22.1/src/hooks/yahoohook.cc 2007-10-02 17:33:30.000000000 +0200
@@ -47,6 +47,8 @@
#define PERIOD_REFRESH 60
#define PERIOD_CLOSE 6
+#define NOTIFBUF 512
+
int yahoohook::yfd::connection_tags = 0;
char pager_host[255], pager_port[255], filetransfer_host[255],
@@ -852,7 +854,7 @@ void yahoohook::got_conf_invite(int id,
icqconf::imaccount acc = conf.getourid(yahoo);
string confname = (string) "#" + room, inviter, text;
vector<string>::iterator ic;
- char buf[1024];
+ char buf[NOTIFBUF];
int i;
imcontact cont(confname, yahoo);
@@ -864,10 +866,11 @@ void yahoohook::got_conf_invite(int id,
inviter.erase(i);
}
- sprintf(buf, _("The user %s has invited you to the %s conference, the topic there is: %s"),
+ snprintf(buf, NOTIFBUF, _("The user %s has invited you to the %s conference, the topic there is: %s"),
yhook.rusconv("wk", inviter).c_str(),
yhook.rusconv("wk", room).c_str(),
yhook.rusconv("wk", msg).c_str());
+ buf[NOTIFBUF-1] = '\0';
text = (string) buf + "\n\n" + _("Current conference members are: ");
yhook.confmembers[room].push_back(inviter);
@@ -896,20 +899,22 @@ void yahoohook::got_conf_invite(int id,
void yahoohook::conf_userdecline(int id, char *who, char *room, char *msg) {
icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
- char buf[512];
+ char buf[NOTIFBUF];
if(c) {
- sprintf(buf, _("The user %s has declined your invitation to join the conference"), who);
+ snprintf(buf, NOTIFBUF, _("The user %s has declined your invitation to join the conference"), who);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(c, buf));
}
}
void yahoohook::conf_userjoin(int id, char *who, char *room) {
icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
- char buf[512];
+ char buf[NOTIFBUF];
if(c) {
- sprintf(buf, _("The user %s has joined the conference"), who);
+ snprintf(buf, NOTIFBUF, _("The user %s has joined the conference"), who);
+ buf[NOTIFBUF-1] = '\0';
if(find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who) == yhook.confmembers[room].end())
yhook.confmembers[room].push_back(who);
@@ -920,11 +925,12 @@ void yahoohook::conf_userjoin(int id, ch
void yahoohook::conf_userleave(int id, char *who, char *room) {
icqcontact *c = clist.get(imcontact((string) "#" + room, yahoo));
- char buf[512];
+ char buf[NOTIFBUF];
vector<string>::iterator im;
if(c) {
- sprintf(buf, _("The user %s has left the conference"), who);
+ snprintf(buf, NOTIFBUF, _("The user %s has left the conference"), who);
+ buf[NOTIFBUF-1] = '\0';
em.store(imnotification(c, buf));
im = find(yhook.confmembers[room].begin(), yhook.confmembers[room].end(), who);
@@ -989,10 +995,11 @@ void yahoohook::game_notify(int id, char
}
void yahoohook::mail_notify(int id, char *from, char *subj, int cnt) {
- char buf[1024];
+ char buf[NOTIFBUF];
if(from && subj) {
- sprintf(buf, _("+ [yahoo] e-mail from %s, %s"), from, subj);
+ snprintf(buf, NOTIFBUF, _("+ [yahoo] e-mail from %s, %s"), from, subj);
+ buf[NOTIFBUF-1] = '\0';
face.log(buf);
clist.get(contactroot)->playsound(imevent::email);
}
@@ -1146,11 +1153,12 @@ void yahoohook::webcam_data_request(int
int yahoohook::ylog(char *fmt, ...) {
if(conf.getdebug()) {
- char buf[512];
+ char buf[NOTIFBUF];
va_list ap;
va_start(ap, fmt);
- vsprintf(buf, fmt, ap);
+ vsnprintf(buf, NOTIFBUF, fmt, ap);
+ buf[NOTIFBUF-1] = '\0';
va_end(ap);
face.log(buf);