Bug#414069: CVE-2007-0999: still vulnerable to format string
exploits
Kees Cook
kees at outflux.net
Fri Mar 9 02:27:09 CET 2007
Package: ekiga
Version: 2.0.3-4
Severity: grave
Tags: patch, security
Hello! Unfortunately, it seems the upstream changes for CVE-2007-1006
weren't sufficient to solve the problems. Upstream is preparing 2.0.6
to be released[1], but in the meantime, I've attached the patch I'm
using in Ubuntu for 2.0.3.
[1] http://bugzilla.gnome.org/show_bug.cgi?id=415526
--
Kees Cook @outflux.net
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 51_fix-format-strings.dpatch by Kees Cook <kees at ubuntu.com>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix format string vulnerabilities (CVE-2007-0999): mark the printf-style
## DP: GUI helpers with G_GNUC_PRINTF so the compiler can check callers, and pass
## DP: runtime-built messages as a "%s" argument instead of using them as the format.
@DPATCH@
diff -urNad ekiga-2.0.3~/lib/gui/gmdialog.h ekiga-2.0.3/lib/gui/gmdialog.h
--- ekiga-2.0.3~/lib/gui/gmdialog.h 2006-03-12 07:46:42.000000000 -0800
+++ ekiga-2.0.3/lib/gui/gmdialog.h 2007-03-08 17:00:30.144521663 -0800
@@ -127,7 +127,7 @@
const char *,
const char *,
const char *,
- ...);
+ ...) G_GNUC_PRINTF(4,5);
/**
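Review bot: G_GNUC_PRINTF(4,5) on this declaration (its name and first parameter lie above the hunk) only produces a diagnostic, and only when the build enables format checking; a future caller passing a non-literal format still compiles unless the package also builds with `-Wformat -Wformat-security` (ideally `-Werror=format-security`), which turns the annotation into an enforced check. The (4,5) index agrees with the videoinput.cpp call (window, key, title, message) as far as that hunk shows. A one-line comment on the declaration would help the next maintainer: `/* 'format' is a printf-style string: never pass a message as the format, use "%s" */`.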
@@ -140,7 +140,7 @@
GtkWidget *gnomemeeting_error_dialog (GtkWindow *parent,
const char *,
const char *format,
- ...);
+ ...) G_GNUC_PRINTF(3,4);
/**
@@ -153,7 +153,7 @@
GtkWidget *gnomemeeting_warning_dialog (GtkWindow *parent,
const char *,
const char *format,
- ...);
+ ...) G_GNUC_PRINTF(3,4);
/**
@@ -166,7 +166,7 @@
GtkWidget *gnomemeeting_message_dialog (GtkWindow *parent,
const char *,
const char *format,
- ...);
+ ...) G_GNUC_PRINTF(3,4);
/**
@@ -179,7 +179,7 @@
GtkWidget *gnomemeeting_progress_dialog (GtkWindow *parent,
const char *,
const char *format,
- ...);
+ ...) G_GNUC_PRINTF(3,4);
G_END_DECLS
diff -urNad ekiga-2.0.3~/lib/gui/gmstatusbar.c ekiga-2.0.3/lib/gui/gmstatusbar.c
--- ekiga-2.0.3~/lib/gui/gmstatusbar.c 2006-03-12 07:46:42.000000000 -0800
+++ ekiga-2.0.3/lib/gui/gmstatusbar.c 2007-03-08 17:00:30.148521870 -0800
@@ -48,7 +48,7 @@
gboolean,
gboolean,
const char *,
- ...);
+ va_list args);
static int gm_statusbar_clear_msg_cb (gpointer);
@@ -100,7 +100,7 @@
gboolean flash_message,
gboolean info_message,
const char *msg,
- ...)
+ va_list args)
{
gint id = 0;
gint msg_id = 0;
@@ -119,17 +119,12 @@
gtk_statusbar_pop (GTK_STATUSBAR (sb), id);
if (msg) {
-
- va_list args;
char buffer [1025];
- va_start (args, msg);
vsnprintf (buffer, 1024, msg, args);
msg_id = gtk_statusbar_push (GTK_STATUSBAR (sb), id, buffer);
- va_end (args);
-
if (flash_message)
gtk_timeout_add (15000, gm_statusbar_clear_msg_cb,
GINT_TO_POINTER (msg_id));
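Review bot: With `...` replaced by `va_list args`, the va_list consumed by vsnprintf is owned by the caller, and the public wrappers (gm_statusbar_flash_message and friends) that build it are not part of this patch; confirm they wrap the call in va_start/va_end rather than forwarding a va_list through `...`, which is the pattern the main.cpp hunks remove. After vsnprintf returns, `args` is indeterminate, so nothing after it in this function may touch it. A short contract comment on the parameter would document this: `/* args is consumed by vsnprintf; the caller owns va_start/va_end and must not reuse it */`. The function's head is in the previous hunk and its tail lies beyond this one.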
diff -urNad ekiga-2.0.3~/lib/gui/gmstatusbar.h ekiga-2.0.3/lib/gui/gmstatusbar.h
--- ekiga-2.0.3~/lib/gui/gmstatusbar.h 2006-03-12 07:46:42.000000000 -0800
+++ ekiga-2.0.3/lib/gui/gmstatusbar.h 2007-03-08 17:00:30.148521870 -0800
@@ -94,7 +94,7 @@
*/
void gm_statusbar_flash_message (GmStatusbar *,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/* DESCRIPTION : /
@@ -105,7 +105,7 @@
*/
void gm_statusbar_push_message (GmStatusbar *,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/* DESCRIPTION : /
@@ -116,7 +116,7 @@
*/
void gm_statusbar_push_info_message (GmStatusbar *,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
G_END_DECLS
diff -urNad ekiga-2.0.3~/lib/gui/gmtexttagaddon.h ekiga-2.0.3/lib/gui/gmtexttagaddon.h
--- ekiga-2.0.3~/lib/gui/gmtexttagaddon.h 2006-03-12 07:46:42.000000000 -0800
+++ ekiga-2.0.3/lib/gui/gmtexttagaddon.h 2007-03-08 17:00:30.148521870 -0800
@@ -97,7 +97,7 @@
**/
void gtk_text_tag_add_actions_to_regex (GtkTextTag *tag,
const gchar *first_action_name,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/**
* gtk_text_tag_set_regex_display:
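Review bot: G_GNUC_PRINTF(2,3) on gtk_text_tag_add_actions_to_regex looks like a misannotation: the parameter is named `first_action_name`, which suggests a NULL-terminated list of action name/callback pairs rather than a printf format, and nothing in the hunk shows this function formatting anything. If that is the case, the compiler will warn on every legitimate caller (a non-literal name, or extra arguments with no conversions) and the line should be dropped or replaced by `G_GNUC_NULL_TERMINATED`. Check the implementation in gmtexttagaddon.c before applying this line.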
diff -urNad ekiga-2.0.3~/src/devices/videoinput.cpp ekiga-2.0.3/src/devices/videoinput.cpp
--- ekiga-2.0.3~/src/devices/videoinput.cpp 2006-05-15 23:38:34.000000000 -0700
+++ ekiga-2.0.3/src/devices/videoinput.cpp 2007-03-08 17:00:30.148521870 -0800
@@ -392,7 +392,7 @@
gnomemeeting_warning_dialog_on_widget (GTK_WINDOW (main_window),
VIDEO_DEVICES_KEY "enable_preview",
dialog_title,
- dialog_msg);
+ "%s", dialog_msg);
g_free (dialog_msg);
g_free (dialog_title);
g_free (tmp_msg);
@@ -706,7 +706,7 @@
gdk_threads_enter ();
gnomemeeting_error_dialog (GTK_WINDOW (druid_window),
_("Failed to open the device"),
- dialog_msg);
+ "%s", dialog_msg);
gdk_threads_leave ();
g_free (dialog_msg);
diff -urNad ekiga-2.0.3~/src/endpoints/accountshandler.cpp ekiga-2.0.3/src/endpoints/accountshandler.cpp
--- ekiga-2.0.3~/src/endpoints/accountshandler.cpp 2006-05-13 10:32:49.000000000 -0700
+++ ekiga-2.0.3/src/endpoints/accountshandler.cpp 2007-03-08 17:00:30.148521870 -0800
@@ -202,8 +202,8 @@
a->host?a->host:"");
gnomemeeting_threads_enter ();
- gm_main_window_push_message (main_window, msg);
- gm_history_window_insert (history_window, msg);
+ gm_main_window_push_message (main_window, "%s", msg);
+ gm_history_window_insert (history_window, "%s", msg);
gm_accounts_window_update_account_state (accounts_window,
FALSE,
a->host,
@@ -312,8 +312,8 @@
msg = g_strdup_printf (_("Registered to %s"), a->host);
gnomemeeting_threads_enter ();
- gm_main_window_push_message (main_window, msg);
- gm_history_window_insert (history_window, msg);
+ gm_main_window_push_message (main_window, "%s", msg);
+ gm_history_window_insert (history_window, "%s", msg);
gm_accounts_window_update_account_state (accounts_window,
FALSE,
a->host,
@@ -343,8 +343,8 @@
h323EP->RemoveAliasName (a->username);
gnomemeeting_threads_enter ();
- gm_main_window_push_message (main_window, msg);
- gm_history_window_insert (history_window, msg);
+ gm_main_window_push_message (main_window, "%s", msg);
+ gm_history_window_insert (history_window, "%s", msg);
gm_accounts_window_update_account_state (accounts_window,
FALSE,
a->host,
diff -urNad ekiga-2.0.3~/src/endpoints/manager.cpp ekiga-2.0.3/src/endpoints/manager.cpp
--- ekiga-2.0.3~/src/endpoints/manager.cpp 2006-08-29 12:23:34.000000000 -0700
+++ ekiga-2.0.3/src/endpoints/manager.cpp 2007-03-08 17:03:18.973281968 -0800
@@ -660,8 +660,8 @@
gnomemeeting_threads_enter ();
msg = g_strdup_printf (_("Forwarding call to %s"),
(const char*) forward_party);
- gm_main_window_flash_message (main_window, msg);
- gm_history_window_insert (history_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
+ gm_history_window_insert (history_window, "%s", msg);
gnomemeeting_threads_leave ();
g_free (msg);
@@ -814,9 +814,9 @@
/* Update the log and status bar */
msg = g_strdup_printf (_("Call from %s"), (const char *) utf8_name);
gnomemeeting_threads_enter ();
- gm_main_window_flash_message (main_window, msg);
- gm_chat_window_push_info_message (chat_window, NULL, msg);
- gm_history_window_insert (history_window, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
+ gm_chat_window_push_info_message (chat_window, NULL, "%s", msg);
+ gm_history_window_insert (history_window, "%s", msg);
gnomemeeting_threads_leave ();
g_free (msg);
@@ -854,9 +854,9 @@
/* Display the action message */
gnomemeeting_threads_enter ();
if (short_reason)
- gm_main_window_flash_message (main_window, short_reason);
+ gm_main_window_flash_message (main_window, "%s", short_reason);
if (long_reason)
- gm_history_window_insert (history_window, long_reason);
+ gm_history_window_insert (history_window, "%s", long_reason);
gnomemeeting_threads_leave ();
/* Update the current state if action is 0 or 4.
@@ -1001,8 +1001,8 @@
utf8_name, utf8_app);
msg = g_strdup_printf (_("Connected with %s"), utf8_name);
gm_main_window_set_status (main_window, msg);
- gm_main_window_flash_message (main_window, msg);
- gm_chat_window_push_info_message (chat_window, NULL, msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
+ gm_chat_window_push_info_message (chat_window, NULL, "%s", msg);
gm_main_window_update_calling_state (main_window, GMManager::Connected);
gm_chat_window_update_calling_state (chat_window,
utf8_name,
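Review bot: `gm_main_window_set_status (main_window, msg);` directly above the changed lines is left untouched while the two calls after it gain `"%s"`; msg is built from utf8_name, so if that function is also variadic and formats its argument it has the same remote-controlled format string, and it should become `gm_main_window_set_status (main_window, "%s", msg);`. It is not among the main.h declarations this patch annotates, which suggests it takes a plain string, but the hunk does not show its prototype, so confirm it. The enclosing function continues outside the hunk.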
@@ -1272,11 +1272,11 @@
t.AsString (0),
msg_reason,
utf8_app);
- gm_history_window_insert (history_window, msg_reason);
+ gm_history_window_insert (history_window, "%s", msg_reason);
gm_main_window_push_message (main_window,
GetMissedCallsNumber (),
GetMWI ());
- gm_main_window_flash_message (main_window, msg_reason);
+ gm_main_window_flash_message (main_window, "%s", msg_reason);
gm_chat_window_push_info_message (chat_window, NULL, "");
gnomemeeting_threads_leave ();
@@ -1902,7 +1902,7 @@
/* Update the GUI and menus wrt opened channels */
gnomemeeting_threads_enter ();
- gm_history_window_insert (history_window, msg);
+ gm_history_window_insert (history_window, "%s", msg);
gm_main_window_update_sensitivity (main_window, is_video, is_video?is_receiving_video:is_receiving_audio, is_video?is_transmitting_video:is_transmitting_audio);
gm_main_window_set_channel_pause (main_window, FALSE, is_video);
gm_main_window_set_call_info (main_window,
@@ -2058,7 +2058,7 @@
gdk_threads_enter ();
- gm_main_window_push_info_message (main_window, msg);
+ gm_main_window_push_info_message (main_window, "%s", msg);
gm_main_window_update_stats (main_window,
lost_packets_per,
late_packets_per,
diff -urNad ekiga-2.0.3~/src/endpoints/sip.cpp ekiga-2.0.3/src/endpoints/sip.cpp
--- ekiga-2.0.3~/src/endpoints/sip.cpp 2006-06-15 14:08:42.000000000 -0700
+++ ekiga-2.0.3/src/endpoints/sip.cpp 2007-03-08 17:00:30.148521870 -0800
@@ -226,8 +226,8 @@
wasRegistering);
#endif
- gm_history_window_insert (history_window, msg);
- gm_main_window_flash_message (main_window, msg);
+ gm_history_window_insert (history_window, "%s", msg);
+ gm_main_window_flash_message (main_window, "%s", msg);
if (endpoint.GetCallingState() == GMManager::Standby)
gm_main_window_set_account_info (main_window,
endpoint.GetRegisteredAccounts());
@@ -319,8 +319,8 @@
NULL);
}
- gm_history_window_insert (history_window, msg);
- gm_main_window_push_message (main_window, msg);
+ gm_history_window_insert (history_window, "%s", msg);
+ gm_main_window_push_message (main_window, "%s", msg);
gnomemeeting_threads_leave ();
/* Signal the SIP Endpoint */
diff -urNad ekiga-2.0.3~/src/endpoints/urlhandler.cpp ekiga-2.0.3/src/endpoints/urlhandler.cpp
--- ekiga-2.0.3~/src/endpoints/urlhandler.cpp 2006-05-17 13:32:32.000000000 -0700
+++ ekiga-2.0.3/src/endpoints/urlhandler.cpp 2007-03-08 17:00:30.152522078 -0800
@@ -471,8 +471,8 @@
else
msg = g_strdup_printf (_("Transferring call to %s"),
(const char *) call_address);
- gm_history_window_insert (history_window, msg);
- gm_main_window_push_message (main_window, msg);
+ gm_history_window_insert (history_window, "%s", msg);
+ gm_main_window_push_message (main_window, "%s", msg);
g_free (msg);
}
gnomemeeting_threads_leave ();
@@ -527,7 +527,7 @@
if (call_address.Find ("+type=directory") != P_MAX_INDEX) {
- gm_main_window_flash_message (main_window, _("User not found"));
+ gm_main_window_flash_message (main_window, "%s", _("User not found"));
gm_calls_history_add_call (PLACED_CALL,
NULL,
call_address,
@@ -538,7 +538,7 @@
}
else {
- gm_main_window_flash_message (main_window, _("Failed to call user"));
+ gm_main_window_flash_message (main_window, "%s", _("Failed to call user"));
gm_calls_history_add_call (PLACED_CALL,
NULL,
call_address,
diff -urNad ekiga-2.0.3~/src/gui/accounts.cpp ekiga-2.0.3/src/gui/accounts.cpp
--- ekiga-2.0.3~/src/gui/accounts.cpp 2006-08-26 05:09:06.000000000 -0700
+++ ekiga-2.0.3/src/gui/accounts.cpp 2007-03-08 17:00:30.152522078 -0800
@@ -688,7 +688,7 @@
dialog =
gtk_message_dialog_new (GTK_WINDOW (accounts_window),
GTK_DIALOG_MODAL, GTK_MESSAGE_QUESTION,
- GTK_BUTTONS_YES_NO, confirm_msg);
+ GTK_BUTTONS_YES_NO, "%s", confirm_msg);
g_free (confirm_msg);
gtk_dialog_set_default_response (GTK_DIALOG (dialog),
diff -urNad ekiga-2.0.3~/src/gui/addressbook.cpp ekiga-2.0.3/src/gui/addressbook.cpp
--- ekiga-2.0.3~/src/gui/addressbook.cpp 2006-05-17 11:32:12.000000000 -0700
+++ ekiga-2.0.3/src/gui/addressbook.cpp 2007-03-08 17:00:30.152522078 -0800
@@ -3154,7 +3154,7 @@
dialog =
gtk_message_dialog_new (GTK_WINDOW (parent_window),
GTK_DIALOG_MODAL, GTK_MESSAGE_QUESTION,
- GTK_BUTTONS_YES_NO, confirm_msg);
+ GTK_BUTTONS_YES_NO, "%s", confirm_msg);
g_free (confirm_msg);
gtk_dialog_set_default_response (GTK_DIALOG (dialog),
@@ -3631,7 +3631,7 @@
dialog =
gtk_message_dialog_new (GTK_WINDOW (addressbook_window),
GTK_DIALOG_MODAL, GTK_MESSAGE_QUESTION,
- GTK_BUTTONS_YES_NO, confirm_msg);
+ GTK_BUTTONS_YES_NO, "%s", confirm_msg);
g_free (confirm_msg);
gtk_dialog_set_default_response (GTK_DIALOG (dialog),
diff -urNad ekiga-2.0.3~/src/gui/chat.cpp ekiga-2.0.3/src/gui/chat.cpp
--- ekiga-2.0.3~/src/gui/chat.cpp 2006-05-06 13:02:31.000000000 -0700
+++ ekiga-2.0.3/src/gui/chat.cpp 2007-03-08 17:00:30.152522078 -0800
@@ -1684,10 +1684,12 @@
va_list args;
va_start (args, msg);
+ char *buffer = g_strdup_vprintf(msg, args);
contact_url = gtk_entry_get_text (GTK_ENTRY (twp->remote_url));
if (!url || GMURL (contact_url) == GMURL (url))
- gm_statusbar_push_info_message (GM_STATUSBAR (tw->statusbar), msg, args);
+ gm_statusbar_push_info_message (GM_STATUSBAR (tw->statusbar), "%s", buffer);
+ g_free (buffer);
va_end (args);
}
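Review bot: The message is now formatted with g_strdup_vprintf before the URL comparison, so when `msg` is NULL (the statusbar code guards `if (msg)`) buffer is NULL and `"%s"` would likely push the text "(null)" instead of clearing the bar, and a message that the `if` then drops is still formatted. Moving the pair inside the branch keeps the old semantics: `if (msg && (!url || GMURL (contact_url) == GMURL (url))) { char *buffer = g_strdup_vprintf (msg, args); gm_statusbar_push_info_message (GM_STATUSBAR (tw->statusbar), "%s", buffer); g_free (buffer); }`. Whether callers ever pass a NULL msg is not visible here. The function's head lies above the hunk.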
diff -urNad ekiga-2.0.3~/src/gui/chat.h ekiga-2.0.3/src/gui/chat.h
--- ekiga-2.0.3~/src/gui/chat.h 2006-05-06 13:02:31.000000000 -0700
+++ ekiga-2.0.3/src/gui/chat.h 2007-03-08 17:01:31.679714630 -0800
@@ -115,7 +115,7 @@
void gm_chat_window_push_info_message (GtkWidget *chat_window,
const char *url,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(3,4);
G_END_DECLS
diff -urNad ekiga-2.0.3~/src/gui/history.h ekiga-2.0.3/src/gui/history.h
--- ekiga-2.0.3~/src/gui/history.h 2006-05-06 09:58:05.000000000 -0700
+++ ekiga-2.0.3/src/gui/history.h 2007-03-08 17:02:07.657581470 -0800
@@ -55,6 +55,6 @@
void
gm_history_window_insert (GtkWidget *log_window,
const char *format,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
#endif /* _LOG_WINDOW_H_ */
diff -urNad ekiga-2.0.3~/src/gui/main.cpp ekiga-2.0.3/src/gui/main.cpp
--- ekiga-2.0.3~/src/gui/main.cpp 2007-03-08 17:00:29.628494887 -0800
+++ ekiga-2.0.3/src/gui/main.cpp 2007-03-08 17:00:30.156522285 -0800
@@ -2304,7 +2304,7 @@
info = g_strdup_printf (_("Missed calls: %d - Voice Mails: %s"),
ep->GetMissedCallsNumber (),
(const char *) ep->GetMWI ());
- gm_main_window_push_info_message (GTK_WIDGET (data), info);
+ gm_main_window_push_info_message (GTK_WIDGET (data), "%s", info);
g_free (info);
@@ -4250,7 +4250,7 @@
va_start (args, msg);
vsnprintf (buffer, 1024, msg, args);
- gm_statusbar_flash_message (GM_STATUSBAR (mw->statusbar), buffer);
+ gm_statusbar_flash_message (GM_STATUSBAR (mw->statusbar), "%s", buffer);
va_end (args);
}
@@ -4270,7 +4270,7 @@
mw = gm_mw_get_mw (main_window);
info = g_strdup_printf (_("Missed calls: %d - Voice Mails: %s"), missed, vm);
- gm_main_window_push_info_message (main_window, info);
+ gm_main_window_push_info_message (main_window, "%s", info);
g_free (info);
}
@@ -4293,7 +4293,7 @@
va_start (args, msg);
vsnprintf (buffer, 1024, msg, args);
- gm_statusbar_push_message (GM_STATUSBAR (mw->statusbar), buffer);
+ gm_statusbar_push_message (GM_STATUSBAR (mw->statusbar), "%s", buffer);
va_end (args);
}
@@ -4305,6 +4305,8 @@
{
GmWindow *mw = NULL;
+ char buffer [1025];
+
g_return_if_fail (main_window != NULL);
mw = gm_mw_get_mw (main_window);
@@ -4312,7 +4314,8 @@
va_list args;
va_start (args, msg);
- gm_statusbar_push_info_message (GM_STATUSBAR (mw->statusbar), msg, args);
+ vsnprintf (buffer, 1024, msg, args);
+ gm_statusbar_push_info_message (GM_STATUSBAR (mw->statusbar), "%s", buffer);
va_end (args);
}
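Review bot: The new `char buffer [1025]` plus `vsnprintf (buffer, 1024, msg, args)` silently truncates any message longer than 1023 bytes, whereas the same patch uses g_strdup_vprintf for the equivalent wrapper in chat.cpp; `char *buffer = g_strdup_vprintf (msg, args);` followed by `g_free (buffer);` after the push would remove the truncation and keep this wrapper consistent with the two sibling wrappers above, which share the same fixed buffer. The 1024/1025 pairing itself is correct and the result is NUL-terminated. The function's head lies above the hunk.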
@@ -4519,7 +4522,7 @@
msg = g_strdup_printf (_("Ekiga got an invalid value for the GConf key %s.\n\nIt probably means that your GConf schemas have not been correctly installed or the that permissions are not correct.\n\nPlease check the FAQ (http://www.ekiga.org/), the troubleshooting section of the GConf site (http://www.gnome.org/projects/gconf/) or the mailing list archives for more information (http://mail.gnome.org) about this problem."), key_name);
dialog = gnomemeeting_error_dialog (GTK_WINDOW (main_window),
- _("Gconf key error"), msg);
+ _("Gconf key error"), "%s", msg);
g_signal_handlers_disconnect_by_func (G_OBJECT (dialog),
(gpointer) gtk_widget_destroy,
diff -urNad ekiga-2.0.3~/src/gui/main.h ekiga-2.0.3/src/gui/main.h
--- ekiga-2.0.3~/src/gui/main.h 2006-05-06 09:27:57.000000000 -0700
+++ ekiga-2.0.3/src/gui/main.h 2007-03-08 17:02:44.131474063 -0800
@@ -338,7 +338,7 @@
*/
void gm_main_window_flash_message (GtkWidget *main_window,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/* DESCRIPTION : /
@@ -359,7 +359,7 @@
*/
void gm_main_window_push_message (GtkWidget *main_window,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/* DESCRIPTION : /
@@ -369,7 +369,7 @@
*/
void gm_main_window_push_info_message (GtkWidget *main_window,
const char *msg,
- ...);
+ ...) G_GNUC_PRINTF(2,3);
/* DESCRIPTION : /
* BEHAVIOR : Sets the given URL as called URL.
diff -urNad ekiga-2.0.3~/src/gui/misc.cpp ekiga-2.0.3/src/gui/misc.cpp
--- ekiga-2.0.3~/src/gui/misc.cpp 2006-05-06 07:51:11.000000000 -0700
+++ ekiga-2.0.3/src/gui/misc.cpp 2007-03-08 17:00:30.156522285 -0800
@@ -113,7 +113,7 @@
gdk_threads_enter ();
gnomemeeting_error_dialog (GTK_WINDOW (main_window),
_("Error"),
- (gchar *) data);
+ "%s", (gchar *) data);
gdk_threads_leave ();
return FALSE;