NetBSD Problem Report #38624
From ccatrian@eml.cc Sat May 10 16:06:48 2008
Return-Path: <ccatrian@eml.cc>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 4E26E63B293
for <gnats-bugs@gnats.netbsd.org>; Sat, 10 May 2008 16:06:48 +0000 (UTC)
Message-Id: <1210435637.23083@core.cjc.cl>
Date: Sat, 10 May 2008 12:07:17 -0400
From: "César Catrián Carreño" <ccatrian@eml.cc>
To: "gnats bugs" <gnats-bugs@gnats.netbsd.org>
Subject: Security update for centerim 4.22.1nb3
X-Send-Pr-Version: gtk-send-pr 0.4.9
X-GNATS-Notify:
>Number: 38624
>Category: pkg
>Synopsis: Security update for centerim 4.22.1nb3
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat May 10 16:10:00 +0000 2008
>Closed-Date: Tue May 13 15:17:17 +0000 2008
>Last-Modified: Fri May 16 12:15:02 +0000 2008
>Originator: César Catrián Carreño
>Release: NetBSD 4.99.44 i386
>Organization:
>Environment:
System: NetBSD 4.99.44 (Based on GENERIC: 1.781) #0: Sat Mar 22 18:07:59 CLT 2008
cetrox@core.cjc.cl:/home/cetrox/src/netbsd-current/src/sys/arch/i386/compile/SAT
>Description:
These patches upgrade centerim to 4.22.5 and solve a shell-command-injection vulnerability, detailed at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1467 .
As read in the advisory, the versions affected by the vulnerability are <= 4.22.3, so it is required to fix the pkg-vulnerabilities file, as it is marked to match "centerim-[0-9]*".
It is required to remove the patches patch-aa, patch-ac, patch-au, patch-av, patch-aw, patch-ax, patch-ay, patch-az and patch-ba from the repository, as they were updated upstream (most of them). Other patches are applied without errors.
>How-To-Repeat:
>Fix:
--- chat/centerim/Makefile.orig 2008-05-08 22:21:37.000000000 -0400
+++ chat/centerim/Makefile 2008-05-10 11:25:00.000000000 -0400
@@ -1,8 +1,7 @@
# $NetBSD: Makefile,v 1.6 2008/01/18 05:06:22 tnn Exp $
#
-DISTNAME= centerim-4.22.1
-PKGREVISION= 3
+DISTNAME= centerim-4.22.5
CATEGORIES= chat
MASTER_SITES= http://www.centerim.org/download/releases/ \
http://transacid.de/centerim/releases/
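Review bot: dropping PKGREVISION together with the DISTNAME bump is right (a new DISTNAME restarts the revision, so leaving `PKGREVISION= 3` behind would be wrong), but the pkg-vulnerabilities change the description asks for is not part of this patch. While the entry still matches `centerim-[0-9]*`, the package audit will keep reporting 4.22.5 as vulnerable; the advisory's affected range (<= 4.22.3) corresponds to a `centerim<4.22.4` pattern, and that file lives outside chat/centerim, so it needs its own commit alongside this update.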
@@ -23,7 +22,7 @@
CONFIGURE_ARGS+= --with-ssl --with-openssl=${SSLBASE:Q}
LIBS+= ${LDFLAGS}
-REPLACE_PERL= misc/cicqconv
+REPLACE_PERL= misc/cimconv
INCOMPAT_CURSES+= NetBSD-1.[45]*-* NetBSD-1.6-* NetBSD-1.6.[1-9]-*
INCOMPAT_CURSES+= NetBSD-1.6_*-* NetBSD-1.6.[1-9]_*-* NetBSD-1.6[A-T]-*
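Review bot: the REPLACE_PERL target has to follow the script rename or the interpreter substitution would be pointed at a file that no longer exists in the 4.22.5 tree; please confirm that misc/cimconv in the new tarball still starts with a perl shebang that REPLACE_PERL rewrites. Since the commit log states the rename removes the file conflict with centericq, any CONFLICTS line for centericq elsewhere in the Makefile (not visible in this hunk) can be dropped in the same change.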
--- chat/centerim/PLIST.orig 2008-05-10 11:20:03.000000000 -0400
+++ chat/centerim/PLIST 2008-05-10 11:21:23.000000000 -0400
@@ -1,8 +1,8 @@
@comment $NetBSD: PLIST,v 1.2 2007/08/30 10:50:55 jnemeth Exp $
bin/centerim
-bin/cicqconv
+bin/cimconv
man/man1/centerim.1
-man/man1/cicqconv.1
+man/man1/cimconv.1
share/centerim/email.wav
share/centerim/msg.wav
share/centerim/offline.wav
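Review bot: bin/cicqconv and its man page are renamed together, which keeps PLIST consistent with the REPLACE_PERL change in the Makefile; the remaining check is that a clean build followed by `make print-PLIST` yields exactly these two entries, so no stale cicqconv file is left unlisted under ${PREFIX}.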
@@ -24,5 +24,6 @@
share/locale/ru/LC_MESSAGES/centerim.mo
share/locale/sv/LC_MESSAGES/centerim.mo
share/locale/uk/LC_MESSAGES/centerim.mo
-share/locale/zh_TW.Big5/LC_MESSAGES/centerim.mo
+share/locale/zh_CN/LC_MESSAGES/centerim.mo
+share/locale/zh_TW/LC_MESSAGES/centerim.mo
@dirrm share/centerim
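Review bot: the locale set (zh_TW.Big5 replaced by zh_CN and zh_TW) should come from an actual 4.22.5 install rather than from the tarball's po/ directory, because which .mo files end up installed depends on the gettext tools found at configure time; regenerate the list with `make print-PLIST` on a clean build and compare it with this hunk before committing.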
--- chat/centerim/distinfo.orig 2008-05-08 22:22:31.000000000 -0400
+++ chat/centerim/distinfo 2008-05-10 10:59:37.000000000 -0400
@@ -1,10 +1,8 @@
$NetBSD: distinfo,v 1.2 2007/12/22 23:29:03 jdolecek Exp $
-SHA1 (centerim-4.22.1.tar.gz) = 221b3e505d5ea432977db7e5c0cebc85b4f928f2
-RMD160 (centerim-4.22.1.tar.gz) = 165b1acad70fa5d38b045510045b438c89776f3f
-Size (centerim-4.22.1.tar.gz) = 2606696 bytes
-SHA1 (patch-aa) = 244ccb35ceb53715af2134d27ab4c591ed62dd30
-SHA1 (patch-ac) = b32ff8df936ea66f3ff029ba322d4a94f1ebe4e6
+SHA1 (centerim-4.22.5.tar.gz) = 422c368064f47886585720c1c639515acff21ae9
+RMD160 (centerim-4.22.5.tar.gz) = 94ade501f8ba46ff24bf4b3cc283533924c3e2f4
+Size (centerim-4.22.5.tar.gz) = 2803217 bytes
SHA1 (patch-ad) = bfe19ca98facfbb23a87dd28a176980fb4e986de
SHA1 (patch-al) = d0c627ffc4ec2a7d179367dd2ddbbfd5ba52a377
SHA1 (patch-am) = 942bab1a28fd79a40ac824e58855af35fb139141
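Review bot: the SHA1 lines for patch-aa and patch-ac are dropped here, but the maintainer's reply in the audit trail keeps both (patch-aa for the __sun/__sun__ portability fix that otherwise breaks pre-NetBSD 3.0, patch-ac because the situation is unchanged), so distinfo must carry regenerated checksums for the re-rolled patches rather than lose the entries; `make makepatchsum` after adjusting the patch files does that. The new tarball checksums should also be cross-checked against a value published by upstream rather than only against what was fetched over plain http from the two MASTER_SITES, since distinfo then pins whatever came down that channel.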
@@ -14,10 +12,3 @@
SHA1 (patch-aq) = 03be56591d3c925a6ffa48a1b87eb61a582f25c6
SHA1 (patch-ar) = c74e757e3ef6bf1f6bc9575955f5b8f73ac4b51d
SHA1 (patch-as) = b74310eb515c425cc98528f2b0384652370cef18
-SHA1 (patch-au) = 542111ddc738cc377c037ad910cedc0772707faf
-SHA1 (patch-av) = bf032d4447349d3b4f75c43f58eca3e0342b9f9d
-SHA1 (patch-aw) = d0238209328a6da5ae9f74d37f0fc44cf964b528
-SHA1 (patch-ax) = a96edcc859b30fde6e6577a833005fab8d45eabf
-SHA1 (patch-ay) = d7511f39004f2a86bda14b265ab2c4d03214dc2d
-SHA1 (patch-az) = 4542871c64fffb311cc464bc0b25fb59ef2db3b3
-SHA1 (patch-ba) = dee59621310b246097543257991e57cfb05b3ef3
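Review bot: patch-av is removed along with the others, but the maintainer keeps it ("avoid to return auto array"): returning the address of a function-local array is undefined behaviour and a memory-safety bug, so unless the 4.22.5 tarball contains that fix the patch and its SHA1 line stay. The committed change also modified patch-an and added patch-bb, neither of which appears in this submission, so a final `make distinfo` is needed before commit so the checksum file matches the patches actually in the repository.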
>Release-Note:
>Audit-Trail:
From: "OBATA Akio" <obache@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: pkg/38624: Security update for centerim 4.22.1nb3
Date: Tue, 13 May 2008 18:11:52 +0900
On Sun, 11 May 2008 01:10:00 +0900, César Catrián Carreño <ccatrian@eml.cc> wrote:
> It is required to remove the patches patch-aa, patch-ac, patch-au, patch-av, patch-aw, patch-ax, patch-ay, patch-az and patch-ba from the repository, as they were updated upstream (most of them). Other patches are applied without errors.
Some patches need to be kept.
patch-aa: Use __sun instead of __sun__ for portability.
Breaks pre-NetBSD 3.0
patch-ac: situation is not changed
patch-av: avoid returning an auto array
State-Changed-From-To: open->closed
State-Changed-By: obache@NetBSD.org
State-Changed-When: Tue, 13 May 2008 15:17:17 +0000
State-Changed-Why:
Updated. Thanks for the PR!
From: OBATA Akio <obache@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/38624 CVS commit: pkgsrc/chat/centerim
Date: Tue, 13 May 2008 15:15:51 +0000 (UTC)
Module Name: pkgsrc
Committed By: obache
Date: Tue May 13 15:15:51 UTC 2008
Modified Files:
pkgsrc/chat/centerim: Makefile PLIST distinfo
pkgsrc/chat/centerim/patches: patch-aa patch-ac patch-an patch-av
Added Files:
pkgsrc/chat/centerim/patches: patch-bb
Removed Files:
pkgsrc/chat/centerim/patches: patch-au patch-aw patch-ax patch-ay
patch-az patch-ba
Log Message:
Update centerim to 4.22.5.
Based on patch provided in PR 38624.
'cicqconv' command is renamed to 'cimconv'; the conflict with centericq has gone away.
2008-04-08 New version (4.22.5) released.
This release fixes various segfaults in the Yahoo protocol. It also introduces a
bar which displays all open chats nicely.
2008-03-29 New version (4.22.4) released.
This release fixes the possible url exploit described in CVE-2008-1467. It also
makes CenterIM ready for the Yahoo protocol change kicking in on 2 April 2008.
2008-03-11 New version (4.22.3) released.
This version fixes the various ICQ contact list issues (e.g. adding contacts
should now work).
2007-12-08 New version (4.22.2) released.
More than 90 fixes/improvements have been added to centerim since our last
release in June. The main fixes included are:
* Fixed bug in msn login when the server sent a NOT message
* Fixed bug in ICQ protocol which prevented others from seeing your presence
(partial)
* New version tracking/updating (Thanks to David Riebenbauer for this helpful
feature)
* Added an "Out for Lunch" state
To generate a diff of this commit:
cvs rdiff -r1.6 -r1.7 pkgsrc/chat/centerim/Makefile
cvs rdiff -r1.2 -r1.3 pkgsrc/chat/centerim/PLIST \
pkgsrc/chat/centerim/distinfo
cvs rdiff -r1.1.1.1 -r1.2 pkgsrc/chat/centerim/patches/patch-aa \
pkgsrc/chat/centerim/patches/patch-ac \
pkgsrc/chat/centerim/patches/patch-an \
pkgsrc/chat/centerim/patches/patch-av
cvs rdiff -r1.1.1.1 -r0 pkgsrc/chat/centerim/patches/patch-au \
pkgsrc/chat/centerim/patches/patch-aw \
pkgsrc/chat/centerim/patches/patch-ax \
pkgsrc/chat/centerim/patches/patch-ay \
pkgsrc/chat/centerim/patches/patch-az
cvs rdiff -r1.1 -r0 pkgsrc/chat/centerim/patches/patch-ba
cvs rdiff -r0 -r1.1 pkgsrc/chat/centerim/patches/patch-bb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
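The "possible url exploit" named in the changelog above and the shell-command-injection vulnerability named in the PR description are the same bug class: a URL supplied by a remote party is spliced into a command line that a shell then parses. The C block below is an added illustration written for this page and is not centerim's code; the function names, the hostile URL and the `mozilla` and `true` browser commands are constructed for the example. It places the unsafe string-building pattern beside a hardened form that checks the URL's scheme and character set and then execs the browser with an argument vector, so no shell ever sees the URL.

```c
/* Added example, not centerim's code: command injection through a URL
 * handed to a browser, and the exec-without-a-shell fix. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* VULNERABLE pattern (assumed, illustrative): the URL is pasted into a
 * command string that system() would hand to "sh -c".  Any ';', '|', '`'
 * or '$(...)' in the URL becomes shell syntax.  Returns the string so the
 * caller can see what the shell would run; caller frees it. */
char *build_browser_command(const char *browser, const char *url)
{
    size_t n = strlen(browser) + strlen(url) + 3;   /* space + NUL + slack */
    char *cmd = malloc(n);
    if (cmd == NULL)
        return NULL;
    snprintf(cmd, n, "%s %s", browser, url);
    return cmd;
}

/* HARDENED step 1: allow-list the URL before it goes anywhere.  Only http
 * and https are accepted (this also rules out a leading '-' that the
 * browser could read as an option), and every byte must be printable
 * ASCII, which rejects whitespace, control characters and non-ASCII. */
int url_is_safe(const char *url)
{
    const char *rest;
    if (url == NULL)
        return 0;
    if (strncmp(url, "http://", 7) == 0)
        rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0)
        rest = url + 8;
    else
        return 0;
    if (*rest == '\0')
        return 0;
    for (; *rest != '\0'; rest++) {
        unsigned char c = (unsigned char)*rest;
        if (c <= 0x20 || c >= 0x7f)
            return 0;
    }
    return 1;
}

/* HARDENED step 2: no shell at all.  fork() + execvp() with an argv vector
 * passes the URL as a single argument, so shell metacharacters are inert.
 * Returns the browser's exit status, or -1 if the URL was rejected or the
 * process could not be started/waited for. */
int launch_browser(const char *browser, const char *url)
{
    pid_t pid;
    int status;

    if (!url_is_safe(url))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile URL: the part after ';' is a second shell command. */
    const char *hostile = "http://example.com/; rm -rf ~";
    char *cmd = build_browser_command("mozilla", hostile);

    printf("system() would run: %s\n", cmd);
    free(cmd);
    printf("url_is_safe(hostile) = %d\n", url_is_safe(hostile));
    /* "true" stands in for a real browser so the example runs anywhere. */
    return launch_browser("true", "https://example.com/");
}
```

Escaping or quoting the URL for the shell is the tempting alternative to `execvp`, and it is the wrong one: the quoting rules differ between shells and a single missed character reopens the hole, whereas an argument vector has no parsing step to get wrong. The allow-list is defence in depth on top of that, not a substitute for it.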
From: "Tyler R. Retzlaff" <rtr@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/38624 CVS commit: [pkgsrc-2008Q1] pkgsrc/chat/centerim
Date: Fri, 16 May 2008 12:12:14 +0000 (UTC)
Module Name: pkgsrc
Committed By: rtr
Date: Fri May 16 12:12:14 UTC 2008
Modified Files:
pkgsrc/chat/centerim [pkgsrc-2008Q1]: Makefile PLIST distinfo
pkgsrc/chat/centerim/patches [pkgsrc-2008Q1]: patch-aa patch-ac
patch-an patch-av
Added Files:
pkgsrc/chat/centerim/patches [pkgsrc-2008Q1]: patch-bb
Removed Files:
pkgsrc/chat/centerim/patches [pkgsrc-2008Q1]: patch-au patch-aw
patch-ax patch-ay patch-az patch-ba
Log Message:
pullup ticket #2383 - requested by obache
centerim: update package bug & security fixes
revisions pulled up:
- pkgsrc/chat/centerim/Makefile 1.7
- pkgsrc/chat/centerim/PLIST 1.3
- pkgsrc/chat/centerim/distinfo 1.3
- pkgsrc/chat/centerim/patches/patch-aa 1.2
- pkgsrc/chat/centerim/patches/patch-ac 1.2
- pkgsrc/chat/centerim/patches/patch-an 1.2
- pkgsrc/chat/centerim/patches/patch-av 1.2
- pkgsrc/chat/centerim/patches/patch-au r0
- pkgsrc/chat/centerim/patches/patch-aw r0
- pkgsrc/chat/centerim/patches/patch-ax r0
- pkgsrc/chat/centerim/patches/patch-ay r0
- pkgsrc/chat/centerim/patches/patch-az r0
- pkgsrc/chat/centerim/patches/patch-ba r0
- pkgsrc/chat/centerim/patches/patch-bb 1.1
To generate a diff of this commit:
cvs rdiff -r1.6 -r1.6.2.1 pkgsrc/chat/centerim/Makefile
cvs rdiff -r1.2 -r1.2.6.1 pkgsrc/chat/centerim/PLIST
cvs rdiff -r1.2 -r1.2.4.1 pkgsrc/chat/centerim/distinfo
cvs rdiff -r1.1.1.1 -r1.1.1.1.6.1 pkgsrc/chat/centerim/patches/patch-aa \
pkgsrc/chat/centerim/patches/patch-ac \
pkgsrc/chat/centerim/patches/patch-an \
pkgsrc/chat/centerim/patches/patch-av
cvs rdiff -r1.1.1.1 -r0 pkgsrc/chat/centerim/patches/patch-au \
pkgsrc/chat/centerim/patches/patch-aw \
pkgsrc/chat/centerim/patches/patch-ax \
pkgsrc/chat/centerim/patches/patch-ay \
pkgsrc/chat/centerim/patches/patch-az
cvs rdiff -r1.1 -r0 pkgsrc/chat/centerim/patches/patch-ba
cvs rdiff -r0 -r1.1.2.2 pkgsrc/chat/centerim/patches/patch-bb
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted:
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.