Bug 300903 - <net-im/gg-transport-2.2.4: uses embedded libgadu instead of net-libs/libgadu
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
Depends on: 404175
Blocks:
Reported: 2010-01-13 21:06 UTC by skolima
Modified: 2014-12-12 00:39 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
adding epatch and autotools to ebuild (gg-transport-2.2.2-r1.diff,1011 bytes, patch)
2010-01-14 04:41 UTC, Kacper Kowalik (Xarthisius) (RETIRED)
unbundling libgadu and updating build system (gg-transport-2.2.2-libgadu.patch,3.05 KB, patch)
2010-01-14 04:42 UTC, Kacper Kowalik (Xarthisius) (RETIRED)
libgadu-1.9.0rc2 ebuild for test (libgadu-1.9.0-r2.ebuild,958 bytes, text/plain)
2010-01-14 10:36 UTC, skolima
gg-transport configuration patch, adding current server list (current_servers.diff,3.63 KB, patch)
2010-01-15 10:19 UTC, skolima

Description skolima 2010-01-13 21:06:15 UTC
net-im/gg-transport uses its own copy of deprecated libgadu (1.6-rc3) instead of system libgadu (1.8.2 as of now, containing security fixes).

Reproducible: Always



Expected Results:  
gg-transport should build with system-wide libgadu
Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-01-14 04:41:44 UTC
Created attachment 216448 [details, diff]
adding epatch and autotools to ebuild
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2010-01-14 04:42:37 UTC
Created attachment 216450 [details, diff]
unbundling libgadu and updating build system
Comment 3 skolima 2010-01-14 10:36:56 UTC
Created attachment 216478 [details]
libgadu-1.9.0rc2 ebuild for test

I am currently testing the above gg-transport ebuild patches and running gg-transport using libgadu-1.9.0-rc2. So far so good.
Comment 4 Peter Volkov (RETIRED) gentoo-dev 2010-01-14 21:45:23 UTC
Reassigning since this issue has security impact.

NEWS file has this:

* Libgadu is now included in the sources. External libgadu is not
  required any more and won't be used even if available. Most available
  builds of libgadu didn't work well with the transport and changes in
  libgadu often break jggtrans.

Probably all issues were resolved.
Comment 5 Peter Volkov (RETIRED) gentoo-dev 2010-01-14 21:46:21 UTC
And just found another security issue in gg-transport:
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/114327
Comment 6 skolima 2010-01-15 10:19:41 UTC
Created attachment 216584 [details, diff]
gg-transport configuration patch, adding current server list

The configuration file shipped with jggtrans claims that a reasonable server list is included in the source code - this is not true, there is only a single, no longer used server hardcoded. In cases where the hub does not work, the transport would not be able to connect. The attached patch contains a current list of working servers to try if the hub fails.
Comment 7 Maciej Mrozowski gentoo-dev 2010-02-02 14:49:39 UTC
Just for the record, libgadu-1.9.0rc is handled in bug 289719
Comment 8 Krzysztof Pawlik (RETIRED) gentoo-dev 2010-04-17 23:16:35 UTC
I've just committed 2.2.4 which uses the system libgadu.

Security: can this bug be closed?
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:39:56 UTC
This issue was resolved and addressed in
 GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml
by GLSA coordinator Sean Amoss (ackle).