net-im/gg-transport uses its own copy of the deprecated libgadu (1.6-rc3) instead of the system libgadu (1.8.2 as of now, containing security fixes).
Reproducible: Always
Expected Results: gg-transport should build with the system-wide libgadu
Created attachment 216448: adding epatch and autotools to ebuild
Created attachment 216450: unbundling libgadu and updating build system
Created attachment 216478: libgadu-1.9.0rc2 ebuild for test
I am currently testing the above gg-transport ebuild patches and running gg-transport using libgadu-1.9.0-rc2. So far so good.
Reassigning since this issue has security impact. The NEWS file has this:
* Libgadu is now included in the sources. External libgadu is not required any more and won't be used even if available. Most available builds of libgadu didn't work well with the transport and changes in libgadu often break jggtrans. Probably all issues were resolved.
And I just found another security issue in gg-transport: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/114327
Created attachment 216584: gg-transport configuration patch, adding current server list
The configuration file shipped with jggtrans claims that a reasonable server list is included in the source code. This is not true: there is only a single, no longer used server hardcoded. In cases where the hub does not work, the transport would not be able to connect. The attached patch contains a current list of working servers to try if the hub fails.
Just for the record, libgadu-1.9.0rc is handled in bug 289719
I've just committed 2.2.4, which uses the system libgadu. Security: can this bug be closed?
Searching the NVD for libgadu I see one DoS that may impact the previous versions:
http://web.nvd.nist.gov/view/vuln/search-results?query=libgadu&search_type=all&cves=on
Using Google Translate on the upstream homepage I see two issues that may be relevant:
DoS in <1.8.2: https://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&twu=1&u=http://toxygen.net/libgadu/releases/1.8.2.html&usg=ALkJrhj2xoPp4I50IZdlXfTNFeq5gPwgvg
"memory overwrite" in <1.7.1: https://translate.googleusercontent.com/translate_c?act=url&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=auto&tl=en&twu=1&u=http://toxygen.net/libgadu/releases/1.7.1.html&usg=ALkJrhjJ0ZduJGC6J-ZHZSSRUYRIRp58AA
Rating this B2; GLSA request filed for gg-transport.
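The triage in the comment above comes down to ordering version strings: the bundled copy is 1.6-rc3, the fix boundaries named upstream are "<1.7.1" and "<1.8.2", and the candidate replacement is 1.9.0rc2, where the rc suffix must sort before the matching final release but after every older release. The following Python helper is an added example written for this page, not code from the bug thread, from Gentoo, or from libgadu/jggtrans; it assumes libgadu-style version strings ("1.8.2", "1.6-rc3", "1.9.0rc2") and takes the two fix boundaries from the upstream release notes quoted in the comment.

```python
import re

# Rank of pre-release tags; a final release (no tag) gets a higher rank so
# that 1.9.0rc2 < 1.9.0, while any 1.9.x pre-release still sorts above 1.8.2.
# Assumption: versions follow the "1.8.2" / "1.6-rc3" / "1.9.0rc2" shapes
# seen in this thread.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)[-._]?(alpha|beta|rc)?(\d*)")


def version_key(version: str) -> tuple:
    """Return a tuple that orders libgadu-style version strings correctly."""
    m = _VERSION_RE.fullmatch(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # "1.6" compares like "1.6.0"
    if m.group(2):                           # pre-release tag present
        pre = (_PRE_RANK[m.group(2)], int(m.group(3) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return nums + pre


def is_affected(version: str, fixed_in: str) -> bool:
    """True if `version` predates the release that carries the fix."""
    return version_key(version) < version_key(fixed_in)


# Fix boundaries as stated in the upstream release notes cited above
# (DoS fixed in 1.8.2, "memory overwrite" fixed in 1.7.1).
FIXES = {"DoS": "1.8.2", "memory overwrite": "1.7.1"}


def triage(version: str) -> dict:
    """Map each known issue to whether `version` is still affected by it."""
    return {name: is_affected(version, fixed) for name, fixed in FIXES.items()}


if __name__ == "__main__":
    for v in ("1.6-rc3", "1.8.2", "1.9.0rc2"):
        print(v, triage(v))
```

The point of the explicit pre-release rank is the 1.9.0rc2 case: a naive string or float comparison either drops the rc suffix (treating a release candidate as the final release) or sorts "1.9.0rc2" above "1.9.0", and either mistake misreports whether a fix that landed in the final release is present.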
This issue was resolved and addressed in GLSA 201412-10 at http://security.gentoo.org/glsa/glsa-201412-10.xml by GLSA coordinator Sean Amoss (ackle).