Karol Pasternak found two bugs in libgadu, They can provide attacker to execute remote code or crash gg client.
net-im already working on ebuilds.
centericq-4.20.0-r3 in portage. It forces centericq to use external gadu-gadu library.
Arches, plz test and mark centericq-4.20.0-r3 (and the external lib it needs) stable. Thanks.
eek! please change the libgadu $DEPEND entry from >=net-libs/libgadu-20050719 to gg? ( >=net-libs/libgadu-20050719 ) if the gg USE flag is off, the user doesn't want it to be built with gadu-gadu support.
applying the patch for using the external libgadu is also unnecessary when USE="-gg" is used btw...
Back to ebuild status
blah, i seem to fail removing CC'ed arches today :(
kopete checking for external libgadu is also broken. look at the code (from kopete/protocols/configure.in.in): int main() { #if defined __GG_LIBGADU_HAVE_PTHREAD && defined GG_LOGIN60 int maj, min, date; sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date ); if ( maj != 1 ) { return 1; } if ( ( min == 4 || min == 5 ) && date < 20040520 ) { return 1; } if ( min == 5 ){ return 0; } #endif return 1; } currently gg_libgadu_version() returns only date of release, not minor and major version: #include <libgadu.h> #include <stdio.h> #include <string.h> int main() { int maj, min, date; sscanf( gg_libgadu_version(), "%u.%u.%u", &maj,&min,&date ); printf("%u %u %u", maj, min, date); } after executing this program we've got: 20050719 0 3086475252 so the condition 'if ( maj !=1 ) from configure is always true and thus kopete'll *never* link against external libgadu
Created attachment 64068 [details, diff] external-libgadu.patch just a workaround until upstream won't fix that
net-im, any comments to the patch by Marcin 'aye' Kryczek and the useflag issue? Are you working on a new ebuild?
Fixed optional gg depenency in centericq ebuild. Kopete has his own patch provided by upstream.
Arches, please test and mark 4.20.0-r3 stable.
ppc stable
x86 done
sparc stable. note that gadu-gadu support doesn't seem to be working right (at least on sparc, seems the same on x86 according to sekretarz) so he just removed it for now, that being the reason i didn't stable libgadu yet.
ready for glsa
GLSA 200507-26