authorSven Wegener <swegener@gentoo.org>2008-03-27 15:34:12 +0000
committerSven Wegener <swegener@gentoo.org>2008-03-27 15:34:12 +0000
commitb50871fea7c9cb5fbc40df77402cf73ac2d564ad (patch)
tree853aa01ea5337c74e8a0c4dd78335693da9ba6f3 /net-im/centerim
parentfixing ChangeLog (again) (diff)
Revision bump, security bug #214204. This disables external actions (openurl and detectmusic) completely.
(Portage version: 2.1.4.4)
Diffstat (limited to 'net-im/centerim')
-rw-r--r--net-im/centerim/ChangeLog9
-rw-r--r--net-im/centerim/centerim-4.22.3-r1.ebuild119
-rw-r--r--net-im/centerim/files/centerim-4.22.3-url-escape.patch105
3 files changed, 232 insertions, 1 deletions
diff --git a/net-im/centerim/ChangeLog b/net-im/centerim/ChangeLog
index 4a6de72ef729..34ad1d2f67b6 100644
--- a/net-im/centerim/ChangeLog
+++ b/net-im/centerim/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for net-im/centerim
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-im/centerim/ChangeLog,v 1.13 2008/03/12 19:17:49 swegener Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-im/centerim/ChangeLog,v 1.14 2008/03/27 15:34:11 swegener Exp $
+
+*centerim-4.22.3-r1 (27 Mar 2008)
+
+ 27 Mar 2008; Sven Wegener <swegener@gentoo.org>
+ +files/centerim-4.22.3-url-escape.patch, +centerim-4.22.3-r1.ebuild:
+ Revision bump, security bug #214204. This disables external actions
+ (openurl and detectmusic) completely.
*centerim-4.22.3 (12 Mar 2008)
diff --git a/net-im/centerim/centerim-4.22.3-r1.ebuild b/net-im/centerim/centerim-4.22.3-r1.ebuild
new file mode 100644
index 000000000000..ac59b1c7fd2f
--- /dev/null
+++ b/net-im/centerim/centerim-4.22.3-r1.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-im/centerim/centerim-4.22.3-r1.ebuild,v 1.1 2008/03/27 15:34:11 swegener Exp $
+
+inherit eutils
+
+PROTOCOL_IUSE="aim gadu icq irc jabber lj msn rss yahoo"
+IUSE="${PROTOCOL_IUSE} bidi nls ssl crypt jpeg otr"
+
+DESCRIPTION="CenterIM is a fork of CenterICQ - a ncurses ICQ/Yahoo!/AIM/IRC/MSN/Jabber/GaduGadu/RSS/LiveJournal Client"
+if [[ ${PV} = *_p* ]] # is this a snaphot?
+then
+ SRC_URI="http://www.centerim.org/download/snapshots/${PN}-${PV/*_p/}.tar.gz"
+else
+ SRC_URI="http://www.centerim.org/download/releases/${P}.tar.gz"
+fi
+HOMEPAGE="http://www.centerim.org/"
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~amd64 ~x86"
+
+DEPEND=">=sys-libs/ncurses-5.2
+ bidi? ( dev-libs/fribidi )
+ ssl? ( >=dev-libs/openssl-0.9.6g )
+ jpeg? ( media-libs/jpeg )
+ jabber? (
+ otr? ( net-libs/libotr )
+ crypt? ( >=app-crypt/gpgme-1.0.2 )
+ )
+ msn? (
+ net-misc/curl
+ dev-libs/openssl
+ )"
+
+RDEPEND="${DEPEND}
+ nls? ( sys-devel/gettext )"
+
+S="${WORKDIR}"/${P/_p*}
+
+check_protocol_iuse() {
+ local flag
+
+ for flag in ${PROTOCOL_IUSE}
+ do
+ use ${flag} && return 0
+ done
+
+ return 1
+}
+
+pkg_setup() {
+ if ! check_protocol_iuse
+ then
+ eerror
+ eerror "Please activate at least one of the following protocol USE flags:"
+ eerror "${PROTOCOL_IUSE}"
+ eerror
+ die "Please activate at least one protocol USE flag!"
+ fi
+
+ if use msn && ! built_with_use net-misc/curl ssl
+ then
+ eerror
+ eerror "As of right now, the msn use flags requires curl to be built"
+ eerror "with SSL support. Make sure ssl is in your USE flags and"
+ eerror "re-emerge net-misc/curl."
+ eerror
+ die "net-misc/curl dependencie issue"
+ fi
+
+ if use otr && ! use jabber
+ then
+ eerror
+ eerror "Support for OTR is only supported with Jabber!"
+ eerror
+ die "Support for OTR is only supported with Jabber!"
+ fi
+
+ if use gadu && ! use jpeg
+ then
+ ewarn
+ ewarn "You need jpeg support to be able to register Gadu-Gadu accounts!"
+ ewarn
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ epatch "${FILESDIR}"/${P}-url-escape.patch
+}
+
+src_compile() {
+ econf \
+ $(use_with ssl) \
+ $(use_enable aim) \
+ $(use_with bidi fribidi) \
+ $(use_with jpeg libjpeg) \
+ $(use_with otr libotr) \
+ $(use_enable gadu gg) \
+ $(use_enable icq) \
+ $(use_enable irc) \
+ $(use_enable jabber) \
+ $(use_enable lj) \
+ $(use_enable msn) \
+ $(use_enable nls locales-fix) \
+ $(use_enable nls) \
+ $(use_enable rss) \
+ $(use_enable yahoo) \
+ || die "econf failed"
+ emake || die "emake failed"
+}
+
+src_install () {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ dodoc AUTHORS ChangeLog FAQ README THANKS TODO
+}
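Review bot: The ebuild applies a patch that changes runtime behaviour but tells users nothing about it: there is no `pkg_postinst` after `src_install`, so anyone with an existing actions file will find their openurl and detectmusic actions silently ignored and the configured browser used instead. A short `pkg_postinst` with `elog` lines would cover it, stating that external actions are disabled for security bug #214204 and that URLs now open with the `browser` setting from the configuration. Separately, `cd "${S}"` in `src_unpack` has no `|| die`, so a wrong `S` would only surface indirectly as a failed `epatch`.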
diff --git a/net-im/centerim/files/centerim-4.22.3-url-escape.patch b/net-im/centerim/files/centerim-4.22.3-url-escape.patch
new file mode 100644
index 000000000000..38570382c1c8
--- /dev/null
+++ b/net-im/centerim/files/centerim-4.22.3-url-escape.patch
@@ -0,0 +1,105 @@
+This patch disables external actions completely. Historically we created a
+security-wise broken external action for opening URLs. We ignore them now and
+unconditionally use the configured browser.
+
+https://bugs.gentoo.org/show_bug.cgi?id=214204
+
+--- centerim-4.22.3/src/centerim.cc
++++ centerim-4.22.3/src/centerim.cc
+@@ -755,7 +755,7 @@
+
+ void centerim::checkconfigs() {
+ static const char *configs[] = {
+- "sounds", "colorscheme", "actions", "external", "keybindings", 0
++ "sounds", "colorscheme", "external", "keybindings", 0
+ };
+
+ struct stat st;
+@@ -778,12 +778,9 @@
+ face.redraw();
+ break;
+ case 2:
+- conf.loadactions();
+- break;
+- case 3:
+ external.load();
+ break;
+- case 4:
++ case 3:
+ conf.loadkeys();
+ break;
+ }
+@@ -1147,8 +1144,13 @@
+ break;
+
+ case icqface::open:
+- if(const imurl *m = static_cast<const imurl *>(&ev))
+- conf.execaction("openurl", m->geturl());
++ if(const imurl *m = static_cast<const imurl *>(&ev)) {
++ face.log (_("+ Opening URL %s"), m->geturl().c_str());
++ if (fork () == 0) {
++ execlp(conf.getbrowser().c_str(), conf.getbrowser().c_str(), m->geturl().c_str(), NULL);
++ exit (-1);
++ }
++ }
+ break;
+
+ case icqface::accept:
+--- centerim-4.22.3/src/icqconf.cc
++++ centerim-4.22.3/src/icqconf.cc
+@@ -212,7 +212,6 @@
+ loadmainconfig();
+ loadkeys();
+ loadcolors();
+- loadactions();
+ loadcaptcha();
+ external.load();
+ }
+@@ -500,7 +499,7 @@
+ if(param == "sort_by_activity") setsortmode(icqconf::sort_by_activity); else
+ if(param == "sort_by_name") setsortmode(icqconf::sort_by_name); else
+ if(param == "smtp") setsmtphost(buf); else
+- if(param == "browser") setbrowser(browser); else
++ if(param == "browser") setbrowser(buf); else
+ if(param == "http_proxy") sethttpproxyhost(buf); else
+ if(param == "log") makelog = true; else
+ if(param == "proxy_connect") proxyconnect = true; else
+--- centerim-4.22.3/src/icqdialogs.cc
++++ centerim-4.22.3/src/icqdialogs.cc
+@@ -2060,7 +2060,6 @@
+ break;
+
+ case 20: LJP_LIST("mood", moods, _("(none/custom)")); break;
+- case 21: LJP_STR("music", _("Currently playing: ")); break;
+ case 22: LJP_LIST("picture", pictures, _("(default)")); break;
+ case 23: LJP_STR("mood", _("Current mood: ")); break;
+ case 25: LJP_STR("taglist", _("Tags for the entry: ")); break;
+@@ -2070,9 +2069,6 @@
+ case 33: LJP_BOOL("backdated"); break;
+ }
+
+- } else if(b == 1) {
+- ev->setfield("music", conf.execaction("detectmusic"));
+-
+ } else if(b == 2) {
+ r = true;
+
+--- centerim-4.22.3/src/icqface.cc
++++ centerim-4.22.3/src/icqface.cc
+@@ -2245,8 +2245,14 @@
+ for(i = extractedurls.begin(); i != extractedurls.end(); ++i)
+ m.additem(" " + *i);
+
+- if(n = m.open())
+- conf.execaction("openurl", extractedurls[n-1]);
++ if(n = m.open()) {
++ log(_("+ Opening URL %s"), extractedurls[n-1].c_str());
++
++ if (fork () == 0) {
++ execlp(conf.getbrowser().c_str(), conf.getbrowser().c_str(), extractedurls[n-1].c_str(), NULL);
++ exit (-1);
++ }
++ }
+
+ restoreworkarea();
+ }
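Review bot: In both new fork() blocks (the `icqface::open` case in centerim.cc and the `m.open()` branch in icqface.cc) the child calls `exit (-1)` when execlp() fails, which runs atexit handlers and static destructors and flushes inherited stdio buffers inside a forked copy of the curses program; `_exit(127);` is the safe call there. The fork() result is never checked for -1 and the child is never waited for, so unless SIGCHLD is ignored elsewhere (not visible here) each opened URL leaves a zombie and a failed fork is logged as a successful open. Passing the URL as a single argv element keeps it away from the shell, but it comes from message content and nothing in these lines checks that it starts with a scheme rather than `-`, so rejecting anything else before the exec is worth adding. The execlp() terminator should also be `(char *)NULL`, since it is passed through varargs. The enclosing functions start and end outside the nested hunks.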