Control: tags -1 + patch Hi
Attached are proposed debdiffs for unstable (and wheezy-security). I have not (yet) tested the resulting packages, though. Regards, Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog 2014-07-04 17:15:24.000000000 +0200
+++ quassel-0.10.0/debian/changelog 2014-10-28 17:17:23.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (0.10.0-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add CVE-2014-8483.patch patch.
+ CVE-2014-8483: out-of-bounds read on a heap-allocated array.
+ (Closes: #766962)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 28 Oct 2014 17:16:45 +0100
+
 quassel (0.10.0-2) unstable; urgency=low

 * Fixing security issue where quassel core certificate is
diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.10.0/debian/patches/CVE-2014-8483.patch 1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch 2014-10-28 17:03:58.000000000 +0100
@@ -0,0 +1,52 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputn...@quassel-irc.org>
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
+index 7cc75d0..7d1fe46 100644
+--- a/src/core/cipher.cpp
++++ b/src/core/cipher.cpp
+@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+ }
+ else
+ {
++ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++ if ((temp.length() % 12) != 0)
++ return cipherText;
++
+ temp = b64ToByte(temp);
+ while ((temp.length() % 8) != 0) temp.append('\0');
+ }
+@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+ if (!cipher.ok())
+ return cipherText;
+
+- if (direction)
++ if (direction) {
++ // Sanity check
++ if ((temp2.length() % 8) != 0)
++ return cipherText;
++
+ temp2 = byteToB64(temp2);
++ }
+
+ return temp2;
+ }
+--
+1.7.10.4
+
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series 2012-04-25 00:18:37.000000000 +0200
+++ quassel-0.10.0/debian/patches/series 2014-10-28 17:16:01.000000000 +0100
@@ -1,2 +1,2 @@
 01_default_network_channel.patch
-
+CVE-2014-8483.patch
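Review bot: The two length guards in the cipher.cpp patch carried as debian/patches/CVE-2014-8483.patch (`temp.length() % 12` before `b64ToByte`, `temp2.length() % 8` before `byteToB64`) sit only in `Cipher::blowfishECB`, so the helpers that index the buffer, whose bodies are outside these hunks, still rely on every caller repeating the check. If either helper is reachable from another path, the same out-of-bounds read is presumably still possible there; a block-length test at the top of each helper would close it in one place. The `// Sanity check` comment would also say more as `// byteToB64 expects whole 8-byte blocks; a partial block would be read past the end of the array`, to be confirmed against the helper. The wheezy-security copy of this patch for quassel-0.8.0 further down differs only in line offsets and spacing, so the same applies there; `blowfishECB` starts and ends outside both hunks.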
diff -Nru quassel-0.8.0/debian/changelog quassel-0.8.0/debian/changelog
--- quassel-0.8.0/debian/changelog 2014-07-03 14:47:30.000000000 +0200
+++ quassel-0.8.0/debian/changelog 2014-10-28 17:11:03.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (0.8.0-1+deb7u3) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2014-8483.patch patch.
+ CVE-2014-8483: out-of-bounds read on a heap-allocated array.
+ (Closes: #766962)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 28 Oct 2014 17:10:53 +0100
+
 quassel (0.8.0-1+deb7u2) wheezy; urgency=medium

 * Fixing security issue where quassel core certificate is
diff -Nru quassel-0.8.0/debian/patches/CVE-2014-8483.patch quassel-0.8.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.8.0/debian/patches/CVE-2014-8483.patch 1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.8.0/debian/patches/CVE-2014-8483.patch 2014-10-28 17:03:41.000000000 +0100
@@ -0,0 +1,47 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputn...@quassel-irc.org>
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/src/core/cipher.cpp
++++ b/src/core/cipher.cpp
+@@ -342,6 +342,10 @@ QByteArray Cipher::blowfishECB(QByteArra
+ }
+ else
+ {
++ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++ if ((temp.length() % 12) != 0)
++ return cipherText;
++
+ temp = b64ToByte(temp);
+ while((temp.length() % 8) != 0) temp.append('\0');
+ }
+@@ -354,8 +358,13 @@ QByteArray Cipher::blowfishECB(QByteArra
+ if(!cipher.ok())
+ return cipherText;
+
+- if(direction)
++ if(direction) {
++ // Sanity check
++ if ((temp2.length() % 8) != 0)
++ return cipherText;
++
+ temp2 = byteToB64(temp2);
++ }
+
+ return temp2;
+ }
diff -Nru quassel-0.8.0/debian/patches/series quassel-0.8.0/debian/patches/series
--- quassel-0.8.0/debian/patches/series 2014-03-09 13:41:48.000000000 +0100
+++ quassel-0.8.0/debian/patches/series 2014-10-28 16:58:37.000000000 +0100
@@ -1,3 +1,3 @@
 01_default_network_channel.patch
 CVE-2013-6404.patch
-
+CVE-2014-8483.patch