Hi, attached is a patch for a 0-day NMU fixing the described vulnerability.
It will also be archived at: http://people.debian.org/~nion/nmu-diff/gnome-peercast-0.5.4-1.1_0.5.4-1.2.patch Kind regards, Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u gnome-peercast-0.5.4/debian/changelog gnome-peercast-0.5.4/debian/changelog
--- gnome-peercast-0.5.4/debian/changelog
+++ gnome-peercast-0.5.4/debian/changelog
@@ -1,3 +1,13 @@
+gnome-peercast (0.5.4-1.2) unstable; urgency=high
+
+ * Non-maintainer upload by security team.
+ * This update addresses the following security issue:
+ - CVE-2007-6454: Use the methods from the String class to copy buffers
+ rather than strcpy to fix Heap-based buffer overflow in the handshakeHTTP
+ function possibly leading to arbitrary code execution (Closes: #466539).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Tue, 26 Feb 2008 15:11:40 +0100
+
 gnome-peercast (0.5.4-1.1) unstable; urgency=high
 * Non-maintainer upload.
only in patch2: unchanged:
--- gnome-peercast-0.5.4.orig/peercast/core/common/servhs.cpp
+++ gnome-peercast-0.5.4/peercast/core/common/servhs.cpp
@@ -313,13 +313,13 @@
 mount[-1] = 0; // password preceeds
 break;
 }
- strcpy(loginPassword,in+7);
+ loginPassword.set(in+7);
- LOG_DEBUG("ICY client: %s %s",loginPassword,mount?mount:"unknown");
+ LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");
 }
 if (mount)
- strcpy(loginMount,mount);
+ loginMount.set(mount);
 handshakeICY(Channel::SRC_ICECAST,isHTTP);
 sock = NULL; // socket is taken over by channel, so don`t close it
@@ -329,7 +329,7 @@
 if (!isAllowed(ALLOW_BROADCAST))
 throw HTTPException(HTTP_SC_UNAVAILABLE,503);
- strcpy(loginPassword,servMgr->password); // pwd already checked
+ loginPassword.set(servMgr->password); // pwd already checked
 sock->writeLine("OK2");
 sock->writeLine("icy-caps:11");
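Review bot: The overflow fix on the `loginPassword.set(in+7)` and `loginMount.set(mount)` lines rests entirely on `String::set` bounding its copy to the String's own storage; that implementation is not in this diff, so it is worth confirming (and stating in the changelog entry) that `set` truncates rather than copies unbounded, since `in` appears to carry the client's request line here. The `LOG_DEBUG("ICY client: %s %s",loginPassword.cstr(),mount?mount:"unknown");` line still writes the supplied password to the debug log in clear text; logging only whether one was supplied, e.g. `LOG_DEBUG("ICY client: %s %s",loginPassword.isEmpty()?"(no password)":"(password)",mount?mount:"unknown");`, avoids retaining credentials in log files. The same bounding assumption applies to `loginPassword.set(servMgr->password)` in the -329 hunk, although that source is local configuration rather than network input. The enclosing function starts before and ends after both of these hunks.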
@@ -1611,15 +1611,15 @@
 while (http.nextHeader())
 {
 LOG_DEBUG("ICY %s",http.cmdLine);
- readICYHeader(http,info,loginPassword);
+ readICYHeader(http,info,loginPassword.cstr());
 }
 // check password before anything else, if needed
- if (strcmp(servMgr->password,loginPassword)!=0)
+ if (servMgr->password != loginPassword)
 {
- if (!sock->host.isLocalhost() || strlen(loginPassword))
+ if (!sock->host.isLocalhost() || !loginPassword.isEmpty())
 throw HTTPException(HTTP_SC_UNAUTHORIZED,401);
 }
@@ -1633,7 +1633,7 @@
 info.id = chanMgr->broadcastID;
- info.id.encode(NULL,info.name.cstr(),loginMount,info.bitrate);
+ info.id.encode(NULL,info.name.cstr(),loginMount.cstr(),info.bitrate);
 LOG_DEBUG("Incoming source: %s : %s",info.name.cstr(),ChanInfo::getTypeStr(info.contentType));
@@ -1654,7 +1654,7 @@
 info.comment = chanMgr->broadcastMsg;
 info.bcID = chanMgr->broadcastID;
- c = chanMgr->createChannel(info,loginMount);
+ c = chanMgr->createChannel(info,loginMount.cstr());
 if (!c)
 throw HTTPException(HTTP_SC_UNAVAILABLE,503);
only in patch2: unchanged:
--- gnome-peercast-0.5.4.orig/peercast/core/common/servent.cpp
+++ gnome-peercast-0.5.4/peercast/core/common/servent.cpp
@@ -184,8 +184,8 @@
 nsSwitchNum = 0;
 pack.func = 255;
 lastConnect = lastPing = lastPacket = 0;
- loginPassword[0] = 0;
- loginMount[0] = 0;
+ loginPassword.clear();
+ loginMount.clear();
 bytesPerSecond = 0;
 priorityConnect = false;
 pushSock = NULL;
only in patch2: unchanged:
--- gnome-peercast-0.5.4.orig/peercast/core/common/servent.h
+++ gnome-peercast-0.5.4/peercast/core/common/servent.h
@@ -254,8 +254,8 @@
 ThreadInfo thread;
- char loginPassword[64];
- char loginMount[64];
+ String loginPassword;
+ String loginMount;
 bool priorityConnect;
 bool addMetadata;
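Review bot: `readICYHeader(http,info,loginPassword.cstr())` hands the String's internal buffer to a function that until now received a writable `char[64]`; readICYHeader is outside this diff, and if it still copies a header value through that pointer with an unbounded copy, the new code only relocates the overflow from the 64-byte array into the String's backing storage instead of removing it. Confirm that readICYHeader either treats the pointer as read-only or bounds its write to the String's capacity; a safer shape is to read the header value into a local buffer sized to the String's capacity and then call `loginPassword.set(...)`, or to change readICYHeader to take a `String &` and use `set` itself. `servMgr->password != loginPassword` looks like a String-to-String comparison replacing the old strcmp, and the `.cstr()` adaptations in the -1633 and -1654 hunks look correct as read-only uses. The enclosing function starts before and ends after this hunk.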