On Wed, Mar 21, 2007 at 02:37:42PM +0000, Marcin Owsiany wrote:
> The following low/medium severity security issues have recently been
> identified in ekg. (The numbers are cvsps patchsets which fixed the
> problem in upstream CVS.)
>
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
>
> 2694: off-by-one in token OCR function, which may cause a null pointer
> dereference resulting in a DoS (ekg program crash). Exploitable by MiTM
> (hostile HTTP proxy or TCP stream injection) or a hostile GG server.
>
> 2699: potential memory exhaust in token OCR function, which may cause
> memory exhaustion resulting in a DoS (ekg program crash). Exploitability
> same as in 2694.
>
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1

Em, the "version to be fixed in" for sid/etch is wrong. There will be no
upstream tarball change, so I need just to change the debian revision.
I would like to use 1:1.7~rc2-2 and upload to unstable with urgency=high.
Then, if the release team would let this propagate to frozen, we would
have a single upload taking care of both sid and etch (there would be no
other changes - see proposed interdiff attached).

Please let me know if this is acceptable. If not, please let me know
what target distribution I should use to put the fixes into etch.

Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.7~rc2/debian/changelog ekg-1.7~rc2/debian/changelog
--- ekg-1.7~rc2/debian/changelog 2006-08-27 13:21:14.268465000 +0100
+++ ekg-1.7~rc2/debian/changelog 2007-03-25 12:24:40.326003199 +0100
@@ -1,3 +1,21 @@
+ekg (1:1.7~rc2-2) unstable; urgency=high
+
+ * Patched three medium severity security issues in src/events.c (no other
+ changes):
+ - CVE-2007-1663 A memory leak in handling image messages, which may cause
+ memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
+ a hostile GG user.
+ - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
+ pointer dereference resulting in a DoS (ekg program crash). Exploitable
+ by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
+ server.
+ - CVE-2007-1665 potential memory exhaust in token OCR function, which may
+ cause memory exhaustion resulting in a DoS (ekg program crash).
+ Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
+ hostile GG server.
+
+ -- Marcin Owsiany <porridge@debian.org> Sun, 25 Mar 2007 12:22:07 +0100
+
ekg (1:1.7~rc2-1) unstable; urgency=low
* New upstream release candidate
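Review bot: the changelog entry names the CVE ids but not the upstream cvsps patchset numbers (2661, 2694, 2699) that the advisory uses to identify each fix; adding them beside each CVE line would let the entry be cross-referenced with upstream CVS without consulting the mail. Also, "potential memory exhaust" in the CVE-2007-1665 item reads as a typo for "memory exhaustion", and the entry says "medium severity" where the advisory says "low/medium"; one of the two should be aligned with the other.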
only in patch2:
unchanged:
--- ekg-1.7~rc2.orig/src/events.c 2006-08-24 19:57:55.000000000 +0100
+++ ekg-1.7~rc2/src/events.c 2007-03-25 12:22:01.744092449 +0100
@@ -522,8 +522,10 @@
}
/* ignorujemy wiadomości bez treści zawierające jedynie obrazek(ki) */
- if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0)
+ if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0) {
+ list_destroy(images, 1);
return;
+ }
}
#ifdef HAVE_OPENSSL
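Review bot: the new brace block frees `images` before the early return, but it is the first of several copies of `list_destroy(images, 1); return;` added at this function's exit paths in the hunks that follow; a single cleanup label reached by `goto` from each early exit would make it harder to miss an exit path in a later change. As written the fix is correct for the visible path: the list is destroyed after `strlen(e->event.msg.message)` has been evaluated and the `return;` follows immediately, so nothing touches `images` afterwards.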
@@ -567,6 +569,7 @@
switch (python_handle_result) {
case 0:
+ list_destroy(images, 1);
return;
case 2:
hide = 1;
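Review bot: only `case 0` of `switch (python_handle_result)` gains the `list_destroy(images, 1)` call. The hunk shows `case 2` continuing to `hide = 1;` without returning, which is fine, but any other arm of this switch that returns (not visible in the three lines of context) would still leak the list, so the full switch should be checked before accepting this as complete.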
@@ -586,6 +589,7 @@
config_last_sysmsg_changed = 1;
}
+ list_destroy(images, 1);
return;
}
@@ -594,14 +598,17 @@
e->event.msg.sender, e->event.msg.recipients,
e->event.msg.recipients_count, 0);
- if (c && c->ignore)
+ if (c && c->ignore) {
+ list_destroy(images, 1);
return;
+ }
}
if ((!u && config_ignore_unknown_sender) || ignored_check(e->event.msg.sender) & IGNORE_MSG) {
if (config_log_ignored)
put_log(e->event.msg.sender, "%sign,%ld,%s,%s,%s,%s\n", (chat) ? "chatrecv" : "msgrecv", e->event.msg.sender, ((u && u->display) ? u->display : ""), log_timestamp(time(NULL)), log_timestamp(e->event.msg.time), e->event.msg.message);
+ list_destroy(images, 1);
return;
}
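Review bot: both early returns in this hunk (the `c->ignore` check and the ignored-sender check) now free `images`, and the ordering in the second one is right: `put_log()` still receives `e->event.msg.message` before the list is destroyed. One style point: the ignored-sender `if` body now holds an unbraced `if (config_log_ignored) put_log(...)` directly followed by the unconditional `list_destroy(images, 1);`; braces around the inner `if` body would make it obvious at a glance that the destroy is not part of the logging condition.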
@@ -1513,6 +1520,11 @@
goto err2;
}
+ if (file->SWidth <= 0 || file->SWidth > 1024 || file->SHeight <= 0 || file->SHeight > 1024) {
+ snprintf(errbuf, sizeof(errbuf), "Invalid image size: %d,%d", file->SWidth, file->SHeight);
+ goto err3;
+ }
+
if (DGifSlurp(file) != GIF_OK) {
snprintf (errbuf, sizeof(errbuf), "DGifSlurp(): %d", GifLastError());
goto err3;
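Review bot: the dimension check repeats the bare literal `1024` twice; a named constant (for example `TOKEN_MAX_DIM`, a suggested name) would document that the limit bounds the allocation `DGifSlurp()` derives from the screen descriptor. Jumping to `err3`, the same label the `DGifSlurp()` failure path uses, keeps the error cleanup consistent. Note that the check validates `SWidth`/`SHeight` only; if code after the slurp sizes or indexes buffers by the per-image descriptor dimensions rather than the screen dimensions, those need the same bound.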
@@ -1735,7 +1747,7 @@
int cur_char = 0; /* Kolejny znaczek z chars[]. */
memset (mappings, 0, sizeof(mappings));
- buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1));
+ buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1) + 1);
#ifdef TOKEN_GIF_PAL
for (i = 0; i < token->sx * token->sy; i++) {
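Review bot: the `+ 1` on the `xmalloc()` size fixes the off-by-one but carries no explanation; a comment stating what the extra byte is for (the terminator written after the last `sy + 1`-stride row, given the `(char *)` buffer) would stop the next reader from "simplifying" it away. If `token->sx` and `token->sy` come from the GIF dimensions bounded at 1024 in the earlier hunk, `token->sx * (token->sy + 1) + 1` cannot overflow an `int`; that dependency is worth stating in the same comment so the two checks are not decoupled later.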
Attachment: signature.asc (Digital signature)