On Wed, Mar 21, 2007 at 02:37:42PM +0000, Marcin Owsiany wrote:
> The following low/medium severity security issues have recently been
> identified in ekg. (The numbers are cvsps patchsets which fixed the
> problem in upstream CVS.)
>
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
>
> 2694: off-by-one in token OCR function, which may cause a null pointer
> dereference resulting in a DoS (ekg program crash). Exploitable by MiTM
> (hostile HTTP proxy or TCP stream injection) or a hostile GG server.
>
> 2699: potential memory exhaust in token OCR function, which may cause
> memory exhaustion resulting in a DoS (ekg program crash). Exploitability
> same as in 2694.
>
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1

Em, the "version to be fixed in" for sid/etch is wrong. There will be no
upstream tarball change, so I need just to change the debian revision.

I would like to use 1:1.7~rc2-2 and upload to unstable with urgency=high.
Then, if the release team would let this propagate to frozen, we would
have a single upload taking care of both sid and etch (there would be no
other changes - see proposed interdiff attached).

Please let me know if this is acceptable. If not, please let me know what
target distribution I should use to put the fixes into etch.

Marcin

-- 
Marcin Owsiany <porridge@debian.org>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.7~rc2/debian/changelog ekg-1.7~rc2/debian/changelog --- ekg-1.7~rc2/debian/changelog 2006-08-27 13:21:14.268465000 +0100 +++ ekg-1.7~rc2/debian/changelog 2007-03-25 12:24:40.326003199 +0100 @@ -1,3 +1,21 @@ +ekg (1:1.7~rc2-2) unstable; urgency=high + + * Patched three medium severity security issues in src/events.c (no other + changes): + - CVE-2007-1663 A memory leak in handling image messages, which may cause + memory exhaustion resulting in a DoS (ekg program crash). Exploitable by + a hostile GG user. + - CVE-2007-1664 off-by-one in token OCR function, which may cause a null + pointer dereference resulting in a DoS (ekg program crash). Exploitable + by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG + server. + - CVE-2007-1665 potential memory exhaust in token OCR function, which may + cause memory exhaustion resulting in a DoS (ekg program crash). + Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a + hostile GG server. + + -- Marcin Owsiany <porridge@debian.org> Sun, 25 Mar 2007 12:22:07 +0100 + ekg (1:1.7~rc2-1) unstable; urgency=low * New upstream release candidate only in patch2: unchanged: --- ekg-1.7~rc2.orig/src/events.c 2006-08-24 19:57:55.000000000 +0100 +++ ekg-1.7~rc2/src/events.c 2007-03-25 12:22:01.744092449 +0100 @@ -522,8 +522,10 @@ } /* ignorujemy wiadomości bez treści zawierające jedynie obrazek(ki) */ - if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0) + if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0) { + list_destroy(images, 1); return; + } } #ifdef HAVE_OPENSSL @@ -567,6 +569,7 @@ switch (python_handle_result) { case 0: + list_destroy(images, 1); return; case 2: hide = 1; @@ -586,6 +589,7 @@ config_last_sysmsg_changed = 1; } + list_destroy(images, 1); return; } 
@@ -594,14 +598,17 @@ e->event.msg.sender, e->event.msg.recipients, e->event.msg.recipients_count, 0); - if (c && c->ignore) + if (c && c->ignore) { + list_destroy(images, 1); return; + } } if ((!u && config_ignore_unknown_sender) || ignored_check(e->event.msg.sender) & IGNORE_MSG) { if (config_log_ignored) put_log(e->event.msg.sender, "%sign,%ld,%s,%s,%s,%s\n", (chat) ? "chatrecv" : "msgrecv", e->event.msg.sender, ((u && u->display) ? u->display : ""), log_timestamp(time(NULL)), log_timestamp(e->event.msg.time), e->event.msg.message); + list_destroy(images, 1); return; } @@ -1513,6 +1520,11 @@ goto err2; } + if (file->SWidth <= 0 || file->SWidth > 1024 || file->SHeight <= 0 || file->SHeight > 1024) { + snprintf(errbuf, sizeof(errbuf), "Invalid image size: %d,%d", file->SWidth, file->SHeight); + goto err3; + } + if (DGifSlurp(file) != GIF_OK) { snprintf (errbuf, sizeof(errbuf), "DGifSlurp(): %d", GifLastError()); goto err3; @@ -1735,7 +1747,7 @@ int cur_char = 0; /* Kolejny znaczek z chars[]. */ memset (mappings, 0, sizeof(mappings)); - buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1)); + buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1) + 1); #ifdef TOKEN_GIF_PAL for (i = 0; i < token->sx * token->sy; i++) {
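Review bot: the debian/changelog entry (hunk @@ -1,3 +1,21 @@) calls the issues "three medium severity" while the advisory quoted above rates them low/medium, and it names only the CVE ids, not the upstream cvsps patchset numbers 2661/2694/2699 that the advisory uses; matching the advisory wording and adding the patchset numbers next to each CVE would make it easier to cross-check the Debian fix against upstream CVS.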
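Review bot: in the src/events.c hunk @@ -522,8 +522,10 @@ (and likewise in @@ -567, @@ -586 and @@ -594) the image-message leak is fixed by inserting `list_destroy(images, 1);` immediately before each early `return`, which is the same pattern that let the leak in to begin with: any early return in this function that is missed now, or added later, leaks the list again. A single exit path, for example `goto out;` at each of these sites with the one `list_destroy(images, 1);` at the label, would free the list on every exit; it is also worth walking the returns between these hunks once more to confirm none is left without the call.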
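Review bot: the new size check in hunk @@ -1513,6 +1520,11 @@ hard-codes 1024 twice with no comment on why token images are bounded at that size; a named constant (something like `#define TOKEN_MAX_DIM 1024`, placeholder name) would document the intent and keep both comparisons in sync. Placing the check ahead of `DGifSlurp(file)` is the right spot, since the slurp allocates raster storage from SWidth and SHeight, and the `goto err3` on rejection reuses the same cleanup as the existing DGifSlurp failure path, so the file handle is released consistently.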
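Review bot: in hunk @@ -1735,7 +1747,7 @@ the `+ 1` added to `xmalloc(token->sx * (token->sy + 1) + 1)` corrects the off-by-one, but the line does not say what the extra byte is for; a short comment stating the intended buffer layout (rows, per-row separator, and terminator) would let the next reader verify the size expression rather than trust it. If `token->sx` and `token->sy` come from the GIF dimensions bounded to 1024 in the @@ -1513 hunk, the multiplication cannot overflow; if they are derived elsewhere, that product needs the same bound before it is passed to xmalloc.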