mixmaster update for etch r1
Hey,
I would like to update mixmaster in etch's first point release to fix a
grave bug that unfortunately was only discovered after the release.
The same source has already been uploaded to unstable as 3.0b2-5.
Please let me know if I may upload the package.
diff -u mixmaster-3.0b2/debian/changelog mixmaster-3.0b2/debian/changelog
--- mixmaster-3.0b2/debian/changelog
+++ mixmaster-3.0b2/debian/changelog
@@ -1,3 +1,28 @@
+mixmaster (3.0b2-4.etch1) stable; urgency=high
+
+ * Backport a fix from upstream:
+ In two functions in keymgt.c we had allocated a buffer of 33 bytes
+ when if fact we were using one more - 34 - bytes. This buffer
+ overflow is exposed when building with gcc 4.x, it never was exposed
+ with previous compilers because they apparently layed out the stack
+ differently.
+ The result of this buffer overflow is that a single 0-byte will be
+ written at the end of the buffer. At that position on the stack
+ there is (at least in the previous build) a saved local variable
+ from a calling function. This local variable is a pointer to a
+ BUFFER struct and this pointer has its least significant byte
+ set to zero.
+ This prevents mixmaster from properly decrypting incoming type2
+ messages. It's not likely that this can be exploited to execute
+ arbitrary code, tho evidence or argument to the contrary are of course
+ welcome.
+ Upstream patch:
+ http://svn.noreply.org/cgi-bin/viewcvs.cgi/trunk/Mix/Src/keymgt.c?rev=929&r1=766&r2=929
+ Closes: #418662
+ Thanks to Hauke Lampe and Colin Tuckley.
+
+ -- Peter Palfrader <weasel@debian.org> Mon, 23 Apr 2007 17:14:50 +0200
+
mixmaster (3.0b2-4) unstable; urgency=low
[ Christian Perrier ]
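Review bot: The changelog entry describes only the buffer resize and does not mention that the patch also replaces both `streq(line, idstr)` comparisons with `strncmp(line, idstr, KEY_ID_LEN)`. That changes how keyring lines are matched, so it deserves its own line in the entry. Minor wording: "when if fact" should read "when in fact", and "layed out" should read "laid out".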
only in patch2:
unchanged:
--- mixmaster-3.0b2.orig/Src/keymgt.c
+++ mixmaster-3.0b2/Src/keymgt.c
@@ -14,6 +14,8 @@
#include <time.h>
#include <assert.h>
+#define KEY_ID_LEN 32
+
int getv2seckey(byte keyid[], BUFFER *key);
static int getv2pubkey(byte keyid[], BUFFER *key);
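Review bot: `#define KEY_ID_LEN 32` has no comment saying what it measures. A one-line comment stating that it is the character length of the id string compared against keyring lines, not counting the terminating NUL, would make the `KEY_ID_LEN+2` buffer sizes further down checkable at a glance.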
@@ -39,7 +41,7 @@
{
FILE *keyring;
BUFFER *iv, *pass, *temp;
- char idstr[33];
+ char idstr[KEY_ID_LEN+2];
char line[LINELEN];
int err = -1;
char *res;
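Review bot: In `char idstr[KEY_ID_LEN+2];` the `+2` is unexplained. The changelog says 34 bytes are actually used, so a comment naming the two extra bytes would help. The code that fills `idstr` is outside this hunk, so it is also worth confirming that the write is bounded by `sizeof(idstr)` rather than relying on the declared size matching by hand.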
@@ -78,7 +80,7 @@
} while ( res != NULL && strchr(line, ':') != NULL );
if (res == NULL)
break;
- if (keyid && !streq(line, idstr))
+ if (keyid && (strncmp(line, idstr, KEY_ID_LEN) != 0))
continue;
if (created != 0 && (created > time(NULL))) {
errlog(ERRORMSG, "Key is not valid yet (creation date in the future): %s", idstr);
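Review bot: Replacing `streq(line, idstr)` with `strncmp(line, idstr, KEY_ID_LEN) != 0` turns an exact match into a prefix match: any keyring line whose first 32 characters equal the id is now accepted, whatever follows them. If that is intended, a comment should say why; otherwise also check that `line[KEY_ID_LEN]` is the expected terminator.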
@@ -126,7 +128,7 @@
{
FILE *keyring;
BUFFER *b, *temp, *iv;
- char idstr[33];
+ char idstr[KEY_ID_LEN+2];
char line[LINELEN];
int err = 0;
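Review bot: This is the second hand-written copy of `char idstr[KEY_ID_LEN+2];`. A single macro for the buffer size, for example `#define KEY_ID_BUFLEN (KEY_ID_LEN+2)`, used in both functions would keep the two declarations from drifting apart.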
@@ -149,7 +151,7 @@
line[strlen(line)-1] = '\0';
if ((strlen(line) > 0) && (line[strlen(line)-1] == '\r'))
line[strlen(line)-1] = '\0';
- if (!streq(line, idstr))
+ if (strncmp(line, idstr, KEY_ID_LEN) != 0)
continue;
fgets(line, sizeof(line), keyring); /* ignore length */
for (;;) {
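Review bot: The new `strncmp(line, idstr, KEY_ID_LEN) != 0` ignores everything past the first 32 characters, even though the context lines above it have already trimmed the trailing newline and `\r` from `line`. If a key id is meant to occupy the whole line, adding `strlen(line) == KEY_ID_LEN` to the condition would keep the match exact.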
$ debdiff mixmaster_3.0b2-4_i386.changes mixmaster_3.0b2-4.etch1_i386.changes
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Version: [-3.0b2-4-] {+3.0b2-4.etch1+}
Installed-Size: [-596-] {+600+}
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/