Re: nufw stable update for CVE-2007-5723
Pierre Chifflier wrote:
>> CVE-2007-5723[0]:
>> | Heap-based buffer overflow in the samp_send function in nuauth/sasl.c
>> | in NuFW before 2.2.7 allows remote attackers to cause a denial of
>> | service via unspecified input on which base64 encoding is performed.
>> | NOTE: some of these details are obtained from third party information.
>>
>> Unfortunately the vulnerability described above is not important enough
>> to get it fixed via regular security update in Debian stable. It does
>> not warrant a DSA.
>>
>> However it would be nice if this could get fixed via a regular point update[1].
>> Please contact the release team for this.
>>
> Hi,
>
> While I'm perfectly ok for a regular point update, there is a problem:
> version in stable (etch) is 1.0.23, which is unmaintained upstream, and
> has security problems. It will be extremely difficult to extract a
> patch, given the number of changes in the code.
> The good thing to do would be to package the 2.2.x branch, which is
> technically easy (I maintain packages for etch on packages.inl.fr, and
> upgrade from 1.x is not a problem), but would require a package upgrade.
>
> Would it be ok to package a recent version, and propose it on
> stable-updates?
Use the source. First of all, it's not difficult to extract the patch:
diff -Naur nufw-2.2.6/src/nuauth/sasl.c nufw-2.2.7/src/nuauth/sasl.c
--- nufw-2.2.6/src/nuauth/sasl.c 2007-10-08 18:09:30.000000000 +0200
+++ nufw-2.2.7/src/nuauth/sasl.c 2007-10-17 11:14:31.000000000 +0200
@@ -193,7 +193,8 @@
unsigned len, alloclen;
int result;
- alloclen = ((length / 3) + 1) * 4 + 1;
+ /* prefix ("S: ") + base64 length + 1 nul byte */
+ alloclen = 3 + ((length+2)/3)*4 + 1;
buf = g_new(char, alloclen);
- result = sasl_encode64(buffer, length, buf + 3, alloclen, &len);
+ result = sasl_encode64(buffer, length, buf + 3, alloclen - 3, &len);
if (result != SASL_OK) {
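Review bot: In the new `alloclen` line, `3 + ((length+2)/3)*4 + 1` is computed with no bound on `length` visible in this hunk, and `alloclen` is declared `unsigned`, so unless the caller already limits `length` a very large value could wrap the size before `g_new(char, alloclen)`; an explicit upper bound on `length` ahead of the allocation would close that off. The prefix size 3 is also hard-coded in three places (`3 + ...`, `buf + 3`, `alloclen - 3`) and tied to "S: " only by the comment, so a single named constant for the prefix length would keep the allocation size and the limit passed to `sasl_encode64` from drifting apart again.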
Validating this against the code in Etch shows that the affected code isn't
present.
Cheers,
Moritz