Bug#684140: marked as done (unblock: libotr/3.2.1-1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#684140: marked as done (unblock: libotr/3.2.1-1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Tue, 07 Aug 2012 12:51:10 +0000
Message-id: <[🔎] handler.684140.D684140.134434371620251.ackdone@bugs.debian.org>
References: <b58c8aadd312c1a529cfd45871b217a2@mail.adsl.funky-badger.org> <[🔎] 20120807103807.15979.86808.reportbug@morgoth.esiee.fr>

Your message dated Tue, 07 Aug 2012 13:48:26 +0100
with message-id <b58c8aadd312c1a529cfd45871b217a2@mail.adsl.funky-badger.org>
and subject line Re: Bug#684140: unblock: libotr/3.2.1-1
has caused the Debian Bug report #684140,
regarding unblock: libotr/3.2.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684140: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684140
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: libotr/3.2.1-1
From: Thibaut VARENE <varenet@debian.org>
Date: Tue, 07 Aug 2012 12:38:07 +0200
Message-id: <[🔎] 20120807103807.15979.86808.reportbug@morgoth.esiee.fr>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libotr

Fixes security hole (possible buffer overflow in base64 routines): #684121

The only change from 3.2.0-4 (currently in wheezy) and 3.2.1-1 is the security
fix, see the attached debdiff.

unblock libotr/3.2.1-1

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: ia64

Kernel: Linux 2.6.29.2 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

diff -Nru libotr-3.2.0/ChangeLog libotr-3.2.1/ChangeLog
--- libotr-3.2.0/ChangeLog	2008-06-15 22:16:34.000000000 +0200
+++ libotr-3.2.1/ChangeLog	2012-08-07 12:21:35.000000000 +0200
@@ -1,3 +1,20 @@
+2012-07-27
+
+	* src/version.h: Update libotr version number to 3.2.1
+
+2012-07-19
+
+	* src/b64.[ch], src/proto.c, toolkit/parse.c: Clean up the
+	previous b64 patch and apply it to all places where
+	otrl_base64_decode() is called.
+
+2012-07-17
+
+	* src/b64.c: Use ceil instead of floor to compute the size
+	of the data buffer.  This prevents a one-byte heap buffer
+	overflow.  Thanks to Justin Ferguson <jnferguson@gmail.com>
+	for the report.
+
 2008-06-15:
 
 	* README: Release version 3.2.0.
diff -Nru libotr-3.2.0/debian/changelog libotr-3.2.1/debian/changelog
--- libotr-3.2.0/debian/changelog	2011-12-26 18:34:38.000000000 +0100
+++ libotr-3.2.1/debian/changelog	2012-08-07 12:25:12.000000000 +0200
@@ -1,3 +1,9 @@
+libotr (3.2.1-1) unstable; urgency=high
+
+  * Fix potential buffer overflow in base64 routines (Closes: #684121)
+
+ -- Thibaut VARENE <varenet@debian.org>  Tue, 07 Aug 2012 12:24:15 +0200
+
 libotr (3.2.0-4) unstable; urgency=low
 
   * lintian cleanup:
diff -Nru libotr-3.2.0/src/b64.c libotr-3.2.1/src/b64.c
--- libotr-3.2.0/src/b64.c	2008-05-27 14:35:28.000000000 +0200
+++ libotr-3.2.1/src/b64.c	2012-08-07 12:21:31.000000000 +0200
@@ -55,7 +55,7 @@
 \******************************************************************* */
 
 /* system headers */
-#include <stdlib.h>
+#include <stdio.h>
 #include <string.h>
 
 /* libotr headers */
@@ -147,8 +147,9 @@
  * base64 decode data.  Skip non-base64 chars, and terminate at the
  * first '=', or the end of the buffer.
  *
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
- * space.  This function will return the number of bytes actually used.
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
+ * of space.  This function will return the number of bytes actually
+ * used.
  */
 size_t otrl_base64_decode(unsigned char *data, const char *base64data,
 	size_t base64len)
@@ -234,13 +235,18 @@
 	return -2;
     }
 
+    /* Skip over the "?OTR:" */
+    otrtag += 5;
+    msglen -= 5;
+
     /* Base64-decode the message */
-    rawlen = ((msglen-5) / 4) * 3;   /* maximum possible */
+    rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen);   /* maximum possible */
     rawmsg = malloc(rawlen);
     if (!rawmsg && rawlen > 0) {
 	return -1;
     }
-    rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5);  /* actual size */
+
+    rawlen = otrl_base64_decode(rawmsg, otrtag, msglen);  /* actual size */
 
     *bufp = rawmsg;
     *lenp = rawlen;
diff -Nru libotr-3.2.0/src/b64.h libotr-3.2.1/src/b64.h
--- libotr-3.2.0/src/b64.h	2008-05-27 14:35:28.000000000 +0200
+++ libotr-3.2.1/src/b64.h	2012-08-07 12:21:31.000000000 +0200
@@ -20,6 +20,19 @@
 #ifndef __B64_H__
 #define __B64_H__
 
+#include <stdlib.h>
+
+/* Base64 encodes blocks of this many bytes: */
+#define OTRL_B64_DECODED_LEN 3
+/* into blocks of this many bytes: */
+#define OTRL_B64_ENCODED_LEN 4
+
+/* An encoded block of length encoded_len can turn into a maximum of
+ * this many decoded bytes: */
+#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \
+    (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \
+	* OTRL_B64_DECODED_LEN)
+
 /*
  * base64 encode data.  Insert no linebreaks or whitespace.
  *
@@ -33,8 +46,9 @@
  * base64 decode data.  Skip non-base64 chars, and terminate at the
  * first '=', or the end of the buffer.
  *
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
- * space.  This function will return the number of bytes actually used.
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
+ * of space.  This function will return the number of bytes actually
+ * used.
  */
 size_t otrl_base64_decode(unsigned char *data, const char *base64data,
 	size_t base64len);
diff -Nru libotr-3.2.0/src/proto.c libotr-3.2.1/src/proto.c
--- libotr-3.2.0/src/proto.c	2008-05-27 14:35:28.000000000 +0200
+++ libotr-3.2.1/src/proto.c	2012-08-07 12:21:31.000000000 +0200
@@ -537,13 +537,17 @@
 	msglen = strlen(otrtag);
     }
 
+    /* Skip over the "?OTR:" */
+    otrtag += 5;
+    msglen -= 5;
+
     /* Base64-decode the message */
-    rawlen = ((msglen-5) / 4) * 3;   /* maximum possible */
+    rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen);   /* maximum possible */
     rawmsg = malloc(rawlen);
     if (!rawmsg && rawlen > 0) {
 	return gcry_error(GPG_ERR_ENOMEM);
     }
-    rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5);  /* actual size */
+    rawlen = otrl_base64_decode(rawmsg, otrtag, msglen);  /* actual size */
 
     bufp = rawmsg;
     lenp = rawlen;
@@ -606,14 +610,18 @@
 	msglen = strlen(otrtag);
     }
 
+    /* Skip over the "?OTR:" */
+    otrtag += 5;
+    msglen -= 5;
+
     /* Base64-decode the message */
-    rawlen = ((msglen-5) / 4) * 3;   /* maximum possible */
+    rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen);   /* maximum possible */
     rawmsg = malloc(rawlen);
     if (!rawmsg && rawlen > 0) {
 	err = gcry_error(GPG_ERR_ENOMEM);
 	goto err;
     }
-    rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5);  /* actual size */
+    rawlen = otrl_base64_decode(rawmsg, otrtag, msglen);  /* actual size */
 
     bufp = rawmsg;
     lenp = rawlen;
diff -Nru libotr-3.2.0/src/version.h libotr-3.2.1/src/version.h
--- libotr-3.2.0/src/version.h	2008-05-27 14:35:28.000000000 +0200
+++ libotr-3.2.1/src/version.h	2012-08-07 12:21:35.000000000 +0200
@@ -20,10 +20,10 @@
 #ifndef __VERSION_H__
 #define __VERSION_H__
 
-#define OTRL_VERSION "3.2.0"
+#define OTRL_VERSION "3.2.1"
 
 #define OTRL_VERSION_MAJOR 3
 #define OTRL_VERSION_MINOR 2
-#define OTRL_VERSION_SUB 0
+#define OTRL_VERSION_SUB 1
 
 #endif
diff -Nru libotr-3.2.0/toolkit/parse.c libotr-3.2.1/toolkit/parse.c
--- libotr-3.2.0/toolkit/parse.c	2008-05-27 14:35:28.000000000 +0200
+++ libotr-3.2.1/toolkit/parse.c	2012-08-07 12:21:33.000000000 +0200
@@ -64,7 +64,8 @@
 {
     const char *header, *footer;
     unsigned char *raw;
-	
+    size_t rawlen;
+
     /* Find the header */
     header = strstr(msg, "?OTR:");
     if (!header) return NULL;
@@ -75,8 +76,10 @@
     footer = strchr(header, '.');
     if (!footer) footer = header + strlen(header);
 
-    raw = malloc((footer-header) / 4 * 3);
-    if (raw == NULL && (footer-header >= 4)) return NULL;
+    rawlen = OTRL_B64_MAX_DECODED_SIZE(footer-header);
+
+    raw = malloc(rawlen);
+    if (raw == NULL && rawlen > 0) return NULL;
     *lenp = otrl_base64_decode(raw, header, footer-header);
 
     return raw;

--- End Message ---

--- Begin Message ---

To: Thibaut VARENE <varenet@debian.org>, <684140-done@bugs.debian.org>

Subject: Re: Bug#684140: unblock: libotr/3.2.1-1

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Tue, 07 Aug 2012 13:48:26 +0100

Message-id: <b58c8aadd312c1a529cfd45871b217a2@mail.adsl.funky-badger.org>

In-reply-to: <[🔎] 20120807103807.15979.86808.reportbug@morgoth.esiee.fr>

References: <[🔎] 20120807103807.15979.86808.reportbug@morgoth.esiee.fr>
On 07.08.2012 11:38, Thibaut VARENE wrote:
Please unblock package libotr
Fixes security hole (possible buffer overflow in base64 routines):#684121
I'm not convinced that grave / urgency=high is appropriate for a"security hole" that upstream says is "just a DoS". Unblocked, in anycase.
Regards,

Adam
--- End Message ---

Reply to:

References:
- Bug#684140: unblock: libotr/3.2.1-1
  - From: Thibaut VARENE <varenet@debian.org>

Prev by Date: Bug#684141: unblock: boinc/7.0.27+dfsg-5
Next by Date: Bug#684125: marked as done (unblock: libmath-random-mt-perl/1.15-2)
Previous by thread: Bug#684140: unblock: libotr/3.2.1-1
Next by thread: Bug#684141: unblock: boinc/7.0.27+dfsg-5
Index(es):
- Date
- Thread