
Bug#688366: unblock: libguac/0.6.0-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libguac

Version 0.6.0-2 contains a fix for a security vulnerability
(http://security-tracker.debian.org/tracker/CVE-2012-4415), but is being
blocked because of the freeze.

unblock libguac/0.6.0-2

Thanks.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru libguac-0.6.0/debian/changelog libguac-0.6.0/debian/changelog
--- libguac-0.6.0/debian/changelog      2012-06-01 13:52:13.000000000 -0700
+++ libguac-0.6.0/debian/changelog      2012-09-11 11:30:15.000000000 -0700
@@ -1,3 +1,11 @@
+libguac (0.6.0-2) unstable; urgency=high
+
+  * CVE-2012-4415: Buffer overflow in guac_client_plugin_open
+    - debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch,
+      thanks to Timo Juhani Lindfors for discovering the flaw
+
+ -- Michael Jumper <zhangmaike@users.sourceforge.net>  Sun, 26 Aug
2012 18:47:52 -0700
+
 libguac (0.6.0-1) unstable; urgency=low

   * Merged latest changes from 0.6.0
diff -Nru libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
--- libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
    1969-12-31 16:00:00.000000000 -0800
+++ libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
    2012-09-11 11:28:19.000000000 -0700
@@ -0,0 +1,82 @@
+From 7dcefa744b4a38825619c00ae8b47e5bae6e38c0 Mon Sep 17 00:00:00 2001
+From: Michael Jumper <zhangmaike@users.sourceforge.net>
+Date: Thu, 23 Aug 2012 11:50:06 -0700
+Subject: [PATCH] Define library prefix/suffix with macros, explicitly
define and enforce limit on protocol name length, and overall library
name length.
+
+---
+ include/client.h |   32 ++++++++++++++++++++++++++++++++
+ src/client.c     |    9 +++++----
+ 2 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/include/client.h b/include/client.h
+index 57852c5..1ceafe9 100644
+--- a/include/client.h
++++ b/include/client.h
+@@ -50,6 +50,38 @@
+  * @file client.h
+  */
+
++/**
++ * String prefix which begins the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_PREFIX "libguac-client-"
++
++/**
++ * String suffix which ends the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_SUFFIX ".so"
++
++/**
++ * The maximum number of characters (COUNTING NULL TERMINATOR) to allow
++ * for protocol names within the library filename of client plugins.
++ */
++#define GUAC_PROTOCOL_NAME_LIMIT 256
++
++/**
++ * The maximum number of characters (INCLUDING NULL TERMINATOR) that a
++ * character array containing the concatenation of the library prefix,
++ * protocol name, and suffix can contain, assuming the protocol name is
++ * limited to GUAC_PROTOCOL_NAME_LIMIT characters.
++ */
++#define GUAC_PROTOCOL_LIBRARY_LIMIT (                                  \
++                                                                       \
++      sizeof(GUAC_PROTOCOL_LIBRARY_PREFIX) - 1 /* "libguac-client-" */ \
++    +        GUAC_PROTOCOL_NAME_LIMIT      - 1 /* [up to 256 chars] */ \
++    + sizeof(GUAC_PROTOCOL_LIBRARY_SUFFIX) - 1 /* ".so"             */ \
++    + 1                                        /* NULL terminator   */ \
++                                                                       \
++)
++
++
+ typedef struct guac_client guac_client;
+ typedef struct guac_client_plugin guac_client_plugin;
+
+diff --git a/src/client.c b/src/client.c
+index 759c4f3..90491b5 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -164,16 +164,17 @@ guac_client_plugin*
guac_client_plugin_open(const char* protocol) {
+     const char** client_args;
+
+     /* Pluggable client */
+-    char protocol_lib[256] = "libguac-client-";
+-
++    char protocol_lib[GUAC_PROTOCOL_LIBRARY_LIMIT] =
++        GUAC_PROTOCOL_LIBRARY_PREFIX;
++
+     union {
+         guac_client_init_handler* client_init;
+         void* obj;
+     } alias;
+
+     /* Add protocol and .so suffix to protocol_lib */
+-    strcat(protocol_lib, protocol);
+-    strcat(protocol_lib, ".so");
++    strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1);
++    strcat(protocol_lib, GUAC_PROTOCOL_LIBRARY_SUFFIX);
+
+     /* Load client plugin */
+     client_plugin_handle = dlopen(protocol_lib, RTLD_LAZY);
+--
+1.7.2.5
+
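Review bot: The `strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1)` call in guac_client_plugin_open keeps the write in bounds but silently truncates an over-long protocol name, so dlopen() is then asked for a library whose name differs from the one requested. Rejecting the input before the concatenation would be clearer than truncating it, for example `if (strlen(protocol) >= GUAC_PROTOCOL_NAME_LIMIT) return NULL;`, paired with whatever error reporting the function uses elsewhere (not visible in this hunk). The same check is a natural place to refuse names containing `/`, because dlopen() treats a filename with a slash as a path instead of searching the library directories; whether callers already validate `protocol` cannot be seen here. The function body starts and ends outside the hunk.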
diff -Nru libguac-0.6.0/debian/patches/series
libguac-0.6.0/debian/patches/series
--- libguac-0.6.0/debian/patches/series 2012-05-30 23:47:45.000000000 -0700
+++ libguac-0.6.0/debian/patches/series 2012-09-11 11:28:19.000000000 -0700
@@ -1 +1,2 @@
 0001-remove-requirement-for-m4-dir.patch
+0002-guac_client_plugin_open-buffer-overflow.patch

