
Bug#688366: marked as done (unblock: libguac/0.6.0-2)



Your message dated Sun, 23 Sep 2012 18:21:48 +0100
with message-id <1348420908.21568.26.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#688366: unblock: libguac/0.6.0-2
has caused the Debian Bug report #688366,
regarding unblock: libguac/0.6.0-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
688366: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688366
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libguac

Version 0.6.0-2 contains a fix for a security vulnerability
(http://security-tracker.debian.org/tracker/CVE-2012-4415), but is being
blocked because of the freeze.

unblock libguac/0.6.0-2

Thanks.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru libguac-0.6.0/debian/changelog libguac-0.6.0/debian/changelog
--- libguac-0.6.0/debian/changelog      2012-06-01 13:52:13.000000000 -0700
+++ libguac-0.6.0/debian/changelog      2012-09-11 11:30:15.000000000 -0700
@@ -1,3 +1,11 @@
+libguac (0.6.0-2) unstable; urgency=high
+
+  * CVE-2012-4415: Buffer overflow in guac_client_plugin_open
+    - debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch,
+      thanks to Timo Juhani Lindfors for discovering the flaw
+
+ -- Michael Jumper <zhangmaike@users.sourceforge.net>  Sun, 26 Aug
2012 18:47:52 -0700
+
 libguac (0.6.0-1) unstable; urgency=low

   * Merged latest changes from 0.6.0
diff -Nru libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
--- libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
    1969-12-31 16:00:00.000000000 -0800
+++ libguac-0.6.0/debian/patches/0002-guac_client_plugin_open-buffer-overflow.patch
    2012-09-11 11:28:19.000000000 -0700
@@ -0,0 +1,82 @@
+From 7dcefa744b4a38825619c00ae8b47e5bae6e38c0 Mon Sep 17 00:00:00 2001
+From: Michael Jumper <zhangmaike@users.sourceforge.net>
+Date: Thu, 23 Aug 2012 11:50:06 -0700
+Subject: [PATCH] Define library prefix/suffix with macros, explicitly
define and enforce limit on protocol name length, and overall library
name length.
+
+---
+ include/client.h |   32 ++++++++++++++++++++++++++++++++
+ src/client.c     |    9 +++++----
+ 2 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/include/client.h b/include/client.h
+index 57852c5..1ceafe9 100644
+--- a/include/client.h
++++ b/include/client.h
+@@ -50,6 +50,38 @@
+  * @file client.h
+  */
+
++/**
++ * String prefix which begins the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_PREFIX "libguac-client-"
++
++/**
++ * String suffix which ends the library filename of all client plugins.
++ */
++#define GUAC_PROTOCOL_LIBRARY_SUFFIX ".so"
++
++/**
++ * The maximum number of characters (COUNTING NULL TERMINATOR) to allow
++ * for protocol names within the library filename of client plugins.
++ */
++#define GUAC_PROTOCOL_NAME_LIMIT 256
++
++/**
++ * The maximum number of characters (INCLUDING NULL TERMINATOR) that a
++ * character array containing the concatenation of the library prefix,
++ * protocol name, and suffix can contain, assuming the protocol name is
++ * limited to GUAC_PROTOCOL_NAME_LIMIT characters.
++ */
++#define GUAC_PROTOCOL_LIBRARY_LIMIT (                                  \
++                                                                       \
++      sizeof(GUAC_PROTOCOL_LIBRARY_PREFIX) - 1 /* "libguac-client-" */ \
++    +        GUAC_PROTOCOL_NAME_LIMIT      - 1 /* [up to 256 chars] */ \
++    + sizeof(GUAC_PROTOCOL_LIBRARY_SUFFIX) - 1 /* ".so"             */ \
++    + 1                                        /* NULL terminator   */ \
++                                                                       \
++)
++
++
+ typedef struct guac_client guac_client;
+ typedef struct guac_client_plugin guac_client_plugin;
+
+diff --git a/src/client.c b/src/client.c
+index 759c4f3..90491b5 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -164,16 +164,17 @@ guac_client_plugin*
guac_client_plugin_open(const char* protocol) {
+     const char** client_args;
+
+     /* Pluggable client */
+-    char protocol_lib[256] = "libguac-client-";
+-
++    char protocol_lib[GUAC_PROTOCOL_LIBRARY_LIMIT] =
++        GUAC_PROTOCOL_LIBRARY_PREFIX;
++
+     union {
+         guac_client_init_handler* client_init;
+         void* obj;
+     } alias;
+
+     /* Add protocol and .so suffix to protocol_lib */
+-    strcat(protocol_lib, protocol);
+-    strcat(protocol_lib, ".so");
++    strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1);
++    strcat(protocol_lib, GUAC_PROTOCOL_LIBRARY_SUFFIX);
+
+     /* Load client plugin */
+     client_plugin_handle = dlopen(protocol_lib, RTLD_LAZY);
+--
+1.7.2.5
+
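Review bot: In the src/client.c hunk, strncat(protocol_lib, protocol, GUAC_PROTOCOL_NAME_LIMIT-1) keeps the write inside protocol_lib, but a protocol name longer than 255 characters is silently truncated and the truncated name still goes to dlopen. Checking strlen(protocol) against GUAC_PROTOCOL_NAME_LIMIT before building the filename, and failing the call when it is exceeded, would avoid loading a library the caller did not name. The sizing in GUAC_PROTOCOL_LIBRARY_LIMIT is consistent with the two appends (15 + 255 + 3 + 1 = 274 bytes). The macro comments in include/client.h say "COUNTING NULL TERMINATOR" in one place and "INCLUDING NULL TERMINATOR" in the other for the same convention; one wording would read more clearly.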
diff -Nru libguac-0.6.0/debian/patches/series
libguac-0.6.0/debian/patches/series
--- libguac-0.6.0/debian/patches/series 2012-05-30 23:47:45.000000000 -0700
+++ libguac-0.6.0/debian/patches/series 2012-09-11 11:28:19.000000000 -0700
@@ -1 +1,2 @@
 0001-remove-requirement-for-m4-dir.patch
+0002-guac_client_plugin_open-buffer-overflow.patch

--- End Message ---
--- Begin Message ---
On Fri, 2012-09-21 at 22:18 -0700, Michael Jumper wrote:
> Please unblock package libguac
> 
> Version 0.6.0-2 contains a fix for a security vulnerability
> (http://security-tracker.debian.org/tracker/CVE-2012-4415), but is being
> blocked because of the freeze.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
