
Bug#768012: unblock: quassel/0.10.0-2.1



Hi Emilio, Thomas, Jonathan,

On Fri, Nov 07, 2014 at 04:31:34PM +0000, Emilio Pozuelo Monfort wrote:
> On 06/11/14 07:54, Salvatore Bonaccorso wrote:
> >Hi Release Team, hi Thomas
> >
> >This unblock request cannot be done this way anymore as there was a
> >new upstream version upload to unstable, which also does not seem to
> >contain the fix, see https://bugs.debian.org/766962#68 (commit
> >8b5ecd226f9208af3074b33d3b7cf5e14f55b138 upstream is only after the
> >0.11.0 release).
> >
> >I would like to see this fixed also in Jessie, as we did already
> >DSA-3063-1 for wheezy.
> >
> >Can you either accept and unblock another upload of quassel to
> >unstable, say 1:0.10.0-2.1 (or prepared by Thomas, so not using a NMU
> >version numbering) or would you prefer an upload through tpu?
> 
> Either way is fine with me.

Ok, I have just uploaded quassel bumping the epoch and also using -2.2 (as
suggested on IRC, as the epoch is not included in filenames). The
changelog is:

----cut---------cut---------cut---------cut---------cut---------cut-----
quassel (1:0.10.0-2.2) unstable; urgency=high

  * Non-maintainer upload.
  * Increment Debian revision and epoch to re-upload 0.10.0-2.1 to
    unstable containing the fix for #766962 / CVE-2014-8483:
    out-of-bounds read in ECB Blowfish decryption.

 -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 08 Nov 2014 14:14:56 +0100

quassel (0.10.0-2.1) unstable; urgency=high

  * Non-maintainer upload.
  * Add CVE-2014-8483.patch patch.
    CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
    (Closes: #766962)

 -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 Nov 2014 19:10:58 +0100
----cut---------cut---------cut---------cut---------cut---------cut-----


It fixes bug #766962, which for wheezy was addressed in DSA-3063-1.
Attached is also the full debdiff between 0.10.0-2 and the now
uploaded version.

Thomas: I have done so as I have not heard back from you in the last
days, hope this is okay so far. Please note that the upstream version
0.11.0 does not yet contain the fix; it is only committed later in the
git repository for quassel (git describe shows 0.11.0-3-g8b5ecd2).
Could you please merge the changelogs when you later upload a
quassel version?

Regards,
Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2014-07-04 17:15:24.000000000 +0200
+++ quassel-0.10.0/debian/changelog	2014-11-08 14:29:37.000000000 +0100
@@ -1,3 +1,21 @@
+quassel (1:0.10.0-2.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Increment Debian revision and epoch to re-upload 0.10.0-2.1 to
+    unstable containing the fix for #766962 / CVE-2014-8483:
+    out-of-bounds read in ECB Blowfish decryption.
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sat, 08 Nov 2014 14:14:56 +0100
+
+quassel (0.10.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2014-8483.patch patch.
+    CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
+    (Closes: #766962)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 Nov 2014 19:10:58 +0100
+
 quassel (0.10.0-2) unstable; urgency=low
 
   * Fixing security issue where quassel core certificate is 
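Review bot: the epoch introduced in the `1:0.10.0-2.2` entry is permanent once accepted, so every later maintainer upload (0.11.0 and onwards) must carry the `1:` prefix as well or it will sort below this version; that is worth stating explicitly in the -2.2 entry, since the `0.10.0-2.1` entry directly below it has no epoch and the two entries could otherwise be mistaken for a consistent version series. Keeping the never-accepted -2.1 entry as a record is fine, but both entries repeat the identical CVE-2014-8483 description; the -2.2 entry could simply refer to the -2.1 entry to avoid the duplication.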
diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.10.0/debian/patches/CVE-2014-8483.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch	2014-10-28 17:03:58.000000000 +0100
@@ -0,0 +1,52 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputnick@quassel-irc.org>
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
+index 7cc75d0..7d1fe46 100644
+--- a/src/core/cipher.cpp
++++ b/src/core/cipher.cpp
+@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     }
+     else
+     {
++        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++        if ((temp.length() % 12) != 0)
++            return cipherText;
++
+         temp = b64ToByte(temp);
+         while ((temp.length() % 8) != 0) temp.append('\0');
+     }
+@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     if (!cipher.ok())
+         return cipherText;
+ 
+-    if (direction)
++    if (direction) {
++        // Sanity check
++        if ((temp2.length() % 8) != 0)
++            return cipherText;
++
+         temp2 = byteToB64(temp2);
++    }
+ 
+     return temp2;
+ }
+-- 
+1.7.10.4
+
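Review bot: the patch file carries only the git-format-patch headers, so a DEP-3 `Bug-Debian: https://bugs.debian.org/766962` line and an `Origin: upstream, commit 8b5ecd226f9208af3074b33d3b7cf5e14f55b138` / `Applied-Upstream:` note recording that the commit is not part of the 0.11.0 release would make the next merge easier to track. On the logic, the new `if ((temp.length() % 12) != 0) return cipherText;` check validates only the length of the base64 input, so characters outside the expected alphabet are still passed to `b64ToByte`; whether that function tolerates them is not visible in this hunk and is worth confirming before relying on the length check alone. The encrypt-side `temp2.length() % 8` sanity check is cheap and returns the unchanged input on failure, consistent with the decrypt path.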
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2012-04-25 00:18:37.000000000 +0200
+++ quassel-0.10.0/debian/patches/series	2014-10-28 17:16:01.000000000 +0100
@@ -1,2 +1,2 @@
 01_default_network_channel.patch
-
+CVE-2014-8483.patch
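Review bot: replacing the stray trailing blank line with the new patch name is correct and the ordering after `01_default_network_channel.patch` is right; the only style point is that the new entry does not follow the `01_` numbering of the existing one, so either rename it to `02_CVE-2014-8483.patch` or keep the CVE-named form deliberately, but be consistent in future uploads.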
