
Bug#768012: marked as done (unblock: quassel/0.10.0-2.1)



Your message dated Sat, 08 Nov 2014 15:58:38 +0000
with message-id <545E3DAE.3090303@debian.org>
and subject line Re: Bug#768012: unblock: quassel/0.10.0-2.1
has caused the Debian Bug report #768012,
regarding unblock: quassel/0.10.0-2.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
768012: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768012
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi Release Team,

Could you please unblock the quassel package uploaded as an NMU to unstable?
It addresses #766962, an out-of-bounds read which could cause
denial of service or disclosure of information from process memory;
see also https://www.debian.org/security/2014/dsa-3063 .

Full debdiff for the unstable upload attached.

unblock quassel/0.10.0-2.1

Thanks in advance!

Regards,
Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2014-07-04 17:15:24.000000000 +0200
+++ quassel-0.10.0/debian/changelog	2014-11-02 19:11:20.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (0.10.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2014-8483.patch patch.
+    CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
+    (Closes: #766962)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Sun, 02 Nov 2014 19:10:58 +0100
+
 quassel (0.10.0-2) unstable; urgency=low
 
   * Fixing security issue where quassel core certificate is 
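Review bot: the entry `* Add CVE-2014-8483.patch patch.` reads redundantly ("patch patch") and does not record where the fix comes from; suggest `* Add CVE-2014-8483.patch, taken from upstream commit 8b5ecd226f9208af3074b33d3b7cf5e14f55b138.` so the changelog ties the Debian patch to its upstream origin.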
diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.10.0/debian/patches/CVE-2014-8483.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch	2014-10-28 17:03:58.000000000 +0100
@@ -0,0 +1,52 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputnick@quassel-irc.org>
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
+index 7cc75d0..7d1fe46 100644
+--- a/src/core/cipher.cpp
++++ b/src/core/cipher.cpp
+@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     }
+     else
+     {
++        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++        if ((temp.length() % 12) != 0)
++            return cipherText;
++
+         temp = b64ToByte(temp);
+         while ((temp.length() % 8) != 0) temp.append('\0');
+     }
+@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     if (!cipher.ok())
+         return cipherText;
+ 
+-    if (direction)
++    if (direction) {
++        // Sanity check
++        if ((temp2.length() % 8) != 0)
++            return cipherText;
++
+         temp2 = byteToB64(temp2);
++    }
+ 
+     return temp2;
+ }
+-- 
+1.7.10.4
+
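Review bot: the new `if ((temp.length() % 12) != 0) return cipherText;` in the decrypt branch validates only the length of the input, not its characters, so a string of the right length made of characters outside the custom base64 alphabet still reaches `b64ToByte(temp)`; the hunk does not show whether that function tolerates such input, so it is worth confirming (and noting in the commit message) that it does. The `// Sanity check` comment on the encrypt side should say what is being checked, e.g. that `temp2` is a whole number of 8-byte Blowfish blocks, which is what `byteToB64` expects. Since this file lands in debian/patches, DEP-3 headers above the git headers, such as `Origin:` pointing at upstream commit 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 and `Bug-Debian: https://bugs.debian.org/766962`, would document its provenance for the next maintainer.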
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2012-04-25 00:18:37.000000000 +0200
+++ quassel-0.10.0/debian/patches/series	2014-10-28 17:16:01.000000000 +0100
@@ -1,2 +1,2 @@
 01_default_network_channel.patch
-
+CVE-2014-8483.patch

--- End Message ---
--- Begin Message ---
On 07/11/14 16:31, Emilio Pozuelo Monfort wrote:
> On 06/11/14 07:54, Salvatore Bonaccorso wrote:
>> Hi Release Team, hi Thomas,
>>
>> This unblock request cannot be done this way anymore as there was a
>> new upstream version uploaded to unstable, which also does not seem to
>> contain the fix, see https://bugs.debian.org/766962#68 (commit
>> 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 upstream is only after the
>> 0.11.0 release).
>>
>> I would like to see this fixed also in Jessie, as we did already
>> DSA-3063-1 for wheezy.
>>
>> Can you either accept and unblock another upload of quassel to
>> unstable, say 1:0.10.0-2.1 (or one prepared by Thomas, so not using NMU
>> version numbering), or would you prefer an upload through tpu?
>>
>> Either way is fine with me.

Unblocked your new epoched version.

Emilio

--- End Message ---
