Bug#781437: unblock: prosody/0.9.7-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package prosody
(explain the reason for the unblock here)
Security fix related to libidn (CVE-2015-2059)
(include/attach the debdiff against the package in testing)
gares@birba:~$ cat /tmp/debdiff
diff -Nru prosody-0.9.7/debian/changelog prosody-0.9.7/debian/changelog
--- prosody-0.9.7/debian/changelog 2014-10-25 10:42:47.000000000 +0200
+++ prosody-0.9.7/debian/changelog 2015-03-28 16:20:59.000000000 +0100
@@ -1,3 +1,10 @@
+prosody (0.9.7-2) unstable; urgency=high
+
+ * Apply upstream patch to validate UTF-8 strings before calling libidn
+ (related to CVE-2015-2059)
+
+ -- Enrico Tassi <gareuselesinge@debian.org> Sat, 28 Mar 2015 16:20:07 +0100
+
prosody (0.9.7-1) unstable; urgency=medium
* New upstream release, really a minor fix over 0.9.6
diff -Nru prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-
calling-libidn.patch prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-
before-calling-libidn.patch
--- prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-calling-
libidn.patch 1970-01-01 01:00:00.000000000 +0100
+++ prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-calling-
libidn.patch 2015-03-28 16:20:59.000000000 +0100
@@ -0,0 +1,110 @@
+From: Enrico Tassi <gares@fettunta.org>
+Date: Sat, 28 Mar 2015 16:17:35 +0100
+Subject: Validate UTF-8 strings before calling libidn
+
+---
+ util-src/encodings.c | 70
+++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 67 insertions(+), 3 deletions(-)
+
+diff --git a/util-src/encodings.c b/util-src/encodings.c
+index b9b6160..898add1 100644
+--- a/util-src/encodings.c
++++ b/util-src/encodings.c
+@@ -1,6 +1,7 @@
+ /* Prosody IM
+ -- Copyright (C) 2008-2010 Matthew Wild
+ -- Copyright (C) 2008-2010 Waqas Hussain
++-- Copyright (C) 1994-2015 Lua.org, PUC-Rio.
+ --
+ -- This project is MIT/X11 licensed. Please see the
+ -- COPYING file in the source package for more information.
+@@ -116,6 +117,65 @@ static const luaL_Reg Reg_base64[] =
+ { NULL, NULL }
+ };
+
++/******************* UTF-8 ********************/
++
++/*
++ * Adapted from Lua 5.3
++ * Needed because libidn does not validate that input is valid UTF-8
++ */
++
++#define MAXUNICODE 0x10FFFF
++
++/*
++ * Decode one UTF-8 sequence, returning NULL if byte sequence is invalid.
++ */
++static const char *utf8_decode (const char *o, int *val) {
++ static unsigned int limits[] = {0xFF, 0x7F, 0x7FF, 0xFFFF};
++ const unsigned char *s = (const unsigned char *)o;
++ unsigned int c = s[0];
++ unsigned int res = 0; /* final result */
++ if (c < 0x80) /* ascii? */
++ res = c;
++ else {
++ int count = 0; /* to count number of continuation bytes */
++ while (c & 0x40) { /* still have continuation bytes? */
++ int cc = s[++count]; /* read next byte */
++ if ((cc & 0xC0) != 0x80) /* not a continuation byte?
*/
++ return NULL; /* invalid byte sequence */
++ res = (res << 6) | (cc & 0x3F); /* add lower 6 bits
from cont. byte */
++ c <<= 1; /* to test next bit */
++ }
++ res |= ((c & 0x7F) << (count * 5)); /* add first byte */
++ if (count > 3 || res > MAXUNICODE || res <= limits[count] ||
(0xd800 <= res && res <= 0xdfff) )
++ return NULL; /* invalid byte sequence */
++ s += count; /* skip continuation bytes read */
++ }
++ if (val) *val = res;
++ return (const char *)s + 1; /* +1 to include first byte */
++}
++
++/*
++ * Check that a string is valid UTF-8
++ * Returns NULL if not
++ */
++const char* check_utf8 (lua_State *L, int idx, size_t *l) {
++ size_t pos, len;
++ const char *s = luaL_checklstring(L, 1, &len);
++ pos = 0;
++ while (pos <= len) {
++ const char *s1 = utf8_decode(s + pos, NULL);
++ if (s1 == NULL) { /* conversion error? */
++ return NULL;
++ }
++ pos = s1 - s;
++ }
++ if(l != NULL) {
++ *l = len;
++ }
++ return s;
++}
++
++
+ /***************** STRINGPREP *****************/
+ #ifdef USE_STRINGPREP_ICU
+
+@@ -212,8 +272,8 @@ static int stringprep_prep(lua_State *L, const
Stringprep_profile *profile)
+ lua_pushnil(L);
+ return 1;
+ }
+- s = lua_tolstring(L, 1, &len);
+- if (len >= 1024) {
++ s = check_utf8(L, 1, &len);
++ if (s == NULL || len >= 1024 || len != strlen(s)) {
+ lua_pushnil(L);
+ return 1; /* TODO return error message */
+ }
+@@ -320,7 +380,11 @@ static int Lidna_to_unicode(lua_State *L) /**
idna.to_unicode(s) */
+ static int Lidna_to_ascii(lua_State *L) /** idna.to_ascii(s) */
+ {
+ size_t len;
+- const char *s = luaL_checklstring(L, 1, &len);
++ const char *s = check_utf8(L, 1, &len);
++ if (s == NULL || len != strlen(s)) {
++ lua_pushnil(L);
++ return 1; /* TODO return error message */
++ }
+ char* output = NULL;
+ int ret = idna_to_ascii_8z(s, &output, IDNA_USE_STD3_ASCII_RULES);
+ if (ret == IDNA_SUCCESS) {
diff -Nru prosody-0.9.7/debian/patches/series
prosody-0.9.7/debian/patches/series
--- prosody-0.9.7/debian/patches/series 2014-10-25 10:42:47.000000000 +0200
+++ prosody-0.9.7/debian/patches/series 2015-03-28 16:20:59.000000000 +0100
@@ -2,3 +2,4 @@
0002-prosody-lua51.patch
0003-dpkg-buildflags.patch
0004-fix-package.path-of-ejabberd2prosody.patch
+0005-Validate-UTF-8-strings-before-calling-libidn.patch
unblock prosody/0.9.7-2
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Reply to: