
Bug#781437: marked as done (unblock: prosody/0.9.7-2)



Your message dated Thu, 02 Apr 2015 16:53:01 +0200
with message-id <551D57CD.10707@thykier.net>
and subject line Re: Bug#781437: unblock: prosody/0.9.7-2
has caused the Debian Bug report #781437,
regarding unblock: prosody/0.9.7-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
781437: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781437
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package prosody

(explain the reason for the unblock here)

Security fix related to libidn (CVE-2015-2059)

(include/attach the debdiff against the package in testing)

gares@birba:~$ cat /tmp/debdiff
diff -Nru prosody-0.9.7/debian/changelog prosody-0.9.7/debian/changelog
--- prosody-0.9.7/debian/changelog      2014-10-25 10:42:47.000000000 +0200
+++ prosody-0.9.7/debian/changelog      2015-03-28 16:20:59.000000000 +0100
@@ -1,3 +1,10 @@
+prosody (0.9.7-2) unstable; urgency=high
+
+  * Apply upstream patch to validate UTF-8 strings before calling libidn
+    (related to CVE-2015-2059)
+
+ -- Enrico Tassi <gareuselesinge@debian.org>  Sat, 28 Mar 2015 16:20:07 +0100
+
 prosody (0.9.7-1) unstable; urgency=medium

   * New upstream release, really a minor fix over 0.9.6
diff -Nru prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-
calling-libidn.patch prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-
before-calling-libidn.patch
--- prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-calling-
libidn.patch        1970-01-01 01:00:00.000000000 +0100
+++ prosody-0.9.7/debian/patches/0005-Validate-UTF-8-strings-before-calling-
libidn.patch        2015-03-28 16:20:59.000000000 +0100
@@ -0,0 +1,110 @@
+From: Enrico Tassi <gares@fettunta.org>
+Date: Sat, 28 Mar 2015 16:17:35 +0100
+Subject: Validate UTF-8 strings before calling libidn
+
+---
+ util-src/encodings.c | 70
+++++++++++++++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 67 insertions(+), 3 deletions(-)
+
+diff --git a/util-src/encodings.c b/util-src/encodings.c
+index b9b6160..898add1 100644
+--- a/util-src/encodings.c
++++ b/util-src/encodings.c
+@@ -1,6 +1,7 @@
+ /* Prosody IM
+ -- Copyright (C) 2008-2010 Matthew Wild
+ -- Copyright (C) 2008-2010 Waqas Hussain
++-- Copyright (C) 1994-2015 Lua.org, PUC-Rio.
+ --
+ -- This project is MIT/X11 licensed. Please see the
+ -- COPYING file in the source package for more information.
+@@ -116,6 +117,65 @@ static const luaL_Reg Reg_base64[] =
+       { NULL,         NULL    }
+ };
+
++/******************* UTF-8 ********************/
++
++/*
++ * Adapted from Lua 5.3
++ * Needed because libidn does not validate that input is valid UTF-8
++ */
++
++#define MAXUNICODE    0x10FFFF
++
++/*
++ * Decode one UTF-8 sequence, returning NULL if byte sequence is invalid.
++ */
++static const char *utf8_decode (const char *o, int *val) {
++      static unsigned int limits[] = {0xFF, 0x7F, 0x7FF, 0xFFFF};
++      const unsigned char *s = (const unsigned char *)o;
++      unsigned int c = s[0];
++      unsigned int res = 0;  /* final result */
++      if (c < 0x80)  /* ascii? */
++              res = c;
++      else {
++              int count = 0;  /* to count number of continuation bytes */
++              while (c & 0x40) {  /* still have continuation bytes? */
++                      int cc = s[++count];  /* read next byte */
++                      if ((cc & 0xC0) != 0x80)  /* not a continuation byte?
*/
++                              return NULL;  /* invalid byte sequence */
++                      res = (res << 6) | (cc & 0x3F);  /* add lower 6 bits
from cont. byte */
++                      c <<= 1;  /* to test next bit */
++              }
++              res |= ((c & 0x7F) << (count * 5));  /* add first byte */
++              if (count > 3 || res > MAXUNICODE || res <= limits[count] ||
(0xd800 <= res && res <= 0xdfff) )
++                      return NULL;  /* invalid byte sequence */
++              s += count;  /* skip continuation bytes read */
++      }
++      if (val) *val = res;
++      return (const char *)s + 1;  /* +1 to include first byte */
++}
++
++/*
++ * Check that a string is valid UTF-8
++ * Returns NULL if not
++ */
++const char* check_utf8 (lua_State *L, int idx, size_t *l) {
++      size_t pos, len;
++      const char *s = luaL_checklstring(L, 1, &len);
++      pos = 0;
++      while (pos <= len) {
++              const char *s1 = utf8_decode(s + pos, NULL);
++              if (s1 == NULL) {  /* conversion error? */
++                      return NULL;
++              }
++              pos = s1 - s;
++      }
++      if(l != NULL) {
++              *l = len;
++      }
++      return s;
++}
++
++
+ /***************** STRINGPREP *****************/
+ #ifdef USE_STRINGPREP_ICU
+
+@@ -212,8 +272,8 @@ static int stringprep_prep(lua_State *L, const
Stringprep_profile *profile)
+               lua_pushnil(L);
+               return 1;
+       }
+-      s = lua_tolstring(L, 1, &len);
+-      if (len >= 1024) {
++      s = check_utf8(L, 1, &len);
++      if (s == NULL || len >= 1024 || len != strlen(s)) {
+               lua_pushnil(L);
+               return 1; /* TODO return error message */
+       }
+@@ -320,7 +380,11 @@ static int Lidna_to_unicode(lua_State *L)         /**
idna.to_unicode(s) */
+ static int Lidna_to_ascii(lua_State *L)               /** idna.to_ascii(s) */
+ {
+       size_t len;
+-      const char *s = luaL_checklstring(L, 1, &len);
++      const char *s = check_utf8(L, 1, &len);
++      if (s == NULL || len != strlen(s)) {
++              lua_pushnil(L);
++              return 1; /* TODO return error message */
++      }
+       char* output = NULL;
+       int ret = idna_to_ascii_8z(s, &output, IDNA_USE_STD3_ASCII_RULES);
+       if (ret == IDNA_SUCCESS) {
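Review bot: `check_utf8` ignores its `idx` parameter and always reads stack slot 1 via `luaL_checklstring(L, 1, &len)`, so any future caller passing a different index would silently validate the wrong argument; it should read `const char *s = luaL_checklstring(L, idx, &len);`. Both call sites in this patch pass 1, so behaviour is unchanged today, but the signature promises something the body does not deliver. The function is also the only non-`static` definition added here; as it is only used inside encodings.c it can be `static const char *check_utf8(lua_State *L, int idx, size_t *l)` to keep it out of the module's exported symbols. The `while (pos <= len)` loop appears to rely on decoding the terminating NUL at `s[len]` (Lua strings are NUL-terminated) as the last step, which is what makes a truncated multibyte sequence at the end of the input fail; a comment such as `/* pos == len decodes the trailing NUL, so a truncated sequence at end of string is rejected here */` would stop a reader "fixing" it to `<`. Note that the remaining hunks in this patch (stringprep_prep, Lidna_to_ascii) are excerpts whose enclosing functions start outside the hunk.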
diff -Nru prosody-0.9.7/debian/patches/series
prosody-0.9.7/debian/patches/series
--- prosody-0.9.7/debian/patches/series 2014-10-25 10:42:47.000000000 +0200
+++ prosody-0.9.7/debian/patches/series 2015-03-28 16:20:59.000000000 +0100
@@ -2,3 +2,4 @@
 0002-prosody-lua51.patch
 0003-dpkg-buildflags.patch
 0004-fix-package.path-of-ejabberd2prosody.patch
+0005-Validate-UTF-8-strings-before-calling-libidn.patch


unblock prosody/0.9.7-2

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)

--- End Message ---
--- Begin Message ---
On 2015-03-29 11:53, Enrico Tassi wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package prosody
> 
> (explain the reason for the unblock here)
> 
> Security fix related to libidn (CVE-2015-2059)
> 
> (include/attach the debdiff against the package in testing)
> 
> [...]
> 
> unblock prosody/0.9.7-2
> 
> [...]

Unblocked, thanks.

~Niels

--- End Message ---
