The following low/medium severity security issues have recently been identified in ekg. (The numbers are cvsps patchsets which fixed the problem in upstream CVS.)

2661: A memory leak in handling image messages, which may cause memory exhaustion resulting in a DoS (ekg program crash). Exploitable by a hostile GG user.

2694: An off-by-one in the token OCR function, which may cause a null pointer dereference resulting in a DoS (ekg program crash). Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG server.

2699: A potential memory exhaustion in the token OCR function, which may cause memory exhaustion resulting in a DoS (ekg program crash). Exploitability is the same as in 2694.

----------------+-------------------+---------------+-----------------------------
Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
----------------+-------------------+---------------+-----------------------------
UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1
sarge-volatile  | 1:1.5+20050411-6  | 2661 only (*) | 1:1.5+20050411-8
----------------+-------------------+---------------+-----------------------------
(*) No GIF OCR code was in these versions, thus they are not vulnerable.

Please have a look at the attached minimal patches; I intend to apply them to the respective versions of the updated packages. Please allocate CVEs for the 3 issues above. I will prepare new packages once I have the CVEs.

regards,
Marcin
-- 
Marcin Owsiany <porridge@debian.org>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
--- ekg/src/events.c:1.379 Thu Oct 19 23:55:28 2006
+++ ekg/src/events.c Sat Oct 21 02:02:45 2006
@@ -522,8 +522,10 @@
}
/* ignorujemy wiadomo�ci bez tre�ci zawieraj�ce jedynie obrazek(ki) */
- if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0)
+ if (config_ignore_empty_msg && imageno && strlen(e->event.msg.message) == 0) {
+ list_destroy(images, 1);
return;
+ }
}
#ifdef HAVE_OPENSSL
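Review bot: The leak fix repeats `list_destroy(images, 1);` in front of each early `return` it found (here and in the hunks at -558, -577 and -585), so any other exit from this function that the patch did not touch still leaks the list, and the next person who adds a `return` will leak again. A single cleanup label would make that impossible to miss: replace each early `return;` with `goto out;` and end the function with `out: list_destroy(images, 1); return;`, which also keeps the audit of "is every path covered" to one place. The enclosing function starts before and ends after these hunks, so whether the patch reaches every exit cannot be confirmed from the hunks alone; a comment next to where `images` is built, stating that the list is owned by this function and freed on every path, would document the contract the fix relies on.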
@@ -558,6 +560,7 @@
switch (python_handle_result) {
case 0:
+ list_destroy(images, 1);
return;
case 2:
hide = 1;
@@ -577,6 +580,7 @@
config_last_sysmsg_changed = 1;
}
+ list_destroy(images, 1);
return;
}
@@ -585,14 +589,17 @@
e->event.msg.sender, e->event.msg.recipients,
e->event.msg.recipients_count, 0);
- if (c && c->ignore)
+ if (c && c->ignore) {
+ list_destroy(images, 1);
return;
+ }
}
if ((!u && config_ignore_unknown_sender) || ignored_check(e->event.msg.sender) & IGNORE_MSG) {
if (config_log_ignored)
put_log(e->event.msg.sender, "%sign,%ld,%s,%s,%s,%s\n", (chat) ? "chatrecv" : "msgrecv", e->event.msg.sender, ((u && u->display) ? u->display : ""), log_timestamp(time(NULL)), log_timestamp(e->event.msg.time), e->event.msg.message);
+ list_destroy(images, 1);
return;
}
--- ekg/src/events.c:1.382 Tue Feb 13 00:59:55 2007
+++ ekg/src/events.c Thu Feb 22 13:46:20 2007
@@ -1763,7 +1763,7 @@
int cur_char = 0; /* Kolejny znaczek z chars[]. */
memset (mappings, 0, sizeof(mappings));
- buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1));
+ buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1) + 1);
#ifdef TOKEN_GIF_PAL
for (i = 0; i < token->sx * token->sy; i++) {
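Review bot: The added `+ 1` is not commented, and the allocation size `token->sx * (token->sy + 1) + 1` is an unchecked int multiplication on dimensions that come from a GIF received over the network (the message above names MiTM as the attacker), so large values can wrap before xmalloc ever sees them. The separate patch below that bounds SWidth/SHeight is what keeps this product small, but only when both patches are applied together, which a comment here should state, e.g. `/* +1: presumably for a terminating byte past the last row (confirm which write needs it); sx/sy are bounded when the GIF is loaded, so the product cannot overflow */`. The `(char *)` cast on xmalloc is unnecessary in C and only hides a missing prototype. The enclosing function starts and ends outside the hunk.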
--- events.c.orig 2007-03-21 14:04:29.573916201 +0000
+++ events.c 2007-03-21 14:06:01.131638201 +0000
@@ -1513,6 +1513,11 @@
goto err2;
}
+ if (file->SWidth <= 0 || file->SWidth > 1024 || file->SHeight <= 0 || file->SHeight > 1024) {
+ snprintf(errbuf, sizeof(errbuf), "Invalid image size: %d,%d", file->SWidth, file->SHeight);
+ goto err3;
+ }
+
if (DGifSlurp(file) != GIF_OK) {
snprintf (errbuf, sizeof(errbuf), "DGifSlurp(): %d", GifLastError());
goto err3;
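Review bot: The new check bounds `file->SWidth`/`file->SHeight`, which is the GIF logical-screen size, while `DGifSlurp()` on the next line decodes image blocks that carry their own descriptor dimensions; if the `token->sx`/`token->sy` used by the OCR allocation are taken from an image descriptor rather than the screen descriptor (not visible in this hunk), an image larger than the declared screen still gets past this guard. Worth confirming where sx/sy are filled in and, if they come from the image, re-checking `file->SavedImages[0].ImageDesc.Width`/`Height` against the same limit after the slurp. The literal 1024 also appears twice with nothing tying it to the buffer math in the OCR routine; a named constant (e.g. `enum { TOKEN_MAX_DIM = 1024 };`, name constructed here) with a comment saying the OCR allocation depends on it would keep the two in step. The enclosing function starts and ends outside the hunk.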