On Wed, Mar 21, 2007 at 02:37:42PM +0000, Marcin Owsiany wrote: > 2661: A memory leak in handling image messages, which may cause memory > exhaustion resulting in a DoS (ekg program crash). Exploitable by a > hostile GG user. > > ----------------+-------------------+---------------+----------------------------- > Dist | Contains version | Vulnerable to | Version (to be) fixed in > ----------------+-------------------+---------------+----------------------------- > sarge | 1:1.5+20050411-5 | 2661 only (*) | 1:1.5+20050411-7 > sarge-volatile | 1:1.5+20050411-6 | 2661 only (*) | 1:1.5+20050411-8 After closer examination it turned out that 1:1.5+20050411-[56] are not vulnerable to any of the three aforementioned issues. However, they STILL are vulnerable to CAN-2005-2370 and CAN-2005-2448, which were missed back in 2005 when preparing DSA-767. I guess it's better to fix that late rather than never, so I am currently preparing 1:1.5+20050411-7 (for sarge) and 1:1.5+20050411-8 (for sarge-volatile) to patch them up (see the interdiff for -7 in the attachment; the one for -8 will be almost the same, just applied to -6 instead of -5). The version in etch/sid is not vulnerable to these two. Here is the proposed text for the advisory: This advisory includes corrections for two problems in the libgadu3 library and the ekg program, which were missing from DSA-767. Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment error in the Gadu library. By sending specially crafted messages, a remote attacker could crash the application using the library. (CAN-2005-2370) Marcin Slusarz discovered that the Gadu library did not properly handle endianness conversion in some cases. This caused invalid behavior on big endian architectures. (CAN-2005-2448) I guess that these fixes can be issued as an update to DSA-767 and a debian-volatile announcement, while CVE-2007-166[345] can be covered just by a DTSA, since the two sets of vulnerabilities are disjoint. 
Waiting for an authorization to upload to sarge-security. Marcin -- Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/ GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.5+20050411/debian/changelog ekg-1.5+20050411/debian/changelog
--- ekg-1.5+20050411/debian/changelog 2007-03-25 13:03:36.648014199 +0100
+++ ekg-1.5+20050411/debian/changelog 2007-03-26 18:19:58.626928050 +0100
@@ -1,3 +1,15 @@
+ekg (1:1.5+20050411-7) stable-security; urgency=medium
+
+ * Security upload, fixing two problems missed when preparing DSA-767:
+ - Using revision -7, as -6 was used for a sarge-volatile upload (-7 does
+ not contain any changes from -6)
+ * Fixes a memory alignment error in libgadu, which could lead to a DoS on
+ some architectures (CAN-2005-2370)
+ * Fixes endianness conversion problems, which could cause invalid behavior
+ on big endian machines (CAN-2005-2448)
+
+ -- Marcin Owsiany <porridge@debian.org> Mon, 26 Mar 2007 18:12:35 +0100
+
ekg (1:1.5+20050411-5) stable-security; urgency=high
* Security upload
diff -u ekg-1.5+20050411/lib/events.c ekg-1.5+20050411/lib/events.c
--- ekg-1.5+20050411/lib/events.c 2007-03-25 13:03:36.648014199 +0100
+++ ekg-1.5+20050411/lib/events.c 2007-03-26 18:20:22.224402800 +0100
@@ -173,8 +173,7 @@
struct gg_msg_image_reply *i = (void*) p;
struct gg_image_queue *q, *qq;
- if (!p || !sess || !e)
- {
+ if (!p || !sess || !e) {
errno = EFAULT;
return;
}
@@ -313,8 +312,11 @@
goto fail;
}
- for (i = 0; i < count; i++, p += sizeof(uin_t))
- e->event.msg.recipients[i] = gg_fix32(*((uint32_t*) p));
+ for (i = 0; i < count; i++, p += sizeof(uint32_t)) {
+ uint32_t u;
+ memcpy(&u, p, sizeof(uint32_t));
+ e->event.msg.recipients[i] = gg_fix32(u);
+ }
e->event.msg.recipients_count = count;
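Review bot: The rewritten loop reads count * sizeof(uint32_t) bytes starting at p, and nothing in the hunk checks that those bytes lie before packet_end; the enclosing function starts and ends outside the hunk, so the length check presumably lives earlier (the `goto fail` just above looks like an allocation-failure path rather than a bounds failure). If that earlier check is still expressed in terms of `sizeof(uin_t)` while the loop now advances by `sizeof(uint32_t)`, the two must agree or a short packet would be over-read. A comment on the loop, `/* count * sizeof(uint32_t) bytes were verified against packet_end above */`, would make the precondition explicit for the next reader.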
@@ -323,7 +325,7 @@
case 0x02: /* richtext */
{
- unsigned short len;
+ uint16_t len;
char *buf;
if (p + 3 > packet_end) {
@@ -331,7 +333,8 @@
goto malformed;
}
- len = gg_fix16(*((unsigned short*) (p + 1)));
+ memcpy(&len, p + 1, sizeof(uint16_t));
+ len = gg_fix16(len);
if (!(buf = malloc(len))) {
gg_debug(GG_DEBUG_MISC, "// gg_handle_recv_msg() not enough memory for richtext data\n");
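Review bot: The converted `len` on the added lines goes straight into `malloc(len)` on the following line, and the only bound visible in the hunk is `p + 3 > packet_end`, which covers the 3-byte header but not the `len` payload bytes after it; if the `p + 3 + len <= packet_end` check is done later in the function (outside the hunk) it should move ahead of the allocation, so that a bad length is rejected before it costs an allocation. Separately, `len == 0` turns this into `malloc(0)`, which may legitimately return NULL and would then be logged as "not enough memory" instead of being handled as an empty richtext block; `malloc(len ? len : 1)` or an explicit `len == 0` branch keeps the two cases apart. The enclosing case body continues outside the hunk.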
@@ -395,6 +398,8 @@
goto malformed;
}
+ rep->size = gg_fix32(rep->size);
+ rep->crc32 = gg_fix32(rep->crc32);
gg_image_queue_parse(e, p, (unsigned int)(packet_end - p), sess, gg_fix32(r->sender));
return 0;
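Review bot: The two added assignments byte-swap `rep->size` and `rep->crc32` in place through `rep`, and if `rep` is an overlay on the packet buffer the way `i` is on `p` at the top of this file section (`struct gg_msg_image_reply *i = (void*) p;`), that is a potentially misaligned struct access of exactly the kind the rest of this patch replaces with memcpy() into a local. It also mutates the received packet, so any later consumer of the same bytes (gg_image_queue_parse() is handed `p` on the next line) would see host-order values where it may expect wire order. Copying the header out first, `struct gg_msg_image_reply hdr; memcpy(&hdr, rep, sizeof hdr);`, and then using `gg_fix32(hdr.size)` / `gg_fix32(hdr.crc32)` at the consumers avoids both problems; where those consumers are is outside the hunk, as is the rest of the enclosing function.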
@@ -483,7 +488,7 @@
goto fail;
}
- if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status == GG_STATUS_NOT_AVAIL_DESCR) || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
+ if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || gg_fix32(n->status) == GG_STATUS_NOT_AVAIL_DESCR || gg_fix32(n->status) == GG_STATUS_AVAIL_DESCR) {
e->type = GG_EVENT_NOTIFY_DESCR;
if (!(e->event.notify_descr.notify = (void*) malloc(sizeof(*n) * 2))) {
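Review bot: The corrected condition on the new line calls `gg_fix32(n->status)` three times on one very long line, which is how the misplaced parenthesis on the removed line went unnoticed in the first place. Hoisting the converted value into a local before the `if`, `uint32_t status = gg_fix32(n->status);`, and then testing `if (status == GG_STATUS_BUSY_DESCR || status == GG_STATUS_NOT_AVAIL_DESCR || status == GG_STATUS_AVAIL_DESCR) {`, reads at a glance and makes a repeat of that bug much harder to miss. The enclosing function starts and ends outside the hunk.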
@@ -520,7 +525,7 @@
for (i = 0; i < count; i++) {
e->event.notify[i].uin = gg_fix32(e->event.notify[i].uin);
e->event.notify[i].status = gg_fix32(e->event.notify[i].status);
- e->event.notify[i].remote_port = gg_fix16(e->event.notify[i].remote_port);
+ e->event.notify[i].remote_port = gg_fix16(e->event.notify[i].remote_port);
}
}
@@ -654,8 +659,11 @@
e->event.status60.descr = buf;
- if (len > 4 && p[h->length - 5] == 0)
- e->event.status60.time = *((int*) (p + h->length - 4));
+ if (len > 4 && p[h->length - 5] == 0) {
+ uint32_t t;
+ memcpy(&t, p + h->length - 4, sizeof(uint32_t));
+ e->event.status60.time = gg_fix32(t);
+ }
}
break;
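Review bot: The memcpy() on the added lines reads four bytes at `p + h->length - 4`, but the guard protecting it, `len > 4`, is on `len`, and the relation between `len` and `h->length` is established outside the hunk; the read is in bounds only if `len` is `h->length` less a fixed header and `p` still points at the start of that payload. If that holds, a one-line comment on the guard, `/* len is h->length minus the fixed header, so p[h->length - 5] and the 4 bytes after it are inside the packet */`, lets the next reader verify the bound without re-deriving it; if it does not, the guard should be written in terms of `h->length` directly. The enclosing case body starts outside the hunk.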
@@ -1073,7 +1081,7 @@
if ((tmp = strchr(host, ':'))) {
*tmp = 0;
- port = atoi(tmp+1);
+ port = atoi(tmp + 1);
}
addr.s_addr = inet_addr(host);
@@ -1411,7 +1419,7 @@
if (sess->external_addr && sess->external_port > 1023) {
l.external_ip = sess->external_addr;
- l.external_port = sess->external_port;
+ l.external_port = gg_fix16(sess->external_port);
}
gg_debug(GG_DEBUG_TRAFFIC, "// gg_watch_fd() sending GG_LOGIN60 packet\n");
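Review bot: The added line converts `external_port` with gg_fix16() while the line above still copies `external_addr` unconverted, and nothing in the hunk says why the two fields are treated differently. If `sess->external_addr` is already held in network byte order (as an inet_addr() result would be), a comment on the line above, `/* external_addr is already in network byte order; only the port needs gg_fix16() */`, stops this from reading like a missed conversion; if it is not, the address needs the same treatment as the port. The enclosing function continues outside the hunk.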
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/src/commands.c 2005-03-17 17:30:29.000000000 +0000
+++ ekg-1.5+20050411/src/commands.c 2007-03-26 18:20:22.228403050 +0100
@@ -3486,6 +3486,7 @@
tmp = gg_crc32(0, image, size);
gg_debug(GG_DEBUG_MISC, "// crc32 = 0x%.8x, size = %d\n", tmp, size);
+ tmp = gg_fix32(tmp);
memcpy(format + 12, &tmp, 4);
tmp = gg_fix32(size);
memcpy(format + 8, &tmp, 4);
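Review bot: The memcpy() pair following the added line writes the converted crc32 and size at offsets 12 and 8 of `format` with a literal length of 4, and nothing in the hunk documents that layout; `tmp` is also reused for both values, so a reader has to track which conversion it holds at each line. A comment above the first memcpy(), `/* image header layout: size at +8, crc32 at +12, both in gg_fix32() wire order */`, would record the layout (assuming those offsets are the header positions, which the hunk does not show). The ordering itself is right: the gg_debug() prints the host-order crc32 before the conversion. The enclosing function starts and ends outside the hunk.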
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/src/events.c 2005-04-09 22:08:36.000000000 +0100
+++ ekg-1.5+20050411/src/events.c 2007-03-26 18:20:22.228403050 +0100
@@ -498,7 +498,7 @@
if ((font & GG_FONT_IMAGE)) {
struct gg_msg_richtext_image *m = (void*) &p[i];
- gg_debug(GG_DEBUG_MISC, "// ekg: inline image: sender=%d, size=%d, crc32=%.8x\n", e->event.msg.sender, m->size, m->crc32);
+ gg_debug(GG_DEBUG_MISC, "// ekg: inline image: sender=%d, size=%d, crc32=%.8x\n", e->event.msg.sender, gg_fix32(m->size), gg_fix32(m->crc32));
imageno++;
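Review bot: The new debug line byte-swaps `m->size` and `m->crc32` but still reads them through `m`, which is cast from `&p[i]` two lines above; that is a potentially misaligned struct access of the same kind this patch fixes elsewhere with memcpy() into a local (the recipients loop, the richtext length and the status60 time in lib/events.c), so on strict-alignment hosts this log line can still fault even though the value is now converted. Copying the header out first, `struct gg_msg_richtext_image hdr; memcpy(&hdr, &p[i], sizeof hdr);`, and passing `gg_fix32(hdr.size), gg_fix32(hdr.crc32)` to gg_debug() avoids it. Whether `i + sizeof hdr` is checked against the richtext length before this point is outside the hunk, as is the rest of the enclosing function.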