[Pkg-privacy-commits] [libotr] 01/01: Import debdiff for 3.2.1-1+deb7u2.
Intrigeri
intrigeri at moszumanska.debian.org
Thu Mar 10 09:24:58 UTC 2016
This is an automated email from the git hooks/post-receive script.
intrigeri pushed a commit to branch wheezy
in repository libotr.
commit 75ed1e9a71762e12ae13e40a6f10332e42e2e78b
Author: intrigeri <intrigeri at debian.org>
Date: Thu Mar 10 09:24:04 2016 +0000
Import debdiff for 3.2.1-1+deb7u2.
---
debian/changelog | 8 +++++
debian/patches/CVE-2016-2851.patch | 74 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 83 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 0999152..c600213 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libotr (3.2.1-1+deb7u2) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-2851: Integer overflow on 64-bit architectures when receiving 4GB
+ messages
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 07 Mar 2016 16:33:58 +0100
+
libotr (3.2.1-1+deb7u1) stable; urgency=medium
* Non-maintainer upload with maintainer's agreement.
diff --git a/debian/patches/CVE-2016-2851.patch b/debian/patches/CVE-2016-2851.patch
new file mode 100644
index 0000000..99043e4
--- /dev/null
+++ b/debian/patches/CVE-2016-2851.patch
@@ -0,0 +1,74 @@
+commit ecfd4f468690af6e66b5bf92315972b86071ac1c
+Author: Ian Goldberg <iang at cs.uwaterloo.ca>
+Date: Thu Mar 3 13:32:41 2016 +0100
+
+ Prevent integer overflow on 64-bit architectures when receiving 4GB messages
+
+ In several places in proto.c, the sizes of portions of incoming messages
+ were stored in variables of type int or unsigned int instead of size_t.
+ If a message arrives with very large sizes (for example unsigned int
+ datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn
+ into malloc(0), which on some architectures returns a non-NULL pointer,
+ but UINT_MAX bytes will get written to that pointer.
+
+ Ensure all calls to malloc or realloc cannot integer overflow like this.
+
+ Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier at x41-dsec.de>
+ for the report.
+
+ Signed-off-by: Ian Goldberg <iang at cs.uwaterloo.ca>
+ Signed-off-by: David Goulet <dgoulet at ev0ke.net>
+
+[carnil: Backport to 3.2.1, adjusted for context]
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -589,7 +589,7 @@ gcry_error_t otrl_proto_accept_data(char
+ unsigned int sender_keyid, recipient_keyid;
+ gcry_mpi_t sender_next_y = NULL;
+ unsigned char ctr[8];
+- unsigned int datalen, reveallen;
++ size_t datalen, reveallen;
+ unsigned char *data = NULL;
+ unsigned char *nul = NULL;
+ unsigned char givenmac[20];
+@@ -769,7 +769,7 @@ OtrlFragmentResult otrl_proto_fragment_a
+ sscanf(tag, "?OTR,%hu,%hu,%n%*[^,],%n", &k, &n, &start, &end);
+ if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
+ if (k == 1) {
+- int fraglen = end - start - 1;
++ size_t fraglen = end - start - 1;
+ free(context->fragment);
+ context->fragment = malloc(fraglen + 1);
+ if (fraglen + 1 > fraglen && context->fragment) {
+@@ -787,7 +787,7 @@ OtrlFragmentResult otrl_proto_fragment_a
+ }
+ } else if (n == context->fragment_n &&
+ k == context->fragment_k + 1) {
+- int fraglen = end - start - 1;
++ size_t fraglen = end - start - 1;
+ char *newfrag = realloc(context->fragment,
+ context->fragment_len + fraglen + 1);
+ if (context->fragment_len + fraglen + 1 > fraglen && newfrag) {
+@@ -841,10 +841,10 @@ gcry_error_t otrl_proto_fragment_create(
+ char ***fragments, const char *message)
+ {
+ char *fragdata;
+- int fragdatalen = 0;
++ size_t fragdatalen = 0;
+ unsigned short curfrag = 0;
+- int index = 0;
+- int msglen = strlen(message);
++ size_t index = 0;
++ size_t msglen = strlen(message);
+ int headerlen = 19; /* Should vary by number of msgs */
+
+ char **fragmentarray = malloc(fragment_count * sizeof(char*));
+@@ -857,7 +857,7 @@ gcry_error_t otrl_proto_fragment_create(
+ int i;
+ char *fragmentmsg;
+
+- if (msglen - index < mms - headerlen) {
++ if (msglen - index < (size_t)(mms - headerlen)) {
+ fragdatalen = msglen - index;
+ } else {
+ fragdatalen = mms - headerlen;
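Review bot: In the embedded proto.c patch, the wrap test in `otrl_proto_fragment_accumulate` still runs after the allocation it is meant to guard. `realloc(context->fragment, context->fragment_len + fraglen + 1)` is called first and `context->fragment_len + fraglen + 1 > fraglen` is evaluated only afterwards; the `k == 1` branch has the same order with `malloc(fraglen + 1)`. With `size_t` the sum is unlikely to wrap on 64-bit, but if it did, the buffer would already have been resized to the wrapped size, and a successful `realloc` result would be discarded when the test fails. Computing the size once, testing it, and only then allocating makes the guard effective on every word size, in line with the commit message's goal that no malloc or realloc argument can overflow. The failure branch and the rest of the function lie outside the hunk, so how `context->fragment` is released there should be confirmed against the full file.

```c
size_t fraglen = end - start - 1;
size_t newsize = context->fragment_len + fraglen + 1;
char *newfrag = NULL;

/* Allocate only when the sum did not wrap. */
if (newsize > fraglen) {
    newfrag = realloc(context->fragment, newsize);
}
if (newfrag) {
    /* … unchanged: success-branch body (outside the hunk) … */
```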
diff --git a/debian/patches/series b/debian/patches/series
index 394b845..4686473 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
disable_otr_v1.patch
+CVE-2016-2851.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/libotr.git