[Pkg-privacy-commits] [libotr] 01/01: Import debdiff for 4.1.0-2+deb8u1.
Intrigeri
intrigeri at moszumanska.debian.org
Thu Mar 10 09:28:38 UTC 2016
intrigeri pushed a commit to branch jessie
in repository libotr.
commit 1fc81926d0a8aa7b21e40efc689eb2c97ce3c71e
Author: intrigeri <intrigeri at debian.org>
Date: Tue Mar 8 11:11:51 2016 +0000
Import debdiff for 4.1.0-2+deb8u1.
---
debian/changelog | 8 ++++
debian/patches/0002-CVE-2016-2851.patch | 73 +++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 82 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ba5e8a5..8ddb581 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libotr (4.1.0-2+deb8u1) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-2851: Integer overflow on 64-bit architectures when receiving 4GB
+ messages
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Mon, 07 Mar 2016 08:29:49 +0100
+
libotr (4.1.0-2) unstable; urgency=medium
* New patch:
diff --git a/debian/patches/0002-CVE-2016-2851.patch b/debian/patches/0002-CVE-2016-2851.patch
new file mode 100644
index 0000000..9189fed
--- /dev/null
+++ b/debian/patches/0002-CVE-2016-2851.patch
@@ -0,0 +1,73 @@
+commit ecfd4f468690af6e66b5bf92315972b86071ac1c
+Author: Ian Goldberg <iang at cs.uwaterloo.ca>
+Date: Thu Mar 3 13:32:41 2016 +0100
+
+ Prevent integer overflow on 64-bit architectures when receiving 4GB messages
+
+ In several places in proto.c, the sizes of portions of incoming messages
+ were stored in variables of type int or unsigned int instead of size_t.
+ If a message arrives with very large sizes (for example unsigned int
+ datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn
+ into malloc(0), which on some architectures returns a non-NULL pointer,
+ but UINT_MAX bytes will get written to that pointer.
+
+ Ensure all calls to malloc or realloc cannot integer overflow like this.
+
+ Thanks to Markus Vervier of X41 D-Sec GmbH <markus.vervier at x41-dsec.de>
+ for the report.
+
+ Signed-off-by: Ian Goldberg <iang at cs.uwaterloo.ca>
+ Signed-off-by: David Goulet <dgoulet at ev0ke.net>
+
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -711,7 +711,7 @@ gcry_error_t otrl_proto_accept_data(char
+ unsigned int sender_keyid, recipient_keyid;
+ gcry_mpi_t sender_next_y = NULL;
+ unsigned char ctr[8];
+- unsigned int datalen, reveallen;
++ size_t datalen, reveallen;
+ unsigned char *data = NULL;
+ unsigned char *nul = NULL;
+ unsigned char givenmac[20];
+@@ -912,7 +912,7 @@ OtrlFragmentResult otrl_proto_fragment_a
+
+ if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
+ if (k == 1) {
+- int fraglen = end - start - 1;
++ size_t fraglen = end - start - 1;
+ size_t newsize = fraglen + 1;
+ free(context->context_priv->fragment);
+ context->context_priv->fragment = NULL;
+@@ -933,7 +933,7 @@ OtrlFragmentResult otrl_proto_fragment_a
+ }
+ } else if (n == context->context_priv->fragment_n &&
+ k == context->context_priv->fragment_k + 1) {
+- int fraglen = end - start - 1;
++ size_t fraglen = end - start - 1;
+ char *newfrag = NULL;
+ size_t newsize = context->context_priv->fragment_len + fraglen + 1;
+ /* Check for overflow */
+@@ -985,10 +985,10 @@ gcry_error_t otrl_proto_fragment_create(
+ char ***fragments, ConnContext *context, const char *message)
+ {
+ char *fragdata;
+- int fragdatalen = 0;
++ size_t fragdatalen = 0;
+ int curfrag = 0;
+- int index = 0;
+- int msglen = strlen(message);
++ size_t index = 0;
++ size_t msglen = strlen(message);
+ /* Should vary by number of msgs */
+ int headerlen = context->protocol_version == 3 ? 37 : 19;
+
+@@ -1008,7 +1008,7 @@ gcry_error_t otrl_proto_fragment_create(
+ int i;
+ char *fragmentmsg;
+
+- if (msglen - index < mms - headerlen) {
++ if (msglen - index < (size_t)(mms - headerlen)) {
+ fragdatalen = msglen - index;
+ } else {
+ fragdatalen = mms - headerlen;
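Review bot: The cast `(size_t)(mms - headerlen)` in the `if` near the end of the last hunk silently turns a negative difference into a very large value, so if `mms` can ever be smaller than `headerlen` the comparison is always true and the whole remaining message is emitted as one fragment longer than `mms`. otrl_proto_fragment_create's body continues outside the hunk, so whether `mms` is validated against `headerlen` before this loop cannot be seen here; if it is not, that check belongs ahead of the loop (returning an error from the function), and either way I would document the precondition on the `if` line with `/* requires mms > headerlen: a negative difference would wrap when cast to size_t */`. The hunk at line 711 only widens the declarations of `datalen` and `reveallen` to size_t; the code that fills them from the incoming message is outside the hunk, and the widening only closes the `malloc(datalen+1)` wrap described in the commit message if those readers store into the size_t variables without truncating, which is worth confirming.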
diff --git a/debian/patches/series b/debian/patches/series
index 61fc09a..21d69a4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-Do-not-error-out-when-an-application-is-run-against-.patch
+0002-CVE-2016-2851.patch
--