Hello community,

here is the log from the commit of package libotr2 for openSUSE:Factory checked 
in at 2016-03-16 10:25:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libotr2 (Old)
 and      /work/SRC/openSUSE:Factory/.libotr2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libotr2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libotr2/libotr2.changes  2013-06-25 
14:42:15.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libotr2.new/libotr2.changes     2016-03-16 
10:25:29.000000000 +0100
@@ -1,0 +2,8 @@
+Tue Mar  8 09:10:23 UTC 2016 - [email protected]
+
+- Fix an integer overflow bug that can cause a heap buffer
+  overflow (and from there remote code execution) on 64-bit
+  platforms - CVE-2016-2851 (boo#969785)
+  libotr-3.2.1-CVE-2016-2851.patch
+
+-------------------------------------------------------------------

New:
----
  libotr-3.2.1-CVE-2016-2851.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libotr2.spec ++++++
--- /var/tmp/diff_new_pack.Qee7AJ/_old  2016-03-16 10:25:30.000000000 +0100
+++ /var/tmp/diff_new_pack.Qee7AJ/_new  2016-03-16 10:25:30.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libotr2
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,20 +19,17 @@
 Name:           libotr2
 Version:        3.2.1
 Release:        0
-Url:            http://www.cypherpunks.ca/otr/
 Summary:        "Off The Record" messaging library toolkit
 License:        LGPL-2.1+
 Group:          Development/Libraries/C and C++
+Url:            http://www.cypherpunks.ca/otr/
 Source:         http://www.cypherpunks.ca/otr/libotr-%{version}.tar.gz
-# http://www.cypherpunks.ca/otr/gpgkey.asc
 Source1:        http://www.cypherpunks.ca/otr/libotr-%{version}.tar.gz.asc
+# http://www.cypherpunks.ca/otr/gpgkey.asc
 Source2:        libotr2.keyring
-BuildRequires:  libgcrypt-devel
-BuildRequires:  libtool
+Patch0:         libotr-3.2.1-CVE-2016-2851.patch
+BuildRequires:  libgcrypt-devel >= 1.2.0
 BuildRequires:  pkg-config
-%if 0%{?suse_version} >= 1230
-BuildRequires:  gpg-offline
-%endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
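Review bot: Dropping `BuildRequires: gpg-offline` in this hunk together with the `%{?gpg_verify: %gpg_verify %{S:1}}` line in the %prep hunk removes the in-spec verification of the tarball against Source1 and the Source2 keyring, while both files stay listed and Source1 is still downloaded. If the signature is now meant to be checked by the build service's source validation instead, the spec does not say so; a comment next to Source2 such as `# Source1 (.asc) and Source2 (keyring) are checked by the source validator, not during %prep` would record that intent. If no such check exists, the signature and keyring are carried without ever being used.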
@@ -78,24 +75,24 @@
 conversation is compromised.
 
 %prep
-%{?gpg_verify: %gpg_verify %{S:1}}
 %setup -q -n libotr-%{version}
+%patch0 -p1
 
 %build
 %ifarch %arm
-export CFLAGS="$RPM_OPT_FLAGS -O1"
+export CFLAGS="%{optflags} -O1"
 %else
-export CFLAGS="$RPM_OPT_FLAGS"
+export CFLAGS="%{optflags}"
 %endif
 %configure --disable-static --with-pic
 make %{?_smp_mflags}
 
 %check 
-%{__make} check
+make %{?_smp_mflags} check
 
 %install
-%{__make} DESTDIR=%{buildroot} install
-%{__rm} -f %{buildroot}%{_libdir}/libotr.la
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
+rm -f %{buildroot}%{_libdir}/libotr.la
 
 %files tools
 %defattr (-, root, root)
@@ -117,7 +114,6 @@
 %{_libdir}/pkgconfig/libotr.pc
 
 %post -n libotr2 -p /sbin/ldconfig
-
 %postun -n libotr2 -p /sbin/ldconfig
 
 %changelog

++++++ libotr-3.2.1-CVE-2016-2851.patch ++++++
commit ecfd4f468690af6e66b5bf92315972b86071ac1c
Author: Ian Goldberg <[email protected]>
Date:   Thu Mar 3 13:32:41 2016 +0100

    Prevent integer overflow on 64-bit architectures when receiving 4GB messages
    
    In several places in proto.c, the sizes of portions of incoming messages
    were stored in variables of type int or unsigned int instead of size_t.
    If a message arrives with very large sizes (for example unsigned int
    datalen = UINT_MAX), then constructions like malloc(datalen+1) will turn
    into malloc(0), which on some architectures returns a non-NULL pointer,
    but UINT_MAX bytes will get written to that pointer.
    
    Ensure all calls to malloc or realloc cannot integer overflow like this.
    
    Thanks to Markus Vervier of X41 D-Sec GmbH <[email protected]>
    for the report.
    
    Signed-off-by: Ian Goldberg <[email protected]>
    Signed-off-by: David Goulet <[email protected]>

Index: libotr-3.2.1/src/proto.c
===================================================================
--- libotr-3.2.1.orig/src/proto.c
+++ libotr-3.2.1/src/proto.c
@@ -589,7 +589,7 @@ gcry_error_t otrl_proto_accept_data(char
     unsigned int sender_keyid, recipient_keyid;
     gcry_mpi_t sender_next_y = NULL;
     unsigned char ctr[8];
-    unsigned int datalen, reveallen;
+    size_t datalen, reveallen;
     unsigned char *data = NULL;
     unsigned char *nul = NULL;
     unsigned char givenmac[20];
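Review bot: The widening of `datalen` and `reveallen` from `unsigned int` to `size_t` carries no explanation, and the rest of otrl_proto_accept_data, where these lengths are presumably read from the message and used in allocation sizes, lies outside the hunk. A comment on the declaration, `/* size_t on purpose: the +1 in the allocation sizes below must not wrap (CVE-2016-2851) */`, records why a narrower type is unsafe here so a later cleanup does not narrow it again. The same applies to the `fraglen` declarations in the two otrl_proto_fragment_accumulate hunks.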
@@ -769,7 +769,7 @@ OtrlFragmentResult otrl_proto_fragment_a
        sscanf(tag, "?OTR,%hu,%hu,%n%*[^,],%n", &k, &n, &start, &end);
        if (k > 0 && n > 0 && k <= n && start > 0 && end > 0 && start < end) {
            if (k == 1) {
-               int fraglen = end - start - 1;
+               size_t fraglen = end - start - 1;
                free(context->fragment);
                context->fragment = malloc(fraglen + 1);
                if (fraglen + 1 > fraglen && context->fragment) {
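Review bot: With `fraglen` now `size_t`, the guard `fraglen + 1 > fraglen` on the last line of the hunk reads like a tautology (it is false only for `SIZE_MAX`), and the `context->fragment_len + fraglen + 1 > fraglen` test in the next hunk is likewise only meaningful as a wraparound check; a comment such as `/* reject size_t wraparound in the allocation size */` on each would stop a later cleanup from removing them as dead code. Note also that `end - start - 1` is still evaluated in `int` before the widening, so it relies on the `start < end` check two lines above to stay non-negative. The `if` body continues past the end of the hunk.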
@@ -787,7 +787,7 @@ OtrlFragmentResult otrl_proto_fragment_a
                }
            } else if (n == context->fragment_n &&
                    k == context->fragment_k + 1) {
-               int fraglen = end - start - 1;
+               size_t fraglen = end - start - 1;
                char *newfrag = realloc(context->fragment,
                        context->fragment_len + fraglen + 1);
                if (context->fragment_len + fraglen + 1 > fraglen && newfrag) {
@@ -841,10 +841,10 @@ gcry_error_t otrl_proto_fragment_create(
        char ***fragments, const char *message)
 {
     char *fragdata;
-    int fragdatalen = 0;
+    size_t fragdatalen = 0;
     unsigned short curfrag = 0;
-    int index = 0;
-    int msglen = strlen(message);
+    size_t index = 0;
+    size_t msglen = strlen(message);
     int headerlen = 19; /* Should vary by number of msgs */
 
     char **fragmentarray = malloc(fragment_count * sizeof(char*));
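Review bot: `malloc(fragment_count * sizeof(char*))` on the last line of the hunk is the one allocation size in this function that the commit leaves unchecked, although the commit message says every malloc/realloc size was audited. The type and origin of `fragment_count` are outside the hunk; if it is an `int`, a negative or very large value makes the product go huge after conversion to `size_t`, so `char **fragmentarray = calloc(fragment_count, sizeof(char*));` would let the allocator reject an overflowing product, provided the NULL check that presumably follows is kept. `headerlen` is also left as `int` while every other length became `size_t`, which is what forces the cast in the following hunk.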
@@ -857,7 +857,7 @@ gcry_error_t otrl_proto_fragment_create(
        int i;
        char *fragmentmsg;
 
-       if (msglen - index < mms - headerlen) {
+       if (msglen - index < (size_t)(mms - headerlen)) {
            fragdatalen = msglen - index;
        } else {
            fragdatalen = mms - headerlen;


