Control: tags 766962 + pending

Hi Thomas,

I've prepared an NMU for quassel (versioned as 0.10.0-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Note that Luciano Bello is planning to release a DSA for wheezy-security too.

Regards,
Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog --- quassel-0.10.0/debian/changelog 2014-07-04 17:15:24.000000000 +0200 +++ quassel-0.10.0/debian/changelog 2014-11-02 19:11:20.000000000 +0100 @@ -1,3 +1,12 @@ +quassel (0.10.0-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2014-8483.patch patch. + CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption. + (Closes: #766962) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 02 Nov 2014 19:10:58 +0100 + quassel (0.10.0-2) unstable; urgency=low * Fixing security issue where quassel core certificate is diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch --- quassel-0.10.0/debian/patches/CVE-2014-8483.patch 1970-01-01 01:00:00.000000000 +0100 +++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch 2014-10-28 17:03:58.000000000 +0100 
@@ -0,0 +1,52 @@ +From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001 +From: Manuel Nickschas <sputn...@quassel-irc.org> +Date: Tue, 21 Oct 2014 21:20:07 +0200 +Subject: [PATCH] Check for invalid input in encrypted buffers + +The ECB Blowfish decryption function assumed that encrypted input would +always come in blocks of 12 characters, as specified. However, buggy +clients or annoying people may not adhere to that assumption, causing +the core to crash while trying to process the invalid base64 input. + +With this commit we make sure that we're not overstepping the bounds of +the input string while decoding it; instead we bail out early and display +the original input. Fixes #1314. + +Thanks to Tucos for finding that one! +--- + src/core/cipher.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp +index 7cc75d0..7d1fe46 100644 +--- a/src/core/cipher.cpp ++++ b/src/core/cipher.cpp +@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) + } + else + { ++ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input ++ if ((temp.length() % 12) != 0) ++ return cipherText; ++ + temp = b64ToByte(temp); + while ((temp.length() % 8) != 0) temp.append('\0'); + } +@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) + if (!cipher.ok()) + return cipherText; + +- if (direction) ++ if (direction) { ++ // Sanity check ++ if ((temp2.length() % 8) != 0) ++ return cipherText; ++ + temp2 = byteToB64(temp2); ++ } + + return temp2; + } +-- +1.7.10.4 + diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series --- quassel-0.10.0/debian/patches/series 2012-04-25 00:18:37.000000000 +0200 +++ quassel-0.10.0/debian/patches/series 2014-10-28 17:16:01.000000000 +0100 @@ -1,2 +1,2 @@ 01_default_network_channel.patch - +CVE-2014-8483.patch
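Review bot: in the first src/core/cipher.cpp hunk (@@ -364,6 +364,10 @@), the new guard `if ((temp.length() % 12) != 0) return cipherText;` validates length only. An empty `temp` and a 12-character string containing characters outside the base64 alphabet both pass it and still reach `b64ToByte(temp)`. How that function treats such input is not visible in this hunk, so confirm it cannot index out of bounds there, or reject those cases in the same guard. With the length now enforced, also check whether the `while ((temp.length() % 8) != 0) temp.append('\0');` padding loop that follows can still trigger, and drop it if it cannot.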
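Review bot: in the second src/core/cipher.cpp hunk (@@ -376,8 +380,13 @@), the new early return inside `if (direction) {` hands back `cipherText`, the function's unmodified input, when `(temp2.length() % 8) != 0`. If `direction == true` is the encrypting path, as the `byteToB64(temp2)` call suggests, the caller receives its input back unencrypted, the same as the existing `if (!cipher.ok()) return cipherText;` path. Confirm the caller can tell this apart from a successful result and does not transmit it as ciphertext; returning an empty QByteArray or logging the failure would make the error explicit. The `// Sanity check` comment should also say which assumption of `byteToB64` the `% 8` test protects, in the way the comment added in the decrypt branch explains the 12-character rule.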