Control: tags 766962 + pending

Hi Thomas,

I've prepared an NMU for quassel (versioned as 0.10.0-2.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should delay it
longer. Note that Luciano Bello is planning to release a DSA for
wheezy-security too.

Regards,
Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2014-07-04 17:15:24.000000000 +0200
+++ quassel-0.10.0/debian/changelog	2014-11-02 19:11:20.000000000 +0100
@@ -1,3 +1,12 @@
+quassel (0.10.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2014-8483.patch patch.
+    CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
+    (Closes: #766962)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sun, 02 Nov 2014 19:10:58 +0100
+
 quassel (0.10.0-2) unstable; urgency=low
 
   * Fixing security issue where quassel core certificate is 
diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.10.0/debian/patches/CVE-2014-8483.patch	1970-01-01 01:00:00.000000000 +0100
+++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch	2014-10-28 17:03:58.000000000 +0100
@@ -0,0 +1,52 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas <sputn...@quassel-irc.org>
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
+index 7cc75d0..7d1fe46 100644
+--- a/src/core/cipher.cpp
++++ b/src/core/cipher.cpp
+@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     }
+     else
+     {
++        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++        if ((temp.length() % 12) != 0)
++            return cipherText;
++
+         temp = b64ToByte(temp);
+         while ((temp.length() % 8) != 0) temp.append('\0');
+     }
+@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+     if (!cipher.ok())
+         return cipherText;
+ 
+-    if (direction)
++    if (direction) {
++        // Sanity check
++        if ((temp2.length() % 8) != 0)
++            return cipherText;
++
+         temp2 = byteToB64(temp2);
++    }
+ 
+     return temp2;
+ }
+-- 
+1.7.10.4
+
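Review bot: the `++        // Sanity check` comment in the encryption branch says nothing about what is being checked; suggest stating that encryption output must be a whole number of 8-byte Blowfish blocks (the input was padded to a multiple of 8 by `while ((temp.length() % 8) != 0) temp.append('\0');`), so a different length means the cipher produced unexpected output and the original text is returned. In the decryption branch, the new `if ((temp.length() % 12) != 0)` check sits directly above that same `% 8` padding loop; a one-line comment on whether the loop can still do anything once the 12-character check has passed would help the next reader. The imported patch carries only the git `From:`/`Subject:` header; adding DEP-3 `Origin: upstream` with the commit reference (8b5ecd226f9208af3074b33d3b7cf5e14f55b138) and `Bug-Debian: https://bugs.debian.org/766962` would make its provenance visible without opening the changelog.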
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2012-04-25 00:18:37.000000000 +0200
+++ quassel-0.10.0/debian/patches/series	2014-10-28 17:16:01.000000000 +0100
@@ -1,2 +1,2 @@
 01_default_network_channel.patch
-
+CVE-2014-8483.patch
