Hi, I will upload a 0-day NMU following the current release policy to close this bug. Attached is the patch I extracted from the new upstream release to fix this. It will also be archived at: http://people.debian.org/~nion/nmu-diff/ihu-0.5.6-3_0.5.6-3.1.patch
Kind regards Nico -- Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
diff -u ihu-0.5.6/debian/changelog ihu-0.5.6/debian/changelog
--- ihu-0.5.6/debian/changelog
+++ ihu-0.5.6/debian/changelog
@@ -1,3 +1,13 @@
+ihu (0.5.6-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing-security team.
+ * Fix crash triggered by malformed received packages
+ where the size field is zero which is then passed to
+ Receiver::processPacket where denial of service situation
+ occurs due to a programming error (CVE-2007-6103; Closes: #453280).
+
+ -- Nico Golde <[EMAIL PROTECTED]> Tue, 11 Dec 2007 10:07:17 +0100
+
ihu (0.5.6-3) unstable; urgency=low
* Put ${misc:Depends} into debian/control file.
--- ihu-0.5.6.orig/src/Packet.cpp
+++ ihu-0.5.6/src/Packet.cpp
@@ -144,7 +144,8 @@
void Packet::decrypt(Blowfish *blowfish)
{
- blowfish->decrypt(dataPtr, size - HEADER_SIZE);
+ if (dataLen > 0)
+ blowfish->decrypt(dataPtr, size - HEADER_SIZE);
}
int Packet::getSize()
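Review bot: The new guard in Packet::decrypt tests `dataLen`, but the length actually handed to `blowfish->decrypt` is `size - HEADER_SIZE`, so the check and the argument are two different quantities; unless the class keeps them equal (not visible in this hunk), a non-positive `size - HEADER_SIZE` can still reach the cipher. Guarding on the value that is passed makes the intent self-evident and also rejects a `size` below `HEADER_SIZE`: `const int len = size - HEADER_SIZE;` followed by `if (len > 0) blowfish->decrypt(dataPtr, len);`. If `dataLen` is by construction `size - HEADER_SIZE`, a one-line comment stating that invariant next to the guard would suffice instead.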
only in patch2:
unchanged:
--- ihu-0.5.6.orig/src/Receiver.cpp
+++ ihu-0.5.6/src/Receiver.cpp
@@ -63,6 +63,8 @@
rate = 0;
calls = 0;
connects = 0;
+ frame_size = 0;
+ ring_buffer = NULL;
reset();
resetStream();
speex_bits_init(&bits);
@@ -416,9 +418,18 @@
else
{
try {
- Packet *p = new Packet(plen);
- PacketHandler::readPacket(p, streamPtr, plen);
- processPacket(p);
+ if (plen >= MIN_PACKET_SIZE)
+ {
+ Packet *p = new Packet(plen);
+ PacketHandler::readPacket(p, streamPtr, plen);
+ processPacket(p);
+ delete p;
+ }
+ else
+ {
+ sync = STREAM_OUT_OF_SYNC;
+ break;
+ }
if (sync != STREAM_PLAYER_NOT_READY)
{
if (plen < streamLen)
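Review bot: `p` is still an owning raw pointer, and the `delete p` now placed right after `processPacket(p)` is skipped whenever `PacketHandler::readPacket` or `processPacket` throws, which the enclosing `try`/`catch (Error e)` suggests they can; the hunk at @@ -433,7 +444,6 @@ removes the old `delete p` without adding one to the catch path, so a malformed packet that raises Error leaks the allocation. Binding the packet to a scope-bound owner fixes both paths at once, e.g. `std::auto_ptr<Packet> p(new Packet(plen));` on this era's toolchain (`std::unique_ptr` where available) and dropping the explicit `delete p;`. The loop and function containing this block start and end outside the hunk, so the effect of the new `break` on the out-of-sync path cannot be checked here.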
@@ -433,7 +444,6 @@
resetStream();
}
}
- delete p;
} catch (Error e)
{
emitError(e.getText());
@@ -513,13 +523,13 @@
case RECEIVER_STATUS_MUTE:
break;
case RECEIVER_STATUS_NORMAL:
- if (spx)
+ if (spx && (p->getDataLen() > MIN_DATA_SIZE))
{
ihu2spx->process(p->getData(), p->getDataLen());
}
else
{
- if (player->ready())
+ if (player->ready() && (p->getDataLen() > MIN_DATA_SIZE))
{
playData(p->getData(), p->getDataLen());
}
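Review bot: The new length checks are written as `p->getDataLen() > MIN_DATA_SIZE` while Packet.h defines `MIN_DATA_SIZE` as 0, so the macro name says "minimum" but the comparison treats it as "one below the minimum"; the same pattern appears in the hunks at @@ -533,7 +543,7 @@, @@ -545,14 +555,14 @@ and @@ -564,7 +574,7 @@. If the constant is ever raised to 1, every one of these sites silently starts rejecting one-byte payloads. Either define `MIN_DATA_SIZE` as 1 and compare with `>=`, or keep the value and add a comment at the define stating it is an exclusive lower bound. The switch these cases belong to starts and ends outside the hunk.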
@@ -533,7 +543,7 @@
}
break;
case IHU_INFO_NEW_KEY:
- if (!fromFile)
+ if (!fromFile && (p->getDataLen() > MIN_DATA_SIZE))
{
char *out;
int len = rsa->decrypt(p->getData(), p->getDataLen(), &out);
@@ -545,14 +555,14 @@
}
break;
case IHU_INFO_KEY_REQUEST:
- if (!fromFile)
+ if (!fromFile && (p->getDataLen() > MIN_DATA_SIZE))
{
rsa->setPeerPublicKey(p->getData(), p->getDataLen());
emitSignal(SIGNAL_SENDNEWKEY);
}
break;
case IHU_INFO_RING:
- if (p->getDataLen() > 0)
+ if (p->getDataLen() > MIN_DATA_SIZE)
callerName = p->getData();
if (!fromFile)
{
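Review bot: In the IHU_INFO_RING case `callerName = p->getData();` is now guarded only by the data length, and nothing in the hunk shows that the payload is NUL-terminated, so if `callerName` is a string type that takes a `char*` the copy may run past the packet data; this is inferred from the visible calls rather than from Packet's definition. The same assignment appears in the IHU_INFO_ANSWER/IHU_INFO_RING_REPLY case at @@ -564,7 +574,7 @@. If the string type offers a length-bounded constructor or assignment, passing `p->getDataLen()` alongside `p->getData()` removes the dependency on a terminator. The enclosing switch starts and ends outside the hunk.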
@@ -564,7 +574,7 @@
case IHU_INFO_ANSWER:
case IHU_INFO_RING_REPLY:
reply = true;
- if (p->getDataLen() > 0)
+ if (p->getDataLen() > MIN_DATA_SIZE)
callerName = p->getData();
break;
case IHU_INFO_REFUSE:
@@ -591,7 +601,8 @@
case RECEIVER_STATUS_MUTE:
break;
default:
- player->ring(ring_buffer, size);
+ if (playing)
+ player->ring(ring_buffer, size);
break;
}
}
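Review bot: The added `if (playing)` guard around `player->ring(ring_buffer, size)` relies on an invariant that `ring_buffer` is allocated whenever `playing` is true, which this hunk does not show; the constructor hunk at @@ -63,6 +63,8 @@ now initialises `ring_buffer` to NULL, so the direct condition would be self-evident to a reader, e.g. `if (playing && ring_buffer != NULL)`. If `playing` is indeed only set after the buffer is allocated, a one-line comment on the guard saying so would make the coupling explicit. The enclosing function starts outside the hunk.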
only in patch2:
unchanged:
--- ihu-0.5.6.orig/src/Packet.h
+++ ihu-0.5.6/src/Packet.h
@@ -34,6 +34,10 @@
#include "Blowfish.h"
#define MAX_PACKET_SIZE 255
+#define MIN_PACKET_SIZE 6
+
+#define MIN_DATA_SIZE 0
+#define MAX_DATA_SIZE 250
#define HEADER_SIZE 6
#define HEADER_SYNC_STRING "IHU"
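Review bot: `MAX_DATA_SIZE` is defined as 250 while `MAX_PACKET_SIZE` (255) minus `HEADER_SIZE` (6) is 249, and `MIN_PACKET_SIZE` repeats the literal 6 instead of referring to `HEADER_SIZE`, so the four constants can drift apart; whether `MAX_DATA_SIZE` is used anywhere is not visible in this patch. Defining the derived values in terms of the primary ones, placed after `HEADER_SIZE`, keeps them consistent by construction: `#define MIN_PACKET_SIZE HEADER_SIZE` and `#define MAX_DATA_SIZE (MAX_PACKET_SIZE - HEADER_SIZE)`. A short comment stating that `MIN_DATA_SIZE` is an exclusive bound (the Receiver.cpp checks use `>`) would also help the next reader.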

