Your message dated Thu, 06 Nov 2014 07:29:26 +0000
with message-id <[email protected]>
and subject line Re: Bug#768249: unblock: konversation/1.5-2
has caused the Debian Bug report #768249,
regarding unblock: konversation/1.5-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
768249: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768249
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package konversation
To fix
https://security-tracker.debian.org/tracker/CVE-2014-8483
I backported a fix from upstream
unblock konversation/1.5-2
-- System Information:
Debian Release: jessie/sid
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (110,
'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-3-amd64 (SMP w/4 CPU cores)
diff -Nru konversation-1.5/debian/changelog konversation-1.5/debian/changelog
--- konversation-1.5/debian/changelog 2014-02-22 17:19:37.000000000 -0800
+++ konversation-1.5/debian/changelog 2014-11-05 14:02:01.000000000 -0800
@@ -1,3 +1,11 @@
+konversation (1.5-2) unstable; urgency=medium
+
+ * Backport fix for CVE-2014-8483 in cve-2014-8483.patch
+ See https://security-tracker.debian.org/tracker/CVE-2014-8483
+ (Closes: #768191)
+
+ -- Diane Trout <[email protected]> Wed, 05 Nov 2014 22:47:53 +0100
+
konversation (1.5-1) unstable; urgency=medium
* New upstream release
diff -Nru konversation-1.5/debian/patches/cve-2014-8483.patch konversation-1.5/debian/patches/cve-2014-8483.patch
--- konversation-1.5/debian/patches/cve-2014-8483.patch 1969-12-31 16:00:00.000000000 -0800
+++ konversation-1.5/debian/patches/cve-2014-8483.patch 2014-11-05 12:21:25.000000000 -0800
@@ -0,0 +1,49 @@
+Origin: http://quickgit.kde.org/?p=konversation.git&a=commit&h=1f55cee8b3d0956adc98834f7b5832e48e077ed7
+Bug: https://bugs.kde.org/show_bug.cgi?id=210792
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768191
+Description: Do a bounds check on ECB blocks.
+ Backport fix for CVE-2014-8483
+ https://security-tracker.debian.org/tracker/CVE-2014-8483
+ .
+ Blindly assuming they're the expected 12 chars can lead to a crash
+ on malformed input.
+ .
+ Original patch by Manuel Nickschas for Quassel, who incorporated
+ the original Konversation code into Quassel in 2009.
+
+--- a/src/cipher.cpp
++++ b/src/cipher.cpp
+@@ -353,8 +353,12 @@
+ }
+ else
+ {
++ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++ if ((temp.length() % 12) != 0)
++ return cipherText;
++
+ temp = b64ToByte(temp);
+- while((temp.length() % 8) != 0) temp.append('\0');
++ while ((temp.length() % 8) != 0) temp.append('\0');
+ }
+
+ QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
+@@ -362,11 +366,17 @@
+ QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
+ temp2 += cipher.final().toByteArray();
+
+- if(!cipher.ok())
++ if (!cipher.ok())
+ return cipherText;
+
+- if(direction)
++ if (direction)
++ {
++ // Sanity check
++ if ((temp2.length() % 8) != 0)
++ return cipherText;
++
+ temp2 = byteToB64(temp2);
++ }
+
+ return temp2;
+ }
diff -Nru konversation-1.5/debian/patches/series konversation-1.5/debian/patches/series
--- konversation-1.5/debian/patches/series 2014-02-22 10:28:08.000000000 -0800
+++ konversation-1.5/debian/patches/series 2014-11-05 10:45:52.000000000 -0800
@@ -1,2 +1,3 @@
+cve-2014-8483.patch
debian_dbug_autoreplace.diff
debian_channel.diff
--- End Message ---
--- Begin Message ---
On 2014-11-06 5:24, Diane Trout wrote:
Please unblock package konversation
To fix
https://security-tracker.debian.org/tracker/CVE-2014-8483
I backported a fix from upstream
Unblocked, thanks.
Regards,
Adam
--- End Message ---
