Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Control: reopen -1
Control: found -1 0.11.0-1

Version 0.11.0 does *not* contain the commit that fixes this bug.
0.11.0-1 is also wrongly marked as fixed in the security tracker.

I guess now 0.10.0-2.1 has to be re-uploaded with a different version to testing-proposed-updates.

Cheers,
Felix

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Hi Felix,

On Wed, Nov 05, 2014 at 06:45:09PM +0100, Felix Geyer wrote:
> Control: reopen -1
> Control: found -1 0.11.0-1
>
> Version 0.11.0 does *not* contain the commit that fixes this bug.

Thanks for checking also this version!

> 0.11.0-1 is also wrongly marked as fixed in the security tracker.

Yes and no about the security-tracker. The CVE/bug was fixed in 0.10.0-2.1 which was superseded by 0.11.0-1 in unstable before reaching testing. The security-tracker cannot notice that it was fixed in 0.10.0-2.1 but would not be fixed in 0.11.0-1 (as 0.10.0-2.1 < 0.11.0-1).

The security-tracker has the following entry, which now needs an adjustment depending on the chosen approach:

CVE-2014-8483 [out-of-bounds read on a heap-allocated array]
    RESERVED
    {DSA-3063-1}
    - quassel 0.10.0-2.1 (bug #766962)
    NOTE: https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
    NOTE: http://bugs.quassel-irc.org/issues/1314
    - konversation unfixed
    NOTE: https://bugs.kde.org/show_bug.cgi?id=210792

> I guess now 0.10.0-2.1 has to be re-uploaded with a different version to testing-proposed-updates.

Either that or a 1:0.10.0-2.1 upload again to unstable, and ask the release team for an unblock of this version. I think the latter would be preferable as it leaves more changes of updates through unstable during the freeze complying with the freeze policy given.

Regards,
Salvatore
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Hi,

On Mon, Nov 03, 2014 at 02:57:35PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> > Hi,
> >
> > I have no plans to override your NMUs - I'll prepare an upload of 0.11.0 to unstable these days.
>
> Ok thanks! Please note that we are shortly before the freeze, so consider to upload the new upstream version to unstable.

... there was a small tiny word missing in my sentence: the not. We currently are short before freeze, it is quite impossible that release team will accept the new upstream version to enter jessie. It should have been read:

[...] so please consider to upload the new upstream version to experimental.

Salvatore
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Thanks a lot for your support on this - very much welcome!

Thomas

--
Thomas Müller
E-Mail: thomas.muel...@tmit.eu

On Sunday, 02.11.2014 at 22:44, Luciano Bello wrote:
> On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> > Note that Luciano Bello is planning to release a DSA for wheezy-security too.
>
> DSA released: https://lists.debian.org/debian-security-announce/2014/msg00251.html
>
> Cheers, luciano
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Hi Thomas,

Thanks for your reply. Just a question below:

On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
> Thanks a lot for your support on this - very much welcome!

Do you plan to override my NMU in the delayed queue? If not I would like to move it straight to the archive from the delayed queue without the 2 days delay.

Please let me know and thanks for your work in maintaining quassel!

Salvatore
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Hi,

I have no plans to override your NMUs - I'll prepare an upload of 0.11.0 to unstable these days.

Regards,
Thomas

On Monday, 03.11.2014 at 9:41, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> Thanks for your reply. Just a question below:
>
> On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
> > Thanks a lot for your support on this - very much welcome!
>
> Do you plan to override my NMU in the delayed queue? If not I would like to move it straight to the archive from the delayed queue without the 2 days delay.
>
> Please let me know and thanks for your work in maintaining quassel!
>
> Salvatore
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Hi,

On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> Hi,
>
> I have no plans to override your NMUs - I'll prepare an upload of 0.11.0 to unstable these days.

Ok thanks! Please note that we are shortly before the freeze, so consider to upload the new upstream version to unstable.

 [1] https://lists.debian.org/debian-devel-announce/2014/09/msg2.html
 [2] https://release.debian.org/jessie/freeze_policy.html

Regards,
Salvatore
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
Control: tags 766962 + pending Hi Thomas, I've prepared an NMU for quassel (versioned as 0.10.0-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Note that Luciano Bello is planning to release a DSA for wheezy-security too. Regards, Salvatore diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog --- quassel-0.10.0/debian/changelog 2014-07-04 17:15:24.0 +0200 +++ quassel-0.10.0/debian/changelog 2014-11-02 19:11:20.0 +0100 @@ -1,3 +1,12 @@ +quassel (0.10.0-2.1) unstable; urgency=high + + * Non-maintainer upload. + * Add CVE-2014-8483.patch patch. +CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption. +(Closes: #766962) + + -- Salvatore Bonaccorso car...@debian.org Sun, 02 Nov 2014 19:10:58 +0100 + quassel (0.10.0-2) unstable; urgency=low * Fixing security issue where quassel core certificate is diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch --- quassel-0.10.0/debian/patches/CVE-2014-8483.patch 1970-01-01 01:00:00.0 +0100 +++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch 2014-10-28 17:03:58.0 +0100 
@@ -0,0 +1,52 @@ +From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001 +From: Manuel Nickschas sputn...@quassel-irc.org +Date: Tue, 21 Oct 2014 21:20:07 +0200 +Subject: [PATCH] Check for invalid input in encrypted buffers + +The ECB Blowfish decryption function assumed that encrypted input would +always come in blocks of 12 characters, as specified. However, buggy +clients or annoying people may not adhere to that assumption, causing +the core to crash while trying to process the invalid base64 input. + +With this commit we make sure that we're not overstepping the bounds of +the input string while decoding it; instead we bail out early and display +the original input. Fixes #1314. + +Thanks to Tucos for finding that one! +--- + src/core/cipher.cpp | 11 ++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp +index 7cc75d0..7d1fe46 100644 +--- a/src/core/cipher.cpp b/src/core/cipher.cpp +@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) + } + else + { ++// ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input ++if ((temp.length() % 12) != 0) ++return cipherText; ++ + temp = b64ToByte(temp); + while ((temp.length() % 8) != 0) temp.append('\0'); + } +@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) + if (!cipher.ok()) + return cipherText; + +-if (direction) ++if (direction) { ++// Sanity check ++if ((temp2.length() % 8) != 0) ++return cipherText; ++ + temp2 = byteToB64(temp2); ++} + + return temp2; + } +-- +1.7.10.4 + diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series --- quassel-0.10.0/debian/patches/series 2012-04-25 00:18:37.0 +0200 +++ quassel-0.10.0/debian/patches/series 2014-10-28 17:16:01.0 +0100 @@ -1,2 +1,2 @@ 01_default_network_channel.patch - +CVE-2014-8483.patch signature.asc Description: Digital signature
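Review bot: In the cipher.cpp hunk at -364, the new test in the decode branch, "if ((temp.length() % 12) != 0) return cipherText;", validates only the length, so a 12-character string made of characters outside the base64 alphabet still reaches "temp = b64ToByte(temp);". The hunk does not show how b64ToByte treats such characters; please confirm it rejects or safely ignores them, or add an alphabet check next to the length test. The following "while ((temp.length() % 8) != 0) temp.append('\0');" loop is kept; if 12 input characters always decode to 8 bytes, a comment saying the loop is now purely defensive would help the next reader.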
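Review bot: In the cipher.cpp hunk at -376, the sanity check inside "if (direction) {" fails by "return cipherText;", which hands the caller the function's unmodified input. This is the branch that runs byteToB64 on the result, the counterpart of the b64ToByte branch in the previous hunk, so it appears to be the outgoing direction, and a caller cannot tell the returned input apart from processed output. Consider signalling the failure distinctly (for example an empty QByteArray or a logged warning) and doing the same for the existing "if (!cipher.ok())" path. The comment "// Sanity check" should also say which invariant is checked (output length a multiple of 8) and why byteToB64 depends on it.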
Bug#766962: quassel: diff for NMU version 0.10.0-2.1
On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> Note that Luciano Bello is planning to release a DSA for wheezy-security too.

DSA released: https://lists.debian.org/debian-security-announce/2014/msg00251.html

Cheers, luciano