Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-05 Thread Felix Geyer
Control: reopen -1
Control: found -1 0.11.0-1

Version 0.11.0 does *not* contain the commit that fixes this bug.
0.11.0-1 is also wrongly marked as fixed in the security tracker.

I guess now 0.10.0-2.1 has to be re-uploaded with a different version
to testing-proposed-updates.

Cheers,
Felix


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-05 Thread Salvatore Bonaccorso
Hi Felix,

On Wed, Nov 05, 2014 at 06:45:09PM +0100, Felix Geyer wrote:
> Control: reopen -1
> Control: found -1 0.11.0-1
>
> Version 0.11.0 does *not* contain the commit that fixes this bug.

Thanks for checking also this version!

> 0.11.0-1 is also wrongly marked as fixed in the security tracker.

Yes and no about the security-tracker. The CVE/bug was fixed in
0.10.0-2.1 which was superseded by 0.11.0-1 in unstable before
reaching testing. The security-tracker cannot notice that it was fixed
in 0.10.0-2.1 but would not be fixed in 0.11.0-1 (as 0.10.0-2.1 <
0.11.0-1). The security-tracker has the following entry, which now
needs an adjustment depending on the chosen approach:

CVE-2014-8483 [out-of-bounds read on a heap-allocated array]
RESERVED
{DSA-3063-1}
- quassel 0.10.0-2.1 (bug #766962)
NOTE: https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
NOTE: http://bugs.quassel-irc.org/issues/1314
- konversation unfixed
NOTE: https://bugs.kde.org/show_bug.cgi?id=210792

> I guess now 0.10.0-2.1 has to be re-uploaded with a different version
> to testing-proposed-updates.

Either that or a 1:0.10.0-2.1 upload again to unstable, and ask the
release team for an unblock of this version. I think the latter would
be preferable as it leaves more changes of updates through unstable
during the freeze complying with the freeze policy given.

Regards,
Salvatore





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-04 Thread Salvatore Bonaccorso
Hi,

On Mon, Nov 03, 2014 at 02:57:35PM +0100, Salvatore Bonaccorso wrote:
> Hi,
>
> On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> > Hi,
> >
> > I have no plans to override your NMUs - I'll prepare an upload of
> > 0.11.0 to unstable these days.
>
> Ok thanks! Please note that we are shortly before the freeze, so
> consider to upload the new upstream version to unstable.

... there was a small tiny word missing in my sentence: the not. We
currently are short before freeze, it is quite impossible that release
team will accept the new upstream version to enter jessie.

It should have been read: [...] so please consider to upload the new
upstream version to experimental.

Salvatore





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-03 Thread Thomas Müller

Thanks a lot for your support on this - very much welcome!

Thomas

-- 
Thomas Müller E-Mail: thomas.muel...@tmit.eu


On Sunday, 02.11.2014 at 22:44, Luciano Bello wrote:
> On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> > Note that Luciano Bello is planning to release a DSA for
> > wheezy-security too.
>
> DSA released:
> https://lists.debian.org/debian-security-announce/2014/msg00251.html
>
> Cheers, luciano





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-03 Thread Salvatore Bonaccorso
Hi Thomas,

Thanks for your reply. Just a question below:

On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
 
 Thanks a lot for your support on this - very much welcome!

Do you plan to override my NMU in the delayed queue? If not I would
like to move it straight to the archive from the delayed queue without
the 2 days delay.

Please let me know and thanks for your work in maintaining quassel!

Salvatore





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-03 Thread Thomas Müller
Hi,

I have no plans to override your NMUs - I'll prepare an upload of 0.11.0 to 
unstable these days.

Regards,

Thomas


On Monday, 03.11.2014 at 9:41, Salvatore Bonaccorso wrote:
> Hi Thomas,
>
> Thanks for your reply. Just a question below:
>
> On Mon, Nov 03, 2014 at 09:15:25AM +0100, Thomas Müller wrote:
> >
> > Thanks a lot for your support on this - very much welcome!
>
> Do you plan to override my NMU in the delayed queue? If not I would
> like to move it straight to the archive from the delayed queue without
> the 2 days delay.
>
> Please let me know and thanks for your work in maintaining quassel!
>
> Salvatore





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-03 Thread Salvatore Bonaccorso
Hi,

On Mon, Nov 03, 2014 at 09:46:16AM +0100, Thomas Müller wrote:
> Hi,
>
> I have no plans to override your NMUs - I'll prepare an upload of
> 0.11.0 to unstable these days.

Ok thanks! Please note that we are shortly before the freeze, so
consider to upload the new upstream version to unstable.

 [1] https://lists.debian.org/debian-devel-announce/2014/09/msg2.html
 [2] https://release.debian.org/jessie/freeze_policy.html

Regards,
Salvatore





Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-02 Thread Salvatore Bonaccorso
Control: tags 766962 + pending

Hi Thomas,

I've prepared an NMU for quassel (versioned as 0.10.0-2.1) and uploaded
it to DELAYED/2. Please feel free to tell me if I should delay it
longer. Note that Luciano Bello is planning to release a DSA for
wheezy-security too.

Regards,
Salvatore
diff -Nru quassel-0.10.0/debian/changelog quassel-0.10.0/debian/changelog
--- quassel-0.10.0/debian/changelog	2014-07-04 17:15:24.0 +0200
+++ quassel-0.10.0/debian/changelog	2014-11-02 19:11:20.0 +0100
@@ -1,3 +1,12 @@
+quassel (0.10.0-2.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Add CVE-2014-8483.patch patch.
+CVE-2014-8483: out-of-bounds read in ECB Blowfish decryption.
+(Closes: #766962)
+
+ -- Salvatore Bonaccorso car...@debian.org  Sun, 02 Nov 2014 19:10:58 +0100
+
 quassel (0.10.0-2) unstable; urgency=low
 
   * Fixing security issue where quassel core certificate is 
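Review bot: the two continuation lines under `* Add CVE-2014-8483.patch patch.` ("CVE-2014-8483: out-of-bounds read ..." and "(Closes: #766962)") appear here with no leading whitespace, while debian/changelog detail lines need at least two spaces of indentation; confirm they are aligned under the bullet text in the actual file so the Closes: line is parsed as part of this entry. The entry would also be easier to trace if it named the upstream commit 8b5ecd2 that the patch is taken from.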
diff -Nru quassel-0.10.0/debian/patches/CVE-2014-8483.patch quassel-0.10.0/debian/patches/CVE-2014-8483.patch
--- quassel-0.10.0/debian/patches/CVE-2014-8483.patch	1970-01-01 01:00:00.0 +0100
+++ quassel-0.10.0/debian/patches/CVE-2014-8483.patch	2014-10-28 17:03:58.0 +0100
@@ -0,0 +1,52 @@
+From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
+From: Manuel Nickschas sputn...@quassel-irc.org
+Date: Tue, 21 Oct 2014 21:20:07 +0200
+Subject: [PATCH] Check for invalid input in encrypted buffers
+
+The ECB Blowfish decryption function assumed that encrypted input would
+always come in blocks of 12 characters, as specified. However, buggy
+clients or annoying people may not adhere to that assumption, causing
+the core to crash while trying to process the invalid base64 input.
+
+With this commit we make sure that we're not overstepping the bounds of
+the input string while decoding it; instead we bail out early and display
+the original input. Fixes #1314.
+
+Thanks to Tucos for finding that one!
+---
+ src/core/cipher.cpp |   11 ++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
+index 7cc75d0..7d1fe46 100644
+--- a/src/core/cipher.cpp
 b/src/core/cipher.cpp
+@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+ }
+ else
+ {
++// ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++if ((temp.length() % 12) != 0)
++return cipherText;
++
+ temp = b64ToByte(temp);
+ while ((temp.length() % 8) != 0) temp.append('\0');
+ }
+@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
+ if (!cipher.ok())
+ return cipherText;
+ 
+-if (direction)
++if (direction) {
++// Sanity check
++if ((temp2.length() % 8) != 0)
++return cipherText;
++
+ temp2 = byteToB64(temp2);
++}
+ 
+ return temp2;
+ }
+-- 
+1.7.10.4
+
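Review bot: both new length checks sit in blowfishECB, at `if ((temp.length() % 12) != 0)` before b64ToByte and at `if ((temp2.length() % 8) != 0)` before byteToB64, so the helpers that actually walk the buffer still trust their callers. Consider moving or duplicating the block-size check inside b64ToByte and byteToB64 so any other call site is covered too. The first check also constrains length only; the helper bodies are not in this diff, so it is worth confirming that a 12-character block containing characters outside the expected alphabet, and an empty input (which passes the `% 12` test), are handled safely there. A regression test feeding a string whose length is not a multiple of 12 would pin the new behaviour of returning the original input.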
diff -Nru quassel-0.10.0/debian/patches/series quassel-0.10.0/debian/patches/series
--- quassel-0.10.0/debian/patches/series	2012-04-25 00:18:37.0 +0200
+++ quassel-0.10.0/debian/patches/series	2014-10-28 17:16:01.0 +0100
@@ -1,2 +1,2 @@
 01_default_network_channel.patch
-
+CVE-2014-8483.patch




Bug#766962: quassel: diff for NMU version 0.10.0-2.1

2014-11-02 Thread Luciano Bello
On Sunday 02 November 2014 19.35.34 Salvatore Bonaccorso wrote:
> Note that Luciano Bello is planning to release a DSA for
> wheezy-security too.

DSA released: 
https://lists.debian.org/debian-security-announce/2014/msg00251.html

Cheers, luciano
