On Wed, Mar 21, 2007 at 02:37:42PM +0000, Marcin Owsiany wrote:
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
> 
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sarge-volatile  | 1:1.5+20050411-6  | 2661 only (*) | 1:1.5+20050411-8

After closer examination it turned out that 1:1.5+20050411-[56] are not
vulnerable to any of the three aforementioned issues.

However, they STILL are vulnerable to CAN-2005-2370 and CAN-2005-2448 which
were missed back in 2005 when preparing DSA-767. I guess it's better to fix
that late rather than never, so I am currently preparing 1:1.5+20050411-7 (for
sarge) and 1:1.5+20050411-8 (for sarge-volatile) to patch them up (see the
interdiff for -7 in attachment, the one for -8 will be almost the same, just
applied to -6 instead of -5).

The version in etch/sid is not vulnerable to these two.

Here is the proposed text for the advisory:


  This advisory includes corrections for two problems in the libgadu3 library
  and the ekg program, which were missing from DSA-767.
  
  Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
  error in the Gadu library. By sending specially crafted messages, a
  remote attacker could crash the application using the library.
  (CAN-2005-2370)
  
  Marcin Slusarz discovered that the Gadu library did not properly
  handle endianness conversion in some cases. This caused invalid
  behavior on big endian architectures. (CAN-2005-2448)


I guess that these fixes can be issued as an update to DSA-767 and a
debian-volatile announcement, while CVE-2007-166[345] can be covered
just by a DTSA, since the two sets of vulnerabilities are disjoint.

Waiting for an authorization to upload to sarge-security.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.5+20050411/debian/changelog ekg-1.5+20050411/debian/changelog
--- ekg-1.5+20050411/debian/changelog   2007-03-25 13:03:36.648014199 +0100
+++ ekg-1.5+20050411/debian/changelog   2007-03-26 18:19:58.626928050 +0100
@@ -1,3 +1,15 @@
+ekg (1:1.5+20050411-7) stable-security; urgency=medium
+
+  * Security upload, fixing two problems missed when preparing DSA-767:
+    - Using revision -7, as -6 was used for a sarge-volatile upload (-7 does
+      not contain any changes from -6)
+  * Fixes a memory alignment error in libgadu, which could lead to a DoS on
+    some architectures (CAN-2005-2370)
+  * Fixes endianness conversion problems, which could cause invalid behavior
+    on big endian machines (CAN-2005-2448)
+
+ -- Marcin Owsiany <[EMAIL PROTECTED]>  Mon, 26 Mar 2007 18:12:35 +0100
+
 ekg (1:1.5+20050411-5) stable-security; urgency=high
 
   * Security upload
diff -u ekg-1.5+20050411/lib/events.c ekg-1.5+20050411/lib/events.c
--- ekg-1.5+20050411/lib/events.c       2007-03-25 13:03:36.648014199 +0100
+++ ekg-1.5+20050411/lib/events.c       2007-03-26 18:20:22.224402800 +0100
@@ -173,8 +173,7 @@
        struct gg_msg_image_reply *i = (void*) p;
        struct gg_image_queue *q, *qq;
 
-       if (!p || !sess || !e)
-       {
+       if (!p || !sess || !e) {
                errno = EFAULT;
                return;
        }
@@ -313,8 +312,11 @@
                                        goto fail;
                                }
                        
-                               for (i = 0; i < count; i++, p += sizeof(uin_t))
-                                       e->event.msg.recipients[i] = 
gg_fix32(*((uint32_t*) p));
+                               for (i = 0; i < count; i++, p += 
sizeof(uint32_t)) {
+                                       uint32_t u;
+                                       memcpy(&u, p, sizeof(uint32_t));
+                                       e->event.msg.recipients[i] = 
gg_fix32(u);
+                               }
                                
                                e->event.msg.recipients_count = count;
                                
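Review bot: The loop stride on the `for` line changed from `sizeof(uin_t)` to `sizeof(uint32_t)`, but the length check that guards this loop (the `goto fail` just above, whose condition lies outside the hunk) was presumably written in terms of `count * sizeof(uin_t)`; if `uin_t` is not a 32-bit type on every supported platform the check and the stride no longer agree. Keep the two expressed with the same width, or leave a comment on the loop such as `/* wire format: count x 32-bit little-endian uin; the length check above must use this width */`. Reading each entry with `memcpy` into `u` instead of dereferencing a `uint32_t *` at an arbitrary offset is the right fix for the misaligned load this advisory is about. The enclosing switch case starts before the hunk.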
@@ -323,7 +325,7 @@
 
                        case 0x02:              /* richtext */
                        {
-                               unsigned short len;
+                               uint16_t len;
                                char *buf;
                        
                                if (p + 3 > packet_end) {
@@ -331,7 +333,8 @@
                                        goto malformed;
                                }
 
-                               len = gg_fix16(*((unsigned short*) (p + 1)));
+                               memcpy(&len, p + 1, sizeof(uint16_t));
+                               len = gg_fix16(len);
 
                                if (!(buf = malloc(len))) {
                                        gg_debug(GG_DEBUG_MISC, "// 
gg_handle_recv_msg() not enough memory for richtext data\n");
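Review bot: `len` is now read with `memcpy` and byte-swapped, but it is still a value taken straight off the wire and is passed to `malloc` two lines later without any visible check that `p + 3 + len` stays within `packet_end`; the `p + 3 > packet_end` guard above covers only the three header bytes. If that comparison exists further down (outside the hunk) this is fine; otherwise the copy into `buf` that presumably follows can read past the end of the packet. Placing the check next to the read makes it auditable: `if (len > (size_t)(packet_end - p - 3)) goto malformed;`. The richtext case continues outside the hunk.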
@@ -395,6 +398,8 @@
                                        goto malformed;
                                }
 
+                               rep->size = gg_fix32(rep->size);
+                               rep->crc32 = gg_fix32(rep->crc32);
                                gg_image_queue_parse(e, p, (unsigned 
int)(packet_end - p), sess, gg_fix32(r->sender));
 
                                return 0;
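Review bot: `rep->size` and `rep->crc32` are byte-swapped in place through `rep`, which, given the `(void*) p` casts used elsewhere in this file, looks like a struct overlaid on the receive buffer; the rest of this patch replaces exactly that kind of access with `memcpy` into a local to avoid misaligned loads and stores (CAN-2005-2370), so this hunk is inconsistent with it. It also rewrites packet bytes before `gg_image_queue_parse` is handed `p`, which is harmless only if that function never re-reads those fields. Where `rep` is derived is outside the hunk; if it is a `(void*) p` cast with no alignment guarantee, read the two fields with `memcpy` into `uint32_t` locals and pass the converted values on instead of swapping in place.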
@@ -483,7 +488,7 @@
                                goto fail;
                        }
 
-                       if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || 
gg_fix32(n->status == GG_STATUS_NOT_AVAIL_DESCR) || gg_fix32(n->status) == 
GG_STATUS_AVAIL_DESCR) {
+                       if (gg_fix32(n->status) == GG_STATUS_BUSY_DESCR || 
gg_fix32(n->status) == GG_STATUS_NOT_AVAIL_DESCR || gg_fix32(n->status) == 
GG_STATUS_AVAIL_DESCR) {
                                e->type = GG_EVENT_NOTIFY_DESCR;
                                
                                if (!(e->event.notify_descr.notify = (void*) 
malloc(sizeof(*n) * 2))) {
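Review bot: The corrected condition still evaluates `gg_fix32(n->status)` three times, which is how the misplaced parenthesis in the old line slipped through review in the first place; hoisting it into a local removes the repetition and makes the comparison read in one glance: `uint32_t status = gg_fix32(n->status);` before the `if`, then `if (status == GG_STATUS_BUSY_DESCR || status == GG_STATUS_NOT_AVAIL_DESCR || status == GG_STATUS_AVAIL_DESCR) {`. The `if` body continues outside the hunk.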
@@ -520,7 +525,7 @@
                                for (i = 0; i < count; i++) {
                                        e->event.notify[i].uin = 
gg_fix32(e->event.notify[i].uin);
                                        e->event.notify[i].status = 
gg_fix32(e->event.notify[i].status);
-                                       e->event.notify[i].remote_port = 
gg_fix16(e->event.notify[i].remote_port);              
+                                       e->event.notify[i].remote_port = 
gg_fix16(e->event.notify[i].remote_port);
                                }
                        }
 
@@ -654,8 +659,11 @@
 
                                e->event.status60.descr = buf;
 
-                               if (len > 4 && p[h->length - 5] == 0)
-                                       e->event.status60.time = *((int*) (p + 
h->length - 4));
+                               if (len > 4 && p[h->length - 5] == 0) {
+                                       uint32_t t;
+                                       memcpy(&t, p + h->length - 4, 
sizeof(uint32_t));
+                                       e->event.status60.time = gg_fix32(t);
+                               }
                        }
 
                        break;
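Review bot: The guard tests `len > 4` but the four-byte `memcpy` is positioned with `h->length - 4` (and the sentinel byte with `h->length - 5`); whether `len` and `h->length` are the same quantity is decided outside the hunk, so a reader cannot confirm from here that the read stays inside the packet. Using one variable in both the check and the offset, or a comment stating the actual relation, e.g. `/* len is derived from h->length: the time field is the packet's last 4 bytes */`, would make the bound auditable. The added `gg_fix32(t)` changes what big-endian hosts store in `status60.time`, which is the intended CAN-2005-2448 fix but deserves a mention alongside the other endianness items in the changelog entry.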
@@ -1073,7 +1081,7 @@
 
                        if ((tmp = strchr(host, ':'))) {
                                *tmp = 0;
-                               port = atoi(tmp+1);
+                               port = atoi(tmp + 1);
                        }
 
                        addr.s_addr = inet_addr(host);
@@ -1411,7 +1419,7 @@
                        
                        if (sess->external_addr && sess->external_port > 1023) {
                                l.external_ip = sess->external_addr;
-                               l.external_port = sess->external_port;
+                               l.external_port = gg_fix16(sess->external_port);
                        }
 
                        gg_debug(GG_DEBUG_TRAFFIC, "// gg_watch_fd() sending 
GG_LOGIN60 packet\n");
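Review bot: `l.external_port` is now byte-swapped for the wire while `l.external_ip` on the line above is copied unchanged; that is correct only if `sess->external_addr` is already held in network byte order (as an `in_addr_t` from `inet_addr` would be), which is decided outside the hunk. A comment on the assignment, `/* external_addr is already network order; external_port is kept in host order until here */`, would stop the next reader from "fixing" one or the other. The `> 1023` comparison on the line above is on the host-order value, which is what you want.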
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/src/commands.c        2005-03-17 17:30:29.000000000 
+0000
+++ ekg-1.5+20050411/src/commands.c     2007-03-26 18:20:22.228403050 +0100
@@ -3486,6 +3486,7 @@
 
        tmp = gg_crc32(0, image, size);
        gg_debug(GG_DEBUG_MISC, "// crc32 = 0x%.8x, size = %d\n", tmp, size);
+       tmp = gg_fix32(tmp);
        memcpy(format + 12, &tmp, 4);
        tmp = gg_fix32(size);
        memcpy(format + 8, &tmp, 4);
only in patch2:
unchanged:
--- ekg-1.5+20050411.orig/src/events.c  2005-04-09 22:08:36.000000000 +0100
+++ ekg-1.5+20050411/src/events.c       2007-03-26 18:20:22.228403050 +0100
@@ -498,7 +498,7 @@
                        if ((font & GG_FONT_IMAGE)) {
                                struct gg_msg_richtext_image *m = (void*) &p[i];
 
-                               gg_debug(GG_DEBUG_MISC, "// ekg: inline image: 
sender=%d, size=%d, crc32=%.8x\n", e->event.msg.sender, m->size, m->crc32);
+                               gg_debug(GG_DEBUG_MISC, "// ekg: inline image: 
sender=%d, size=%d, crc32=%.8x\n", e->event.msg.sender, gg_fix32(m->size), 
gg_fix32(m->crc32));
 
                                imageno++;
 
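Review bot: `m->size` and `m->crc32` are read through `struct gg_msg_richtext_image *m = (void*) &p[i]`, a struct overlaid at an arbitrary byte offset into the message, which is the same misaligned access pattern the libgadu side of this patch replaces with `memcpy` into locals; wrapping the fields in `gg_fix32()` fixes the byte order but not the alignment. Read both fields with `memcpy` into `uint32_t` locals before the `gg_debug` call and use those for any later processing of the image (which is outside the hunk). `%d` for `size` also assumes a signed 32-bit field; if it is unsigned, `%u` is the matching specifier.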
