diff -u libotr-3.2.0/debian/control libotr-3.2.0/debian/control --- libotr-3.2.0/debian/control +++ libotr-3.2.0/debian/control @@ -1,7 +1,8 @@ Source: libotr Section: libs Priority: optional -Maintainer: Thibaut VARENE +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Thibaut VARENE Build-Depends: debhelper (>= 4.0.0), libgpg-error-dev (>= 1.0), libgcrypt11-dev (>= 1.2.0), autotools-dev Standards-Version: 3.8.3 diff -u libotr-3.2.0/debian/changelog libotr-3.2.0/debian/changelog --- libotr-3.2.0/debian/changelog +++ libotr-3.2.0/debian/changelog @@ -1,3 +1,14 @@ +libotr (3.2.0-2.1ubuntu0.1) oneiric-security; urgency=low + + * SECURITY UPDATE: multiple heap-based buffer overflows (LP: #1034623) + - src/b64.c, src/b64.h, src/proto.c, toolkit/parse.c: + apply upstream git commits b17232f86f8e60d0d22caf9a2400494d3c77da58, + 6d4ca89cf1d3c9a8aff696c3a846ac5a51f762c1 and + 1902baee5d4b056850274ed0fa8c2409f1187435 + - CVE-2012-3461 + + -- Felix Geyer Thu, 09 Aug 2012 15:30:03 +0200 + libotr (3.2.0-2.1) unstable; urgency=low * Non-maintainer upload. only in patch2: unchanged: --- libotr-3.2.0.orig/ChangeLog +++ libotr-3.2.0/ChangeLog @@ -1,3 +1,15 @@ +2012-07-19 + + * src/b64.[ch], src/proto.c: Clean up the previous b64 patch + and apply it to all places where otrl_base64_decode() is called. + +2012-07-17 + + * src/b64.c: Use ceil instead of floor to compute the size + of the data buffer. This prevents a one-byte heap buffer + overflow. Thanks to Justin Ferguson + for the report. + 2008-06-15: * README: Release version 3.2.0. only in patch2: unchanged: --- libotr-3.2.0.orig/toolkit/parse.c +++ libotr-3.2.0/toolkit/parse.c @@ -64,7 +64,8 @@ { const char *header, *footer; unsigned char *raw; - + size_t rawlen; + /* Find the header */ header = strstr(msg, "?OTR:"); if (!header) return NULL; @@ -75,8 +76,10 @@ footer = strchr(header, '.'); if (!footer) footer = header + strlen(header); - raw = malloc((footer-header) / 4 * 3); - if (raw == NULL && (footer-header >= 4)) return NULL; + rawlen = OTRL_B64_MAX_DECODED_SIZE(footer-header); + + raw = malloc(rawlen); + if (raw == NULL && rawlen > 0) return NULL; *lenp = otrl_base64_decode(raw, header, footer-header); return raw; only in patch2: unchanged: --- libotr-3.2.0.orig/src/b64.c +++ libotr-3.2.0/src/b64.c @@ -55,7 +55,7 @@ \******************************************************************* */ /* system headers */ -#include +#include #include /* libotr headers */ @@ -147,8 +147,9 @@ * base64 decode data. Skip non-base64 chars, and terminate at the * first '=', or the end of the buffer. * - * The buffer data must contain at least (base64len / 4) * 3 bytes of - * space. This function will return the number of bytes actually used. + * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes + * of space. This function will return the number of bytes actually + * used. */ size_t otrl_base64_decode(unsigned char *data, const char *base64data, size_t base64len) @@ -234,13 +235,18 @@ return -2; } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { return -1; } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ *bufp = rawmsg; *lenp = rawlen; only in patch2: unchanged: --- libotr-3.2.0.orig/src/b64.h +++ libotr-3.2.0/src/b64.h @@ -20,6 +20,19 @@ #ifndef __B64_H__ #define __B64_H__ +#include + +/* Base64 encodes blocks of this many bytes: */ +#define OTRL_B64_DECODED_LEN 3 +/* into blocks of this many bytes: */ +#define OTRL_B64_ENCODED_LEN 4 + +/* An encoded block of length encoded_len can turn into a maximum of + * this many decoded bytes: */ +#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \ + (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \ + * OTRL_B64_DECODED_LEN) + /* * base64 encode data. Insert no linebreaks or whitespace. * @@ -33,8 +46,9 @@ * base64 decode data. Skip non-base64 chars, and terminate at the * first '=', or the end of the buffer. * - * The buffer data must contain at least (base64len / 4) * 3 bytes of - * space. This function will return the number of bytes actually used. + * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes + * of space. This function will return the number of bytes actually + * used. */ size_t otrl_base64_decode(unsigned char *data, const char *base64data, size_t base64len); only in patch2: unchanged: --- libotr-3.2.0.orig/src/proto.c +++ libotr-3.2.0/src/proto.c @@ -537,13 +537,17 @@ msglen = strlen(otrtag); } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { return gcry_error(GPG_ERR_ENOMEM); } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ bufp = rawmsg; lenp = rawlen; @@ -606,14 +610,18 @@ msglen = strlen(otrtag); } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { err = gcry_error(GPG_ERR_ENOMEM); goto err; } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ bufp = rawmsg; lenp = rawlen;