diff -u pioneers-0.10.2/debian/changelog pioneers-0.10.2/debian/changelog
--- pioneers-0.10.2/debian/changelog
+++ pioneers-0.10.2/debian/changelog
@@ -1,3 +1,15 @@
+pioneers (0.10.2-3ubuntu1.7.04) feisty-security; urgency=low
+
+ * SECURITY UPDATE: Denial of service by triggering delete operation on
+ server while Session is in use. (LP: #163056)
+ * debian/patches/CVE-2007-{5933,6010}.dpatch: Check that the session is
+ unused before freeing it. Patch from upstream.
+ * References
+ CVE-2007-5933
+ CVE-2007-6010
+
+ -- William Grant Tue, 27 Nov 2007 20:21:13 +1100
+
 pioneers (0.10.2-3ubuntu1) feisty; urgency=low

 * Merge from debian unstable, remaining changes:
diff -u pioneers-0.10.2/debian/patches/00list pioneers-0.10.2/debian/patches/00list
--- pioneers-0.10.2/debian/patches/00list
+++ pioneers-0.10.2/debian/patches/00list
@@ -1,0 +2,2 @@
+CVE-2007-5933.dpatch
+CVE-2007-6010.dpatch
only in patch2: unchanged:
--- pioneers-0.10.2.orig/debian/patches/CVE-2007-5933.dpatch
+++ pioneers-0.10.2/debian/patches/CVE-2007-5933.dpatch
@@ -0,0 +1,98 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-5933.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream fix for CVE-2007-6933.
+
+@DPATCH@
+diff -urNad pioneers-0.10.2~/common/network.c pioneers-0.10.2/common/network.c
+--- pioneers-0.10.2~/common/network.c 2006-09-17 05:27:32.000000000 +1000
++++ pioneers-0.10.2/common/network.c 2007-11-27 19:42:13.000000000 +1100
+@@ -152,7 +152,7 @@
+ ses->notify_func(event, ses->user_data, line);
+ }
+
+-void net_close(Session * ses)
++gboolean net_close(Session * ses)
+ {
+ if (ses->timer_id != 0) {
+ g_source_remove(ses->timer_id);
+@@ -173,6 +173,7 @@
+ g_free(data);
+ }
+ }
++ return !ses->entered;
+ }
+
+ void net_close_when_flushed(Session * ses)
+@@ -181,8 +182,8 @@
+ if (ses->write_queue != NULL)
+ return;
+
+- net_close(ses);
+- notify(ses, NET_CLOSE, NULL);
++ if (net_close(ses))
++ notify(ses, NET_CLOSE, NULL);
+ }
+
+ void net_wait_for_close(Session * ses)
+@@ -192,8 +193,8 @@
+
+ static void close_and_callback(Session * ses)
+ {
+- net_close(ses);
+- notify(ses, NET_CLOSE, NULL);
++ if (net_close(ses))
++ notify(ses, NET_CLOSE, NULL);
+ }
+
+ static gboolean ping_function(gpointer s)
+@@ -442,6 +443,9 @@
+ ses->read_len = 0;
+
+ ses->entered = FALSE;
++ if (ses->fd < 0) {
++ close_and_callback(ses);
++ }
+ }
+
+ Session *net_new(NetNotifyFunc notify_func, void *user_data)
+@@ -620,7 +624,10 @@
+ /* Free and NULL-ity the session *ses */
+ void net_free(Session ** ses)
+ {
+- net_close(*ses);
++ /* If the sessions is still in use, do not free it */
++ if (!net_close(*ses)) {
++ return;
++ }
+
+ if ((*ses)->host != NULL)
+ g_free((*ses)->host);
+diff -urNad pioneers-0.10.2~/common/network.h pioneers-0.10.2/common/network.h
+--- pioneers-0.10.2~/common/network.h 2006-09-17 05:27:32.000000000 +1000
++++ pioneers-0.10.2/common/network.h 2007-11-27 19:41:39.000000000 +1100
+@@ -103,7 +103,11 @@
+ */
+ gint net_accept(gint accept_fd,
gchar ** error_message);
+
+-void net_close(Session * ses);
++/** Close a session
++ * @param ses The session to close
++ * @return TRUE if the session can be removed
++ */
++gboolean net_close(Session * ses);
+ void net_close_when_flushed(Session * ses);
+ void net_wait_for_close(Session * ses);
+ void net_printf(Session * ses, const gchar * fmt, ...);
+diff -urNad pioneers-0.10.2~/common/state.c pioneers-0.10.2/common/state.c
+--- pioneers-0.10.2~/common/state.c 2006-09-17 05:27:32.000000000 +1000
++++ pioneers-0.10.2/common/state.c 2007-11-27 19:41:39.000000000 +1100
+@@ -661,6 +661,7 @@
+ {
+ if (sm->ses != NULL) {
+ net_free(&(sm->ses));
++ g_return_if_fail(sm->ses == NULL);
+ }
+ if (sm->use_count > 0)
+ sm->is_dead = TRUE;
only in patch2: unchanged:
--- pioneers-0.10.2.orig/debian/patches/CVE-2007-6010.dpatch
+++ pioneers-0.10.2/debian/patches/CVE-2007-6010.dpatch
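Review bot: The `g_return_if_fail(sm->ses == NULL);` added to state.c at the end of this dpatch is a GLib programmer-error assertion, not a control-flow guard: it compiles to nothing when G_DISABLE_CHECKS is defined, and in such a build a session that `net_free` declined to release (the new early `return` when `net_close` reports it still entered) would no longer stop the enclosing function from continuing. An explicit `if (sm->ses != NULL) return;` keeps that protection independent of build flags; the enclosing function starts and ends outside the hunk, so whether the early return also skips the `is_dead` marking or leaks the StateMachine cannot be judged from here. Separately, the `## DP:` description line names CVE-2007-6933, which matches neither the file name nor the changelog entry (CVE-2007-5933) and looks like a typo.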
@@ -0,0 +1,57 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-6010.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Slightly cleaned up upstream patch for CVE-2007-6010.
+
+@DPATCH@
+diff -urNad pioneers-0.10.2~/common/state.c pioneers-0.10.2/common/state.c
+--- pioneers-0.10.2~/common/state.c 2006-09-17 05:27:32.000000000 +1000
++++ pioneers-0.10.2/common/state.c 2007-11-27 19:47:35.000000000 +1100
+@@ -68,10 +68,12 @@
+
+ static void route_event(StateMachine * sm, gint event)
+ {
+- StateFunc curr_state;
++ StateFunc curr_state = NULL;
+ gpointer user_data;
+
+- curr_state = sm_current(sm);
++ if (sm->stack_ptr >= 0)
++ curr_state = sm_current(sm);
++
+ user_data = sm->user_data;
+ if (user_data == NULL)
+ user_data = sm;
+@@ -89,16 +91,18 @@
+
+ switch (event) {
+ case SM_ENTER:
+- curr_state(user_data, event);
++ if (curr_state)
++ curr_state(user_data, event);
+ break;
+ case SM_INIT:
+- curr_state(user_data, event);
++ if (curr_state)
++ curr_state(user_data, event);
+ if (!sm->is_dead && sm->global !=NULL)
+ sm->global (user_data, event);
+ break;
+ case SM_RECV:
+ sm_cancel_prefix(sm);
+- if (curr_state(user_data, event))
++ if (curr_state && curr_state(user_data, event))
+ break;
+ sm_cancel_prefix(sm);
+ if (!sm->is_dead
+@@ -112,7 +116,8 @@
+ case SM_NET_CLOSE:
+ net_free(&(sm->ses));
+ default:
+- curr_state(user_data, event);
++ if (curr_state)
++ curr_state(user_data, event);
+ if (!sm->is_dead && sm->global !=NULL)
+ sm->global (user_data, event);
+ break;
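Review bot: `case SM_NET_CLOSE:` still drops into `default:` with no fall-through marker, and on that path `net_free(&(sm->ses))` is followed by the newly guarded `curr_state`/`sm->global` calls on the same machine; since the companion CVE-2007-5933 patch in this upload makes `net_free` return without clearing `*ses` when the session is still in use, a comment at the `default:` label would spare the next reader a re-derivation, e.g. `/* fall through: SM_NET_CLOSE is also delivered to the state handlers; sm->ses may still be set if the session was in use */`. The new `if (sm->stack_ptr >= 0)` guard likewise deserves a one-line why-comment — presumably the stack can be empty once the machine is being torn down while an event is still in flight, which is worth confirming against sm_current before writing it down. route_event continues past the last line of the hunk.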