Your message dated Sun, 22 Apr 2007 16:47:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#418662: fixed in mixmaster 3.0b2-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: mixmaster
Version: 3.0b2-4
Severity: important

In function mix2_decrypt() in rem2.c, the value of a local variable changes
without direct assignment, leading to a segfault further down when its
associated buffer is accessed. The affected variable differed sometimes after
I added debug code, while the value it was changed to and data at that
location stayed the same.

In most cases I saw the value of dec change between line 176

  dec = buf_new();

dec = 0x80B83C8
(value of dec->data lost in transcription but it was different from below)
dec->length = 0
dec->size = 128

and line 201

  buf_get(m, dec, 328);

with only a few buffer operations in between.

dec = 0x80B8300
dec->data = 0x80B8278
dec->length = 134971984 (0x80B8250)
dec->size = 29793

The interesting values are length, which looks like a pointer, and size, which
is about the size of a mixmaster message. The paranoid might think this was a
crafted message to overwrite important pointers but I have found no further
evidence.

This buffer structure at 0x80B8300 then gets overwritten by a memcpy of
328 bytes from the incoming message to dec->data at 0x80B8278, leading to a
segfault when buf_append() tries to write a zero byte to dec->data+length.

I recompiled with gcc-3.4 and mixmaster didn't crash yet.


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages mixmaster depends on:
ii  adduser                     3.102        Add and remove users and groups
ii  debconf [debconf-2.0]       1.5.11       Debian configuration management sy
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libmailtools-perl           1.74-1       Manipulate email in perl programs
ii  libncurses5                 5.5-5        Shared libraries for terminal hand
ii  libpcre3                    6.7-1        Perl 5 Compatible Regular Expressi
ii  libssl0.9.8                 0.9.8c-4     SSL shared libraries
ii  libwww-perl                 5.805-1      WWW client/server library for Perl
ii  zlib1g                      1:1.2.3-13   compression library - runtime

Versions of packages mixmaster recommends:
ii  exim4-daemon-custom [mail- 4.50-8sarge2a custom exim MTA (v4) daemon with l

-- debconf information excluded


--- End Message ---
--- Begin Message ---
Source: mixmaster
Source-Version: 3.0b2-5

We believe that the bug you reported is fixed in the latest version of
mixmaster, which is due to be installed in the Debian FTP archive:

mixmaster_3.0b2-5.diff.gz
  to pool/main/m/mixmaster/mixmaster_3.0b2-5.diff.gz
mixmaster_3.0b2-5.dsc
  to pool/main/m/mixmaster/mixmaster_3.0b2-5.dsc
mixmaster_3.0b2-5_i386.deb
  to pool/main/m/mixmaster/mixmaster_3.0b2-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Palfrader <[EMAIL PROTECTED]> (supplier of updated mixmaster package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


Format: 1.7
Date: Sun, 22 Apr 2007 17:43:13 +0200
Source: mixmaster
Binary: mixmaster
Architecture: source i386
Version: 3.0b2-5
Distribution: unstable
Urgency: high
Maintainer: Peter Palfrader <[EMAIL PROTECTED]>
Changed-By: Peter Palfrader <[EMAIL PROTECTED]>
Description: 
 mixmaster  - Anonymous remailer client and server
Closes: 418662
Changes: 
 mixmaster (3.0b2-5) unstable; urgency=high
 .
   * Backport a fix from upstream:
     In two functions in keymgt.c we had allocated a buffer of 33 bytes
     when in fact we were using one more - 34 - bytes.  This buffer
     overflow is exposed when building with gcc 4.x, it never was exposed
     with previous compilers because they apparently laid out the stack
     differently.
     The result of this buffer overflow is that a single 0-byte will be
     written at the end of the buffer.  At that position on the stack
     there is (at least in the previous build) a saved local variable
     from a calling function.  This local variable is a pointer to a
     BUFFER struct and this pointer has its least significant byte
     set to zero.
     This prevents mixmaster from properly decrypting incoming type2
     messages.  It's not likely that this can be exploited to execute
     arbitrary code, though evidence or argument to the contrary is of course
     welcome.
     Upstream patch:
     http://svn.noreply.org/cgi-bin/viewcvs.cgi/trunk/Mix/Src/keymgt.c?rev=929&r1=766&r2=929
     Closes: #418662
     Thanks to Hauke Lampe and Colin Tuckley.
Files: 
 6558808af48df07efac1b02bfe1698d5 647 mail optional mixmaster_3.0b2-5.dsc
 b2d18e56d41357edd917534496598dcd 36921 mail optional mixmaster_3.0b2-5.diff.gz
 122c21342a39ea051b1ebe7ba3e010d5 241778 mail optional mixmaster_3.0b2-5_i386.deb


--- End Message ---

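The off-by-one the changelog describes, as an added C example that is not mixmaster's code (KEYBUF_LEN is a hypothetical name for the 33-byte buffer): a length-checked copy that refuses when the terminator would be the 34th byte into a 33-byte buffer, and a check that zeroing the low byte of a pointer turns the bug report's observed 0x80B83C8 into its observed 0x80B8300.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mixmaster's code. It models the off-by-one the changelog
 * describes: a 33-byte buffer that receives 33 characters plus the NUL terminator.
 * KEYBUF_LEN is a hypothetical name for that buffer size. */
#define KEYBUF_LEN 33

/* A C string of n characters needs n + 1 bytes: one for the terminator. */
static size_t needed_for_string(size_t n) { return n + 1; }

/* Checked copy: stores src (n bytes) plus a NUL in dst only if dst can hold both.
 * Returns 1 on success and 0 when the write would run one byte past dst. */
static int copy_cstring_checked(char *dst, size_t dstsize, const char *src, size_t n)
{
    if (dstsize < needed_for_string(n))
        return 0;                 /* refuse instead of overflowing by one byte */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* The stray NUL lands on the first byte of a saved pointer; on little-endian i386
 * that is the least significant byte, so the pointer is rounded down to a
 * 256-byte boundary. */
static uintptr_t clobber_low_byte(uintptr_t p) { return p & ~(uintptr_t)0xFF; }
/* The bug report saw dec change from 0x80B83C8 to 0x80B8300; check that the
 * changelog's explanation reproduces the observed value. */
static int report_matches_lsb_zeroing(void)
{
    return clobber_low_byte(0x80B83C8u) == 0x80B8300u;
}
int main(void)
{
    char key[KEYBUF_LEN + 1];       /* the corrected size: 34 bytes */
    char too_small[KEYBUF_LEN];     /* the original size: 33 bytes */
    char data[KEYBUF_LEN + 1];
    memset(data, 'a', KEYBUF_LEN);  /* constructed 33-character input */
    data[KEYBUF_LEN] = '\0';
    printf("33 chars into 33 bytes: %s\n",
           copy_cstring_checked(too_small, sizeof too_small, data, KEYBUF_LEN) ? "ok" : "refused");
    printf("33 chars into 34 bytes: %s\n",
           copy_cstring_checked(key, sizeof key, data, KEYBUF_LEN) ? "ok" : "refused");
    printf("pointer 0x80B83C8 with low byte zeroed: 0x%lX\n",
           (unsigned long)clobber_low_byte(0x80B83C8u));
    return 0;
}
```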