On Wed, Mar 21, 2007 at 02:37:42PM +0000, Marcin Owsiany wrote:
> The following low/medium severity security issues have recently been
> identified in ekg. (The numbers are cvsps patchsets which fixed the
> problem in upstream CVS.)
> 
> 2661: A memory leak in handling image messages, which may cause memory
> exhaustion resulting in a DoS (ekg program crash). Exploitable by a
> hostile GG user.
> 
> 2694: off-by-one in token OCR function, which may cause a null pointer
> dereference resulting in a DoS (ekg program crash). Exploitable by MiTM
> (hostile HTTP proxy or TCP stream injection) or a hostile GG server.
> 
> 2699: potential memory exhaust in token OCR function, which may cause
> memory exhaustion resulting in a DoS (ekg program crash). Exploitability
> same as in 2694.
> 
> ----------------+-------------------+---------------+-----------------------------
> Dist            | Contains version  | Vulnerable to | Version (to be) fixed in
> ----------------+-------------------+---------------+-----------------------------
> UPSTREAM        | 1.7-RC2           | ALL           | 1.7-RC3 (already released)
> sarge           | 1:1.5+20050411-5  | 2661 only (*) | 1:1.5+20050411-7
> sid,etch        | 1:1.7~rc2-1       | ALL           | 1:1.7~rc2+1-1

Em, the "version to be fixed in" for sid/etch is wrong. There will be no
upstream tarball change, so I need just to change the debian revision.

I would like to use 1:1.7~rc2-2 and upload to unstable with
urgency=high.  Then, if the release team would let this propagate to
frozen, we would have a single upload taking care of both sid and etch
(there would be no other changes - see proposed interdiff attached).

Please let me know if this is acceptable.

If not, please let me know what target distribution I should use to put
the fixes into etch.

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
diff -u ekg-1.7~rc2/debian/changelog ekg-1.7~rc2/debian/changelog
--- ekg-1.7~rc2/debian/changelog        2006-08-27 13:21:14.268465000 +0100
+++ ekg-1.7~rc2/debian/changelog        2007-03-25 12:24:40.326003199 +0100
@@ -1,3 +1,21 @@
+ekg (1:1.7~rc2-2) unstable; urgency=high
+
+  * Patched three medium severity security issues in src/events.c (no other
+    changes):
+    - CVE-2007-1663 A memory leak in handling image messages, which may cause
+      memory exhaustion resulting in a DoS (ekg program crash). Exploitable by
+      a hostile GG user.
+    - CVE-2007-1664 off-by-one in token OCR function, which may cause a null
+      pointer dereference resulting in a DoS (ekg program crash). Exploitable
+      by MiTM (hostile HTTP proxy or TCP stream injection) or a hostile GG
+      server.
+    - CVE-2007-1665 potential memory exhaust in token OCR function, which may
+      cause memory exhaustion resulting in a DoS (ekg program crash).
+      Exploitable by MiTM (hostile HTTP proxy or TCP stream injection) or a
+      hostile GG server.
+
+ -- Marcin Owsiany <[EMAIL PROTECTED]>  Sun, 25 Mar 2007 12:22:07 +0100
+
 ekg (1:1.7~rc2-1) unstable; urgency=low
 
   * New upstream release candidate
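Review bot: the changelog entry rates all three issues "medium severity" while the quoted announcement calls them "low/medium"; align the wording with the advisory. Recording the upstream cvsps patchset numbers (2661, 2694, 2699) next to the CVE ids would also let readers cross-check the fix against upstream CVS, since the entry otherwise only says "src/events.c (no other changes)".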
only in patch2:
unchanged:
--- ekg-1.7~rc2.orig/src/events.c       2006-08-24 19:57:55.000000000 +0100
+++ ekg-1.7~rc2/src/events.c    2007-03-25 12:22:01.744092449 +0100
@@ -522,8 +522,10 @@
                }
 
                /* ignorujemy wiadomości bez treści zawierające jedynie 
obrazek(ki) */
-               if (config_ignore_empty_msg && imageno && 
strlen(e->event.msg.message) == 0)
+               if (config_ignore_empty_msg && imageno && 
strlen(e->event.msg.message) == 0) {
+                       list_destroy(images, 1);
                        return;
+               }
        }
 
 #ifdef HAVE_OPENSSL
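Review bot: the new `list_destroy(images, 1)` before `return` in the `config_ignore_empty_msg` branch is the first of several identical two-line epilogues in this patch; a single cleanup label reached with `goto` would make the leak fix harder to regress when another early return is added later. This branch is guarded by `imageno`, so `images` is known to be populated here; the later returns do not carry that guard and need the same guarantee checked.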
@@ -567,6 +569,7 @@
 
        switch (python_handle_result) {
                case 0:
+                       list_destroy(images, 1);
                        return;
                case 2:
                        hide = 1;
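Review bot: only `case 0` of the `python_handle_result` switch gets the `list_destroy(images, 1)`; `case 2` sets `hide = 1` and continues, so whether `images` is eventually released on the non-returning path is not visible in this hunk and should be confirmed, otherwise the leak the changelog describes persists for every message that is actually delivered.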
@@ -586,6 +589,7 @@
                        config_last_sysmsg_changed = 1;
                }
 
+               list_destroy(images, 1);
                return;
        }
        
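Review bot: the `list_destroy(images, 1)` inserted before the `return` at the end of the `config_last_sysmsg_changed` block is correct for this path, but the hunk gives no context on what `images` holds when the message carried no image (`imageno == 0`); either state in a comment that `list_destroy` tolerates an empty list or guard the call on `imageno`, so a reader does not have to trace back to the declaration to trust it.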
@@ -594,14 +598,17 @@
                        e->event.msg.sender, e->event.msg.recipients,
                        e->event.msg.recipients_count, 0);
 
-               if (c && c->ignore)
+               if (c && c->ignore) {
+                       list_destroy(images, 1);
                        return;
+               }
        }
 
        if ((!u && config_ignore_unknown_sender) || 
ignored_check(e->event.msg.sender) & IGNORE_MSG) {
                if (config_log_ignored)
                        put_log(e->event.msg.sender, "%sign,%ld,%s,%s,%s,%s\n", 
(chat) ? "chatrecv" : "msgrecv", e->event.msg.sender, ((u && u->display) ? 
u->display : ""), log_timestamp(time(NULL)), log_timestamp(e->event.msg.time), 
e->event.msg.message);
 
+               list_destroy(images, 1);
                return;
        }
 
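Review bot: in the ignored-sender branch the `list_destroy(images, 1)` is placed after the `put_log()` call, yet the log line is built from `e->event.msg.message` only, so `images` is already unused at the top of the block; releasing it before the `config_log_ignored` check would keep the free adjacent to the decision to drop the message and mirror the `c && c->ignore` branch above. With five copies of the same release-and-return now in the function, a cleanup label would also guarantee no remaining return path is missed.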
@@ -1513,6 +1520,11 @@
                goto err2;
        }
 
+       if (file->SWidth <= 0 || file->SWidth > 1024 || file->SHeight <= 0 || 
file->SHeight > 1024) {
+               snprintf(errbuf, sizeof(errbuf), "Invalid image size: %d,%d", 
file->SWidth, file->SHeight);
+               goto err3;
+       }
+
        if (DGifSlurp(file) != GIF_OK) {
                snprintf (errbuf, sizeof(errbuf), "DGifSlurp(): %d", 
GifLastError());
                goto err3;
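Review bot: the new bounds check rejects `SWidth`/`SHeight` outside 1..1024 before `DGifSlurp()`, which caps the pixel allocation, but 1024 is a bare literal in both conditions; give it a named constant (for example a `TOKEN_MAX_DIM` macro, name suggested here) and comment why that ceiling fits token images. `SWidth`/`SHeight` are the GIF logical-screen dimensions, so if the OCR code later sizes buffers from the image descriptor rather than the screen, the same check should be applied to those values after the slurp.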
@@ -1735,7 +1747,7 @@
        int cur_char = 0;       /* Kolejny znaczek z chars[]. */
 
        memset (mappings, 0, sizeof(mappings));
-       buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1));
+       buf = bptr = (char *) xmalloc(token->sx * (token->sy + 1) + 1);
 
 #ifdef TOKEN_GIF_PAL
        for (i = 0; i < token->sx * token->sy; i++) {
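Review bot: the `+ 1` on the `xmalloc()` size in this hunk fixes the off-by-one (the CVE-2007-1664 entry in the changelog), but nothing explains the layout that makes `token->sx * (token->sy + 1) + 1` the right size; add a comment stating how many bytes are written through `bptr` (presumably `sx` characters per row, `sy + 1` rows, then a terminating NUL) so the expression can be checked against the write loop without re-deriving it. Provided `token->sx`/`token->sy` derive from the `SWidth`/`SHeight` values bounded earlier in the patch, the multiplication cannot overflow; that link is worth confirming since it is not visible here.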
