Update to 3.2.1.
(This is a security release, but pkgsrc already had patches from upstream.)

This version corrects two heap overflows reported by our users:
- A small write overflow, reported by Justin Ferguson
- A large read overflow, reported by Ben Hawkes
parent
0746893e91
commit
72c9067193
6 changed files with 7 additions and 165 deletions
|
@ -1,8 +1,7 @@
|
|||
# $NetBSD: Makefile,v 1.11 2012/08/09 10:06:46 drochner Exp $
|
||||
# $NetBSD: Makefile,v 1.12 2012/08/14 22:08:09 gdt Exp $
|
||||
|
||||
VERSION= 3.2.0
|
||||
VERSION= 3.2.1
|
||||
DISTNAME= libotr-${VERSION}
|
||||
PKGREVISION= 2
|
||||
CATEGORIES= chat security
|
||||
MASTER_SITES= http://www.cypherpunks.ca/otr/
|
||||
|
||||
|
@ -10,6 +9,7 @@ MAINTAINER= nathanw@NetBSD.org
|
|||
# also gdt@NetBSD.org
|
||||
HOMEPAGE= http://www.cypherpunks.ca/otr/
|
||||
COMMENT= Library for Off-The-Record encrypted messaging
|
||||
LICENSE= gnu-gpl-v2
|
||||
|
||||
PKG_DESTDIR_SUPPORT= user-destdir
|
||||
|
||||
|
|
|
@ -1,9 +1,5 @@
|
|||
$NetBSD: distinfo,v 1.7 2012/08/09 10:06:47 drochner Exp $
|
||||
$NetBSD: distinfo,v 1.8 2012/08/14 22:08:09 gdt Exp $
|
||||
|
||||
SHA1 (libotr-3.2.0.tar.gz) = e5e10b8ddaf59b0ada6046d156d0431cd2790db9
|
||||
RMD160 (libotr-3.2.0.tar.gz) = 937f512415eb3b82d5730b1aafbe5d55f4f153da
|
||||
Size (libotr-3.2.0.tar.gz) = 430299 bytes
|
||||
SHA1 (patch-CVE-2012-3461-aa) = f1faa1e43da256d44194817aeb59b3e92ddaffb2
|
||||
SHA1 (patch-CVE-2012-3461-ab) = 2827193d1cd440700f09cd7312ec9954a81aea11
|
||||
SHA1 (patch-CVE-2012-3461-ac) = abbecb337f3a7109b4a41debb2109528c64e22a0
|
||||
SHA1 (patch-CVE-2012-3461-ad) = 13edba7d8f16fc122ce2fd4fb2579e7e70056d5a
|
||||
SHA1 (libotr-3.2.1.tar.gz) = 898bf00d019f49ca34cd0116dd2e22685c67c394
|
||||
RMD160 (libotr-3.2.1.tar.gz) = 07deab0a7f63680e44c3a631666b9b4a21bd66cf
|
||||
Size (libotr-3.2.1.tar.gz) = 414684 bytes
|
||||
|
|
|
@ -1,46 +0,0 @@
|
|||
$NetBSD: patch-CVE-2012-3461-aa,v 1.1 2012/08/09 10:06:47 drochner Exp $
|
||||
|
||||
--- src/b64.c.orig 2008-05-27 12:35:28.000000000 +0000
|
||||
+++ src/b64.c
|
||||
@@ -55,7 +55,7 @@ VERSION HISTORY:
|
||||
\******************************************************************* */
|
||||
|
||||
/* system headers */
|
||||
-#include <stdlib.h>
|
||||
+#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
/* libotr headers */
|
||||
@@ -147,8 +147,9 @@ static size_t decode(unsigned char *out,
|
||||
* base64 decode data. Skip non-base64 chars, and terminate at the
|
||||
* first '=', or the end of the buffer.
|
||||
*
|
||||
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
|
||||
- * space. This function will return the number of bytes actually used.
|
||||
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
|
||||
+ * of space. This function will return the number of bytes actually
|
||||
+ * used.
|
||||
*/
|
||||
size_t otrl_base64_decode(unsigned char *data, const char *base64data,
|
||||
size_t base64len)
|
||||
@@ -234,13 +235,18 @@ int otrl_base64_otr_decode(const char *m
|
||||
return -2;
|
||||
}
|
||||
|
||||
+ /* Skip over the "?OTR:" */
|
||||
+ otrtag += 5;
|
||||
+ msglen -= 5;
|
||||
+
|
||||
/* Base64-decode the message */
|
||||
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
|
||||
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
|
||||
rawmsg = malloc(rawlen);
|
||||
if (!rawmsg && rawlen > 0) {
|
||||
return -1;
|
||||
}
|
||||
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
|
||||
+
|
||||
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
|
||||
|
||||
*bufp = rawmsg;
|
||||
*lenp = rawlen;
|
|
@ -1,36 +0,0 @@
|
|||
$NetBSD: patch-CVE-2012-3461-ab,v 1.1 2012/08/09 10:06:47 drochner Exp $
|
||||
|
||||
--- src/b64.h.orig 2008-05-27 12:35:28.000000000 +0000
|
||||
+++ src/b64.h
|
||||
@@ -20,6 +20,19 @@
|
||||
#ifndef __B64_H__
|
||||
#define __B64_H__
|
||||
|
||||
+#include <stdlib.h>
|
||||
+
|
||||
+/* Base64 encodes blocks of this many bytes: */
|
||||
+#define OTRL_B64_DECODED_LEN 3
|
||||
+/* into blocks of this many bytes: */
|
||||
+#define OTRL_B64_ENCODED_LEN 4
|
||||
+
|
||||
+/* An encoded block of length encoded_len can turn into a maximum of
|
||||
+ * this many decoded bytes: */
|
||||
+#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \
|
||||
+ (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \
|
||||
+ * OTRL_B64_DECODED_LEN)
|
||||
+
|
||||
/*
|
||||
* base64 encode data. Insert no linebreaks or whitespace.
|
||||
*
|
||||
@@ -33,8 +46,9 @@ size_t otrl_base64_encode(char *base64da
|
||||
* base64 decode data. Skip non-base64 chars, and terminate at the
|
||||
* first '=', or the end of the buffer.
|
||||
*
|
||||
- * The buffer data must contain at least (base64len / 4) * 3 bytes of
|
||||
- * space. This function will return the number of bytes actually used.
|
||||
+ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
|
||||
+ * of space. This function will return the number of bytes actually
|
||||
+ * used.
|
||||
*/
|
||||
size_t otrl_base64_decode(unsigned char *data, const char *base64data,
|
||||
size_t base64len);
|
|
@ -1,45 +0,0 @@
|
|||
$NetBSD: patch-CVE-2012-3461-ac,v 1.1 2012/08/09 10:06:47 drochner Exp $
|
||||
|
||||
--- src/proto.c.orig 2008-05-27 12:35:28.000000000 +0000
|
||||
+++ src/proto.c
|
||||
@@ -537,13 +537,17 @@ gcry_error_t otrl_proto_data_read_flags(
|
||||
msglen = strlen(otrtag);
|
||||
}
|
||||
|
||||
+ /* Skip over the "?OTR:" */
|
||||
+ otrtag += 5;
|
||||
+ msglen -= 5;
|
||||
+
|
||||
/* Base64-decode the message */
|
||||
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
|
||||
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
|
||||
rawmsg = malloc(rawlen);
|
||||
if (!rawmsg && rawlen > 0) {
|
||||
return gcry_error(GPG_ERR_ENOMEM);
|
||||
}
|
||||
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
|
||||
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
|
||||
|
||||
bufp = rawmsg;
|
||||
lenp = rawlen;
|
||||
@@ -606,14 +610,18 @@ gcry_error_t otrl_proto_accept_data(char
|
||||
msglen = strlen(otrtag);
|
||||
}
|
||||
|
||||
+ /* Skip over the "?OTR:" */
|
||||
+ otrtag += 5;
|
||||
+ msglen -= 5;
|
||||
+
|
||||
/* Base64-decode the message */
|
||||
- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
|
||||
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
|
||||
rawmsg = malloc(rawlen);
|
||||
if (!rawmsg && rawlen > 0) {
|
||||
err = gcry_error(GPG_ERR_ENOMEM);
|
||||
goto err;
|
||||
}
|
||||
- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
|
||||
+ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
|
||||
|
||||
bufp = rawmsg;
|
||||
lenp = rawlen;
|
|
@ -1,27 +0,0 @@
|
|||
$NetBSD: patch-CVE-2012-3461-ad,v 1.1 2012/08/09 10:06:47 drochner Exp $
|
||||
|
||||
--- toolkit/parse.c.orig 2008-05-27 12:35:28.000000000 +0000
|
||||
+++ toolkit/parse.c
|
||||
@@ -64,7 +64,8 @@ static unsigned char *decode(const char
|
||||
{
|
||||
const char *header, *footer;
|
||||
unsigned char *raw;
|
||||
-
|
||||
+ size_t rawlen;
|
||||
+
|
||||
/* Find the header */
|
||||
header = strstr(msg, "?OTR:");
|
||||
if (!header) return NULL;
|
||||
@@ -75,8 +76,10 @@ static unsigned char *decode(const char
|
||||
footer = strchr(header, '.');
|
||||
if (!footer) footer = header + strlen(header);
|
||||
|
||||
- raw = malloc((footer-header) / 4 * 3);
|
||||
- if (raw == NULL && (footer-header >= 4)) return NULL;
|
||||
+ rawlen = OTRL_B64_MAX_DECODED_SIZE(footer-header);
|
||||
+
|
||||
+ raw = malloc(rawlen);
|
||||
+ if (raw == NULL && rawlen > 0) return NULL;
|
||||
*lenp = otrl_base64_decode(raw, header, footer-header);
|
||||
|
||||
return raw;
|