~ubuntu-branches/ubuntu/lucid/konversation/lucid-updates


Viewing changes to debian/patches/kubuntu_02_cve-2014-8483.diff

  • Committer: Package Import Robot
  • Author(s): Jonathan Riddell
  • Date: 2014-11-04 17:40:19 UTC
  • mfrom: (2.4.4 experimental)
  • Revision ID: package-import@ubuntu.com-20141104174019-djxmmslchwd6uowc
Tags: 1.2.3-1ubuntu2.1
* SECURITY UPDATE: out-of-bounds read on a heap-allocated array LP: #1389296
  - Add kubuntu_02_cve-2014-8483.diff to verify read bounds
  - CVE-2014-8483
  - https://www.kde.org/info/security/advisory-20140923-1.txt

Description: konversation: out-of-bounds read on a heap-allocated array
 Konversation's Blowfish ECB encryption support assumes incoming blocks
 to be the expected 12 bytes. The lack of a sanity-check for the actual
 size can cause a denial of service (crash) and an information leak of
 up to 11 bytes due to an out-of-bounds read on a heap-allocated array.
Author: Eike Hein <hein@kde.org>
Origin: upstream, https://www.kde.org/info/security/advisory-20140923-1.txt 
Reviewed-by: Jonathan Riddell
Last-Update: 2014-11-04
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: konversation-1.2.3/src/cipher.cpp
===================================================================
--- konversation-1.2.3.orig/src/cipher.cpp
+++ konversation-1.2.3/src/cipher.cpp
@@ -347,8 +347,12 @@ namespace Konversation
         }
         else
         {
+        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+        if ((temp.length() % 12) != 0)
+            return cipherText;
+
             temp = b64ToByte(temp);
-            while((temp.length() % 8) != 0) temp.append('\0');
+            while ((temp.length() % 8) != 0) temp.append('\0');
         }
 
         QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
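Review bot: the `% 12` guard sits before `temp = b64ToByte(temp);`, which is where the Description places the 12-byte block assumption, so a truncated trailing block is now rejected before it is ever decoded; the comment `// ECB Blowfish encodes in blocks of 12 chars` is misleading, though, because the `% 8` padding loop two lines below shows the cipher block is 8 bytes and 12 is the length of one block in the base64 text form that `b64ToByte` consumes, so reword it along the lines of `// An 8-byte ECB Blowfish block is 12 chars in its base64 form, so any other length is malformed input`. The `-`/`+` pair on the `while((temp.length() % 8) != 0)` line is a whitespace-only change; a security backport is easier to audit when it carries only the fix, so consider dropping that pair.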
@@ -356,11 +360,17 @@ namespace Konversation
         QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
         temp2 += cipher.final().toByteArray();
 
-        if(!cipher.ok())
+        if (!cipher.ok())
             return cipherText;
 
-        if(direction)
+        if (direction)
+        {
+            // Sanity check
+            if ((temp2.length() % 8) != 0)
+                return cipherText;
+
             temp2 = byteToB64(temp2);
+        }
 
         return temp2;
     }
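Review bot: `// Sanity check` does not say what it protects; the `% 8` test on `temp2` guards `byteToB64(temp2)`, the encoder of the 12-chars-per-8-bytes text form, so name that in the comment (e.g. `// byteToB64 expects whole 8-byte blocks`). The check is applied only inside `if (direction)`, so the other direction returns `temp2` unchecked; that is defensible if the `% 8` NUL padding added to `temp` in the first hunk guarantees block-aligned cipher output, but the two hunks then depend on each other and a line in the DEP-3 Description recording that would stop a later change to the padding loop from silently removing the guarantee. Returning `cipherText` on failure matches the `if (!cipher.ok())` branch above, so callers see the same error signal as before.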
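The 12-char block check the patch adds, and the over-read it prevents, as an added C++ example that is not Konversation's code: a self-consistent FiSH-style base64 decoder carrying the guard, its inverse encoder with the same NUL padding as the `% 8` loop, and `bytesPastEnd`, which yields the advisory's "up to 11 bytes". The alphabet, the word order inside a block and every function name here are assumptions, not verified against the project's `b64ToByte`/`byteToB64`.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Alphabet of the FiSH/mircryption base64 variant. Assumption: Konversation's b64ToByte
// uses this alphabet and word order; this is an added illustration, not the project's code.
static const std::string kFishAlphabet =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
// How far a decoder assuming whole 12-char blocks would read past the end of `len`
// chars: at most 11 bytes, the figure the advisory gives.
std::size_t bytesPastEnd(std::size_t len) {
    return (len % 12 == 0) ? 0 : 12 - (len % 12);
}
// Decode one 12-char block (two 32-bit words, 6 bits per char) into 8 bytes.
static bool decodeBlock(const std::string& in, std::size_t pos, std::vector<uint8_t>& out) {
    uint32_t words[2] = {0, 0};
    for (int w = 0; w < 2; ++w)
        for (int i = 0; i < 6; ++i) {
            std::size_t idx = kFishAlphabet.find(in[pos + w * 6 + i]);
            if (idx == std::string::npos) return false;  // char outside the alphabet
            words[w] |= static_cast<uint32_t>(idx) << (6 * i);
        }
    for (int w = 0; w < 2; ++w)
        for (int s = 24; s >= 0; s -= 8) out.push_back(static_cast<uint8_t>(words[w] >> s));
    return true;
}
// Hardened decoder: the `% 12` guard from the patch runs before any indexing, so a
// truncated trailing block is rejected instead of being read past the end of `in`.
bool fishB64Decode(const std::string& in, std::vector<uint8_t>& out) {
    out.clear();
    if (in.size() % 12 != 0) return false;  // the CVE-2014-8483 check
    for (std::size_t pos = 0; pos < in.size(); pos += 12)
        if (!decodeBlock(in, pos, out)) { out.clear(); return false; }
    return true;
}
// Inverse of fishB64Decode; NUL-pads to a multiple of 8 bytes, like the `% 8` loop
// in the patch, so every output is a whole number of 12-char blocks.
std::string fishB64Encode(std::vector<uint8_t> bytes) {
    while (bytes.size() % 8 != 0) bytes.push_back(0);
    std::string out;
    for (std::size_t pos = 0; pos < bytes.size(); pos += 8)
        for (int w = 0; w < 2; ++w) {
            uint32_t word = 0;
            for (int b = 0; b < 4; ++b) word = (word << 8) | bytes[pos + w * 4 + b];
            for (int i = 0; i < 6; ++i) out += kFishAlphabet[(word >> (6 * i)) & 0x3f];
        }
    return out;
}
```

Feeding `fishB64Decode` an encoded string with its last character cut off returns false and leaves the output empty, which is the behaviour the patch gives `b64ToByte`'s caller.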