Description: konversation: out-of-bounds read on a heap-allocated array
 Konversation's Blowfish ECB encryption support assumes incoming blocks
 to be the expected 12 bytes. The lack of a sanity-check for the actual
 size can cause a denial of service (crash) and an information leak of
 up to 11 bytes due to an out-of-bounds read on a heap-allocated array.
Author: Eike Hein <hein@kde.org>
Origin: upstream, https://www.kde.org/info/security/advisory-20140923-1.txt
Reviewed-by: Jonathan Riddell
Last-Update: 2014-11-04

This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: konversation-1.2.3/src/cipher.cpp
===================================================================
--- konversation-1.2.3.orig/src/cipher.cpp
+++ konversation-1.2.3/src/cipher.cpp
@@ -347,8 +347,12 @@ namespace Konversation
+ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+ if ((temp.length() % 12) != 0)
temp = b64ToByte(temp);
- while((temp.length() % 8) != 0) temp.append('\0');
+ while ((temp.length() % 8) != 0) temp.append('\0');
QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
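Review bot: the new `if ((temp.length() % 12) != 0)` check runs on the still-encoded input, before `temp = b64ToByte(temp)`, while the out-of-bounds read the header describes happens on the decoded buffer, so the fix relies on 12 encoded characters always decoding to exactly one 8-byte block; the reviewer should confirm that invariant holds in `b64ToByte` (the existing `while ((temp.length() % 8) != 0) temp.append('\0');` padding loop is what currently masks short decoded data). The rejection branch that follows the `if` is not part of this excerpt, so what happens to malformed input (return empty, log, drop) cannot be verified from the visible lines and should be stated in the header's Description. The `while((` to `while ((` whitespace-only change is unrelated to the security fix and makes the backport noisier; consider dropping it from a stable-update patch.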
@@ -356,11 +360,17 @@ namespace Konversation
QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
temp2 += cipher.final().toByteArray();
+ if ((temp2.length() % 8) != 0)
temp2 = byteToB64(temp2);
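Review bot: the added `if ((temp2.length() % 8) != 0)` after `temp2 += cipher.final().toByteArray();` only catches a cipher output that is not block-aligned, and with ECB and no padding `final()` normally either returns a whole block or fails outright; a failed `update()`/`final()` leaves `temp2` short or empty rather than misaligned, so this length test alone does not distinguish success from failure. Test `cipher.ok()` as well and treat a false result the same way as malformed input before reaching `temp2 = byteToB64(temp2);`. As with the first hunk, the rejection branch is outside the excerpt, so the reviewer cannot see from these lines what the caller receives on failure.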