~ubuntu-branches/ubuntu/lucid/konversation/lucid-updates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
Description: konversation: out-of-bounds read on a heap-allocated array
 Konversation's Blowfish ECB encryption support assumes incoming blocks
 to be the expected 12 bytes. The lack of a sanity-check for the actual
 size can cause a denial of service (crash) and an information leak of
 up to 11 bytes due to an out-of-bounds read on a heap-allocated array.
Author: Eike Hein <hein@kde.org>
Origin: upstream, https://www.kde.org/info/security/advisory-20140923-1.txt 
Reviewed-by: Jonathan Riddell
Last-Update: 2014-11-04
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: konversation-1.2.3/src/cipher.cpp
===================================================================
--- konversation-1.2.3.orig/src/cipher.cpp
+++ konversation-1.2.3/src/cipher.cpp
@@ -347,8 +347,12 @@ namespace Konversation
         }
         else
         {
+        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+        if ((temp.length() % 12) != 0)
+            return cipherText;
+
             temp = b64ToByte(temp);
-            while((temp.length() % 8) != 0) temp.append('\0');
+            while ((temp.length() % 8) != 0) temp.append('\0');
         }
 
         QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
@@ -356,11 +360,17 @@ namespace Konversation
         QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
         temp2 += cipher.final().toByteArray();
 
-        if(!cipher.ok())
+        if (!cipher.ok())
             return cipherText;
 
-        if(direction)
+        if (direction)
+        {
+            // Sanity check
+            if ((temp2.length() % 8) != 0)
+                return cipherText;
+
             temp2 = byteToB64(temp2);
+        }
 
         return temp2;
     }