[libotr/f17] * Wed Aug 08 2012 Paul Wouters <pwouters at redhat.com> - 3.2.0-9 - Patch for Multiple heap-based buffe
Paul Wouters
pwouters at fedoraproject.org
Wed Aug 8 16:30:56 UTC 2012
commit 32e2ecf77f0d72929dbdba9039fd5648be0b59c0
Author: Paul Wouters <pwouters at redhat.com>
Date: Wed Aug 8 12:28:27 2012 -0400
* Wed Aug 08 2012 Paul Wouters <pwouters at redhat.com> - 3.2.0-9
- Patch for Multiple heap-based buffer overflows in the Base64 decoder
(rhbz#846377, upstream will not release 3.2.1 for this)
libotr-3.2.0-846377.patch | 154 +++++++++++++++++++++++++++++++++++++++++++++
libotr.spec | 23 ++++++-
2 files changed, 173 insertions(+), 4 deletions(-)
---
diff --git a/libotr-3.2.0-846377.patch b/libotr-3.2.0-846377.patch
new file mode 100644
index 0000000..6512fa2
--- /dev/null
+++ b/libotr-3.2.0-846377.patch
@@ -0,0 +1,154 @@
+diff --git a/src/b64.c b/src/b64.c
+index b8736da..9e35251 100644
+--- a/src/b64.c
++++ b/src/b64.c
+@@ -55,7 +55,7 @@ VERSION HISTORY:
+ \******************************************************************* */
+
+ /* system headers */
+-#include <stdlib.h>
++#include <stdio.h>
+ #include <string.h>
+
+ /* libotr headers */
+@@ -147,8 +147,9 @@ static size_t decode(unsigned char *out, const char *in, size_t b64len)
+ * base64 decode data. Skip non-base64 chars, and terminate at the
+ * first '=', or the end of the buffer.
+ *
+- * The buffer data must contain at least (base64len / 4) * 3 bytes of
+- * space. This function will return the number of bytes actually used.
++ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
++ * of space. This function will return the number of bytes actually
++ * used.
+ */
+ size_t otrl_base64_decode(unsigned char *data, const char *base64data,
+ size_t base64len)
+@@ -234,13 +235,18 @@ int otrl_base64_otr_decode(const char *msg, unsigned char **bufp,
+ return -2;
+ }
+
++ /* Skip over the "?OTR:" */
++ otrtag += 5;
++ msglen -= 5;
++
+ /* Base64-decode the message */
+- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
++ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ return -1;
+ }
+- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
++
++ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
+
+ *bufp = rawmsg;
+ *lenp = rawlen;
+diff --git a/src/b64.h b/src/b64.h
+index 34ef03f..dd0e115 100644
+--- a/src/b64.h
++++ b/src/b64.h
+@@ -20,6 +20,19 @@
+ #ifndef __B64_H__
+ #define __B64_H__
+
++#include <stdlib.h>
++
++/* Base64 encodes blocks of this many bytes: */
++#define OTRL_B64_DECODED_LEN 3
++/* into blocks of this many bytes: */
++#define OTRL_B64_ENCODED_LEN 4
++
++/* An encoded block of length encoded_len can turn into a maximum of
++ * this many decoded bytes: */
++#define OTRL_B64_MAX_DECODED_SIZE(encoded_len) \
++ (((encoded_len + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) \
++ * OTRL_B64_DECODED_LEN)
++
+ /*
+ * base64 encode data. Insert no linebreaks or whitespace.
+ *
+@@ -33,8 +46,9 @@ size_t otrl_base64_encode(char *base64data, const unsigned char *data,
+ * base64 decode data. Skip non-base64 chars, and terminate at the
+ * first '=', or the end of the buffer.
+ *
+- * The buffer data must contain at least (base64len / 4) * 3 bytes of
+- * space. This function will return the number of bytes actually used.
++ * The buffer data must contain at least ((base64len+3) / 4) * 3 bytes
++ * of space. This function will return the number of bytes actually
++ * used.
+ */
+ size_t otrl_base64_decode(unsigned char *data, const char *base64data,
+ size_t base64len);
+diff --git a/src/proto.c b/src/proto.c
+index 3f8c987..0374dfe 100644
+--- a/src/proto.c
++++ b/src/proto.c
+@@ -537,13 +537,17 @@ gcry_error_t otrl_proto_data_read_flags(const char *datamsg,
+ msglen = strlen(otrtag);
+ }
+
++ /* Skip over the "?OTR:" */
++ otrtag += 5;
++ msglen -= 5;
++
+ /* Base64-decode the message */
+- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
++ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ return gcry_error(GPG_ERR_ENOMEM);
+ }
+- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
++ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
+
+ bufp = rawmsg;
+ lenp = rawlen;
+@@ -606,14 +610,18 @@ gcry_error_t otrl_proto_accept_data(char **plaintextp, OtrlTLV **tlvsp,
+ msglen = strlen(otrtag);
+ }
+
++ /* Skip over the "?OTR:" */
++ otrtag += 5;
++ msglen -= 5;
++
+ /* Base64-decode the message */
+- rawlen = ((msglen-5) / 4) * 3; /* maximum possible */
++ rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */
+ rawmsg = malloc(rawlen);
+ if (!rawmsg && rawlen > 0) {
+ err = gcry_error(GPG_ERR_ENOMEM);
+ goto err;
+ }
+- rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */
++ rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */
+
+ bufp = rawmsg;
+ lenp = rawlen;
+diff --git a/toolkit/parse.c b/toolkit/parse.c
+index 5f357fc..16718ca 100644
+--- a/toolkit/parse.c
++++ b/toolkit/parse.c
+@@ -64,7 +64,8 @@ static unsigned char *decode(const char *msg, size_t *lenp)
+ {
+ const char *header, *footer;
+ unsigned char *raw;
+-
++ size_t rawlen;
++
+ /* Find the header */
+ header = strstr(msg, "?OTR:");
+ if (!header) return NULL;
+@@ -75,8 +76,10 @@ static unsigned char *decode(const char *msg, size_t *lenp)
+ footer = strchr(header, '.');
+ if (!footer) footer = header + strlen(header);
+
+- raw = malloc((footer-header) / 4 * 3);
+- if (raw == NULL && (footer-header >= 4)) return NULL;
++ rawlen = OTRL_B64_MAX_DECODED_SIZE(footer-header);
++
++ raw = malloc(rawlen);
++ if (raw == NULL && rawlen > 0) return NULL;
+ *lenp = otrl_base64_decode(raw, header, footer-header);
+
+ return raw;
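Review bot: The new `OTRL_B64_MAX_DECODED_SIZE` macro in b64.h does not parenthesize its `encoded_len` argument, and the toolkit/parse.c hunk already passes an expression into it (`OTRL_B64_MAX_DECODED_SIZE(footer-header)`); that only works because `-` and `+` share precedence, and a future caller passing a lower-precedence expression could silently get a smaller buffer and reintroduce the very overflow this patch fixes, so the expansion should read `((((encoded_len) + OTRL_B64_ENCODED_LEN - 1) / OTRL_B64_ENCODED_LEN) * OTRL_B64_DECODED_LEN)`. The three new `msglen -= 5` sites are safe only if `msglen` is at least 5 at that point; that appears to rest on the "?OTR:" prefix check that precedes each hunk (only its `return -2;` is visible in the b64.c hunk, and the prologues of both proto.c functions lie outside their hunks), so a one-line comment such as `/* msglen >= 5 here: the "?OTR:" prefix was verified above, so this size_t subtraction cannot wrap */` would record the invariant the unsigned arithmetic depends on. The replacement of `<stdlib.h>` by `<stdio.h>` at the top of b64.c looks unrelated to the fix; b64.c presumably still sees `malloc` via the `<stdlib.h>` now pulled in from b64.h, but if nothing in b64.c needs `<stdio.h>` the line should be dropped rather than left as an unexplained change in a security backport.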
diff --git a/libotr.spec b/libotr.spec
index c0b7082..c1fa6d4 100644
--- a/libotr.spec
+++ b/libotr.spec
@@ -1,17 +1,22 @@
+%global snapshot 0
Summary: Off-The-Record Messaging library and toolkit
Name: libotr
Version: 3.2.0
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2 and LGPLv2
Group: System Environment/Libraries
Source0: http://otr.cypherpunks.ca/%{name}-%{version}.tar.gz
+Patch1: libotr-3.2.0-846377.patch
Url: http://otr.cypherpunks.ca/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Provides: libotr-toolkit = %{version}
Obsoletes: libotr-toolkit < %{version}
Requires: libgcrypt >= 1.2.0
Requires: pkgconfig
-BuildRequires: libgcrypt-devel >= 1.2.0, libgpg-error-devel
+BuildRequires: libgcrypt-devel >= 1.2.0, libgpg-error-devel
+%if %{snapshot}
+Buildrequires: libtool automake autoconf
+%endif
%description
Off-the-Record Messaging Library and Toolkit
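Review bot: The Release bump in this hunk goes to 8 (`Release: 8%{?dist}`), and the changelog entry added later in this spec is headed 3.2.0-8, while the commit message and list subject announce 3.2.0-9, so the NVR that is actually built for this security fix will not match the one recorded for it; align them by either changing to `Release: 9%{?dist}` with a matching changelog header or correcting the commit message. The snapshot-only requirement line is written `Buildrequires:`; rpm treats tag names case-insensitively, but the rest of the file uses `BuildRequires:`, so keep the spelling consistent. Whether `pkgconfig` should remain a runtime `Requires` is outside this change.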
@@ -29,9 +34,15 @@ The devel package contains the libotr library and include files.
%prep
%setup -q
+%patch1 -p1
-%build
+%if %{snapshot}
+aclocal
+intltoolize --force --copy
+autoreconf -s -i
+%endif
+%build
%configure --with-pic --disable-rpath --disable-static
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
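Review bot: `intltoolize --force --copy` is invoked in the `%if %{snapshot}` branch of %prep, but the snapshot-only build requirements added earlier in this spec list only `libtool automake autoconf`, so a build with `snapshot` set to 1 would fail in %prep for lack of `intltool`; either add `intltool` to that BuildRequires line or drop the intltoolize call if the tarball does not use intltool (not determinable from these lines). With `%global snapshot 0` this branch is never exercised by the build that ships the fix, so it should be verified before it is ever enabled. `%patch1 -p1` is correctly placed after `%setup -q`, which is the part that matters for rhbz#846377.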
@@ -52,7 +63,7 @@ rm -rf $RPM_BUILD_ROOT
%postun -p /sbin/ldconfig
-%files
+%files
%defattr(-,root,root)
%doc AUTHORS README COPYING COPYING.LIB NEWS Protocol*
%{_libdir}/libotr.so.*
@@ -70,6 +81,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Aug 08 2012 Paul Wouters <pwouters at redhat.com> - 3.2.0-8
+- Patch for Multiple heap-based buffer overflows in the Base64 decoder
+ (rhbz#846377, upstream will not release 3.2.1 for this)
+
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 3.2.0-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild