Contents of /updates/3/quassel/current/SOURCES/quassel-0.11.0-CVE-2014-8483.patch


Revision 793809
Mon Oct 27 09:05:14 2014 UTC (6 years, 11 months ago) by luigiwalser
File size: 1682 byte(s)
add upstream patch to fix CVE-2014-8483
1 From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
2 From: Manuel Nickschas <sputnick@quassel-irc.org>
3 Date: Tue, 21 Oct 2014 21:20:07 +0200
4 Subject: [PATCH] Check for invalid input in encrypted buffers
5
6 The ECB Blowfish decryption function assumed that encrypted input would
7 always come in blocks of 12 characters, as specified. However, buggy
8 clients or annoying people may not adhere to that assumption, causing
9 the core to crash while trying to process the invalid base64 input.
10
11 With this commit we make sure that we're not overstepping the bounds of
12 the input string while decoding it; instead we bail out early and display
13 the original input. Fixes #1314.
14
15 Thanks to Tucos for finding that one!
16 ---
17 src/core/cipher.cpp | 11 ++++++++++-
18 1 file changed, 10 insertions(+), 1 deletion(-)
19
20 diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
21 index 7cc75d0..7d1fe46 100644
22 --- a/src/core/cipher.cpp
23 +++ b/src/core/cipher.cpp
24 @@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
25 }
26 else
27 {
28 + // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
29 + if ((temp.length() % 12) != 0)
30 + return cipherText;
31 +
32 temp = b64ToByte(temp);
33 while ((temp.length() % 8) != 0) temp.append('\0');
34 }
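Review bot: The new guard `if ((temp.length() % 12) != 0)` in the else branch validates only the length of the input, not its contents, so a 12-character string containing bytes outside the base64 alphabet still reaches `b64ToByte(temp)`. b64ToByte is not visible in this hunk, so please confirm that it tolerates such bytes, or add an alphabet check beside the length check. With the guard in place, the following `while ((temp.length() % 8) != 0) temp.append('\0');` only matters if b64ToByte can return a length that is not a multiple of 8; a comment saying whether that padding is still needed would help the next reader.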
35 @@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
36 if (!cipher.ok())
37 return cipherText;
38
39 - if (direction)
40 + if (direction) {
41 + // Sanity check
42 + if ((temp2.length() % 8) != 0)
43 + return cipherText;
44 +
45 temp2 = byteToB64(temp2);
46 + }
47
48 return temp2;
49 }
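Review bot: The new `return cipherText;` under `// Sanity check` in the `if (direction)` branch hands the caller its input back unchanged, the same value the existing `if (!cipher.ok())` path returns, so a caller cannot tell a failed call from a completed one. Because this branch goes on to `byteToB64(temp2)`, it appears to be the encoding side, where returning the input as-is would pass unencrypted text along silently; consider logging a warning or returning a value the caller can distinguish. The comment should also name the invariant being checked (presumably that byteToB64 needs whole 8-byte blocks) rather than just "Sanity check".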