Debian Bug report logs - #337127
gaim-encryption: gaim segfaults receiving a special message from ICQ Buddy


Package: gaim-encryption; Maintainer for gaim-encryption is (unknown);

Reported by: Joerg Kurlbaum <jkur@informatik.uni-bremen.de>

Date: Wed, 2 Nov 2005 20:15:41 UTC

Severity: grave

Tags: security

Found in version gaim-encryption/2.38-1

Fixed in version gaim-encryption/3.0~beta5-3

Done: Leo Costela <costela@debian.org>

Bug is archived. No further changes may be made.

Forwarded to obobo@users.sourceforge.net



Report forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Joerg Kurlbaum <jkur@informatik.uni-bremen.de>:
New Bug report received and forwarded. Copy sent to Leo Costela <costela@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Joerg Kurlbaum <jkur@informatik.uni-bremen.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gaim-encryption: gaim segfaults receiving a special message from ICQ Buddy
Date: Wed, 02 Nov 2005 20:13:26 +0100
Package: gaim-encryption
Version: 2.38-1
Severity: normal

When an ICQ Buddy sends a special message the application crashes.
I've found the problem when I just clicked on the encryption button in
the IM window. The other person didn't know what to do with the message
since it is used for GAIM to GAIM encryption and just sent it
back (copy and paste). Then my GAIM application crashed.
This is reproducible even with other people's clients.
The message you need to send is:

*** Encrypted with the Gaim-Encryption plugin <A HREF=": Key: Prot NSS
1.0: Len 249
1ShR9YBpgmjZ2pCZFXQNiRCyI2dNSmC,MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCvANJpA/+j+k+RzfDwUDC6w5EHHWYEj10qd3EfHQnSK1h1L4ZjBZqnrTdaCRZFr5WvDgqjqMaUZg7NNFlfkWrJpDoW3fbSZ7eegQUbUdGwGLuqxExy+Sd2B4ngln3bPtNATcziX2ikzadCldkL4R/EFyYpc/nRWRs++ooOJ0iZQIDAQAB"></A>

It does not work when you send it from inside GAIM, but when you send
it from licq it works.
I think this is a serious bug. Maybe even a security hole.

Regards,
  Jörg 

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4-jkur
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)

Versions of packages gaim-encryption depends on:
ii  gaim                          1:1.5.0-1  multi-protocol instant messaging c
ii  libc6                         2.3.5-3    GNU C Library: Shared libraries an
ii  libnspr4                      2:1.7.12-1 Netscape Portable Runtime Library
ii  libnss3                       2:1.7.7-2  Network Security Service Libraries

gaim-encryption recommends no packages.

-- no debconf information



Tags added: security. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.

Message #12 received at 337127@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: control@bugs.debian.org
Cc: 337127@bugs.debian.org, 375281@bugs.debian.org, 370144@bugs.debian.org, 355797@bugs.debian.org, 368207@bugs.debian.org
Subject: Raise severities of some security bugs
Date: Sat, 12 Aug 2006 16:21:26 +0200
severity 337127 grave
severity 375281 grave
severity 370144 grave
severity 355797 grave
severity 368207 grave
thanks

I'm raising the severity of these security bugs, which have been
neglected for too long. Etch should not ship with them. If the
bug should not apply to Etch, please indicate so.

Cheers,
        Moritz



Severity set to `grave' from `normal'. Request was from Moritz Muehlenhoff <jmm@inutil.org> to control@bugs.debian.org.

Noted your statement that Bug has been forwarded to obobo@users.sourceforge.net. Request was from "Leo Antunes" <costela@gmail.com> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.

Message #21 received at 337127@bugs.debian.org:

From: Max Kellermann <max@duempel.org>
To: 337127@bugs.debian.org
Subject: gaim-encryption patch: check sscanf() return value
Date: Sat, 16 Sep 2006 20:11:52 +0200
The bug is caused by a wrong sscanf() return value check.  The
sscanf() is called with two escapes, but the caller only checks
whether one of those is valid.  This patch expands the check to both
values.

[gaim-encryption-337127-check_sscanf_return_value.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.

Message #26 received at 337127@bugs.debian.org:

From: Max Kellermann <max@duempel.org>
To: 337127@bugs.debian.org
Subject: Re: gaim-encryption patch: check sscanf() return value
Date: Sat, 16 Sep 2006 20:41:57 +0200
On 2006/09/16 20:11, Max Kellermann <max@duempel.org> wrote:
> The bug is caused by a wrong sscanf() return value check.  The
> sscanf() is called with two escapes, but the caller only checks
> whether one of those is valid.  This patch expands the check to both
> values.

I was wrong, since '%n' does not increment sscanf's return value.
Unfortunately, there is no way for the sscanf caller to see the
difference between "everything was parsed fine" and "no colon
detected, the variable 'realstart' wasn't assigned".

I changed the patch and removed the colon from the sscanf format
string.  The colon check is performed manually.

[gaim-encryption-337127-check_colon_manually.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Bill Tompkins <gaim-encryption@icarion.com>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.

Message #31 received at 337127@bugs.debian.org:

From: Bill Tompkins <gaim-encryption@icarion.com>
To: 337127@bugs.debian.org
Subject: Re: gaim-encryption patch: check sscanf() return value
Date: Sat, 16 Sep 2006 23:20:16 -0400
Actually, I believe the bug is simply that 'realstart' is not assigned
at the beginning of the function.  If it is set to zero, the check
correctly detects that it wasn't assigned, and things are (moderately)
happy:

--- gaim-encryption-2.38/keys.c 2005-06-11 13:40:33.000000000 -0400
+++ gaim-encryption-2.39/keys.c 2006-09-16 23:10:07.000000000 -0400
@@ -184,7 +184,7 @@
    crypt_proto* proto=0;
    unsigned char* key_len_msg=0;
    unsigned int length;
-   int realstart;
+   int realstart=0;
    gchar** after_key;
    gchar* resend_msg_id = 0;
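Review bot: `int realstart=0;` only works as a sentinel, and the hunk does not show the consumer that tests it, so add a comment on the declaration stating that 0 means the `%n` directive was never reached because the literal colon in the sscanf format did not match; without that, the line reads as an ordinary zero-initialisation and the next cleanup may drop it. Since `%n` is not counted in sscanf's return value (message #26), the return-value check cannot catch the missing-colon case, so the zero test is the only guard before `realstart` is used as an offset into the message; make sure it runs before any such use.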

Fixing this, and firing that test message again, the code will hit a bug
that was already fixed in the 3.0 branch, which will cause the plugin to
hang.  So... I'm releasing a 2.39 tonight with a complete fix, and a few
other fixes backported from 3.0, and a few memory leak fixes just
reported today (Hi Max!).

Thanks all for the diligence reporting this and tracking it down,

-Bill





Information forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>:
Bug#337127; Package gaim-encryption.

Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.

Message #36 received at 337127@bugs.debian.org:

From: Max Kellermann <max@duempel.org>
To: Bill Tompkins <gaim-encryption@icarion.com>
Cc: 337127@bugs.debian.org
Subject: Re: gaim-encryption patch: check sscanf() return value
Date: Sun, 17 Sep 2006 08:45:59 +0200
On 2006/09/17 05:20, Bill Tompkins <gaim-encryption@icarion.com> wrote:
> Actually, I believe the bug is simply that 'realstart' is not
> assigned at the beginning of the function.  If it is set to zero,
> the check correctly detects that it wasn't assigned, and things are
> (moderately) happy:

I also considered this smaller patch, but dismissed it because the
error message would be something like "can't decrypt" instead of the
more correct "no colon found" - but you're the upstream author, you're
the one to decide.

Max
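The sscanf pitfall Max describes in messages #21 and #26, alongside the two remedies discussed in the thread (Bill's zero-initialisation of `realstart` and Max's manual colon check), as an added example that is not gaim-encryption's code; the `Len <decimal>:` header format and the sample strings are constructed for the illustration and do not reproduce the plugin's real key format.

```c
#include <stdio.h>

/* Added illustration, not gaim-encryption's code. The "Len <decimal>:"
 * header and the sample strings are constructed for this example. */

/* Pattern the thread describes: a literal ':' in the format, then %n to
 * record where the payload starts. %n is not counted in the return value,
 * so sscanf returns 1 whether or not the colon matched, and when it does
 * not match, *payload_off is simply left as it was. */
int parse_naive(const char *msg, unsigned *len, int *payload_off)
{
    return sscanf(msg, "Len %u:%n", len, payload_off) == 1;
}

/* Upstream's 2.39 remedy: pre-set the offset to 0, which a matched colon
 * can never yield here, and treat 0 as "colon missing". */
int parse_sentinel(const char *msg, unsigned *len, int *payload_off)
{
    *payload_off = 0;
    if (sscanf(msg, "Len %u:%n", len, payload_off) != 1)
        return 0;
    return *payload_off > 0;
}

/* Max's second patch: keep the colon out of the format and test for it
 * by hand at the position %n reports. */
int parse_manual_colon(const char *msg, unsigned *len, int *payload_off)
{
    int off = 0;
    if (sscanf(msg, "Len %u%n", len, &off) != 1 || msg[off] != ':')
        return 0;
    *payload_off = off + 1;
    return 1;
}

/* Run one parser and return the payload offset it would hand on, or -1
 * when it rejects the message. The naive variant starts from -99 to stand
 * in for whatever was on the stack in the uninitialised 'realstart'. */
int naive_offset(const char *msg)    { unsigned l; int o = -99; return parse_naive(msg, &l, &o) ? o : -1; }
int sentinel_offset(const char *msg) { unsigned l; int o;       return parse_sentinel(msg, &l, &o) ? o : -1; }
int manual_offset(const char *msg)   { unsigned l; int o;       return parse_manual_colon(msg, &l, &o) ? o : -1; }

int main(void)
{
    const char *good = "Len 5:HELLO";   /* constructed: well-formed header */
    const char *bad  = "Len 5 HELLO";   /* constructed: colon missing */
    printf("naive:    good=%d bad=%d (bad accepted with a garbage offset)\n",
           naive_offset(good), naive_offset(bad));
    printf("sentinel: good=%d bad=%d\n", sentinel_offset(good), sentinel_offset(bad));
    printf("manual:   good=%d bad=%d\n", manual_offset(good), manual_offset(bad));
    return 0;
}
```

The naive parser reports success on the colon-less input and hands on an offset that was never written, which is the path that ends in a segfault in the report; both remedies reject that input, and only the manual check can tell the caller why.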




Reply sent to Leo Costela <costela@debian.org>:
You have taken responsibility.

Notification sent to Joerg Kurlbaum <jkur@informatik.uni-bremen.de>:
Bug acknowledged by developer.

Message #41 received at 337127-close@bugs.debian.org:

From: Leo Costela <costela@debian.org>
To: 337127-close@bugs.debian.org
Subject: Bug#337127: fixed in gaim-encryption 3.0~beta5-3
Date: Thu, 28 Sep 2006 22:32:04 -0700
Source: gaim-encryption
Source-Version: 3.0~beta5-3

We believe that the bug you reported is fixed in the latest version of
gaim-encryption, which is due to be installed in the Debian FTP archive:

gaim-encryption_3.0~beta5-3.diff.gz
  to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3.diff.gz
gaim-encryption_3.0~beta5-3.dsc
  to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3.dsc
gaim-encryption_3.0~beta5-3_i386.deb
  to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3_i386.deb
gaim-encryption_3.0~beta5.orig.tar.gz
  to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 337127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leo Costela <costela@debian.org> (supplier of updated gaim-encryption package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 28 Aug 2006 01:58:01 -0300
Source: gaim-encryption
Binary: gaim-encryption
Architecture: source i386
Version: 3.0~beta5-3
Distribution: unstable
Urgency: low
Maintainer: Leo Costela <costela@debian.org>
Changed-By: Leo Costela <costela@debian.org>
Description: 
 gaim-encryption - gaim plugin that provides transparent encryption
Closes: 313707 337127 340246 348229 362683
Changes: 
 gaim-encryption (3.0~beta5-3) unstable; urgency=low
 .
   * Migrate to Unstable (Gaim beta is already in)
     (closes: #340246, #362683, #313707, #348229)
   * Ack NMU (thanks Alexander Wirt!) (closes: #337127)
   * Change the version to use the new '~' character (should ease things up when
     3.0-final is released...)
Files: 
 aaec9244e652eede6e9cbc64d4b4fc10 678 net optional gaim-encryption_3.0~beta5-3.dsc
 6c999293dd0018630d406aa638e4e95f 567451 net optional gaim-encryption_3.0~beta5.orig.tar.gz
 af436bbcfc3ff8bb8afb25fc626956a4 3257 net optional gaim-encryption_3.0~beta5-3.diff.gz
 26507fc6d9cbb5f496b534d64b21dfc0 103200 net optional gaim-encryption_3.0~beta5-3_i386.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:19:38 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 16:57:38 2014; Machine Name: buxtehude.debian.org
