Report forwarded to debian-bugs-dist@lists.debian.org, Leo Costela <costela@debian.org>: Bug#337127; Package gaim-encryption.
Acknowledgement sent to Joerg Kurlbaum <jkur@informatik.uni-bremen.de>:
New Bug report received and forwarded. Copy sent to Leo Costela <costela@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gaim-encryption: gaim segfaults receiving a special message from ICQ Buddy
Date: Wed, 02 Nov 2005 20:13:26 +0100
Package: gaim-encryption
Version: 2.38-1
Severity: normal
When an ICQ Buddy sends a special message the application crashes.
I found the problem when I just clicked on the encryption button in
the IM window. The other person didn't know what to do with the message,
since it is used for GAIM-to-GAIM encryption, and just sent it
back (copy and paste). Then my GAIM application crashed.
This is reproducible even with other people's clients.
The Message you need to send is:
*** Encrypted with the Gaim-Encryption plugin <A HREF=": Key: Prot NSS
1.0: Len 249
1ShR9YBpgmjZ2pCZFXQNiRCyI2dNSmC,MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCvANJpA/+j+k+RzfDwUDC6w5EHHWYEj10qd3EfHQnSK1h1L4ZjBZqnrTdaCRZFr5WvDgqjqMaUZg7NNFlfkWrJpDoW3fbSZ7eegQUbUdGwGLuqxExy+Sd2B4ngln3bPtNATcziX2ikzadCldkL4R/EFyYpc/nRWRs++ooOJ0iZQIDAQAB"></A>
It does not work when you send it from inside GAIM, but when you send
it from licq it works.
I think this is a serious bug. Maybe even a security hole.
Regards,
Jörg
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4-jkur
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1) (ignored: LC_ALL set to de_DE)
Versions of packages gaim-encryption depends on:
ii gaim 1:1.5.0-1 multi-protocol instant messaging c
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libnspr4 2:1.7.12-1 Netscape Portable Runtime Library
ii libnss3 2:1.7.7-2 Network Security Service Libraries
gaim-encryption recommends no packages.
-- no debconf information
Tags added: security
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.
severity 337127 grave
severity 375281 grave
severity 370144 grave
severity 355797 grave
severity 368207 grave
thanks
I'm raising the severity of these security bugs, which have been
neglected for too long. Etch should not ship with them. If the
bug should not apply to Etch, please indicate so.
Cheers,
Moritz
Severity set to `grave' from `normal'
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
Noted your statement that Bug has been forwarded to obobo@users.sourceforge.net.
Request was from "Leo Antunes" <costela@gmail.com>
to control@bugs.debian.org.
Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.
The bug is caused by a wrong sscanf() return value check. The
sscanf() is called with two escapes, but the caller only checks
whether one of those is valid. This patch expands the check to both
values.
Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.
On 2006/09/16 20:11, Max Kellermann <max@duempel.org> wrote:
> The bug is caused by a wrong sscanf() return value check. The
> sscanf() is called with two escapes, but the caller only checks
> whether one of those is valid. This patch expands the check to both
> values.
I was wrong, since '%n' does not increment sscanf's return value.
Unfortunately, there is no way for the sscanf caller to see the
difference between "everything was parsed fine" and "no colon
detected, the variable 'realstart' wasn't assigned".
I changed the patch and removed the colon from the sscanf format
string. The colon check is performed manually.
Acknowledgement sent to Bill Tompkins <gaim-encryption@icarion.com>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.
Subject: Re: gaim-encryption patch: check sscanf() return value
Date: Sat, 16 Sep 2006 23:20:16 -0400
Actually, I believe the bug is simply that 'realstart' is not assigned
at the beginning of the function. If it is set to zero, the check
correctly detects that it wasn't assigned, and things are (moderately)
happy:
--- gaim-encryption-2.38/keys.c 2005-06-11 13:40:33.000000000 -0400
+++ gaim-encryption-2.39/keys.c 2006-09-16 23:10:07.000000000 -0400
@@ -184,7 +184,7 @@
crypt_proto* proto=0;
unsigned char* key_len_msg=0;
unsigned int length;
- int realstart;
+ int realstart=0;
gchar** after_key;
gchar* resend_msg_id = 0;
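Review bot: Initializing realstart to 0 makes the existing zero test sound only because a scan that reaches %n has consumed at least the literal colon, so a stored offset of 0 can only mean "%n was never reached"; that invariant deserves a comment on the declaration, since sscanf's return value still cannot report the missing colon. In the same declaration block `gchar** after_key;` is also left uninitialized; if it is tested before assignment the way realstart was, it needs the same `= 0`.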
Fixing this, and firing that test message again, the code will hit a bug
that was already fixed in the 3.0 branch, which will cause the plugin to
hang. So... I'm releasing a 2.39 tonight with a complete fix, and a few
other fixes backported from 3.0, and a few memory leak fixes just
reported today (Hi Max!).
Thanks all for the diligence reporting this and tracking it down,
-Bill
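The %n behaviour Max describes and the two fixes (Bill's zero-initialization, Max's manual colon check), as an added example that is not the plugin's own code. The format string "Len %u: %n" and the sample headers are constructed stand-ins; the thread does not show gaim-encryption's real format string, so the sole assumption is that a literal ':' precedes %n in it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustration of the sscanf()/%n pitfall from Bug#337127. HEADER_FMT is a
 * hypothetical stand-in for the plugin's real format string (not shown in
 * the thread); the two sample headers are constructed, not from the report.
 */
#define HEADER_FMT "Len %u: %n"

static const char SAMPLE_OK[]  = "Len 249: MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC";
static const char SAMPLE_BAD[] = "Len 249 MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC"; /* ':' dropped */

/* sscanf() counts assigned conversions only; %n is not a conversion, so the
 * result is 1 for both samples. The return value cannot tell the caller
 * whether the scan got past the literal ':' and reached %n. */
int count_conversions(const char *msg)
{
    unsigned len = 0;
    int realstart = -1;
    return sscanf(msg, HEADER_FMT, &len, &realstart);
}

/* What %n leaves behind. 'sentinel' stands in for the indeterminate value an
 * uninitialized 'realstart' held in the original: when ':' fails to match,
 * the scan stops before %n and the sentinel is returned untouched. */
int offset_recorded(const char *msg, int sentinel)
{
    unsigned len = 0;
    int realstart = sentinel;
    sscanf(msg, HEADER_FMT, &len, &realstart);
    return realstart;
}

/* Fix 1: initialize to 0. Sound because a scan that reaches %n has consumed
 * at least "Len N:", so the stored offset is never 0; 0 means "%n was not
 * reached". Returns the offset of the key material, or -1 if malformed. */
int parse_header_init_zero(const char *msg, unsigned *len)
{
    int realstart = 0;
    if (sscanf(msg, HEADER_FMT, len, &realstart) < 1)
        return -1;          /* no "Len N" at all */
    if (realstart == 0)
        return -1;          /* "Len N" present but ':' missing */
    return realstart;
}

/* Fix 2: keep ':' out of the format, record the offset right after the
 * number and test the delimiter by hand, so the two failures are
 * distinguishable and can be reported separately. */
int parse_header_manual_colon(const char *msg, unsigned *len)
{
    int pos = 0;
    if (sscanf(msg, "Len %u%n", len, &pos) < 1)
        return -1;          /* no "Len N" at all */
    if (msg[pos] != ':')
        return -1;          /* "Len N" present but ':' missing */
    pos++;
    while (msg[pos] == ' ')
        pos++;
    return pos;
}

int main(void)
{
    unsigned len = 0;
    printf("conversions counted: ok=%d bad=%d\n",
           count_conversions(SAMPLE_OK), count_conversions(SAMPLE_BAD));
    printf("%%n stored: ok=%d bad=%d (sentinel -1)\n",
           offset_recorded(SAMPLE_OK, -1), offset_recorded(SAMPLE_BAD, -1));
    printf("init-zero fix: ok=%d bad=%d\n",
           parse_header_init_zero(SAMPLE_OK, &len),
           parse_header_init_zero(SAMPLE_BAD, &len));
    printf("manual-colon fix: ok=%d bad=%d\n",
           parse_header_manual_colon(SAMPLE_OK, &len),
           parse_header_manual_colon(SAMPLE_BAD, &len));
    return 0;
}
```

Both fixes reject the colon-less header, but only the second can name the missing delimiter in its error message, which is the trade-off Max raises in his reply; the first is the smaller patch and relies on the offset-is-never-zero invariant, which is worth a comment wherever it is used.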
Acknowledgement sent to Max Kellermann <max@duempel.org>:
Extra info received and forwarded to list. Copy sent to Leo Costela <costela@debian.org>.
Subject: Re: gaim-encryption patch: check sscanf() return value
Date: Sun, 17 Sep 2006 08:45:59 +0200
On 2006/09/17 05:20, Bill Tompkins <gaim-encryption@icarion.com> wrote:
> Actually, I believe the bug is simply that 'realstart' is not
> assigned at the beginning of the function. If it is set to zero,
> the check correctly detects that it wasn't assigned, and things are
> (moderately) happy:
I also considered this smaller patch, but dismissed it because the
error message would be something like "can't decrypt" instead of the
more correct "no colon found" - but you're the upstream author, you're
the one to decide..
Max
Reply sent to Leo Costela <costela@debian.org>:
You have taken responsibility.
Notification sent to Joerg Kurlbaum <jkur@informatik.uni-bremen.de>:
Bug acknowledged by developer.
Subject: Bug#337127: fixed in gaim-encryption 3.0~beta5-3
Date: Thu, 28 Sep 2006 22:32:04 -0700
Source: gaim-encryption
Source-Version: 3.0~beta5-3
We believe that the bug you reported is fixed in the latest version of
gaim-encryption, which is due to be installed in the Debian FTP archive:
gaim-encryption_3.0~beta5-3.diff.gz
to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3.diff.gz
gaim-encryption_3.0~beta5-3.dsc
to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3.dsc
gaim-encryption_3.0~beta5-3_i386.deb
to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5-3_i386.deb
gaim-encryption_3.0~beta5.orig.tar.gz
to pool/main/g/gaim-encryption/gaim-encryption_3.0~beta5.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 337127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Leo Costela <costela@debian.org> (supplier of updated gaim-encryption package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 28 Aug 2006 01:58:01 -0300
Source: gaim-encryption
Binary: gaim-encryption
Architecture: source i386
Version: 3.0~beta5-3
Distribution: unstable
Urgency: low
Maintainer: Leo Costela <costela@debian.org>
Changed-By: Leo Costela <costela@debian.org>
Description:
gaim-encryption - gaim plugin that provides transparent encryption
Closes: 313707 337127 340246 348229 362683
Changes:
gaim-encryption (3.0~beta5-3) unstable; urgency=low
.
* Migrate to Unstable (Gaim beta is already in)
(closes: #340246, #362683, #313707, #348229)
* Ack NMU (thanks Alexander Wirt!) (closes: #337127)
* Change the version to use the new '~' character (should ease things up when
3.0-final is released...)
Files:
aaec9244e652eede6e9cbc64d4b4fc10 678 net optional gaim-encryption_3.0~beta5-3.dsc
6c999293dd0018630d406aa638e4e95f 567451 net optional gaim-encryption_3.0~beta5.orig.tar.gz
af436bbcfc3ff8bb8afb25fc626956a4 3257 net optional gaim-encryption_3.0~beta5-3.diff.gz
26507fc6d9cbb5f496b534d64b21dfc0 103200 net optional gaim-encryption_3.0~beta5-3_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFHKygImLTb3rflGYRAn04AKDW+VQne706EaFtneZWCGIPBAuYugCeK+qY
+kge64kVANrXq3XziVjt4ps=
=xLV8
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 00:19:38 GMT)