The linked commit applies cleanly - patch is attached for convenience. Also I have filed four important bugfixes with patches a while ago, that I'd consider much higher priority that this security issue:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983667 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983668 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983669 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=983670 In the meantime another, even more important bugfix happened upstream, bug and patch are here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990330 I'd appreciate if they could also be part of the stable release. And as I mentioned before, I'd be happy to keep backporting important bugfixes. Best, Simon
diff --git a/lib/relay/protocol/protocol.go b/lib/relay/protocol/protocol.go
index 97dee8d41..0bc079ab6 100644
--- a/lib/relay/protocol/protocol.go
+++ b/lib/relay/protocol/protocol.go
@@ -4,6 +4,7 @@ package protocol
import (
"errors"
+ "fmt"
"io"
)
@@ -86,6 +87,9 @@ func ReadMessage(r io.Reader) (interface{}, error) {
if header.magic != magic {
return nil, errors.New("magic mismatch")
}
+ if header.messageLength < 0 || header.messageLength > 1024 {
+ return nil, fmt.Errorf("bad length (%d)", header.messageLength)
+ }
buf = make([]byte, int(header.messageLength))
if _, err := io.ReadFull(r, buf); err != nil {
OpenPGP_signature
Description: OpenPGP digital signature
