Hey, I would like to update mixmaster in etch's first point release to fix a grave bug that unfortunately was only discovered after the release.
The same source has already been uploaded to unstable as 3.0b2-5. Please let me know if I may upload the package. diff -u mixmaster-3.0b2/debian/changelog mixmaster-3.0b2/debian/changelog --- mixmaster-3.0b2/debian/changelog +++ mixmaster-3.0b2/debian/changelog @@ -1,3 +1,28 @@ +mixmaster (3.0b2-4.etch1) stable; urgency=high + + * Backport a fix from upstream: + In two functions in keymgt.c we had allocated a buffer of 33 bytes + when if fact we were using one more - 34 - bytes. This buffer + overflow is exposed when building with gcc 4.x, it never was exposed + with previous compilers because they apparently layed out the stack + differently. + The result of this buffer overflow is that a single 0-byte will be + written at the end of the buffer. At that position on the stack + there is (at least in the previous build) a saved local variable + from a calling function. This local variable is a pointer to a + BUFFER struct and this pointer has its least significant byte + set to zero. + This prevents mixmaster from properly decrypting incoming type2 + messages. It's not likely that this can be exploited to execute + arbitrary code, tho evidence or argument to the contrary are of course + welcome. + Upstream patch: + http://svn.noreply.org/cgi-bin/viewcvs.cgi/trunk/Mix/Src/keymgt.c?rev=929&r1=766&r2=929 + Closes: #418662 + Thanks to Hauke Lampe and Colin Tuckley. + + -- Peter Palfrader <[EMAIL PROTECTED]> Mon, 23 Apr 2007 17:14:50 +0200 + mixmaster (3.0b2-4) unstable; urgency=low [ Christian Perrier ] only in patch2: unchanged: --- mixmaster-3.0b2.orig/Src/keymgt.c +++ mixmaster-3.0b2/Src/keymgt.c @@ -14,6 +14,8 @@ #include <time.h> #include <assert.h> +#define KEY_ID_LEN 32 + int getv2seckey(byte keyid[], BUFFER *key); static int getv2pubkey(byte keyid[], BUFFER *key); @@ -39,7 +41,7 @@ { FILE *keyring; BUFFER *iv, *pass, *temp; - char idstr[33]; + char idstr[KEY_ID_LEN+2]; char line[LINELEN]; int err = -1; char *res; 
@@ -78,7 +80,7 @@ } while ( res != NULL && strchr(line, ':') != NULL ); if (res == NULL) break; - if (keyid && !streq(line, idstr)) + if (keyid && (strncmp(line, idstr, KEY_ID_LEN) != 0)) continue; if (created != 0 && (created > time(NULL))) { errlog(ERRORMSG, "Key is not valid yet (creation date in the future): %s", idstr); @@ -126,7 +128,7 @@ { FILE *keyring; BUFFER *b, *temp, *iv; - char idstr[33]; + char idstr[KEY_ID_LEN+2]; char line[LINELEN]; int err = 0; @@ -149,7 +151,7 @@ line[strlen(line)-1] = '\0'; if ((strlen(line) > 0) && (line[strlen(line)-1] == '\r')) line[strlen(line)-1] = '\0'; - if (!streq(line, idstr)) + if (strncmp(line, idstr, KEY_ID_LEN) != 0) continue; fgets(line, sizeof(line), keyring); /* ignore length */ for (;;) { $ debdiff mixmaster_3.0b2-4_i386.changes mixmaster_3.0b2-4.etch1_i386.changes File lists identical (after any substitutions) Control files: lines which differ (wdiff format) ------------------------------------------------ Version: [-3.0b2-4-] {+3.0b2-4.etch1+} Installed-Size: [-596-] {+600+} -- | .''`. ** Debian GNU/Linux ** Peter Palfrader | : :' : The universal http://www.palfrader.org/ | `. `' Operating System | `- http://www.debian.org/
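Review bot: the debian/changelog entry describes only the 33-versus-34 byte allocation, but the keymgt.c part of this diff also replaces both `streq(line, idstr)` calls with `strncmp(line, idstr, KEY_ID_LEN)`. For a stable update the entry should say that the key-id comparison changed as well, and why, so whoever approves the upload does not have to infer it from the code.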
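Review bot: in both `idstr` declarations in Src/keymgt.c (the hunks at -39 and -126) the new size `KEY_ID_LEN+2` has no comment saying what the two bytes beyond the 32-character id hold, and the code that fills `idstr` is outside the visible context, so the diff alone does not show that 34 bytes is the true maximum. Suggest a comment on the declaration naming the extra bytes, and a bounded write into `idstr`, so a later change cannot reintroduce the off-by-one.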
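Review bot: the two comparison hunks in Src/keymgt.c (at -78 and -149) turn an exact match into a prefix match: `strncmp(line, idstr, KEY_ID_LEN) != 0` accepts any keyring line whose first 32 characters equal the id, whatever follows them, where `streq(line, idstr)` compared the whole line. If only a bare key id is valid on that line, also check that `line[KEY_ID_LEN]` is the end of the line before accepting the entry.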