[Pkg-gnupg-commit] r407 - in /gnupg/branches/squeeze/debian: changelog patches/00list patches/CVE-2014-4617.dpatch
thijs at users.alioth.debian.org
Mon Jun 30 13:58:37 UTC 2014
Author: thijs
Date: Mon Jun 30 13:58:37 2014
New Revision: 407
URL: http://svn.debian.org/wsvn/pkg-gnupg/?sc=1&rev=407
Log:
fix CVE-2014-4617 for squeeze-lts
Added:
gnupg/branches/squeeze/debian/patches/CVE-2014-4617.dpatch
Modified:
gnupg/branches/squeeze/debian/changelog
gnupg/branches/squeeze/debian/patches/00list
Modified: gnupg/branches/squeeze/debian/changelog
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/squeeze/debian/changelog?rev=407&op=diff
==============================================================================
--- gnupg/branches/squeeze/debian/changelog (original)
+++ gnupg/branches/squeeze/debian/changelog Mon Jun 30 13:58:37 2014
@@ -1,3 +1,12 @@
+gnupg (1.4.10-4+squeeze5) squeeze-lts; urgency=high
+
+ * CVE-2014-4617: Avoid DoS due to garbled compressed data packets.
+ Apply upstream commit to stop a possible DoS using garbled compressed
+ data packets which can be used to put gpg into an infinite loop.
+ (Closes: #752497)
+
+ -- Thijs Kinkhorst <thijs at debian.org> Mon, 30 Jun 2014 15:41:56 +0200
+
gnupg (1.4.10-4+squeeze4) squeeze-security; urgency=high
* Fixed the RSA Key Extraction via Low-Bandwidth Acoustic
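Review bot: The new entry says "Apply upstream commit" without saying which commit, so the backport cannot be traced to its upstream source from the changelog alone. Name the upstream commit id or the upstream release that carries the fix, either in this entry next to "Closes: #752497" or in the dpatch's "## DP:" description.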
Modified: gnupg/branches/squeeze/debian/patches/00list
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/squeeze/debian/patches/00list?rev=407&op=diff
==============================================================================
--- gnupg/branches/squeeze/debian/patches/00list (original)
+++ gnupg/branches/squeeze/debian/patches/00list Mon Jun 30 13:58:37 2014
@@ -12,3 +12,4 @@
CVE-2013-4402
CVE-2013-4351
CVE-2013-4576
+CVE-2014-4617
Added: gnupg/branches/squeeze/debian/patches/CVE-2014-4617.dpatch
URL: http://svn.debian.org/wsvn/pkg-gnupg/gnupg/branches/squeeze/debian/patches/CVE-2014-4617.dpatch?rev=407&op=file
==============================================================================
--- gnupg/branches/squeeze/debian/patches/CVE-2014-4617.dpatch (added)
+++ gnupg/branches/squeeze/debian/patches/CVE-2014-4617.dpatch Mon Jun 30 13:58:37 2014
@@ -0,0 +1,63 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2014-4617 by Werner Koch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Avoid infinite loop in uncompressing garbled packets.
+
+diff --git a/g10/compress.c b/g10/compress.c
+index 2c16174..07c9e5e 100644
+--- a/g10/compress.c
++++ b/g10/compress.c
+@@ -131,7 +131,7 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs )
+ * PGP uses a windowsize of 13 bits. Using a negative value for
+ * it forces zlib not to expect a zlib header. This is a
+ * undocumented feature Peter Gutmann told me about.
+- *
++ *
+ * We must use 15 bits for the inflator because CryptoEx uses 15
+ * bits thus the output would get scrambled w/o error indication
+ * if we would use 13 bits. For the uncompressing this does not
+@@ -155,7 +155,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ IOBUF a, size_t *ret_len )
+ {
+ int zrc;
+- int rc=0;
++ int rc = 0;
++ int leave = 0;
+ size_t n;
+ int nread, count;
+ int refill = !zs->avail_in;
+@@ -178,13 +179,14 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ if( nread == -1 )
+ nread = 0;
+ n += nread;
+- /* If we use the undocumented feature to suppress
+- * the zlib header, we have to give inflate an
+- * extra dummy byte to read */
+- if( nread < count && zfx->algo == 1 ) {
+- *(zfx->inbuf + n) = 0xFF; /* is it really needed ? */
+- zfx->algo1hack = 1;
++ /* Algo 1 has no zlib header which requires us to to give
++ * inflate an extra dummy byte to read. To be on the safe
++ * side we allow for up to 4 ff bytes. */
++ if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) {
++ *(zfx->inbuf + n) = 0xFF;
++ zfx->algo1hack++;
+ n++;
++ leave = 1;
+ }
+ zs->avail_in = n;
+ }
+@@ -208,7 +210,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
+ else
+ log_fatal("zlib inflate problem: rc=%d\n", zrc );
+ }
+- } while( zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR );
++ } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
++ && !leave);
+ *ret_len = zfx->outbufsize - zs->avail_out;
+ if( DBG_FILTER )
+ log_debug("do_uncompress: returning %u bytes\n", (unsigned)*ret_len );
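Review bot: The "&& !leave" term added to the loop condition is what ends the loop, yet neither it nor the "int leave = 0;" declaration earlier in the function has a comment. A short comment at the while, saying that once a dummy 0xFF byte has been appended the loop is left at the end of that iteration, would make the intent clear to the next reader. The commit touches only the changelog, 00list and this dpatch, so there is no regression test; a garbled compressed data packet of the kind the changelog describes, with a check that gpg terminates, would guard the fix.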
+--
+2.0.0
+