[SCM] Konversation packaging for Debian branch, master, updated. debian/1.5-1-1-gd5c40a3

Diane Trout diane-guest at moszumanska.debian.org
Wed Nov 5 20:25:30 UTC 2014 

Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-extras/konversation.git;a=commitdiff;h=d5c40a3

The following commit has been merged in the master branch:
commit d5c40a325f5236cfd7ab52b757a49afd29c3b122
Author: Diane Trout <diane at ghic.org>
Date:   Wed Nov 5 12:23:18 2014 -0800

    Backport fix for CVE-2014-8483 in cve-2014-8483.patch See https://security-tracker.debian.org/tracker/CVE-2014-8483 (Closes: #768191)
---
 debian/changelog                   |  8 +++++++
 debian/patches/cve-2014-8483.patch | 49 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 58 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 5d770c6..57b6068 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+konversation (1.5-2) UNRELEASED; urgency=medium
+
+  * Backport fix for CVE-2014-8483 in cve-2014-8483.patch
+    See https://security-tracker.debian.org/tracker/CVE-2014-8483
+    (Closes: #768191)
+
+ -- Diane Trout <diane at ghic.org>  Wed, 05 Nov 2014 11:03:31 -0800
+
 konversation (1.5-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/patches/cve-2014-8483.patch b/debian/patches/cve-2014-8483.patch
new file mode 100644
index 0000000..5cc9f00
--- /dev/null
+++ b/debian/patches/cve-2014-8483.patch
@@ -0,0 +1,49 @@
+Origin: http://quickgit.kde.org/?p=konversation.git&a=commit&h=1f55cee8b3d0956adc98834f7b5832e48e077ed7
+Bug: https://bugs.kde.org/show_bug.cgi?id=210792
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768191
+Description: Do a bounds check on ECB blocks.
+    Backport fix for CVE-2014-8483
+    https://security-tracker.debian.org/tracker/CVE-2014-8483
+    .
+    Blindly assuming they're the expected 12 chars can lead to a crash
+    on malformed input.
+    .
+    Original patch by Manuel Nickschas for Quassel, who incorporated
+    the original Konversation code into Quassel in 2009.
+
+--- a/src/cipher.cpp
++++ b/src/cipher.cpp
+@@ -353,8 +353,12 @@
+         }
+         else
+         {
++        // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++        if ((temp.length() % 12) != 0)
++            return cipherText;
++
+             temp = b64ToByte(temp);
+-            while((temp.length() % 8) != 0) temp.append('

-- 
Konversation packaging for Debian

More information about the pkg-kde-commits mailing list