[SCM] Konversation packaging for Debian branch, master, updated. debian/1.5-1-1-gd5c40a3
Diane Trout
diane-guest at moszumanska.debian.org
Wed Nov 5 20:25:30 UTC 2014
Gitweb-URL: http://git.debian.org/?p=pkg-kde/kde-extras/konversation.git;a=commitdiff;h=d5c40a3
The following commit has been merged in the master branch:
commit d5c40a325f5236cfd7ab52b757a49afd29c3b122
Author: Diane Trout <diane at ghic.org>
Date: Wed Nov 5 12:23:18 2014 -0800
Backport fix for CVE-2014-8483 in cve-2014-8483.patch See https://security-tracker.debian.org/tracker/CVE-2014-8483 (Closes: #768191)
---
debian/changelog | 8 +++++++
debian/patches/cve-2014-8483.patch | 49 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 58 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 5d770c6..57b6068 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+konversation (1.5-2) UNRELEASED; urgency=medium
+
+ * Backport fix for CVE-2014-8483 in cve-2014-8483.patch
+ See https://security-tracker.debian.org/tracker/CVE-2014-8483
+ (Closes: #768191)
+
+ -- Diane Trout <diane at ghic.org> Wed, 05 Nov 2014 11:03:31 -0800
+
konversation (1.5-1) unstable; urgency=medium
* New upstream release
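Review bot: the new entry keeps `urgency=medium` for a CVE fix; Debian convention is to upload security fixes with `urgency=high` (which also shortens the testing migration delay) and to state the impact next to the CVE number, so suggest `konversation (1.5-2) UNRELEASED; urgency=high` and a phrase such as "fix crash on malformed ECB Blowfish input" taken from the patch Description. The distribution is still `UNRELEASED`, which is fine for this commit but needs to be set before upload.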
diff --git a/debian/patches/cve-2014-8483.patch b/debian/patches/cve-2014-8483.patch
new file mode 100644
index 0000000..5cc9f00
--- /dev/null
+++ b/debian/patches/cve-2014-8483.patch
@@ -0,0 +1,49 @@
+Origin: http://quickgit.kde.org/?p=konversation.git&a=commit&h=1f55cee8b3d0956adc98834f7b5832e48e077ed7
+Bug: https://bugs.kde.org/show_bug.cgi?id=210792
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768191
+Description: Do a bounds check on ECB blocks.
+ Backport fix for CVE-2014-8483
+ https://security-tracker.debian.org/tracker/CVE-2014-8483
+ .
+ Blindly assuming they're the expected 12 chars can lead to a crash
+ on malformed input.
+ .
+ Original patch by Manuel Nickschas for Quassel, who incorporated
+ the original Konversation code into Quassel in 2009.
+
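Review bot: the `Origin:` field carries the bare commit URL; DEP-3 recommends prefixing it with the category, i.e. `Origin: upstream, http://quickgit.kde.org/?p=konversation.git&a=commit&h=1f55cee8b3d0956adc98834f7b5832e48e077ed7`, which also records that this is a backport of a change already applied upstream. The original author named in the free text (Manuel Nickschas) could go in a DEP-3 `Author:` field as well.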
+--- a/src/cipher.cpp
++++ b/src/cipher.cpp
+@@ -353,8 +353,12 @@
+ }
+ else
+ {
++ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
++ if ((temp.length() % 12) != 0)
++ return cipherText;
++
+ temp = b64ToByte(temp);
+- while((temp.length() % 8) != 0) temp.append('
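Review bot: the guard `if ((temp.length() % 12) != 0) return cipherText;` hands the undecoded input back to the caller unchanged on a bad length, so a ciphertext that is not a whole number of 12-character groups is treated as "not ours" rather than as an error; that matches the cited Quassel fix and is acceptable for a backport, but a comment saying that callers must read "returned unchanged" as "could not decrypt" would avoid the value being mistaken for a successful decryption. The check is applied to the base64 text before `b64ToByte(temp)`, which is consistent with the 12-chars-per-8-byte-block framing in the comment and is what makes the old `while((temp.length() % 8) != 0) temp.append(...)` padding on the decoded bytes removable; the hunk header (`-353,8 +353,12`) accounts for the four added lines shown, but the removed padding line is cut off in this message, so the remainder of the replacement cannot be checked from here.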
--
Konversation packaging for Debian
More information about the pkg-kde-commits mailing list