-rw-r--r-- | plugins/MirOTR/libotr/read/ChangeLog | 60 | ||||
-rw-r--r-- | plugins/MirOTR/libotr/read/NEWS | 11 | ||||
-rw-r--r-- | plugins/MirOTR/libotr/read/Protocol-v3.html | 11 | ||||
-rw-r--r-- | plugins/MirOTR/libotr/read/README | 4 | ||||
-rw-r--r-- | plugins/MirOTR/libotr/src/instag.c | 7 | ||||
-rw-r--r-- | plugins/MirOTR/libotr/src/message.c | 3 |
6 files changed, 87 insertions, 9 deletions
diff --git a/plugins/MirOTR/libotr/read/ChangeLog b/plugins/MirOTR/libotr/read/ChangeLog
index c0da98b1d3..35752b00bc 100644
--- a/plugins/MirOTR/libotr/read/ChangeLog
+++ b/plugins/MirOTR/libotr/read/ChangeLog
@@ -1,3 +1,63 @@
+2016-03-07
+
+ * tests/regression/client/Makefile.am:
+ * tests/unit/Makefile.am: Add LIBGCRYPT_CFLAGS to the test suite
+
+ * Makefile.am:
+ * configure.ac: Only build the test suite on Linux, since it
+ currently uses Linux-specific features such as epoll
+
+2016-03-06
+
+ * Makefile.am: Add bootstrap to the tarball
+
+2016-03-04
+
+ * README:
+ * configure.ac:
+ * src/version.h: Bump version number to 4.1.1
+
+2016-03-03
+
+ * src/proto.c (otrl_proto_accept_data):
+ * src/proto.c (otrl_proto_fragment_accumulate):
+ * src/proto.c (otrl_proto_fragment_create): Prevent integer
+ overflow on 64-bit architectures when receiving 4GB messages.
+ In several places in proto.c, the sizes of portions of incoming
+ messages were stored in variables of type int or unsigned int
+ instead of size_t. If a message arrives with very large
+ sizes (for example unsigned int datalen = UINT_MAX), then
+ constructions like malloc(datalen+1) will turn into malloc(0),
+ which on some architectures returns a non-NULL pointer, but
+ UINT_MAX bytes will get written to that pointer. Ensure all
+ calls to malloc or realloc cannot integer overflow like this.
+ Thanks to Markus Vervier of X41 D-Sec GmbH
+ <markus.vervier@x41-dsec.de> for the report.
+
+ * Protocol-v3.html: Clarify that instance tags and fragment
+ numbers in the OTR fragment format are allowed to have leading
+ 0s. Also fix that how to handle v2 versus v3 messages for the
+ Reveal Signature and Signature messages was missing. Thanks to
+ Ola Bini <obini@thoughtworks.com> for the report.
+
+2015-12-25
+
+ * src/instag.c (otrl_instag_read_FILEp): Fix memory leak in
+ otrl_instag_read_FILEp if the tag file is malformed. Thanks to
+ Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> for the
+ report.
+ +2015-08-18 + + * src/message.c (otrl_message_receiving): + * src/proto.c (otrl_proto_create_data): Set to NULL the sendsmp + pointer when handling SMP to avoid a potential free() of an + uninitialized pointer. Also ensure the message pointer is set + to NULL in otrl_proto_create_data for extra precaution and to + prevent future code paths from having the same error. Thanks to + Nicolas Guigo <nicolas.guigo@nccgroup.trust> and Ben Hawkes + <hawkes@inertiawar.com> for the report. + 2015-02-08 * Protocol-v3.html: Typo fixes, thanks to Hannes Mehnert diff --git a/plugins/MirOTR/libotr/read/NEWS b/plugins/MirOTR/libotr/read/NEWS index c88ebf10fa..1be74666e3 100644 --- a/plugins/MirOTR/libotr/read/NEWS +++ b/plugins/MirOTR/libotr/read/NEWS @@ -1,3 +1,14 @@ +9 Mar 2016: +- Release 4.1.1 +- Fix an integer overflow bug that can cause a heap buffer overflow (and + from there remote code execution) on 64-bit platforms +- Fix possible free() of an uninitialized pointer +- Be stricter about parsing v3 fragments +- Add a testsuite ("make check" to run it), but only on Linux for now, + since it uses Linux-specific features such as epoll +- Fix a memory leak when reading a malformed instance tag file +- Protocol documentation clarifications + 21 Oct 2014: - Release 4.1.0 - Modernized autoconf build system diff --git a/plugins/MirOTR/libotr/read/Protocol-v3.html b/plugins/MirOTR/libotr/read/Protocol-v3.html index 99c376b98b..49b2edbabc 100644 --- a/plugins/MirOTR/libotr/read/Protocol-v3.html +++ b/plugins/MirOTR/libotr/read/Protocol-v3.html @@ -1280,7 +1280,8 @@ fragmentation on outgoing messages is optional.</p> <li>Note that k and n are unsigned short ints (2 bytes), and each has a maximum value of 65535. Also, each piece[k] must be - non-empty.</li> + non-empty. The instance tags (if applicable) and the k and n + values may have leading zeroes.</li> </ul> <p>Note that fragments are not themselves messages that can be fragmented: you can't fragment a fragment.</p></dd> 
@@ -1610,7 +1611,9 @@ AUTHSTATE_V1_SETUP:</dt> <dd>Ignore the message.</dd> </dl> <h4>Receiving a Reveal Signature Message</h4> -<p>If ALLOW_V2 is not set, ignore this message. Otherwise:</p> +<p>If the message is version 2 and ALLOW_V2 is not set, ignore this message. +Similarly if the message is version 3 and ALLOW_V3 is not set, ignore the +message. Otherwise:</p> <dl> <dt>If authstate is AUTHSTATE_AWAITING_REVEALSIG:</dt> <dd>Use the received value of r to decrypt the value of g<sup>x</sup> @@ -1630,7 +1633,9 @@ AUTHSTATE_AWAITING_SIG, or AUTHSTATE_V1_SETUP:</dt> <dd>Ignore the message.</dd> </dl> <h4>Receiving a Signature Message</h4> -<p>If ALLOW_V2 is not set, ignore this message. Otherwise:</p> +<p>If the message is version 2 and ALLOW_V2 is not set, ignore this message. +Similarly if the message is version 3 and ALLOW_V3 is not set, ignore the +message. Otherwise:</p> <dl> <dt>If authstate is AUTHSTATE_AWAITING_SIG:</dt> <dd>Decrypt the encrypted signature, and verify the signature and the MACs. diff --git a/plugins/MirOTR/libotr/read/README b/plugins/MirOTR/libotr/read/README index 1dd7268291..aa34e08e4f 100644 --- a/plugins/MirOTR/libotr/read/README +++ b/plugins/MirOTR/libotr/read/README @@ -1,5 +1,5 @@ Off-the-Record Messaging Library and Toolkit - v4.1.0, 21 Oct 2014 + v4.1.1, 9 Mar 2016 This is a library and toolkit which implements Off-the-Record (OTR) Messaging. @@ -309,7 +309,7 @@ The Off-the-Record Messaging library (in the src directory) is covered by the following (LGPL) license: Off-the-Record Messaging library - Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits, + Copyright (C) 2004-2016 Ian Goldberg, David Goulet, Rob Smits, Chris Alexander, Willy Lew, Lisa Du, Nikita Borisov <otr@cypherpunks.ca> diff --git a/plugins/MirOTR/libotr/src/instag.c b/plugins/MirOTR/libotr/src/instag.c index cccd94fb6c..5538158f7c 100644 --- a/plugins/MirOTR/libotr/src/instag.c +++ b/plugins/MirOTR/libotr/src/instag.c 
@@ -90,12 +90,13 @@ gcry_error_t otrl_instag_read(OtrlUserState us, const char *filename) * OtrlUserState. The FILE* must be open for reading. */ gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf) { - if (!instf) return gcry_error(GPG_ERR_NO_ERROR); - - OtrlInsTag *p; + + OtrlInsTag *p; char storeline[1000]; size_t maxsize = sizeof(storeline); + if (!instf) return gcry_error(GPG_ERR_NO_ERROR); + while(fgets(storeline, maxsize, instf)) { char *prevpos; char *pos; diff --git a/plugins/MirOTR/libotr/src/message.c b/plugins/MirOTR/libotr/src/message.c index c44ce7b8fc..6cc8165c27 100644 --- a/plugins/MirOTR/libotr/src/message.c +++ b/plugins/MirOTR/libotr/src/message.c @@ -467,9 +467,10 @@ static gcry_error_t send_or_error_auth(const OtrlMessageAppOps *ops, if (!err) { const char *msg = context->auth.lastauthmsg; if (msg && *msg) { + time_t now; fragment_and_send(ops, opdata, context, msg, OTRL_FRAGMENT_SEND_ALL, NULL); - time_t now = time(NULL); + now = time(NULL); /* Update the "last sent" fields, unless this is a version 3 * message typing to update the master context (as happens * when sending a v3 COMMIT message, for example). */ |
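Review bot: The instag.c and message.c hunks only hoist declarations above statements (`OtrlInsTag *p;` now precedes the `if (!instf)` guard, `time_t now;` precedes the `fragment_and_send` call), which reads as a declarations-first adjustment for a C89-only compiler, but neither hunk carries a comment saying so; a one-liner such as `/* declarations first: keep this file compiling as C89 */` would stop a later cleanup from re-inlining `time_t now = time(NULL);`. At the same time the ChangeLog and NEWS hunks in this commit advertise the 4.1.1 fixes — the proto.c integer-overflow fix and the 2015-12-25 leak fix in otrl_instag_read_FILEp — yet src/proto.c is absent from the file list and the instag.c hunk shows no change to the parsing loop, so the bundled documentation now claims fixes this diff does not visibly contain; if they landed in a separate commit, the commit message should say so. The bodies of both otrl_instag_read_FILEp and send_or_error_auth continue outside their hunks.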