-rw-r--r--  plugins/MirOTR/libotr/read/ChangeLog          | 60
-rw-r--r--  plugins/MirOTR/libotr/read/NEWS               | 11
-rw-r--r--  plugins/MirOTR/libotr/read/Protocol-v3.html   | 11
-rw-r--r--  plugins/MirOTR/libotr/read/README             |  4
-rw-r--r--  plugins/MirOTR/libotr/src/instag.c            |  7
-rw-r--r--  plugins/MirOTR/libotr/src/message.c           |  3
6 files changed, 87 insertions, 9 deletions
diff --git a/plugins/MirOTR/libotr/read/ChangeLog b/plugins/MirOTR/libotr/read/ChangeLog
index c0da98b1d3..35752b00bc 100644
--- a/plugins/MirOTR/libotr/read/ChangeLog
+++ b/plugins/MirOTR/libotr/read/ChangeLog
@@ -1,3 +1,63 @@
+2016-03-07
+
+ * tests/regression/client/Makefile.am:
+ * tests/unit/Makefile.am: Add LIBGCRYPT_CFLAGS to the test suite
+
+ * Makefile.am:
+ * configure.ac: Only build the test suite on Linux, since it
+ currently uses Linux-specific features such as epoll
+
+2016-03-06
+
+ * Makefile.am: Add bootstrap to the tarball
+
+2016-03-04
+
+ * README:
+ * configure.ac:
+ * src/version.h: Bump version number to 4.1.1
+
+2016-03-03
+
+ * src/proto.c (otrl_proto_accept_data):
+ * src/proto.c (otrl_proto_fragment_accumulate):
+ * src/proto.c (otrl_proto_fragment_create): Prevent integer
+ overflow on 64-bit architectures when receiving 4GB messages.
+ In several places in proto.c, the sizes of portions of incoming
+ messages were stored in variables of type int or unsigned int
+ instead of size_t. If a message arrives with very large
+ sizes (for example unsigned int datalen = UINT_MAX), then
+ constructions like malloc(datalen+1) will turn into malloc(0),
+ which on some architectures returns a non-NULL pointer, but
+ UINT_MAX bytes will get written to that pointer. Ensure all
+ calls to malloc or realloc cannot integer overflow like this.
+ Thanks to Markus Vervier of X41 D-Sec GmbH
+ <markus.vervier@x41-dsec.de> for the report.
+
+ * Protocol-v3.html: Clarify that instance tags and fragment
+ numbers in the OTR fragment format are allowed to have leading
+ 0s. Also fix that how to handle v2 versus v3 messages for the
+ Reveal Signature and Signature messages was missing. Thanks to
+ Ola Bini <obini@thoughtworks.com> for the report.
+
+2015-12-25
+
+ * src/instag.c (otrl_instag_read_FILEp): Fix memory leak in
+ otrl_instag_read_FILEp if the tag file is malformed. Thanks to
+ Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> for the
+ report.
+
+2015-08-18
+
+ * src/message.c (otrl_message_receiving):
+ * src/proto.c (otrl_proto_create_data): Set to NULL the sendsmp
+ pointer when handling SMP to avoid a potential free() of an
+ uninitialized pointer. Also ensure the message pointer is set
+ to NULL in otrl_proto_create_data for extra precaution and to
+ prevent future code paths from having the same error. Thanks to
+ Nicolas Guigo <nicolas.guigo@nccgroup.trust> and Ben Hawkes
+ <hawkes@inertiawar.com> for the report.
+
2015-02-08
* Protocol-v3.html: Typo fixes, thanks to Hannes Mehnert
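Review bot: the 2016-03-03 entry records size_t fixes in src/proto.c (otrl_proto_accept_data, otrl_proto_fragment_accumulate, otrl_proto_fragment_create), but plugins/MirOTR/libotr/src/proto.c is not among the six files in this change set, so the vendored ChangeLog now documents a heap-overflow fix that this commit does not import. Either add the proto.c changes to the same commit or confirm that the vendored proto.c already carries them (the int/unsigned int length variables the entry names should be size_t, and every malloc(len+1)/realloc site should be checked for wrap-around) before the 4.1.1 version bump lands.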
diff --git a/plugins/MirOTR/libotr/read/NEWS b/plugins/MirOTR/libotr/read/NEWS
index c88ebf10fa..1be74666e3 100644
--- a/plugins/MirOTR/libotr/read/NEWS
+++ b/plugins/MirOTR/libotr/read/NEWS
@@ -1,3 +1,14 @@
+9 Mar 2016:
+- Release 4.1.1
+- Fix an integer overflow bug that can cause a heap buffer overflow (and
+ from there remote code execution) on 64-bit platforms
+- Fix possible free() of an uninitialized pointer
+- Be stricter about parsing v3 fragments
+- Add a testsuite ("make check" to run it), but only on Linux for now,
+ since it uses Linux-specific features such as epoll
+- Fix a memory leak when reading a malformed instance tag file
+- Protocol documentation clarifications
+
21 Oct 2014:
- Release 4.1.0
- Modernized autoconf build system
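Review bot: the 4.1.1 entry advertises a test suite ("make check") and stricter v3 fragment parsing, yet this change touches only read/, src/instag.c and src/message.c; no tests/, configure.ac or proto.c appears in the diffstat. Copied verbatim into plugins/MirOTR, this NEWS text will overstate what the plugin build actually contains. If those pieces are deliberately not imported, a short MirOTR-side note listing which upstream 4.1.1 changes are included would stop readers from assuming the 64-bit heap overflow fix is present in this tree.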
diff --git a/plugins/MirOTR/libotr/read/Protocol-v3.html b/plugins/MirOTR/libotr/read/Protocol-v3.html
index 99c376b98b..49b2edbabc 100644
--- a/plugins/MirOTR/libotr/read/Protocol-v3.html
+++ b/plugins/MirOTR/libotr/read/Protocol-v3.html
@@ -1280,7 +1280,8 @@ fragmentation on outgoing messages is optional.</p>
<li>Note that k and n are unsigned short ints (2 bytes), and each has
a maximum value of 65535. Also, each piece[k] must be
- non-empty.</li>
+ non-empty. The instance tags (if applicable) and the k and n
+ values may have leading zeroes.</li>
</ul>
<p>Note that fragments are not themselves messages that can be
fragmented: you can't fragment a fragment.</p></dd>
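Review bot: permitting leading zeroes in k, n and the instance tags without bounding the field length invites inconsistent parsers: one receiver using a fixed-width scan may accept "000000000000000065535" while another rejects it, and a parser that converts with an unchecked integer conversion can wrap past 65535. Suggest the spec also state a maximum digit count for these fields and that any value that does not fit in an unsigned short must cause the fragment to be rejected rather than silently truncated.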
@@ -1610,7 +1611,9 @@ AUTHSTATE_V1_SETUP:</dt>
<dd>Ignore the message.</dd>
</dl>
<h4>Receiving a Reveal Signature Message</h4>
-<p>If ALLOW_V2 is not set, ignore this message. Otherwise:</p>
+<p>If the message is version 2 and ALLOW_V2 is not set, ignore this message.
+Similarly if the message is version 3 and ALLOW_V3 is not set, ignore the
+message. Otherwise:</p>
<dl>
<dt>If authstate is AUTHSTATE_AWAITING_REVEALSIG:</dt>
<dd>Use the received value of r to decrypt the value of g<sup>x</sup>
@@ -1630,7 +1633,9 @@ AUTHSTATE_AWAITING_SIG, or AUTHSTATE_V1_SETUP:</dt>
<dd>Ignore the message.</dd>
</dl>
<h4>Receiving a Signature Message</h4>
-<p>If ALLOW_V2 is not set, ignore this message. Otherwise:</p>
+<p>If the message is version 2 and ALLOW_V2 is not set, ignore this message.
+Similarly if the message is version 3 and ALLOW_V3 is not set, ignore the
+message. Otherwise:</p>
<dl>
<dt>If authstate is AUTHSTATE_AWAITING_SIG:</dt>
<dd>Decrypt the encrypted signature, and verify the signature and the MACs.
diff --git a/plugins/MirOTR/libotr/read/README b/plugins/MirOTR/libotr/read/README
index 1dd7268291..aa34e08e4f 100644
--- a/plugins/MirOTR/libotr/read/README
+++ b/plugins/MirOTR/libotr/read/README
@@ -1,5 +1,5 @@
Off-the-Record Messaging Library and Toolkit
- v4.1.0, 21 Oct 2014
+ v4.1.1, 9 Mar 2016
This is a library and toolkit which implements Off-the-Record (OTR) Messaging.
@@ -309,7 +309,7 @@ The Off-the-Record Messaging library (in the src directory) is
covered by the following (LGPL) license:
Off-the-Record Messaging library
- Copyright (C) 2004-2014 Ian Goldberg, David Goulet, Rob Smits,
+ Copyright (C) 2004-2016 Ian Goldberg, David Goulet, Rob Smits,
Chris Alexander, Willy Lew, Lisa Du,
Nikita Borisov
<otr@cypherpunks.ca>
diff --git a/plugins/MirOTR/libotr/src/instag.c b/plugins/MirOTR/libotr/src/instag.c
index cccd94fb6c..5538158f7c 100644
--- a/plugins/MirOTR/libotr/src/instag.c
+++ b/plugins/MirOTR/libotr/src/instag.c
@@ -90,12 +90,13 @@ gcry_error_t otrl_instag_read(OtrlUserState us, const char *filename)
* OtrlUserState. The FILE* must be open for reading. */
gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf)
{
- if (!instf) return gcry_error(GPG_ERR_NO_ERROR);
-
- OtrlInsTag *p;
+
+ OtrlInsTag *p;
char storeline[1000];
size_t maxsize = sizeof(storeline);
+ if (!instf) return gcry_error(GPG_ERR_NO_ERROR);
+
while(fgets(storeline, maxsize, instf)) {
char *prevpos;
char *pos;
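Review bot: the only effect of this hunk is moving the `if (!instf) return ...;` early return below the declarations of `p`, `storeline` and `maxsize`, i.e. a declarations-before-statements fix for compilers in C89 mode, not the otrl_instag_read_FILEp memory-leak fix that the ChangeLog hunk above credits to this function. If the compiler fix is the intent, say so in the commit message, and separately check that the malformed-line path later in this function frees the OtrlInsTag allocated for that line.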
diff --git a/plugins/MirOTR/libotr/src/message.c b/plugins/MirOTR/libotr/src/message.c
index c44ce7b8fc..6cc8165c27 100644
--- a/plugins/MirOTR/libotr/src/message.c
+++ b/plugins/MirOTR/libotr/src/message.c
@@ -467,9 +467,10 @@ static gcry_error_t send_or_error_auth(const OtrlMessageAppOps *ops,
if (!err) {
const char *msg = context->auth.lastauthmsg;
if (msg && *msg) {
+ time_t now;
fragment_and_send(ops, opdata, context, msg,
OTRL_FRAGMENT_SEND_ALL, NULL);
- time_t now = time(NULL);
+ now = time(NULL);
/* Update the "last sent" fields, unless this is a version 3
* message typing to update the master context (as happens
* when sending a v3 COMMIT message, for example). */
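Review bot: good that `now = time(NULL);` stays after the fragment_and_send() call instead of being initialized at the declaration, since the "last sent" fields should reflect the time after the message went out. As with the instag.c hunk, this is a declaration-before-statement change for C89-mode compilers with no behavioural effect, which the commit message should state so it is not mistaken for one of the 4.1.1 security fixes.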