security fixes for 2.5.6

Josh Bressers bressers at
Tue May 12 15:42:58 EDT 2009

Sorry for the delay on this mail, it slipped through the cracks.  Comments
inline below.

----- "Ka-Hing Cheung" <khc at> wrote:

> Just a heads up that we will be releasing 2.5.6 in a few days and it
> will contain the following security fixes (in addition to other bug
> fixes):
> 8331e31a fixes a buffer overflow when initiating file transfer with a client
> and it sends back malformed response

This patch is bigger than a breadbox, I'll take your word for it.

> ad057b75 buffer overflow when decrypting qq packets

If I'm understanding this issue properly, you should probably call it a DoS
(or a bug). From looking at the patch, it would seem that what's happening is
two bytes end up getting written into crypted_ptr, but the catch is that the
two bytes are read from crypted_ptr, which would have been two more bytes than
that array should hold. The bytes are then run through qq_decipher. As this is
allocated (heap) memory in question, attackers can't control the data, as it's
going to be either padding bits (which would be completely harmless as you're
writing into the padding) or heap info (which you just read from), which
should only crash.

> 2c9a1153 buffer overflow when encrypting qq packets

How is this overflowing? From reading the source, all I see happening here is
that the extra "crypted_ptr += 8" could cause an OOB memory read, which would be
a DoS only. I would be surprised if this even crashes anything (as you're likely
reading heap structure bits).

> 7829ec76 fixes a memory corruption that can sometimes happen if an internal
> buffer is full when more bytes are available from the network

Can this be triggered by an attacker?  This sounds like it's just a bug that
happens from time to time, not something that can be triggered.

Also, in this context, what does memory corruption mean?

> I was told that Josh Bressers from Redhat has been nice enough to obtain CVE
> numbers for us in the past. Josh, could you do the same again?  Thanks!

I'll wait and assign them all at once.

> Additionally, the previous fix to CVE-2008-2927 was incomplete, so we fixed
> it again:
> 9dd1c4c3 Fixes a buffer overflow in the ZDI-08-054 report

We'll need a new CVE id for this if the previous fix was incomplete, but it's
thought it was fixed properly.

More information about the Packagers mailing list