head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2; locks; strict; comment @# @; 1.2 date 2012.08.14.22.08.09; author gdt; state dead; branches; next 1.1; 1.1 date 2012.08.09.10.06.47; author drochner; state Exp; branches; next ; desc @@ 1.2 log @Update to 3.2.1. (This is a security release, but pkgsrc already had patches from upstream.) This version corrects two heap overflows reported by our users: - A small write overflow, reported by Justin Ferguson - A large read overflow, reported by Ben Hawkes @ text @$NetBSD: patch-CVE-2012-3461-ac,v 1.1 2012/08/09 10:06:47 drochner Exp $ --- src/proto.c.orig 2008-05-27 12:35:28.000000000 +0000 +++ src/proto.c @@@@ -537,13 +537,17 @@@@ gcry_error_t otrl_proto_data_read_flags( msglen = strlen(otrtag); } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { return gcry_error(GPG_ERR_ENOMEM); } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ bufp = rawmsg; lenp = rawlen; @@@@ -606,14 +610,18 @@@@ gcry_error_t otrl_proto_accept_data(char msglen = strlen(otrtag); } + /* Skip over the "?OTR:" */ + otrtag += 5; + msglen -= 5; + /* Base64-decode the message */ - rawlen = ((msglen-5) / 4) * 3; /* maximum possible */ + rawlen = OTRL_B64_MAX_DECODED_SIZE(msglen); /* maximum possible */ rawmsg = malloc(rawlen); if (!rawmsg && rawlen > 0) { err = gcry_error(GPG_ERR_ENOMEM); goto err; } - rawlen = otrl_base64_decode(rawmsg, otrtag+5, msglen-5); /* actual size */ + rawlen = otrl_base64_decode(rawmsg, otrtag, msglen); /* actual size */ bufp = rawmsg; lenp = rawlen; @ 1.1 log @att patches from upstream to fix buffer overflow in the base64 decoder which can lead 
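Review bot: The added `msglen -= 5;` in otrl_proto_data_read_flags relies on msglen being at least 5, and the lines that would establish that (presumably the search for the "?OTR:" tag) are outside the hunk. If msglen is an unsigned size and could ever be smaller, the subtraction would wrap, and both the allocation size and the length passed to otrl_base64_decode would be derived from the wrapped value. A guard before the skip, `if (msglen < 5) return gcry_error(GPG_ERR_INV_VALUE);`, or at least a comment stating the invariant, would make the bound explicit at the point where it matters. The second hunk in otrl_proto_accept_data has the same pattern; there the guard would set `err` and `goto err` instead of returning. Both function bodies start and end outside the hunks.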
to crashes or potentially code injection (CVE-2012-3461) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @