Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201411-5 ======================================== Severity: Low Date : 2014-11-09 CVE-ID : CVE-2014-8483 Package : konversation Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/title/CVE-2014 Summary ====== The package konversation before version 1.5.1-1 is vulnerable to denial of service. Resolution ========= Upgrade to 1.5.1-1. # pacman -Syu "konversation>=1.5.1-1" The problem has been fixed upstream [0] in version 1.5.1. Workaround ========= None. Description ========== Konversation's Blowfish ECB encryption support assumes incoming blocks to be the expected 12 bytes. The lack of a sanity-check for the actual size can cause a denial of service and an information leak to the local user. Impact ===== When using Blowfish ECB encryption with another party (an IRC channel or user), sending malformed blocks to konversation can result in a crash or an information leak up to 11 bytes to the local user, due to an out-of-bounds read on a heap-allocated array. References ========= [0] https://github.com/quassel/quassel/commit/8b5ecd https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8483 https://bugs.archlinux.org/task/42698 https://kde.org/info/security/advisory-20141104-1.txt