Hello community,

here is the log from the commit of package libmspack for openSUSE:Factory 
checked in at 2015-01-21 21:54:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libmspack (Old)
 and      /work/SRC/openSUSE:Factory/.libmspack.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libmspack"

Changes:
--------
--- /work/SRC/openSUSE:Factory/libmspack/libmspack.changes      2014-04-05 
16:47:09.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libmspack.new/libmspack.changes 2015-01-21 
21:54:17.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Jan 20 18:12:19 CET 2015 - [email protected]
+
+- Fix possible infinite loop caused DoS (bnc912214, CVE-2014-9556,
+  libmspack-qtmd_decompress-loop.patch).
+
+-------------------------------------------------------------------
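Review bot: the changelog wording "Fix possible infinite loop caused DoS" is a grammatical slip; "Fix possible infinite loop causing DoS" (or "Fix DoS caused by a possible infinite loop") reads cleanly. The same phrase is repeated verbatim in the PATCH-FIX-SECURITY comment added to libmspack.spec, so change both together.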

New:
----
  libmspack-qtmd_decompress-loop.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libmspack.spec ++++++
--- /var/tmp/diff_new_pack.727h8Z/_old  2015-01-21 21:54:18.000000000 +0100
+++ /var/tmp/diff_new_pack.727h8Z/_new  2015-01-21 21:54:18.000000000 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package libmspack
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,8 @@
 #Source:        
http://www.cabextract.org.uk/libmspack/%{name}-%{_version}.tar.gz
 Source:         %{name}-%{_version}.tar.gz
 Source2:        baselibs.conf
+# PATCH-FIX-SECURITY libmspack-qtmd_decompress-loop.patch bnc912214 
CVE-2014-9556 [email protected] -- Fix possible infinite loop caused DoS.
+Patch:          libmspack-qtmd_decompress-loop.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  pkg-config
 
@@ -60,6 +62,7 @@
 
 %prep
 %setup -q -n %{name}-%{_version}
+%patch -p3
 
 %build
 %configure\
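Review bot: `%patch -p3` is correct for this patch but deserves a comment next to the Patch: line or here in %prep. The patch's file header is a/libclamav/libmspack-0.4alpha/mspack/qtmd.c, i.e. ClamAV's embedded copy of libmspack, so -p3 strips a/, libclamav/ and libmspack-0.4alpha/ to reach mspack/qtmd.c inside the %{name}-%{_version} tree. A later rebase onto an upstream libmspack patch (paths of the form a/mspack/qtmd.c) would need -p1, and the non-obvious strip level will otherwise be the first thing to break.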

++++++ libmspack-qtmd_decompress-loop.patch ++++++
From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <[email protected]>
Date: Tue, 23 Dec 2014 21:20:43 +0100
Subject: libmspack: qtmd: fix frame_end overflow

Debian bts #773041, #772891 contain a report of a .cab file which
causes an endless loop.
Eric Sharkey diagnosed the problem: frame_end is 32-bit and overflows,
and as a result the loop makes no progress.
The problem seems to be that after the overflow, window_posn is larger than
frame_end and therefore we never enter the loop to make progress. But we
still have out_bytes > 0 so we don't leave the outer loop either.

Andreas Cadhalpun suggested that instead of making frame_end 64-bit, we
could avoid the overflow by reordering the code the following way:

original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
| frame_end = window_posn + out_bytes;
| if ((window_posn + frame_todo) < frame_end) {
|         frame_end = window_posn + frame_todo;
| }

replace frame_end in "if" with its content (and move the first frame_end
into the else path)
| if ((window_posn + frame_todo) < (window_posn + out_bytes))
|         frame_end = window_posn + frame_todo;
| else
|         frame_end = window_posn + out_bytes;

remove window_posn from "if" since it is the same both times.
| if (frame_todo <  out_bytes)
|         frame_end = window_posn + frame_todo;
| else
|         frame_end = window_posn + out_bytes;

Andreas added:
|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.

Suggested-as-patch: Andreas Cadhalpun <[email protected]>
[sebastian@breakpoint: added patch description]
Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
---
 libclamav/libmspack-0.4alpha/mspack/qtmd.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/libclamav/libmspack-0.4alpha/mspack/qtmd.c 
b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
index 12b27f5..e584aef 100644
--- a/libclamav/libmspack-0.4alpha/mspack/qtmd.c
+++ b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t 
out_bytes) {
 
     /* decode more, up to the number of bytes needed, the frame boundary,
      * or the window boundary, whichever comes first */
-    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
-    if ((window_posn + frame_todo) < frame_end) {
+    if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
       frame_end = window_posn + frame_todo;
+    } else {
+      frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
     }
     if (frame_end > qtm->window_size) {
       frame_end = qtm->window_size;
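Review bot: the expression `(out_bytes - (qtm->o_end - qtm->o_ptr))` now appears twice in this hunk, once in the condition and once in the else branch; hoist it into one local, e.g. `off_t needed = out_bytes - (qtm->o_end - qtm->o_ptr);`, so the two branches stay obviously consistent and the comparison `frame_todo < needed` reads as the bounded-versus-unbounded choice it is. The reason the else branch cannot wrap is that it is only reached when that remainder is at most frame_todo, which is at most QTM_FRAME_SIZE (32768) as the commit message states; nothing in the hunk enforces or mentions that, so a one-line comment above the `if` would keep a future edit to frame_todo from silently reintroducing the overflow. The existing `frame_end > qtm->window_size` clamp below is unchanged and still applies to both branches.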
-- 
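The overflow described in the commit message, as an added example that is not part of the patch or of libmspack: it models the pre-patch and post-patch frame_end computations with the types qtmd.c uses (unsigned int for window_posn, frame_todo and frame_end; off_t for out_bytes, assumed here to be 64-bit and modelled as int64_t), plus a skeleton of the outer loop of qtmd_decompress() in which real decoding is replaced by bookkeeping. The 4 GiB output request is a constructed input; it is enough to push window_posn + out_bytes past 2^32 so that the old computation yields a frame_end below window_posn and the loop stalls, while the reordered computation keeps making progress.

```c
#include <stdint.h>
#include <stdio.h>

/* Largest amount a single Quantum frame can contribute; qtmd.c never lets
 * frame_todo exceed this, which is what the reordered comparison relies on. */
#define QTM_FRAME_SIZE 32768u

/* Model of the pre-patch computation (not the library's code). window_posn,
 * frame_todo and frame_end are 32-bit unsigned int in qtmd.c; out_bytes is
 * off_t, modelled as int64_t (assumption: 64-bit off_t). The sum is formed in
 * 64 bits and silently truncated on assignment to the 32-bit frame_end. */
static unsigned int frame_end_before(unsigned int window_posn,
                                     unsigned int frame_todo,
                                     int64_t remaining,   /* out_bytes minus buffered output */
                                     unsigned int window_size)
{
    unsigned int frame_end = (unsigned int)(window_posn + remaining); /* wraps */
    if ((window_posn + frame_todo) < frame_end)
        frame_end = window_posn + frame_todo;
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

/* Model of the patched computation: compare the two candidate lengths first
 * and only then add window_posn. The else branch adds at most frame_todo
 * (<= QTM_FRAME_SIZE) to a window offset, so it cannot wrap. */
static unsigned int frame_end_after(unsigned int window_posn,
                                    unsigned int frame_todo,
                                    int64_t remaining,
                                    unsigned int window_size)
{
    unsigned int frame_end;
    if (frame_todo < remaining)
        frame_end = window_posn + frame_todo;
    else
        frame_end = window_posn + (unsigned int)remaining;
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

typedef unsigned int (*frame_end_fn)(unsigned int, unsigned int, int64_t, unsigned int);

/* Skeleton of the outer loop of qtmd_decompress(): each pass would decode
 * (frame_end - window_posn) bytes in the inner `while (window_posn < frame_end)`
 * loop. Decoding is replaced by bookkeeping; only the progress condition
 * matters here. Returns the number of passes needed to emit out_bytes, or -1
 * if a pass emits nothing (the library would spin forever at that point) or
 * max_passes is exceeded. */
static long simulate_decompress(frame_end_fn calc, unsigned int window_size,
                                int64_t out_bytes, long max_passes)
{
    unsigned int window_posn = 0, frame_todo = 0, frame_end, produced;
    long passes = 0;

    while (out_bytes > 0) {
        if (passes++ >= max_passes)
            return -1;
        if (frame_todo == 0)                 /* start a new frame */
            frame_todo = QTM_FRAME_SIZE;

        frame_end = calc(window_posn, frame_todo, out_bytes, window_size);
        if (frame_end <= window_posn)        /* inner loop would not run: no progress */
            return -1;

        produced = frame_end - window_posn;
        window_posn = frame_end;
        frame_todo -= produced;
        out_bytes -= produced;
        if (window_posn == window_size)      /* window full: flushed and rewound */
            window_posn = 0;
    }
    return passes;
}

int main(void)
{
    const unsigned int window_size = 1u << 21;   /* 2 MiB, the largest Quantum window */
    const int64_t huge = (int64_t)1 << 32;       /* constructed: a 4 GiB output request */

    printf("window_posn=256, remaining=0xFFFFFFF0: before=%u after=%u\n",
           frame_end_before(256, QTM_FRAME_SIZE, 0xFFFFFFF0LL, window_size),
           frame_end_after(256, QTM_FRAME_SIZE, 0xFFFFFFF0LL, window_size));
    printf("4 GiB request, before: %ld passes (-1 = stalls)\n",
           simulate_decompress(frame_end_before, window_size, huge, 1000000));
    printf("4 GiB request, after:  %ld passes\n",
           simulate_decompress(frame_end_after, window_size, huge, 1000000));
    return 0;
}
```

With window_posn = 256 and a remainder of 0xFFFFFFF0 the old computation truncates 0x1000000F0 to 240, below window_posn, which is exactly the "window_posn is larger than frame_end" state the commit message describes; the new computation returns 256 + 32768. For a benign request (say 100000 bytes) both versions take the same number of passes, so the reordering changes nothing in the non-overflowing case.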
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
