Hi,

2016-10-27 23:28 GMT+02:00 Balint Reczey <bal...@balintreczey.hu>:
> On Tue, 25 Oct 2016 22:10:34 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
>> Hi,
>>
>> the following vulnerability was published for libwmf. Opening the bug
>> to track the issue in the Debian BTS.
>>
>> CVE-2016-9011[0]:
>> memory allocation failure in wmf_malloc (api.c)
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2016-9011
>
> Fedora has already released a fix, which I have updated for Debian.
> Please see it in the attached patch.
>
> Origin per Fedora package's [1] changelog:
>
> * Wed Oct 26 2016 Caolán McNamara <caol...@redhat.com> - 0.2.8.4-49
> - Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len
> against max seekable position

I have uploaded a fixed version to DELAYED/10.
Please see the attached patch for the debdiff.

Cheers,
Balint

> [1] http://koji.fedoraproject.org/koji/buildinfo?buildID=812787
diff -Nru libwmf-0.2.8.4/debian/changelog libwmf-0.2.8.4/debian/changelog --- libwmf-0.2.8.4/debian/changelog 2016-01-22 11:28:55.000000000 +0100 +++ libwmf-0.2.8.4/debian/changelog 2016-11-02 12:00:29.000000000 +0100 @@ -1,3 +1,10 @@ +libwmf (0.2.8.4-10.6) unstable; urgency=medium + + * Non-maintainer upload. + * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090) + + -- Balint Reczey <bal...@balintreczey.hu> Mon, 31 Oct 2016 20:29:09 +0100 + libwmf (0.2.8.4-10.5) unstable; urgency=medium * Non-maintainer upload. diff -Nru libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch --- libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 1970-01-01 01:00:00.000000000 +0100 +++ libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 2016-10-31 20:26:50.000000000 +0100 
@@ -0,0 +1,34 @@ +--- ./src/player.c.orig 2016-10-27 23:17:53.076604344 +0200 ++++ ./src/player.c 2016-10-27 23:20:15.271078052 +0200 +@@ -140,7 +140,30 @@ + return (API->err); + } + +- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)); ++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char); ++ if (nMaxRecordSize) ++ { ++ //before allocating memory do a sanity check on size by seeking ++ //to claimed end to see if its possible. We're constrained here ++ //by the api and existing implementations to not simply seeking ++ //to SEEK_END. So use what we have to skip to the last byte and ++ //try and read it. ++ const long nPos = WMF_TELL (API); ++ WMF_SEEK (API, nPos + nMaxRecordSize - 1); ++ if (ERR (API)) ++ { WMF_DEBUG (API,"bailing..."); ++ return (API->err); ++ } ++ int byte = WMF_READ (API); ++ if (byte == (-1)) ++ { WMF_ERROR (API,"Unexpected EOF!"); ++ API->err = wmf_E_EOF; ++ return (API->err); ++ } ++ WMF_SEEK (API, nPos); ++ } ++ ++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize); + + if (ERR (API)) + { WMF_DEBUG (API,"bailing..."); diff -Nru libwmf-0.2.8.4/debian/patches/series libwmf-0.2.8.4/debian/patches/series --- libwmf-0.2.8.4/debian/patches/series 2015-07-31 09:58:05.000000000 +0200 +++ libwmf-0.2.8.4/debian/patches/series 2016-10-31 20:28:44.000000000 +0100 @@ -4,3 +4,4 @@ 04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch 05_gdk-pixbuf-loader-dir.patch CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch +CVE-2016-9011.patch
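Review bot: in the src/player.c hunk of CVE-2016-9011.patch, `nMaxRecordSize` is declared as `U32`, so the product `(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)` is truncated to 32 bits before it reaches both the seek check and `wmf_malloc`, whereas the removed line passed the untruncated expression straight to `wmf_malloc`; if MAX_REC_SIZE(API) can be large enough for that product to exceed 32 bits, a wrapped value would pass the sanity check and allocate a buffer smaller than the one the old code allocated. Declaring it as `size_t` (the type of the original expression) avoids that question and also keeps `nPos + nMaxRecordSize - 1` free of mixed long/unsigned arithmetic. Two smaller points in the same hunk: the declaration `U32 nMaxRecordSize = ...` follows a statement (the preceding `return (API->err); }`), which requires C99 mixed declarations and will warn under -Wdeclaration-after-statement in a code base of this age; and the restoring `WMF_SEEK (API, nPos);` is not followed by an `ERR (API)` check, unlike the forward seek, so a failed seek-back would be noticed only when the next read goes wrong. Finally, the new debian/patches/CVE-2016-9011.patch begins directly at `--- ./src/player.c.orig`, with no DEP-3 header; adding Description, Origin (the Fedora 0.2.8.4-49 change by Caolán McNamara cited in the mail) and Bug-Debian (#842090) lines would carry the provenance in the patch itself rather than only in this message.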
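Review bot: in the debian/changelog hunk, `* Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090)` names the symptom rather than the fix and does not record where the patch comes from; consider describing what the patch actually does and crediting the source, e.g. `* Check the claimed record size against the seekable end of the input before allocating it, patch from Fedora 0.2.8.4-49 by Caolán McNamara (CVE-2016-9011) (Closes: #842090)`, so the origin stated in the mail body survives in the package history.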