Hi,

2016-10-27 23:28 GMT+02:00 Balint Reczey <bal...@balintreczey.hu>:
> On Tue, 25 Oct 2016 22:10:34 +0200 Salvatore Bonaccorso
> <car...@debian.org> wrote:
>> Hi,
>>
>> the following vulnerability was published for libwmf. Opening the bug
>> to track the issue in the Debian BTS.
>>
>> CVE-2016-9011[0]:
>> memory allocation failure in wmf_malloc (api.c)
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>>
>> For further information see:
>>
>> [0] https://security-tracker.debian.org/tracker/CVE-2016-9011
>
> Fedora has already released a fix, which I have updated for Debian.
> Please see it in the attached patch.
>
> Origin per Fedora package's [1] changelog:
>
> * Wed Oct 26 2016 Caolán McNamara <caol...@redhat.com> - 0.2.8.4-49
> - Resolves: rhbz#1388451 (CVE-2016-9011) check max claimed record len
>             against max seekable position

I have uploaded a fixed version to DELAYED/10. Please see the attached
patch for the debdiff.

Cheers,
Balint

> [1] http://koji.fedoraproject.org/koji/buildinfo?buildID=812787
diff -Nru libwmf-0.2.8.4/debian/changelog libwmf-0.2.8.4/debian/changelog
--- libwmf-0.2.8.4/debian/changelog	2016-01-22 11:28:55.000000000 +0100
+++ libwmf-0.2.8.4/debian/changelog	2016-11-02 12:00:29.000000000 +0100
@@ -1,3 +1,10 @@
+libwmf (0.2.8.4-10.6) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090)
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Mon, 31 Oct 2016 20:29:09 +0100
+
 libwmf (0.2.8.4-10.5) unstable; urgency=medium
 
   * Non-maintainer upload.
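Review bot: the entry names the CVE and closes #842090, but it does not record that the fix is backported from Fedora (0.2.8.4-49, Caolán McNamara); stating the origin in the changelog line, e.g. "(backported from Fedora 0.2.8.4-49)", lets future security updates trace where the patch came from without digging through the bug log.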
diff -Nru libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch
--- libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch	1970-01-01 01:00:00.000000000 +0100
+++ libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch	2016-10-31 20:26:50.000000000 +0100
@@ -0,0 +1,34 @@
+--- ./src/player.c.orig	2016-10-27 23:17:53.076604344 +0200
++++ ./src/player.c	2016-10-27 23:20:15.271078052 +0200
+@@ -140,7 +140,30 @@
+ 		return (API->err);
+ 	}
+ 
+- 	P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char));
++	U32 nMaxRecordSize = (MAX_REC_SIZE(API)  ) * 2 * sizeof (unsigned char);
++	if (nMaxRecordSize)
++	{
++		//before allocating memory do a sanity check on size by seeking
++		//to claimed end to see if its possible. We're constrained here
++		//by the api and existing implementations to not simply seeking
++		//to SEEK_END. So use what we have to skip to the last byte and
++		//try and read it.
++		const long nPos = WMF_TELL (API);
++		WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++		if (ERR (API))
++		{	WMF_DEBUG (API,"bailing...");
++			return (API->err);
++		}
++		int byte = WMF_READ (API);
++		if (byte == (-1))
++		{	WMF_ERROR (API,"Unexpected EOF!");
++		       	API->err = wmf_E_EOF;
++		       	return (API->err);
++		}
++		WMF_SEEK (API, nPos);
++	}
++
++ 	P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+ 
+ 	if (ERR (API))
+ 	{	WMF_DEBUG (API,"bailing...");
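Review bot: the seek back to the saved position, `WMF_SEEK (API, nPos);`, is not followed by an `ERR (API)` check the way the forward seek is, so a failure there would leave the stream at the wrong offset before the subsequent reads; adding the same `if (ERR (API)) return (API->err);` after it keeps the two seeks symmetric. The target offset `nPos + nMaxRecordSize - 1` also adds a `long` to a `U32`, so on targets where `long` is 32 bits a very large claimed record size can wrap to a small offset and pass the seek-and-read probe; computing the target in a wider type, or rejecting `nMaxRecordSize` values that would overflow `nPos`, is worth checking before accepting the probe as the only guard. Minor points: the mid-block declarations of `nMaxRecordSize` and `byte` require a C99 compiler, and the new quilt patch has no DEP-3 header; an `Origin:` line pointing at the Fedora 0.2.8.4-49 build and a `Bug-Debian:` line for #842090 would document its provenance.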
diff -Nru libwmf-0.2.8.4/debian/patches/series libwmf-0.2.8.4/debian/patches/series
--- libwmf-0.2.8.4/debian/patches/series	2015-07-31 09:58:05.000000000 +0200
+++ libwmf-0.2.8.4/debian/patches/series	2016-10-31 20:28:44.000000000 +0100
@@ -4,3 +4,4 @@
 04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
 05_gdk-pixbuf-loader-dir.patch
 CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
+CVE-2016-9011.patch
