Control: tags 860945 + pending

Dear maintainer,
I've prepared an NMU for libplist (versioned as 1.12+git+1+e37ca00-0.3) and uploaded it to DELAYED/10. Please feel free to tell me if I should delay it longer, or -- unless you want to do your own update, obviously -- if I can reschedule it earlier. Regards, Salvatore
diff -Nru libplist-1.12+git+1+e37ca00/debian/changelog libplist-1.12+git+1+e37ca00/debian/changelog
--- libplist-1.12+git+1+e37ca00/debian/changelog 2017-03-27 19:41:54.000000000 +0200
+++ libplist-1.12+git+1+e37ca00/debian/changelog 2017-04-22 15:20:37.000000000 +0200
@@ -1,3 +1,11 @@
+libplist (1.12+git+1+e37ca00-0.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * bplist: Fix integer overflow check (offset table size) (CVE-2017-7982)
+ (Closes: #860945)
+
+ -- Salvatore Bonaccorso <[email protected]> Sat, 22 Apr 2017 15:20:37 +0200
+
 libplist (1.12+git+1+e37ca00-0.2) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru libplist-1.12+git+1+e37ca00/debian/patches/03_bplist-Fix-integer-overflow-check-offset-table-size.patch libplist-1.12+git+1+e37ca00/debian/patches/03_bplist-Fix-integer-overflow-check-offset-table-size.patch
--- libplist-1.12+git+1+e37ca00/debian/patches/03_bplist-Fix-integer-overflow-check-offset-table-size.patch 1970-01-01 01:00:00.000000000 +0100
+++ libplist-1.12+git+1+e37ca00/debian/patches/03_bplist-Fix-integer-overflow-check-offset-table-size.patch 2017-04-22 15:20:37.000000000 +0200
@@ -0,0 +1,60 @@
+From fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325 Mon Sep 17 00:00:00 2001
+From: Nikias Bassen <[email protected]>
+Date: Wed, 19 Apr 2017 19:32:34 +0200
+Subject: [PATCH] bplist: Fix integer overflow check (offset table size)
+
+---
+ src/bplist.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/src/bplist.c b/src/bplist.c
+index eede7a7..8e0dcd1 100644
+--- a/src/bplist.c
++++ b/src/bplist.c
+@@ -178,6 +178,19 @@ union plist_uint_ptr
+ #define float_bswap32(x) (x)
+ #endif
+ 
++#ifndef __has_builtin
++#define __has_builtin(x) 0
++#endif
++
++#if __has_builtin(__builtin_umulll_overflow) || __GNUC__ >= 5
++#define uint64_mul_overflow(a, b, r) __builtin_umulll_overflow(a, b, r)
++#else
++static int uint64_mul_overflow(uint64_t a, uint64_t b, uint64_t *res)
++{
++ *res = a * b;
++ return (a > UINT64_MAX / b);
++}
++#endif
+ 
+ #define NODE_IS_ROOT(x) (((node_t*)x)->isRoot)
+ 
+@@ -773,6 +786,7 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
+ uint64_t num_objects = 0;
+ uint64_t root_object = 0;
+ const char *offset_table = NULL;
++ uint64_t offset_table_size = 0;
+ const char *start_data = NULL;
+ const char *end_data = NULL;
+ 
+@@ -829,12 +843,12 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
+ return;
+ }
+ 
+- if (num_objects * offset_size < num_objects) {
+- PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
++ if (uint64_mul_overflow(num_objects, offset_size, &offset_table_size)) {
++ PLIST_BIN_ERR("integer overflow when calculating offset table size\n");
+ return;
+ }
+ 
+- if ((uint64_t)offset_table + num_objects * offset_size > (uint64_t)end_data) {
++ if ((offset_table + offset_table_size < offset_table) || (offset_table + offset_table_size > end_data)) {
+ PLIST_BIN_ERR("offset table points outside of valid range\n");
+ return;
+ }
+-- 
+2.11.0
+
diff -Nru libplist-1.12+git+1+e37ca00/debian/patches/series libplist-1.12+git+1+e37ca00/debian/patches/series
--- libplist-1.12+git+1+e37ca00/debian/patches/series 2017-03-27 19:41:54.000000000 +0200
+++ libplist-1.12+git+1+e37ca00/debian/patches/series 2017-04-22 15:20:37.000000000 +0200
@@ -1,2 +1,3 @@
 01-libs.private.patch
 02_bplist-Make-sure-sanity-checks-work-on-32bit-platfor.patch
+03_bplist-Fix-integer-overflow-check-offset-table-size.patch
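Review bot: In the 03_bplist patch above, the new range check `(offset_table + offset_table_size < offset_table)` in plist_from_bin relies on pointer wraparound, but forming a pointer past the end of the input buffer is undefined behaviour and compilers routinely fold such a comparison to false; on 32-bit targets the uint64_t addend is also narrowed before the addition, so the wrap is not reliably observable either. Compare sizes rather than pointers, `if (offset_table_size > (uint64_t)(end_data - offset_table)) {`, which presumes offset_table has already been verified to lie inside [plist_bin, end_data] — that check is not in this hunk, so confirm it before relying on the subtraction. Two smaller points on the new helper: `__builtin_umulll_overflow` takes an `unsigned long long *` result, so passing `&offset_table_size` (uint64_t is `unsigned long` on LP64 glibc targets) produces an incompatible-pointer-type warning, which the type-generic `__builtin_mul_overflow(a, b, r)` from the same GCC 5 / clang baseline avoids; and the portable fallback divides by `b`, so it depends on offset_size having been rejected when zero earlier in the function, which deserves a comment such as `/* caller guarantees b != 0 (offset_size checked above) */`. plist_from_bin starts and continues outside this hunk.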

