Le 10/02/2018 à 11:13, Julien Cristau a écrit : > Control: tag -1 moreinfo > > On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote: > >> diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch >> libextractor-1.3/debian/patches/CVE-2017-15600.patch >> --- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 >> 01:00:00.000000000 +0100 >> +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 >> 11:39:33.000000000 +0100 >> @@ -0,0 +1,29 @@ >> +From: Bertrand Marc <bm...@debian.org>, Markus Koschany <a...@debian.org> >> +Subject: CVE-2017-15600 >> + >> +Bug-Upstream: >> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html >> +Origin: >> https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 >> +--- a/src/plugins/nsf_extractor.c >> ++++ b/src/plugins/nsf_extractor.c >> +@@ -152,13 +152,17 @@ >> + char nsfversion[32]; >> + const struct header *head; >> + void *data; >> ++ ssize_t ds; >> + >> +- if (sizeof (struct header) > >> +- ec->read (ec->cls, >> +- &data, >> +- sizeof (struct header))) >> ++ ds = ec->read (ec->cls, >> ++ &data, >> ++ sizeof (struct header)); >> ++ if ( (-1 == ds) || >> ++ (sizeof (struct header) > ds) ) >> + return; >> + head = data; >> ++ if (NULL == head) >> ++ return 0; >> + > Curious how that works. 3 lines above is plain "return", and here > "return 0". What's the type of that function and how did the compiler > not flag this? > > Cheers, > Julien
Indeed, sorry. The type of the function was changed from void (in wheezy) to int (in jessie). I updated the patch attached accordingly. Cheers, Bertrand
diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog --- libextractor-1.3/debian/changelog 2016-04-26 22:58:56.000000000 +0200 +++ libextractor-1.3/debian/changelog 2017-12-28 11:39:33.000000000 +0100 @@ -1,3 +1,14 @@ +libextractor (1:1.3-4+deb9u1) stretch; urgency=medium + + * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601, + CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered + several security vulnerabilities, NULL Pointer Dereferences, heap-based + buffer overflows, integer signedness errors and out-of-bounds read that + may lead to a denial-of-service (application crash) or have other + unspecified impact. + + -- Bertrand Marc <bm...@debian.org> Thu, 28 Dec 2017 11:39:33 +0100 + libextractor (1:1.3-4) unstable; urgency=medium * Update debian/patches/ffmpeg2.9.patch with a new commit taken from upstream diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch --- libextractor-1.3/debian/patches/CVE-2017-15266.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15266.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,17 @@ +From: Bertrand Marc <bm...@debian.org> +Subject: CVE-2017-15266 + +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html +Bug-Debian: https://bugs.debian.org/878314 +Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2 +--- a/src/plugins/wav_extractor.c ++++ b/src/plugins/wav_extractor.c +@@ -109,6 +109,8 @@ + return; /* invalid sample size found in wav file */ + if (0 == channels) + return; /* invalid channels value -- avoid division by 0! */ ++ if (0 == sample_rate) ++ return; /* invalid sample_rate */ + samples = data_len / (channels * (sample_size >> 3)); + + snprintf (scratch, diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch --- libextractor-1.3/debian/patches/CVE-2017-15267.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15267.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,22 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 4 Dec 2017 00:00:15 +0100 +Subject: CVE-2017-15267 + +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314 +Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2 +--- + src/plugins/flac_extractor.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/src/plugins/flac_extractor.c ++++ b/src/plugins/flac_extractor.c +@@ -339,6 +339,8 @@ + { + entry = &vc->comments[count]; + eq = (const char*) entry->entry; ++ if (NULL == eq) ++ break; + len = entry->length; + ilen = 0; + while ( ('=' != *eq) && ('\0' != *eq) && diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch --- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,29 @@ +From: Bertrand Marc <bm...@debian.org>, Markus Koschany <a...@debian.org> +Subject: CVE-2017-15600 + +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html +Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 +--- a/src/plugins/nsf_extractor.c ++++ b/src/plugins/nsf_extractor.c +@@ -152,13 +152,17 @@ + char nsfversion[32]; + const struct header *head; + void *data; ++ ssize_t ds; + +- if (sizeof (struct header) > +- ec->read (ec->cls, +- &data, +- sizeof (struct header))) ++ ds = ec->read (ec->cls, ++ &data, ++ sizeof (struct header)); ++ if ( (-1 == ds) || ++ (sizeof (struct header) > ds) ) + return; + head = data; ++ if (NULL == head) ++ return; + + /* Check "magic" id bytes */ + if (memcmp (head->magicid, "NESM\x1a", 5)) diff -Nru libextractor-1.3/debian/patches/CVE-2017-15601.patch libextractor-1.3/debian/patches/CVE-2017-15601.patch --- libextractor-1.3/debian/patches/CVE-2017-15601.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15601.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,25 @@ +From: Bertrand Marc <bm...@debian.org> +Subject: CVE-2017-15601 + +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html +Origin: https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091 +--- a/src/plugins/png_extractor.c ++++ b/src/plugins/png_extractor.c +@@ -47,6 +47,8 @@ + { + char *tmp; + ++ if (n + 1 < n) ++ return NULL; + if (NULL == (tmp = malloc (n + 1))) + return NULL; + tmp[n] = '\0'; +@@ -221,6 +223,8 @@ + compressed = data[pos++]; + if (compressed && (0 != data[pos++])) + return 0; /* bad compression method */ ++ if (pos > length) ++ return 0; + language = (char *) &data[pos]; + ret = 0; + if ( (stnlen (language, length - pos) > 0) && diff -Nru libextractor-1.3/debian/patches/CVE-2017-15602.patch libextractor-1.3/debian/patches/CVE-2017-15602.patch --- libextractor-1.3/debian/patches/CVE-2017-15602.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15602.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,18 @@ +From: Bertrand Marc <bm...@debian.org> +Subject: CVE-2017-15602 + +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html +Origin: https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc +--- a/src/plugins/nsfe_extractor.c ++++ b/src/plugins/nsfe_extractor.c +@@ -374,7 +374,9 @@ + 8)) + break; + chunksize = nsfeuint (data); +- off += 8 + chunksize; ++ if (off + chunksize + 8LLU <= off) ++ break; /* protect against looping */ ++ off += 8LLU + chunksize; + if (0 == memcmp (data + 4, "INFO", 4)) + ret = info_extract (ec, chunksize); + else if (0 == memcmp (data + 4, "auth", 4)) diff -Nru libextractor-1.3/debian/patches/CVE-2017-15922.patch libextractor-1.3/debian/patches/CVE-2017-15922.patch --- libextractor-1.3/debian/patches/CVE-2017-15922.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-15922.patch 2017-12-26 19:25:34.000000000 +0100 @@ -0,0 +1,45 @@ +From: Bertrand Marc <bm...@debian.org> +Subject: CVE-2017-15922 + +Bug-Debian: https://bugs.debian.org/880016 +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html +Origin: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117 +--- + src/plugins/dvi_extractor.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c +index e4cfa3a..2c9eaa2 100644 +--- a/src/plugins/dvi_extractor.c ++++ b/src/plugins/dvi_extractor.c +@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec) + goto CLEANUP; + opos = pos; + pos = getIntAt (&data[opos + 1]); +- if (pos + 25 > size) ++ if ( (pos + 25 > size) || ++ (pos + 25 < pos) ) + goto CLEANUP; + /* assert pos at 'post' command */ + if (data[pos] != 248) +@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec) + { + if (UINT32_MAX == pos) + break; +- if (pos + 45 > size) ++ if ( (pos + 45 > size) || ++ (pos + 45 < pos) ) + goto CLEANUP; + if (data[pos] != 139) /* expect 'bop' */ + goto CLEANUP; +@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec) + } + /* try to find PDF/ps special */ + pos = opos; +- while (pos < size - 100) ++ while ( (size >= 100) && ++ (pos < size - 100) ) + { + switch (data[pos]) + { + diff -Nru libextractor-1.3/debian/patches/CVE-2017-17440.patch libextractor-1.3/debian/patches/CVE-2017-17440.patch --- libextractor-1.3/debian/patches/CVE-2017-17440.patch 1970-01-01 01:00:00.000000000 +0100 +++ libextractor-1.3/debian/patches/CVE-2017-17440.patch 2017-12-28 11:39:33.000000000 +0100 @@ -0,0 +1,98 @@ +From: Bertrand Marc <bm...@debian.org> +Subject: CVE-2017-17440 + +Bug-Debian: https://bugs.debian.org/883528 +Origin: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e +--- a/src/plugins/gif_extractor.c ++++ b/src/plugins/gif_extractor.c +@@ -118,6 +118,8 @@ + if (GIF_OK != + DGifGetExtension (gif_file, &et, &ext)) + continue; ++ if (NULL == ext) ++ continue; + if (COMMENT_EXT_FUNC_CODE == et) + { + ec->proc (ec->cls, +--- a/src/plugins/it_extractor.c ++++ b/src/plugins/it_extractor.c +@@ -70,7 +70,7 @@ + char itversion[8]; + const struct Header *head; + +- if (HEADER_SIZE > ++ if ((ssize_t) HEADER_SIZE > + ec->read (ec->cls, + &data, + HEADER_SIZE)) +--- a/src/plugins/nsfe_extractor.c ++++ b/src/plugins/nsfe_extractor.c +@@ -176,7 +176,7 @@ + + if (size < 8) + return 0; +- if (size > ++ if ((ssize_t) size > + ec->read (ec->cls, + &data, + size)) +@@ -244,7 +244,7 @@ + void *data; + const char *cdata; + +- if (size > ++ if ((ssize_t) size > + ec->read (ec->cls, + &data, + size)) +@@ -286,7 +286,7 @@ + + if (left < 1) + return 0; +- if (size > ++ if ((ssize_t) size > + ec->read (ec->cls, + &data, + size)) +@@ -343,7 +343,7 @@ + uint32_t chunksize; + int ret; + +- if (sizeof (struct header) > ++ if ((ssize_t) sizeof (struct header) > + ec->read (ec->cls, + &data, + sizeof (struct header))) +--- a/src/plugins/s3m_extractor.c ++++ b/src/plugins/s3m_extractor.c +@@ -80,7 +80,7 @@ + struct S3MHeader header; + char song_name_NT[29]; + +- if (sizeof (header) > ++ if ((ssize_t) sizeof (header) > + ec->read (ec->cls, + &data, + sizeof (header))) +--- a/src/plugins/sid_extractor.c ++++ b/src/plugins/sid_extractor.c +@@ -176,7 +176,7 @@ + const struct header *head; + void *data; + +- if (sizeof (struct header) > ++ if ((ssize_t) sizeof (struct header) > + ec->read (ec->cls, + &data, + sizeof (struct header))) +--- a/src/plugins/xm_extractor.c ++++ b/src/plugins/xm_extractor.c +@@ -70,7 +70,7 @@ + char xmversion[8]; + size_t n; + +- if (sizeof (struct Header) > ++ if ((ssize_t) sizeof (struct Header) > + ec->read (ec->cls, + &data, + sizeof (struct Header))) diff -Nru libextractor-1.3/debian/patches/series libextractor-1.3/debian/patches/series --- libextractor-1.3/debian/patches/series 2016-04-26 21:34:10.000000000 +0200 +++ libextractor-1.3/debian/patches/series 2017-12-28 11:39:33.000000000 +0100 @@ -1,2 +1,9 @@ libgiflib5.1.patch ffmpeg2.9.patch +CVE-2017-15266.patch +CVE-2017-15267.patch +CVE-2017-15600.patch +CVE-2017-15601.patch +CVE-2017-15602.patch +CVE-2017-15922.patch +CVE-2017-17440.patch
