Control: tags 910757 + patch Control: tags 910757 + pending
Dear maintainer, I've prepared an NMU for gnulib (versioned as 20140202+stable-3.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Tested CC='gcc -fsanitize=address -g -O0' gnulib-tool --test vasnprintf vasnprintf-posix before and after patching. Regards, Salvatore
diff -Nru gnulib-20140202+stable/debian/changelog gnulib-20140202+stable/debian/changelog --- gnulib-20140202+stable/debian/changelog 2018-06-23 09:23:11.000000000 +0200 +++ gnulib-20140202+stable/debian/changelog 2019-02-09 11:11:06.000000000 +0100 @@ -1,3 +1,10 @@ +gnulib (20140202+stable-3.1) unstable; urgency=medium + + * Non-maintainer upload. + * vasnprintf: Fix heap memory overrun bug (CVE-2018-17942) (Closes: #910757) + + -- Salvatore Bonaccorso <[email protected]> Sat, 09 Feb 2019 11:11:06 +0100 + gnulib (20140202+stable-3) unstable; urgency=medium * Update copyright info: diff -Nru gnulib-20140202+stable/debian/patches/03-vasnprintf-Fix-heap-memory-overrun-bug.patch gnulib-20140202+stable/debian/patches/03-vasnprintf-Fix-heap-memory-overrun-bug.patch --- gnulib-20140202+stable/debian/patches/03-vasnprintf-Fix-heap-memory-overrun-bug.patch 1970-01-01 01:00:00.000000000 +0100 +++ gnulib-20140202+stable/debian/patches/03-vasnprintf-Fix-heap-memory-overrun-bug.patch 2019-02-09 11:11:06.000000000 +0100 @@ -0,0 +1,70 @@ +From: Bruno Haible <[email protected]> +Date: Sun, 23 Sep 2018 14:13:52 +0200 +Subject: vasnprintf: Fix heap memory overrun bug. +Origin: https://github.com/coreutils/gnulib/commit/278b4175c9d7dd47c1a3071554aac02add3b3c35 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-17942 +Bug-Debian: https://bugs.debian.org/910757 +Bug: https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html + +Reported by Ben Pfaff <[email protected]> in +<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>. + +* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of +memory. +* tests/test-vasnprintf.c (test_function): Add another test. +--- + ChangeLog | 9 +++++++++ + lib/vasnprintf.c | 4 +++- + tests/test-vasnprintf.c | 21 ++++++++++++++++++++- + 3 files changed, 32 insertions(+), 2 deletions(-) + +diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c +index 56ffbe308a6a..30d021b2847d 100644 +--- a/lib/vasnprintf.c ++++ b/lib/vasnprintf.c +@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes) + size_t a_len = a.nlimbs; + /* 0.03345 is slightly larger than log(2)/(9*log(10)). */ + size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1); +- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes)); ++ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the ++ digits of a, followed by 1 byte for the terminating NUL. */ ++ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1)); + if (c_ptr != NULL) + { + char *d_ptr = c_ptr; +diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c +index 19731bc93378..93d81d7041c5 100644 +--- a/tests/test-vasnprintf.c ++++ b/tests/test-vasnprintf.c +@@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...)) + ASSERT (result != NULL); + ASSERT (strcmp (result, "12345") == 0); + ASSERT (length == 5); +- if (size < 6) ++ if (size < 5 + 1) ++ ASSERT (result != buf); ++ ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); ++ if (result != buf) ++ free (result); ++ } ++ ++ /* Note: This test assumes IEEE 754 representation of 'double' floats. */ ++ for (size = 0; size <= 8; size++) ++ { ++ size_t length; ++ char *result; ++ ++ memcpy (buf, "DEADBEEF", 8); ++ length = size; ++ result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125); ++ ASSERT (result != NULL); ++ ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0); ++ ASSERT (length == 126); ++ if (size < 126 + 1) + ASSERT (result != buf); + ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); + if (result != buf) +-- +2.20.1 + diff -Nru gnulib-20140202+stable/debian/patches/series gnulib-20140202+stable/debian/patches/series --- gnulib-20140202+stable/debian/patches/series 2018-06-22 10:26:47.000000000 +0200 +++ gnulib-20140202+stable/debian/patches/series 2019-02-09 11:11:06.000000000 +0100 @@ -1,2 +1,3 @@ 01-gnulib-directory.patch 02-shebang.patch +03-vasnprintf-Fix-heap-memory-overrun-bug.patch
