Hi, I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
Proposed debdiffs in attachment. Cheers, Giuseppe.
diff -u libmodplug-0.7/src/libmodplug/stdafx.h
libmodplug-0.7/src/libmodplug/stdafx.h
--- libmodplug-0.7/src/libmodplug/stdafx.h
+++ libmodplug-0.7/src/libmodplug/stdafx.h
@@ -22,44 +22,42 @@
inline void ProcessPlugins(int n) {}
#else
-
+#if defined(HAVE_CONFIG_H) && !defined(CONFIG_H_INCLUDED)
+# include "config.h"
+# define CONFIG_H_INCLUDED 1
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
-typedef signed char CHAR;
-typedef unsigned char UCHAR;
-typedef unsigned char* PUCHAR;
-typedef unsigned short USHORT;
-#if defined(__x86_64__)
-typedef unsigned int ULONG;
-typedef unsigned int UINT;
-typedef unsigned int DWORD;
-typedef int LONG;
-typedef long LONGLONG;
-typedef int * LPLONG;
-typedef unsigned int * LPDWORD;
-#else
-typedef unsigned long ULONG;
-typedef unsigned long UINT;
-typedef unsigned long DWORD;
-typedef long LONG;
-typedef long long LONGLONG;
-typedef long * LPLONG;
-typedef unsigned long * LPDWORD;
-#endif
-typedef unsigned short WORD;
-typedef unsigned char BYTE;
-typedef unsigned char * LPBYTE;
+typedef int8_t CHAR;
+typedef uint8_t UCHAR;
+typedef uint8_t* PUCHAR;
+typedef uint16_t USHORT;
+typedef uint32_t ULONG;
+typedef uint32_t UINT;
+typedef uint32_t DWORD;
+typedef int32_t LONG;
+typedef int64_t LONGLONG;
+typedef int32_t* LPLONG;
+typedef uint32_t* LPDWORD;
+typedef uint16_t WORD;
+typedef uint8_t BYTE;
+typedef uint8_t* LPBYTE;
typedef bool BOOL;
-typedef char * LPSTR;
-typedef void * LPVOID;
-typedef unsigned short * LPWORD;
-typedef const char * LPCSTR;
-typedef void * PVOID;
+typedef char* LPSTR;
+typedef void* LPVOID;
+typedef uint16_t* LPWORD;
+typedef const char* LPCSTR;
+typedef void* PVOID;
typedef void VOID;
-
inline LONG MulDiv (long a, long b, long c)
{
// if (!c) return 0;
diff -u libmodplug-0.7/debian/changelog libmodplug-0.7/debian/changelog
--- libmodplug-0.7/debian/changelog
+++ libmodplug-0.7/debian/changelog
@@ -1,3 +1,11 @@
+libmodplug (1:0.7-5.3) oldstable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+ (Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano <[email protected]> Sat, 02 May 2009 18:16:49 +0200
+
libmodplug (1:0.7-5.2) unstable; urgency=medium
* Non-maintainer upload.
only in patch2:
unchanged:
--- libmodplug-0.7.orig/src/load_med.cpp
+++ libmodplug-0.7/src/load_med.cpp
@@ -692,21 +692,24 @@
}
}
// Song Comments
- UINT annotxt = bswapBE32(pmex->annotxt);
- UINT annolen = bswapBE32(pmex->annolen);
- if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+ uint32_t annotxt = bswapBE32(pmex->annotxt);
+ uint32_t annolen = bswapBE32(pmex->annolen);
+ if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) //
overflow checks.
+ && (annotxt+annolen <= dwMemLength))
{
m_lpszSongComments = new char[annolen+1];
memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
m_lpszSongComments[annolen] = 0;
}
// Song Name
- UINT songname = bswapBE32(pmex->songname);
- UINT songnamelen = bswapBE32(pmex->songnamelen);
- if ((songname) && (songnamelen) && (songname+songnamelen <=
dwMemLength))
+ uint32_t songname = bswapBE32(pmex->songname);
+ uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+ if ((songname) && (songnamelen) && (songname+songnamelen >
songname)
+ && (songname+songnamelen <= dwMemLength))
{
if (songnamelen > 31) songnamelen = 31;
memcpy(m_szNames[0], lpStream+songname, songnamelen);
+ m_szNames[0][31] = '\0';
}
// Sample Names
DWORD smpinfoex = bswapBE32(pmex->iinfo);
@@ -716,14 +719,18 @@
UINT ientries = bswapBE16(pmex->i_ext_entries);
UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
- if ((iinfoptr) && (ientrysz < 256) && (iinfoptr +
ientries*ientrysz < dwMemLength))
+ if ((iinfoptr) && (ientrysz < 256) &&
+ (ientries*ientrysz < dwMemLength) &&
+ (iinfoptr < dwMemLength - (ientries*ientrysz)))
{
LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
UINT maxnamelen = ientrysz;
+ // copy a max of 32 bytes.
if (maxnamelen > 32) maxnamelen = 32;
for (UINT i=0; i<ientries; i++) if (i <
m_nSamples)
{
lstrcpyn(m_szNames[i+1], psznames +
i*ientrysz, maxnamelen);
+ m_szNames[i+1][31] = '\0';
}
}
}
@@ -754,6 +761,7 @@
if ((trknameofs) && (trknameofs +
trknamelen < dwMemLength))
{
lstrcpyn(ChnSettings[i].szName,
(LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
+
ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
}
}
}
diff -u libmodplug-0.8.4/debian/changelog libmodplug-0.8.4/debian/changelog --- libmodplug-0.8.4/debian/changelog +++ libmodplug-0.8.4/debian/changelog @@ -1,3 +1,13 @@ +libmodplug (1:0.8.4-1+lenny1) stable-security; urgency=high + + * Non-maintainer upload. + * Fixed "PATinst()" Buffer Overflow Vulnerability in src/load_pat.c + (Closes: #526084) + * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp + (Closes: #526657) (CVE-2009-1438) + + -- Giuseppe Iuculano <[email protected]> Sat, 02 May 2009 17:28:07 +0200 + libmodplug (1:0.8.4-1) unstable; urgency=low * New upstream version (closes: #458792) only in patch2: unchanged: --- libmodplug-0.8.4.orig/src/load_pat.cpp +++ libmodplug-0.8.4/src/load_pat.cpp @@ -1144,7 +1144,7 @@ hw.envelope_offset[3] = 0; hw.envelope_offset[4] = 0; hw.envelope_offset[5] = 0; - strncpy(hw.reserved, midipat[gm-1], 36); + strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved)); pat_setpat_inst(&hw, d, smp); } if( hw.reserved[0] ) only in patch2: unchanged: --- libmodplug-0.8.4.orig/src/load_med.cpp +++ libmodplug-0.8.4/src/load_med.cpp @@ -692,21 +692,24 @@ } } // Song Comments - UINT annotxt = bswapBE32(pmex->annotxt); - UINT annolen = bswapBE32(pmex->annolen); - if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength)) + uint32_t annotxt = bswapBE32(pmex->annotxt); + uint32_t annolen = bswapBE32(pmex->annolen); + if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // overflow checks. + && (annotxt+annolen <= dwMemLength)) { m_lpszSongComments = new char[annolen+1]; memcpy(m_lpszSongComments, lpStream+annotxt, annolen); m_lpszSongComments[annolen] = 0; } // Song Name - UINT songname = bswapBE32(pmex->songname); - UINT songnamelen = bswapBE32(pmex->songnamelen); - if ((songname) && (songnamelen) && (songname+songnamelen <= dwMemLength)) + uint32_t songname = bswapBE32(pmex->songname); + uint32_t songnamelen = bswapBE32(pmex->songnamelen); + if ((songname) && (songnamelen) && (songname+songnamelen > songname) + && (songname+songnamelen <= dwMemLength)) { if (songnamelen > 31) songnamelen = 31; memcpy(m_szNames[0], lpStream+songname, songnamelen); + m_szNames[0][31] = '\0'; } // Sample Names DWORD smpinfoex = bswapBE32(pmex->iinfo); @@ -716,14 +719,18 @@ UINT ientries = bswapBE16(pmex->i_ext_entries); UINT ientrysz = bswapBE16(pmex->i_ext_entrsz); - if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + ientries*ientrysz < dwMemLength)) + if ((iinfoptr) && (ientrysz < 256) && + (ientries*ientrysz < dwMemLength) && + (iinfoptr < dwMemLength - (ientries*ientrysz))) { LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr); UINT maxnamelen = ientrysz; + // copy a max of 32 bytes. if (maxnamelen > 32) maxnamelen = 32; for (UINT i=0; i<ientries; i++) if (i < m_nSamples) { lstrcpyn(m_szNames[i+1], psznames + i*ientrysz, maxnamelen); + m_szNames[i+1][31] = '\0'; } } } @@ -754,6 +761,7 @@ if ((trknameofs) && (trknameofs + trknamelen < dwMemLength)) { lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME); + ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0'; } } }
signature.asc
Description: OpenPGP digital signature
