Hi,

On Thu, 22 Jun 2017 18:49:16 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Control: retitle -1 unrar-nonfree: CVE-2012-6706: VMSF_DELTA filter in unrar
> allows arbitrary memory write
>
> CVE-2012-6706 was assigned by MITRE for this issue.
I've prepared a backported patch of the relevant changes from 5.5.5 for jessie and stretch. Review and testing are welcome of course :)

I haven't checked if the patch applies to wheezy as well, but it should be at least a starting point.

Cheers,
Felix
diff -Nru unrar-nonfree-5.2.7/debian/changelog unrar-nonfree-5.2.7/debian/changelog --- unrar-nonfree-5.2.7/debian/changelog 2015-03-27 22:54:31.000000000 +0100 +++ unrar-nonfree-5.2.7/debian/changelog 2017-06-22 20:47:18.000000000 +0200 @@ -1,3 +1,11 @@ +unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium + + * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters. + - Backported from 5.5.5 + - Fixes CVE-2012-6706 + + -- Felix Geyer <fge...@debian.org> Thu, 22 Jun 2017 20:47:18 +0200 + unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high * Non-maintainer upload. diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 --- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 1970-01-01 01:00:00.000000000 +0100 +++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 2017-06-22 20:46:24.000000000 +0200 
@@ -0,0 +1,44 @@ +--- unrar-nonfree-5.3.2.org/rarvm.cpp ++++ unrar-nonfree-5.3.2/rarvm.cpp +@@ -965,7 +965,7 @@ + { + int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0) + break; + + // Bytes from same channels are grouped to continual data blocks, +@@ -984,7 +984,7 @@ + byte *SrcData=Mem,*DestData=SrcData+DataSize; + const int Channels=3; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2) + break; + for (int CurChannel=0;CurChannel<Channels;CurChannel++) + { +@@ -1029,7 +1029,7 @@ + int DataSize=R[4],Channels=R[0]; + byte *SrcData=Mem,*DestData=SrcData+DataSize; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0) + break; + for (int CurChannel=0;CurChannel<Channels;CurChannel++) + { +--- unrar-nonfree-5.3.2.orig/unpack.hpp ++++ unrar-nonfree-5.3.2/unpack.hpp +@@ -7,6 +7,12 @@ + // Maximum number of filters per entire data block. + #define MAX_UNPACK_FILTERS 8192 + ++// Limit maximum number of channels in RAR3 delta filter to some reasonable ++// value to prevent too slow processing of corrupt archives with invalid ++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS. ++// No need to provide it for RAR5, which uses only 5 bits to store channels. ++#define MAX3_UNPACK_CHANNELS 1024 ++ + // Maximum number of filters per entire data block for RAR3 unpack. 
+ #define MAX3_FILTERS 1024 + diff -Nru unrar-nonfree-5.2.7/debian/patches/series unrar-nonfree-5.2.7/debian/patches/series --- unrar-nonfree-5.2.7/debian/patches/series 2013-08-15 16:56:10.000000000 +0200 +++ unrar-nonfree-5.2.7/debian/patches/series 2017-06-22 20:46:33.000000000 +0200 @@ -1 +1,2 @@ fix-buildflags +CVE-2012-6706
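Review bot: typo in the jessie changelog entry, `* Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.` should read "parameters". The entry names the CVE but carries no `Closes:` reference for the bug this reply is on (the one the `Control: retitle -1` above targets); add it so the BTS is closed by the upload.

Review bot: in the VMSF_DELTA hunk (`@@ -965,7 +965,7 @@`), the added condition `(uint)Channels>MAX3_UNPACK_CHANNELS` only rejects negative channel counts because of the `(uint)` cast (a negative `int` converts to a value far above 1024); nothing in the hunk says so, and a later cleanup that drops the cast would silently reopen the negative case. Add a one-line comment next to the check. The `Channels==0` term is harmless but also undocumented; say whether it is there for the loop below or for a divide elsewhere.

Review bot: in the VMSF_RGB hunk (`@@ -984,7 +984,7 @@`), the three new terms `DataSize<3 || Width>DataSize || PosR>2` are uncommented. Since `Channels` is the constant 3 in this block, a short comment that a frame must hold at least one pixel, that a row (`Width`, in bytes) cannot exceed the frame, and that `PosR` is a channel index in 0..2 would make the bound readable. `Width<0 || ... || Width>DataSize` could be folded into one unsigned comparison, given `DataSize` is already known non-negative by the time it is evaluated, but the explicit form matches the surrounding style and is fine to keep.

Review bot: in the VMSF_AUDIO hunk (`@@ -1029,7 +1029,7 @@`), the bound is a bare literal, `(uint)Channels>128`, while the VMSF_DELTA hunk uses the named `MAX3_UNPACK_CHANNELS`. If the backport deliberately mirrors upstream 5.5.5 character for character, note that in the patch header; otherwise give the 128 a name or at least a comment. As in the delta hunk, the `(uint)` cast is what rejects negative values and deserves a comment.

Review bot: in the unpack.hpp hunk, the new comment says `MAX3_UNPACK_CHANNELS` "Must be equal or larger than v3_MAX_FILTER_CHANNELS", but the patch does not enforce that relationship anywhere; a compile-time check next to the define, or a cross-reference at the place where `v3_MAX_FILTER_CHANNELS` is defined, would keep the two constants from drifting apart. Separately, the file headers in this jessie debdiff name a 5.3.2 tree (`--- unrar-nonfree-5.3.2.org/rarvm.cpp`, `--- unrar-nonfree-5.3.2.orig/unpack.hpp`) even though the hunk context was adapted to 5.2.7 (`MAX_UNPACK_FILTERS` at line 7), and one header uses `.org` where the other uses `.orig`. Harmless at `-p1`, but misleading; regenerate the headers from the 5.2.7 tree or use plain `a/` and `b/` prefixes.

Review bot: the series hunk adds `CVE-2012-6706` but the patch file itself has no DEP-3 header. Add `Description:`, `Origin: backport, upstream 5.5.5` and `Bug-Debian:` fields at the top of debian/patches/CVE-2012-6706 so the provenance stated in the changelog is recorded in the patch as well.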
diff -Nru unrar-nonfree-5.3.2/debian/changelog unrar-nonfree-5.3.2/debian/changelog --- unrar-nonfree-5.3.2/debian/changelog 2015-08-10 14:58:20.000000000 +0200 +++ unrar-nonfree-5.3.2/debian/changelog 2017-06-22 20:20:40.000000000 +0200 @@ -1,3 +1,11 @@ +unrar-nonfree (1:5.3.2-1+deb9u1) stretch; urgency=medium + + * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters. + - Backported from 5.5.5 + - Fixes CVE-2012-6706 + + -- Felix Geyer <fge...@debian.org> Thu, 22 Jun 2017 20:20:40 +0200 + unrar-nonfree (1:5.3.2-1) unstable; urgency=medium * New upstream release (Closes: #759586) diff -Nru unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 --- unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 1970-01-01 01:00:00.000000000 +0100 +++ unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 2017-06-22 20:20:40.000000000 +0200 
@@ -0,0 +1,44 @@ +--- unrar-nonfree-5.3.2.org/rarvm.cpp ++++ unrar-nonfree-5.3.2/rarvm.cpp +@@ -965,7 +965,7 @@ + { + int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0) + break; + + // Bytes from same channels are grouped to continual data blocks, +@@ -984,7 +984,7 @@ + byte *SrcData=Mem,*DestData=SrcData+DataSize; + const int Channels=3; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2) + break; + for (int CurChannel=0;CurChannel<Channels;CurChannel++) + { +@@ -1029,7 +1029,7 @@ + int DataSize=R[4],Channels=R[0]; + byte *SrcData=Mem,*DestData=SrcData+DataSize; + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize); +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2) ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0) + break; + for (int CurChannel=0;CurChannel<Channels;CurChannel++) + { +--- unrar-nonfree-5.3.2.orig/unpack.hpp ++++ unrar-nonfree-5.3.2/unpack.hpp +@@ -13,6 +13,12 @@ + // from two data blocks. + #define MAX3_UNPACK_FILTERS 8192 + ++// Limit maximum number of channels in RAR3 delta filter to some reasonable ++// value to prevent too slow processing of corrupt archives with invalid ++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS. ++// No need to provide it for RAR5, which uses only 5 bits to store channels. ++#define MAX3_UNPACK_CHANNELS 1024 ++ + // Write data in 4 MB or smaller blocks. Must not exceed PACK_MAX_WRITE, + // so we keep number of buffered filter in unpacker reasonable. 
+ #define UNPACK_MAX_WRITE 0x400000 diff -Nru unrar-nonfree-5.3.2/debian/patches/series unrar-nonfree-5.3.2/debian/patches/series --- unrar-nonfree-5.3.2/debian/patches/series 2013-08-15 16:56:10.000000000 +0200 +++ unrar-nonfree-5.3.2/debian/patches/series 2017-06-22 20:20:22.000000000 +0200 @@ -1 +1,2 @@ fix-buildflags +CVE-2012-6706
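Review bot: the stretch debdiff repeats the jessie points: "paramters" in the changelog entry, no `Closes:` reference, the bare `128` in the VMSF_AUDIO hunk, the uncommented `(uint)` casts and RGB bounds, the unenforced `v3_MAX_FILTER_CHANNELS` relationship, the `.org`/`.orig` mismatch in the patch headers and the missing DEP-3 header. Here the 5.3.2 paths at least match the package version, and the unpack.hpp context (`MAX3_UNPACK_FILTERS` at line 13) is the right one for this tree. Since the two patch files differ only in that context, fixing the wording once and regenerating both would keep them in sync.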