Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.ca...@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #848926,
regarding jessie-pu: package libclamunrar/0.99-0+deb8u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
848926: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=848926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

This update contains four patches which I noticed in upstream's git.
They appeared in July and the last fix (for a fix) was done last week. I
have no idea when 0.99.3 will appear, and the changes in the debdiff are
the only functional changes in libclamunrar* since 0.99.

The fixes look like bugs found by afl (or other fuzzer) while throwing
.rar files at clamav.

Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog  2016-02-03 22:10:12.000000000 +0100
+++ libclamunrar-0.99/debian/changelog  2016-12-16 21:38:26.000000000 +0100
@@ -1,3 +1,10 @@
+libclamunrar (0.99-0+deb8u2) stable; urgency=medium
+
+  * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band
+    access.
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Fri, 16 Dec 2016 
21:38:26 +0100
+
 libclamunrar (0.99-0+deb8u1) stable; urgency=medium
 
   [ Scott Kitterman ]
@@ -10,7 +17,7 @@
   * switch from libclamunrar6 to libclamunrar7
   * copy clamav's watch file
   * add pkg-config to dependencies so autoreconf does not break
-  * don't links against libpcre if available.
+  * don't link against libpcre if available.
 
  -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc>  Wed, 03 Feb 2016 
21:52:51 +0100
 
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm   2016-02-03 22:09:03.000000000 +0100
+++ libclamunrar-0.99/debian/.git-dpm   2016-12-16 21:38:26.000000000 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-libclamunrar_0.98.5.orig.tar.xz
-6d4a3441e142002ffdaa76ad313bc018985e1999
-304828
+e677e64787390c59bdb925be08113ebf47aed869
+e677e64787390c59bdb925be08113ebf47aed869
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+libclamunrar_0.99.orig.tar.xz
+3299e943affefb7a1aea0cada292f1c4ec039aed
+311248
diff -Nru libclamunrar-0.99/debian/patches/bb11600.patch 
libclamunrar-0.99/debian/patches/bb11600.patch
--- libclamunrar-0.99/debian/patches/bb11600.patch      1970-01-01 
01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11600.patch      2016-12-16 
21:38:26.000000000 +0100
@@ -0,0 +1,24 @@
+From 5a04072c135be7b49279792401f10d7b4f723ab5 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Tue, 12 Jul 2016 12:36:29 -0400
+Subject: bb11600 - fix out of bounds stack read.
+
+Patch-Name: bb11600.patch
+---
+ libclamunrar/unrar20.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c
+index ecfe40cf32f3..d938c472e1d8 100644
+--- a/libclamunrar/unrar20.c
++++ b/libclamunrar/unrar20.c
+@@ -117,7 +117,8 @@ static int read_tables20(int fd, unpack_data_t 
*unpack_data)
+                       n = (rar_getbits(unpack_data) >> 14) + 3;
+                       rar_addbits(unpack_data, 2);
+                       while ((n-- > 0) && (i < table_size)) {
+-                              table[i] = table[i-1];
++                              if (i>0)
++                                      table[i] = table[i-1];
+                               i++;
+                       }
+               } else {
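Review bot: The added `if (i>0)` guard in read_tables20() stops the `table[i-1]` read below the array, but a repeat-previous code at position 0 is still accepted: the loop advances `i`, leaves `table[0]` at whatever it held before, and then copies that value forward. Whether `table` is initialised is not visible in this hunk. A stream that asks to repeat a code length before any length exists is malformed, so an early `if (i == 0)` ahead of the loop that returns the function's failure value would be stricter than decoding on. The same applies to the identical guard in read_tables() in bb11600_pt2.patch. Both function bodies start and end outside their hunks.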
diff -Nru libclamunrar-0.99/debian/patches/bb11600_pt2.patch 
libclamunrar-0.99/debian/patches/bb11600_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11600_pt2.patch  1970-01-01 
01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11600_pt2.patch  2016-12-16 
21:38:26.000000000 +0100
@@ -0,0 +1,24 @@
+From 6c667e29a8980bef06544bb2c931a18512aaf745 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Tue, 12 Jul 2016 14:31:38 -0400
+Subject: fix possible out of bounds stack read.
+
+Patch-Name: bb11600_pt2.patch
+---
+ libclamunrar/unrar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
+index 456da4d6fef9..40a3d63cbd3e 100644
+--- a/libclamunrar/unrar.c
++++ b/libclamunrar/unrar.c
+@@ -469,7 +469,8 @@ static int read_tables(int fd, unpack_data_t *unpack_data)
+                               rar_addbits(unpack_data, 7);
+                       }
+                       while (n-- > 0 && i < table_size) {
+-                              table[i] = table[i-1];
++                              if (i>0)
++                                      table[i] = table[i-1];
+                               i++;
+                       }
+               } else {
diff -Nru libclamunrar-0.99/debian/patches/bb11601.patch 
libclamunrar-0.99/debian/patches/bb11601.patch
--- libclamunrar-0.99/debian/patches/bb11601.patch      1970-01-01 
01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11601.patch      2016-12-16 
21:38:26.000000000 +0100
@@ -0,0 +1,35 @@
+From df000ca42b250f861af33aaca16595e34975b715 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Wed, 13 Jul 2016 14:27:10 -0400
+Subject: bb11601 - check array boundaries in unrarvm rarvm_getbits().
+
+Patch-Name: bb11601.patch
+---
+ libclamunrar/unrarvm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 29944cbea82a..1cf5bb629952 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -215,12 +215,15 @@ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+       unsigned int bit_field;
+ 
+-      bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 
16;
+-      bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] 
<< 8;
+-      bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
+-      bit_field >>= (8-rarvm_input->in_bit);
++      if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++            bit_field = (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr] << 16;
++            bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
++            bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+2];
++            bit_field >>= (8-rarvm_input->in_bit);
+ 
+-      return (bit_field & 0xffff);
++            return (bit_field & 0xffff);
++        }
++        return 0;
+ }
+ 
+ unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
diff -Nru libclamunrar-0.99/debian/patches/bb11601_pt2.patch 
libclamunrar-0.99/debian/patches/bb11601_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11601_pt2.patch  1970-01-01 
01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11601_pt2.patch  2016-12-16 
21:38:26.000000000 +0100
@@ -0,0 +1,43 @@
+From e677e64787390c59bdb925be08113ebf47aed869 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevm...@cisco.com>
+Date: Wed, 14 Dec 2016 13:29:00 -0500
+Subject: bb11601 - revise buffer limit check due.
+
+Patch-Name: bb11601_pt2.patch
+---
+ libclamunrar/unrarvm.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 1cf5bb629952..102fe2ebf044 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -213,17 +213,20 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+ 
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+-      unsigned int bit_field;
++      unsigned int bit_field = 0;
+ 
+-      if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++      if (rarvm_input->in_addr < rarvm_input->buf_size) {
+             bit_field = (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+-            bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+-            bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+2];
+-            bit_field >>= (8-rarvm_input->in_bit);
+-
+-            return (bit_field & 0xffff);
++            if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
++                bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
++                if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++                    bit_field |= (unsigned int) 
rarvm_input->in_buf[rarvm_input->in_addr+2];
++                }
++            }
+         }
+-        return 0;
++        bit_field >>= (8-rarvm_input->in_bit);
++
++        return (bit_field & 0xffff);
+ }
+ 
+ unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
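Review bot: rarvm_getbits() now treats bytes at or beyond `buf_size` as zero, but nothing in the function says so, and a caller cannot tell truncated input from real zero bits. A comment above the first check would record the contract, e.g. `/* Bytes at or past buf_size read as 0: truncated input yields zero bits, never an out-of-bounds read. */`. The three checks bound only the upper side, so they rely on `in_addr` never being negative and on `in_bit` staying in 0..7 for the `8-rarvm_input->in_bit` shift. Neither the field types nor the rarvm_addbits() body is visible in this hunk, so both assumptions are worth confirming.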
diff -Nru libclamunrar-0.99/debian/patches/series 
libclamunrar-0.99/debian/patches/series
--- libclamunrar-0.99/debian/patches/series     1970-01-01 01:00:00.000000000 
+0100
+++ libclamunrar-0.99/debian/patches/series     2016-12-16 21:38:26.000000000 
+0100
@@ -0,0 +1,4 @@
+bb11600.patch
+bb11600_pt2.patch
+bb11601.patch
+bb11601_pt2.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
