Package: release.debian.org
User: release.debian....@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Dear release team,

Would you allow an update of libextractor 1.3-2 in Jessie to fix several minor
security issues? These are the seven issues that the security team did not handle:

  * CVE-2017-15266 
<https://security-tracker.debian.org/tracker/CVE-2017-15266>: In GNU 
Libextractor 1.4, there is a Divide-By-Zero in EXTRACTOR_wav_extract_method in
    wav_extractor.c via a zero sample rate.
  * CVE-2017-15922 
<https://security-tracker.debian.org/tracker/CVE-2017-15922>: In GNU 
Libextractor 1.4, there is an out-of-bounds read in the 
EXTRACTOR_dvi_extract_method
    function in plugins/dvi_extractor.c.
  * CVE-2017-15267 
<https://security-tracker.debian.org/tracker/CVE-2017-15267>: In GNU 
Libextractor 1.4, there is a NULL Pointer Dereference in flac_metadata in
    flac_extractor.c.
  * CVE-2017-15602 
<https://security-tracker.debian.org/tracker/CVE-2017-15602>: In GNU 
Libextractor 1.4, there is an integer signedness error for the chunk size in the
    EXTRACTOR_nsfe_extract_method function in plugins/nsfe_extractor.c, leading 
to an infinite loop for a crafted size.
  * CVE-2017-17440 
<https://security-tracker.debian.org/tracker/CVE-2017-17440>: GNU Libextractor 
1.6 allows remote attackers to cause a denial of service (NULL pointer
    dereference and application crash) via a crafted GIF, IT (Impulse Tracker), 
NSFE, S3M (Scream Tracker 3), SID, or XM (eXtended Module) file, as 
demonstrated by the
    EXTRACTOR_xm_extract_method function in plugins/xm_extractor.c.
  * CVE-2017-15600 
<https://security-tracker.debian.org/tracker/CVE-2017-15600>: In GNU 
Libextractor 1.4, there is a NULL Pointer Dereference in the
    EXTRACTOR_nsf_extract_method function of plugins/nsf_extractor.c.
  * CVE-2017-15601 
<https://security-tracker.debian.org/tracker/CVE-2017-15601>: In GNU 
Libextractor 1.4, there is a heap-based buffer overflow in the
    EXTRACTOR_png_extract_method function in plugins/png_extractor.c, related 
to processiTXt and stndup.

You will find attached the full debdiff.


Cheers,
Bertrand

PS These are the same changes as in #885617

diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog
--- libextractor-1.3/debian/changelog	2014-09-30 22:56:54.000000000 +0200
+++ libextractor-1.3/debian/changelog	2017-12-27 19:01:53.000000000 +0100
@@ -1,3 +1,14 @@
+libextractor (1:1.3-2+deb8u1) jessie; urgency=medium
+
+  * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
+    CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered
+    several security vulnerabilities, NULL Pointer Dereferences, heap-based
+    buffer overflows, integer signedness errors and out-of-bounds read that
+    may lead to a denial-of-service (application crash) or have other
+    unspecified impact.
+
+ -- Bertrand Marc <bm...@debian.org>  Wed, 27 Dec 2017 19:01:53 +0100
+
 libextractor (1:1.3-2) unstable; urgency=medium
 
   * Build-depend on libmagic-dev and libavresample-dev to enable additional
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch
--- libextractor-1.3/debian/patches/CVE-2017-15266.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15266.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,17 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15266
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html
+Bug-Debian: https://bugs.debian.org/878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
+--- a/src/plugins/wav_extractor.c
++++ b/src/plugins/wav_extractor.c
+@@ -109,6 +109,8 @@
+     return;                /* invalid sample size found in wav file */
+   if (0 == channels)
+     return;                /* invalid channels value -- avoid division by 0! */
++  if (0 == sample_rate)
++    return;                /* invalid sample_rate */
+   samples = data_len / (channels * (sample_size >> 3));
+ 
+   snprintf (scratch,
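Review bot: The comment on the new `0 == sample_rate` guard, `/* invalid sample_rate */`, says less than the neighbouring `/* invalid channels value -- avoid division by 0! */`, which records why the early return exists. Since the point of CVE-2017-15266 is a division by `sample_rate` that, per the CVE description, happens later in the function (outside this hunk), make the comment say so: `/* invalid sample_rate -- avoid division by 0! */`. The enclosing function starts and ends outside the hunk.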
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch
--- libextractor-1.3/debian/patches/CVE-2017-15267.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15267.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 4 Dec 2017 00:00:15 +0100
+Subject: CVE-2017-15267
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2
+---
+ src/plugins/flac_extractor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/plugins/flac_extractor.c
++++ b/src/plugins/flac_extractor.c
+@@ -339,6 +339,8 @@
+ 	  {
+ 	    entry = &vc->comments[count];
+ 	    eq = (const char*) entry->entry;
++	    if (NULL == eq)
++			break;
+ 	    len = entry->length;
+ 	    ilen = 0;
+ 	    while ( ('=' != *eq) && ('\0' != *eq) &&
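Review bot: The added `break;` is indented with two tabs while the surrounding lines use a tab followed by spaces, so it does not line up with the `if (NULL == eq)` it belongs to; re-indent it to that line's indent plus two spaces, matching the rest of the loop body. It would also help to say why a NULL entry ends the whole loop rather than skipping one comment, e.g. `/* malformed comment block: stop instead of dereferencing NULL */`; if skipping was intended, `continue` is the alternative, but that cannot be decided from the hunk. The enclosing loop and function extend outside the hunk.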
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch
--- libextractor-1.3/debian/patches/CVE-2017-15600.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15600.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,29 @@
+From: Bertrand Marc <bm...@debian.org>, Markus Koschany <a...@debian.org>
+Subject: CVE-2017-15600
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
+--- a/src/plugins/nsf_extractor.c
++++ b/src/plugins/nsf_extractor.c
+@@ -152,13 +152,17 @@
+   char nsfversion[32];
+   const struct header *head;
+   void *data;
++  ssize_t ds;
+ 
+-  if (sizeof (struct header) >
+-      ec->read (ec->cls,
+-		&data,
+-		sizeof (struct header)))
++  ds = ec->read (ec->cls,
++                 &data,
++                 sizeof (struct header));
++  if ( (-1 == ds) ||
++       (sizeof (struct header) > ds) )
+     return;
+   head = data; 
++  if (NULL == head)
++    return 0; 
+ 
+   /* Check "magic" id bytes */
+   if (memcmp (head->magicid, "NESM\x1a", 5))
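Review bot: The new `if (NULL == head) return 0;` returns a value from a function whose other exit two lines earlier is a bare `return;`, so the function is void; GCC warns on this and a build with `-Werror` fails. It should be `if (NULL == head) return;` (the line also carries trailing whitespace, as does `head = data; `). Separately, `sizeof (struct header) > ds` compares `size_t` with `ssize_t`: the preceding `-1 == ds` test covers the usual error value, but any other negative `ds` would be converted to a huge `size_t` and pass the check; if `ec->read` can return other negative values, `ds < (ssize_t) sizeof (struct header)` is safer and matches the cast idiom the CVE-2017-17440 patch in this series uses for the same pattern. The enclosing function starts and ends outside the hunk.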
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15601.patch libextractor-1.3/debian/patches/CVE-2017-15601.patch
--- libextractor-1.3/debian/patches/CVE-2017-15601.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15601.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,25 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15601
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091
+--- a/src/plugins/png_extractor.c
++++ b/src/plugins/png_extractor.c
+@@ -47,6 +47,8 @@
+ {
+   char *tmp;
+ 
++  if (n + 1 < n)
++    return NULL;
+   if (NULL == (tmp = malloc (n + 1)))
+     return NULL;
+   tmp[n] = '\0';
+@@ -221,6 +223,8 @@
+   compressed = data[pos++];
+   if (compressed && (0 != data[pos++]))
+     return 0;                /* bad compression method */
++  if (pos > length)
++    return 0;
+   language = (char *) &data[pos];
+   ret = 0;
+   if ( (stnlen (language, length - pos) > 0) &&
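Review bot: The new bounds check `if (pos > length) return 0;` runs after the two reads `compressed = data[pos++];` and `data[pos++]` above it, so if `pos` already equals `length` when this code is reached those reads are out of bounds before the guard fires; unless an earlier check outside the hunk guarantees that, a `pos >= length` test belongs before each of the two reads, with the existing guard kept for the `language` pointer that follows. In the first hunk, `n + 1 < n` only detects wrap if `n` is an unsigned type; for a signed `n` the overflow is undefined and the compiler may drop the test, and the declaration is not visible here, so please verify it. Both enclosing functions start and end outside their hunks.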
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15602.patch libextractor-1.3/debian/patches/CVE-2017-15602.patch
--- libextractor-1.3/debian/patches/CVE-2017-15602.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15602.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,18 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15602
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -374,7 +374,9 @@
+ 		    8))
+ 	break;
+       chunksize = nsfeuint (data);
+-      off += 8 + chunksize;
++      if (off + chunksize + 8LLU <= off)
++        break; /* protect against looping */
++      off += 8LLU + chunksize;
+       if (0 == memcmp (data + 4, "INFO", 4))
+         ret = info_extract (ec, chunksize);        
+       else if (0 == memcmp (data + 4, "auth", 4))
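Review bot: The anti-loop guard `if (off + chunksize + 8LLU <= off) break;` is evaluated in `unsigned long long` because of the `8LLU` literal, so it can only fire when `off` is itself a 64-bit value within `chunksize + 8` of its maximum; if `off` is narrower, the sum never wraps here and instead the assignment `off += 8LLU + chunksize;` truncates silently, which is the looping case the patch is meant to prevent. The effective fix is therefore the promotion to 64-bit addition (the original `8 + chunksize` could wrap in 32 bits and advance `off` by almost nothing); the declared type of `off` is outside the hunk, so please confirm it is 64-bit, and document the intent with `/* 64-bit add: a chunksize near UINT32_MAX must not wrap the offset */`. The loop and function extend outside the hunk.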
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15922.patch libextractor-1.3/debian/patches/CVE-2017-15922.patch
--- libextractor-1.3/debian/patches/CVE-2017-15922.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15922.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,45 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15922
+
+Bug-Debian: https://bugs.debian.org/880016
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117
+---
+ src/plugins/dvi_extractor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
+index e4cfa3a..2c9eaa2 100644
+--- a/src/plugins/dvi_extractor.c
++++ b/src/plugins/dvi_extractor.c
+@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+     goto CLEANUP;
+   opos = pos;
+   pos = getIntAt (&data[opos + 1]);
+-  if (pos + 25 > size)
++  if ( (pos + 25 > size) ||
++       (pos + 25 < pos) )
+     goto CLEANUP;
+   /* assert pos at 'post' command */
+   if (data[pos] != 248)
+@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+     {
+       if (UINT32_MAX == pos)
+         break;
+-      if (pos + 45 > size)
++      if ( (pos + 45 > size) ||
++	   (pos + 45 < pos) )
+ 	goto CLEANUP;
+       if (data[pos] != 139)     /* expect 'bop' */
+ 	goto CLEANUP;
+@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+   }
+   /* try to find PDF/ps special */
+   pos = opos;
+-  while (pos < size - 100)
++  while ( (size >= 100) &&
++	  (pos < size - 100) )
+     {
+       switch (data[pos])
+         {
+
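Review bot: The nested hunk headers (`@@ -207,7 +210,8 @@`, `@@ -219,7 +223,8 @@`, `@@ -268,7 +273,8 @@`) carry a three-line old/new start offset inherited from the upstream commit, and the `diff --git` / `index e4cfa3a..2c9eaa2` lines refer to upstream blob ids rather than the 1.3 tree; quilt applies the patch anyway, but it is the only patch in the series written this way. Regenerating it against the 1.3 source (a `quilt refresh`) would make the headers consistent with the other six patches and drop the stale blob ids. The three `x + k < x` wrap tests themselves rely on `pos` being unsigned, which the nearby `UINT32_MAX == pos` comparison suggests; the enclosing function starts and ends outside the hunk.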
diff -Nru libextractor-1.3/debian/patches/CVE-2017-17440.patch libextractor-1.3/debian/patches/CVE-2017-17440.patch
--- libextractor-1.3/debian/patches/CVE-2017-17440.patch	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-17440.patch	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,98 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-17440
+
+Bug-Debian: https://bugs.debian.org/883528
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e
+--- a/src/plugins/gif_extractor.c
++++ b/src/plugins/gif_extractor.c
+@@ -118,6 +118,8 @@
+       if (GIF_OK !=
+ 	  DGifGetExtension (gif_file, &et, &ext))
+ 	continue;
++      if (NULL == ext)
++        continue;
+       if (COMMENT_EXT_FUNC_CODE == et)
+ 	{
+ 	  ec->proc (ec->cls,
+--- a/src/plugins/it_extractor.c
++++ b/src/plugins/it_extractor.c
+@@ -70,7 +70,7 @@
+   char itversion[8];
+   const struct Header *head;
+ 
+-  if (HEADER_SIZE >
++  if ((ssize_t) HEADER_SIZE >
+       ec->read (ec->cls,
+ 		&data,
+ 		HEADER_SIZE))
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -176,7 +176,7 @@
+ 
+   if (size < 8)
+     return 0;
+-  if (size >
++  if ((ssize_t) size >
+       ec->read (ec->cls,
+ 		&data,
+ 		size))
+@@ -244,7 +244,7 @@
+   void *data;
+   const char *cdata;
+ 
+-  if (size >
++  if ((ssize_t) size >
+       ec->read (ec->cls,
+ 		&data,
+ 		size))
+@@ -286,7 +286,7 @@
+ 
+   if (left < 1)
+     return 0;
+-  if (size >
++  if ((ssize_t) size >
+       ec->read (ec->cls,
+ 		&data,
+ 		size))
+@@ -343,7 +343,7 @@
+   uint32_t chunksize;
+   int ret;
+   
+-  if (sizeof (struct header) >
++  if ((ssize_t) sizeof (struct header) >
+       ec->read (ec->cls,
+ 		&data,
+ 		sizeof (struct header)))
+--- a/src/plugins/s3m_extractor.c
++++ b/src/plugins/s3m_extractor.c
+@@ -80,7 +80,7 @@
+   struct S3MHeader header;
+   char song_name_NT[29];
+ 
+-  if (sizeof (header) >
++  if ((ssize_t) sizeof (header) >
+       ec->read (ec->cls,
+ 		&data,
+ 		sizeof (header)))
+--- a/src/plugins/sid_extractor.c
++++ b/src/plugins/sid_extractor.c
+@@ -176,7 +176,7 @@
+   const struct header *head;
+   void *data;
+ 
+-  if (sizeof (struct header) >
++  if ((ssize_t) sizeof (struct header) >
+       ec->read (ec->cls,
+ 		&data,
+ 		sizeof (struct header)))
+--- a/src/plugins/xm_extractor.c
++++ b/src/plugins/xm_extractor.c
+@@ -70,7 +70,7 @@
+   char xmversion[8];
+   size_t n;
+ 
+-  if (sizeof (struct Header) >
++  if ((ssize_t) sizeof (struct Header) >
+       ec->read (ec->cls,
+ 		&data,
+ 		sizeof (struct Header)))
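Review bot: The `(ssize_t)` casts on the left-hand side of each `>` comparison are what make a `-1` return from `ec->read` fail the check instead of being promoted to a huge `size_t`, but none of the seven sites says so; add a comment at least at the first one in `it_extractor.c`, e.g. `/* compare as ssize_t: ec->read returns -1 on error */`. The same pattern in `nsf_extractor.c` is fixed by the CVE-2017-15600 patch in this series with a different idiom (explicit `-1 == ds` plus an unsigned comparison); using the cast there too would keep the series consistent. In the `nsfe_extractor.c` hunks the value being cast is the caller-supplied `size`, so `(ssize_t) size` is only well-defined while `size <= SSIZE_MAX`, which is worth a bound if callers can pass larger values — the callers are not visible here. All enclosing functions start and end outside the hunks.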
diff -Nru libextractor-1.3/debian/patches/series libextractor-1.3/debian/patches/series
--- libextractor-1.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/series	2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,9 @@
+CVE-2017-15266.patch
+CVE-2017-15267.patch
+CVE-2017-15600.patch
+CVE-2017-15601.patch
+CVE-2017-15602.patch
+CVE-2017-15922.patch
+CVE-2017-17440.patch
+
+

Attachment: signature.asc
Description: OpenPGP digital signature
