Package: release.debian.org Severity: normal Tags: stretch User: [email protected] Usertags: pu
Dear stable release managers, there are two open CVEs for libmspack in Stretch: * CVE-2018-18584 * CVE-2018-18585 As the security team does not rate them as warranting a DSA of their own, but would like to see an update in Stretch, I would like to ask for an update via PU. Thanks! Thorsten -- System Information: Debian Release: 10 APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 4.14.0-3-amd64 (SMP w/1 CPU core) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
diff -Nru libmspack-0.5/debian/changelog libmspack-0.5/debian/changelog
--- libmspack-0.5/debian/changelog 2018-08-02 19:18:37.000000000 +0200
+++ libmspack-0.5/debian/changelog 2018-10-26 19:03:02.000000000 +0200
@@ -1,3 +1,15 @@
+libmspack (0.5-1+deb9u3) stretch; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-18584 (Closes: #911640)
+ Fixing the size of the CAB block input buffer, which is too small
+ for the maximal Quantum block, prevents an out-of-bounds write.
+ * CVE-2018-18585 (Closes: #911637)
+ Blank filenames (having length zero or their 1st or 2nd byte is
+ null) should be rejected.
+
+ -- Thorsten Alteholz <[email protected]> Fri, 26 Oct 2018 19:03:02 +0200
+
 libmspack (0.5-1+deb9u2) stretch-security; urgency=high
 
 * Non-maintainer upload.
diff -Nru libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch
--- libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch 2018-10-26 19:03:02.000000000 +0200
@@ -0,0 +1,35 @@
+Index: libmspack-0.5/mspack/cab.h
+===================================================================
+--- libmspack-0.5.orig/mspack/cab.h 2018-10-26 14:11:57.146094291 +0200
++++ libmspack-0.5/mspack/cab.h 2018-10-26 14:11:57.114094292 +0200
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+@@ -100,7 +108,7 @@
+ struct mspack_file *infh; /* input file handle */
+ struct mspack_file *outfh; /* output file handle */
+ unsigned char *i_ptr, *i_end; /* input data consumed, end */
+- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
+ };
+
+ struct mscab_decompressor_p {
diff -Nru libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch
--- libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch 2018-10-26 19:03:02.000000000 +0200
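Review bot: The new patch file carries no DEP-3 header, so nothing in the package records where this cab.h change comes from or which bug it closes; 0008-CVE-2018-18585.patch has the same gap. Prepending `Description: CVE-2018-18584: size the CAB input buffer for the largest possible block`, `Bug-Debian: https://bugs.debian.org/911640` and `Origin: upstream, <UPSTREAM-COMMIT-ID>` (placeholder, to be filled from the upstream fix) before the Index: line would let the next maintainer trace both patches. On the code, CAB_INPUTBUF is now a literal 65535 + 1 that is no longer derived from CAB_INPUTMAX, and the comment justifies it by the salvage-mode behaviour of cabd_sys_read_block(), which lives in cab.c outside this hunk; the bound presumably rests on the compressed block size being a 16-bit field there, which is worth confirming in the same review. A guard next to the define, `#if CAB_INPUTBUF < CAB_INPUTMAX + 1` / `#error "CAB_INPUTBUF must cover CAB_INPUTMAX plus the trailer byte"` / `#endif`, would keep the two constants from drifting apart in a later edit.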
@@ -0,0 +1,22 @@
+Index: libmspack-0.5/mspack/chmd.c
+===================================================================
+--- libmspack-0.5.orig/mspack/chmd.c 2018-10-26 14:12:19.494093621 +0200
++++ libmspack-0.5/mspack/chmd.c 2018-10-26 14:12:19.482093622 +0200
+@@ -447,14 +447,14 @@
+ while (num_entries--) {
+ READ_ENCINT(name_len);
+ if (name_len > (unsigned int) (end - p)) goto chunk_end;
+- /* consider blank filenames to be an error */
+- if (name_len == 0) goto chunk_end;
+ name = p; p += name_len;
+-
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+
++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++ if (name_len < 2 || !name[0] || !name[1]) continue;
++
+ /* empty files and directory names are stored as a file entry at
+ * offset 0 with length 0. We want to keep empty files, but not
+ * directory names, which end with a "/" */
diff -Nru libmspack-0.5/debian/patches/series libmspack-0.5/debian/patches/series
--- libmspack-0.5/debian/patches/series 2018-07-21 16:46:08.000000000 +0200
+++ libmspack-0.5/debian/patches/series 2018-10-26 19:03:02.000000000 +0200
@@ -4,3 +4,6 @@
 0004-kwaj_read_headers-fix-handling-of-non-terminated-str.patch
 0005-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
 0006-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
+
+0007-CVE-2018-18584.patch
+0008-CVE-2018-18585.patch
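Review bot: The placement of the new `continue` is load-bearing but undocumented: the blank-name test was moved from before `name = p; p += name_len;` to after the three READ_ENCINT calls, and the entry is now skipped rather than treated as an error, so the section/offset/length fields of a skipped entry are still consumed and the loop (which continues past the end of this hunk) presumably stays in sync with the chunk. Extending the new comment to `/* ignore blank or one-char (e.g. "/") filenames we'd return as blank; this must stay after the ENCINT reads above so a skipped entry still consumes its fields */` would stop a later edit from hoisting the check back up. The `!name[1]` read is in bounds here only because `name_len < 2` is tested first and the earlier `name_len > end - p` check bounds the name; that ordering of the `||` operands is worth a word too. Note that a NUL after the second byte is not rejected by this check; whether that matters depends on how the name is copied further down, which is outside the hunk.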

