Your message dated Sat, 10 Nov 2018 10:42:56 +0000
with message-id <1541846576.3542.38.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.6
has caused the Debian Bug report #912159,
regarding stretch-pu: package libmspack/0.5-1+deb9u3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
912159: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912159
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear stable release managers,

There are two open CVEs for libmspack in Stretch:
  * CVE-2018-18584
  * CVE-2018-18585
As the security team does not rate them as appropriate for a DSA of their own, but
wants to see an update in Stretch, I would like to ask for an update via PU.

Thanks!
 Thorsten

-- System Information:
Debian Release: 10
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libmspack-0.5/debian/changelog libmspack-0.5/debian/changelog
--- libmspack-0.5/debian/changelog      2018-08-02 19:18:37.000000000 +0200
+++ libmspack-0.5/debian/changelog      2018-10-26 19:03:02.000000000 +0200
@@ -1,3 +1,15 @@
+libmspack (0.5-1+deb9u3) stretch; urgency=high
+
+  * Non-maintainer upload by the LTS Team. 
+  * CVE-2018-18584 (Closes: #911640)
+    Fixing the size of the CAB block input buffer, which is too small
+    for the maximal Quantum block, prevents an out-of-bounds write.
+  * CVE-2018-18585 (Closes: #911637)
+    Blank filenames (having length zero or their 1st or 2nd byte is
+    null) should be rejected.
+ 
+ -- Thorsten Alteholz <deb...@alteholz.de>  Fri, 26 Oct 2018 19:03:02 +0200
+
 libmspack (0.5-1+deb9u2) stretch-security; urgency=high
 
   * Non-maintainer upload.
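Review bot: the CVE-2018-18585 entry says blank filenames "should be rejected", but the accompanying 0008 patch skips such entries with `continue` and keeps parsing the chunk, so "are skipped" or "are ignored" would describe the change accurately. Two lines in this hunk carry trailing whitespace (the `* Non-maintainer upload by the LTS Team.` line and the blank `+ ` line before the signature); strip it, lintian will otherwise complain. Minor wording: "having length zero or their 1st or 2nd byte is null" reads better as "of length zero, or whose first or second byte is NUL".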
diff -Nru libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch
--- libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch      1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch      2018-10-26 19:03:02.000000000 +0200
@@ -0,0 +1,35 @@
+Index: libmspack-0.5/mspack/cab.h
+===================================================================
+--- libmspack-0.5.orig/mspack/cab.h    2018-10-26 14:11:57.146094291 +0200
++++ libmspack-0.5/mspack/cab.h 2018-10-26 14:11:57.114094292 +0200
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+  *
+  * libmspack is free software; you can redistribute it and/or modify it under
+  * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+ 
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+  * be more than 32768*65535 bytes in length. As files cannot span more than
+  * one folder, this is also their max offset, length and offset+length limit.
+@@ -100,7 +108,7 @@
+   struct mspack_file *infh;          /* input file handle                    
*/
+   struct mspack_file *outfh;         /* output file handle                   
*/
+   unsigned char *i_ptr, *i_end;      /* input data consumed, end             
*/
+-  unsigned char input[CAB_INPUTMAX]; /* one input block of data              
*/
++  unsigned char input[CAB_INPUTBUF]; /* one input block of data              
*/
+ };
+ 
+ struct mscab_decompressor_p {
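Review bot: the patch file has no DEP-3 header (Description, Origin pointing at the upstream commit, Bug-Debian: #911640); add one so the provenance of the backport is recorded. The fix itself is sound: `input` grows from CAB_INPUTMAX (32768+6144 = 38912 bytes) to CAB_INPUTBUF (65536 bytes), which covers a maximal block plus the trailer byte the comment describes, and since only the array size changes, existing reads bounded by CAB_INPUTMAX still fit. The second paragraph of the new comment refers to MSCABD_PARAM_SALVAGE; please confirm that parameter exists in the 0.5 sources, and if it does not, drop that paragraph as carried over from upstream, since the larger buffer is correct either way. Note that the `@@ -100,7 +108,7 @@` hunk has been line-wrapped by extraction here (each closing `*/` sits on its own line); apply from the original debdiff, not from this rendering.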
diff -Nru libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch
--- libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch      1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch      2018-10-26 19:03:02.000000000 +0200
@@ -0,0 +1,22 @@
+Index: libmspack-0.5/mspack/chmd.c
+===================================================================
+--- libmspack-0.5.orig/mspack/chmd.c   2018-10-26 14:12:19.494093621 +0200
++++ libmspack-0.5/mspack/chmd.c        2018-10-26 14:12:19.482093622 +0200
+@@ -447,14 +447,14 @@
+     while (num_entries--) {
+       READ_ENCINT(name_len);
+       if (name_len > (unsigned int) (end - p)) goto chunk_end;
+-      /* consider blank filenames to be an error */
+-      if (name_len == 0) goto chunk_end;
+       name = p; p += name_len;
+-
+       READ_ENCINT(section);
+       READ_ENCINT(offset);
+       READ_ENCINT(length);
+ 
++      /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++      if (name_len < 2 || !name[0] || !name[1]) continue;
++
+       /* empty files and directory names are stored as a file entry at
+        * offset 0 with length 0. We want to keep empty files, but not
+        * directory names, which end with a "/" */
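Review bot: the new check `if (name_len < 2 || !name[0] || !name[1]) continue;` sits after the three READ_ENCINT calls, which is the right place: section, offset and length are consumed before the entry is skipped, so the parser stays in sync with the chunk layout. Because `name_len < 2` short-circuits, `name[1]` is only read when at least two bytes are present, and the earlier `name_len > (end - p)` check keeps both reads within the chunk. What changes semantically is that the removed `if (name_len == 0) goto chunk_end;` treated a blank name as a corrupt chunk and stopped, whereas now the entry is dropped and parsing continues; the changelog entry should say so. As with 0007, add a DEP-3 header (Bug-Debian: #911637).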
diff -Nru libmspack-0.5/debian/patches/series libmspack-0.5/debian/patches/series
--- libmspack-0.5/debian/patches/series 2018-07-21 16:46:08.000000000 +0200
+++ libmspack-0.5/debian/patches/series 2018-10-26 19:03:02.000000000 +0200
@@ -4,3 +4,6 @@
 0004-kwaj_read_headers-fix-handling-of-non-terminated-str.patch
 0005-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
 0006-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
+
+0007-CVE-2018-18584.patch
+0008-CVE-2018-18585.patch
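Review bot: the blank line added between 0006 and 0007 in the series file is unnecessary; quilt ignores it, but the rest of the file has no blank separators, so drop it for consistency.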

--- End Message ---
--- Begin Message ---
Version: 9.6

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---