Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id 
<5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.ca...@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #987246,
regarding buster-pu: package tnef/1.4.12-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
987246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987246
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu

The attached debdiff for tnef fixes CVE-2019-18849 in Buster.

It is marked as no-dsa by the security team.

The fix was uploaded to Jessie a long time ago, and nobody has complained so far.

  Thorsten
diff -Nru tnef-1.4.12/debian/changelog tnef-1.4.12/debian/changelog
--- tnef-1.4.12/debian/changelog        2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/changelog        2021-04-18 10:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+tnef (1.4.12-1.2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-18849 (Closes: #944851)
+    Using emails with a crafted winmail.dat application/ms-tnef attachment
+    might allow to change .ssh/authorized_keys.
+
+ -- Thorsten Alteholz <[email protected]>  Sun, 18 Apr 2021 10:03:02 +0200
+
 tnef (1.4.12-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442)
diff -Nru tnef-1.4.12/debian/patches/CVE-2019-18849.patch 
tnef-1.4.12/debian/patches/CVE-2019-18849.patch
--- tnef-1.4.12/debian/patches/CVE-2019-18849.patch     1970-01-01 
01:00:00.000000000 +0100
+++ tnef-1.4.12/debian/patches/CVE-2019-18849.patch     2021-04-18 
10:03:02.000000000 +0200
@@ -0,0 +1,147 @@
+Index: tnef-1.4.12/src/alloc.c
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.c       2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.c    2021-04-16 09:49:11.063016905 +0200
+@@ -72,13 +72,14 @@
+ 
+ /* attempts to malloc memory, if fails print error and call abort */
+ void*
+-xmalloc (size_t num, size_t size)
++xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
+-    void *ptr = malloc (res);
++    if (res + extra < res)
++        abort();
++    void *ptr = malloc (res + extra);
+     if (!ptr
+         && (size != 0))         /* some libc don't like size == 0 */
+     {
+@@ -90,41 +91,44 @@
+ 
+ /* Allocates memory but only up to a limit */
+ void*
+-checked_xmalloc (size_t num, size_t size)
++checked_xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
++    if (res + extra < res)
++        abort();
+     alloc_limit_assert ("checked_xmalloc", res);
+-    return xmalloc (num, size);
++    return xmalloc (num, size, extra);
+ }
+ 
+ /* xmallocs memory and clears it out */
+ void*
+-xcalloc (size_t num, size_t size)
++xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     void *ptr;
+-    ptr = malloc(res);
++    if (res + extra < res)
++        abort();
++    ptr = malloc(res + extra);
+     if (ptr)
+     {
+-        memset (ptr, '\0', (res));
++        memset (ptr, '\0', (res + extra));
+     }
+     return ptr;
+ }
+ 
+ /* xcallocs memory but only up to a limit */
+ void*
+-checked_xcalloc (size_t num, size_t size)
++checked_xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     alloc_limit_assert ("checked_xcalloc", (res));
+-    return xcalloc (num, size);
++    return xcalloc (num, size, extra);
+ }
+Index: tnef-1.4.12/src/alloc.h
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.h       2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.h    2021-04-16 09:49:11.063016905 +0200
+@@ -35,19 +35,23 @@
+ extern void set_alloc_limit (size_t size);
+ extern size_t get_alloc_limit();
+ extern void alloc_limit_assert (char *fn_name, size_t size);
+-extern void* checked_xmalloc (size_t num, size_t size);
+-extern void* xmalloc (size_t num, size_t size);
+-extern void* checked_xcalloc (size_t num, size_t size);
+-extern void* xcalloc (size_t num, size_t size);
++extern void* checked_xmalloc (size_t num, size_t size, size_t extra);
++extern void* xmalloc (size_t num, size_t size, size_t extra);
++extern void* checked_xcalloc (size_t num, size_t size, size_t extra);
++extern void* xcalloc (size_t num, size_t size, size_t extra);
+ 
+ #define XMALLOC(_type,_num)                                   \
+-        ((_type*)xmalloc((_num), sizeof(_type)))
++  ((_type*)xmalloc((_num), sizeof(_type), 0))
+ #define XCALLOC(_type,_num)                                   \
+-        ((_type*)xcalloc((_num), sizeof (_type)))
++  ((_type*)xcalloc((_num), sizeof (_type), 0))
+ #define CHECKED_XMALLOC(_type,_num)                           \
+-        ((_type*)checked_xmalloc((_num),sizeof(_type)))
+-#define CHECKED_XCALLOC(_type,_num)                           \
+-        ((_type*)checked_xcalloc((_num),sizeof(_type)))
++  ((_type*)checked_xmalloc((_num),sizeof(_type),0))
++#define CHECKED_XMALLOC_ADDNULL(_type,_num)                           \
++  ((_type*)checked_xmalloc((_num),sizeof(_type),1))
++#define CHECKED_XCALLOC(_type,_num)                   \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),0))
++#define CHECKED_XCALLOC_ADDNULL(_type,_num)           \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),1))
+ #define XFREE(_ptr)                                           \
+         do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0)
+ 
+Index: tnef-1.4.12/src/attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/attr.c        2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/attr.c     2021-04-16 09:49:59.640149076 +0200
+@@ -244,7 +244,11 @@
+     attr->type = (type_and_name >> 16);
+     attr->name = ((type_and_name << 16) >> 16);
+     attr->len = geti32(in);
+-    attr->buf = CHECKED_XCALLOC (unsigned char, attr->len);
++    /* Allocate an extra byte for the null terminator,
++       in case the input lacks it,
++       this avoids strdup() being invoked on possibly non-terminated
++       input later (file.c, file_add_attr()). */
++    attr->buf = CHECKED_XCALLOC_ADDNULL(unsigned char, attr->len);
+     
+     (void)getbuf(in, attr->buf, attr->len);
+     
+Index: tnef-1.4.12/src/mapi_attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/mapi_attr.c   2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/mapi_attr.c        2021-04-16 09:51:07.653589451 +0200
+@@ -314,8 +314,11 @@
+               }
+               else
+               {
+-                  v->data.buf = CHECKED_XMALLOC(unsigned char, v->len);
+-                  memmove (v->data.buf, buf+idx, v->len);
++                 /* add space for a null terminator, in case of evil input */
++                    v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, 
v->len);
++                    memmove (v->data.buf, buf+idx, v->len);
++                    v->data.buf[v->len] = '\0';
++
+               }
+ 
+               idx += pad_to_4byte(v->len);
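Review bot: In checked_xmalloc and checked_xcalloc (nested alloc.c hunks) the limit check still receives `res`, while the allocation that follows is `res + extra`, so a request sized exactly at the configured limit passes and then allocates one byte more than the limit. Passing the real size, `alloc_limit_assert ("checked_xmalloc", res + extra);` and likewise for `"checked_xcalloc"`, keeps the limit exact. checked_xcalloc would then also need the `if (res + extra < res) abort();` guard that checked_xmalloc already has before that call. Separately, xmalloc's failure test is still `size != 0`, which no longer describes the request once `extra` is added; `res + extra != 0` would match the malloc argument. xmalloc's body continues past the end of its nested hunk, so the rest of that error path is not visible here.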
diff -Nru tnef-1.4.12/debian/patches/series tnef-1.4.12/debian/patches/series
--- tnef-1.4.12/debian/patches/series   2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/patches/series   2021-04-18 10:03:02.000000000 +0200
@@ -4,3 +4,5 @@
 fix-regression-1.patch
 fix-regression-2.patch
 CVE-2017-8911.patch
+
+CVE-2019-18849.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
