Hi,

Cyril Brulebois wrote:
> Axel Beckert <[email protected]> (11/04/2012):
> > I'd have sent that anyway, just wanted to ask beforehand. Will let you
> > know when I have the package ready.
> 
> (having look quickly at the bug report now:) please make sure to fix the
> package in unstable beforehands.

Done now, although not with the patch upstream attached but with their new
upstream release.

Cyril Brulebois wrote:
> Axel Beckert <[email protected]> (11/04/2012):
> > Nico Golde wrote:
> > > Please upload these fixes to stable-proposed-updates instead.
> > 
> > I guess that's ok with the SRM.
> 
> We can't tell until we see a debdiff against the package in stable.

Attached. I'm still waiting for a CVE ID, though. I pinged the security
team again about an hour ago.

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <[email protected]>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
diff -Nru links2-2.3~pre1/debian/changelog links2-2.3~pre1/debian/changelog
--- links2-2.3~pre1/debian/changelog    2010-07-09 17:08:57.000000000 +0200
+++ links2-2.3~pre1/debian/changelog    2012-04-24 17:57:23.000000000 +0200
@@ -1,3 +1,9 @@
+links2 (2.3~pre1-1+squeeze1) stable-proposed-updates; urgency=low
+
+  * Fix several security issues reported by upstream (Closes: #668227)
+
+ -- Axel Beckert <[email protected]>  Tue, 24 Apr 2012 17:57:12 +0200
+
 links2 (2.3~pre1-1) unstable; urgency=low
 
   [Gürkan Sengün]
diff -Nru links2-2.3~pre1/debian/patches/security-fixes-668227.diff 
links2-2.3~pre1/debian/patches/security-fixes-668227.diff
--- links2-2.3~pre1/debian/patches/security-fixes-668227.diff   1970-01-01 
01:00:00.000000000 +0100
+++ links2-2.3~pre1/debian/patches/security-fixes-668227.diff   2012-04-24 
17:46:04.000000000 +0200
@@ -0,0 +1,163 @@
+This patch fixes:
+
+Buffer overflow when pasting too long text from clipboard to dialog boxes
+       (not remotely exploitable)
+A write out of allocated memory in the graphics rendeder (potentionally
+       exploitable)
+An infinite loop when parsing invalid usemap specification in text and
+       graphics mode (can cause browser lockup, but not otherwise exploitable)
+Accesses out of memory in the xbm decoder (potentionally exploitable)
+
+---
+ bfu.c  |    3 ++-
+ dip.c  |    3 ++-
+ html.c |    6 +++++-
+ xbm.c  |   20 ++++++++++----------
+ 4 files changed, 19 insertions(+), 13 deletions(-)
+
+Index: links-2.3pre1/bfu.c
+===================================================================
+--- links-2.3pre1.orig/bfu.c   2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/bfu.c        2012-04-09 23:39:56.000000000 +0200
+@@ -1382,7 +1382,8 @@ void dialog_func(struct window *win, str
+ clipbd_paste:
+                                       clipboard = get_clipboard_text(term);
+                                       if (clipboard) {
+-                                              if (strlen(di->cdata) < 
di->item->dlen - strlen(clipboard)) {
++                                              if (strlen(di->cdata) + 
strlen(clipboard) < (size_t)di->item->dlen ||
++                                                  strlen(di->cdata) + 
strlen(clipboard) < strlen(di->cdata)) {
+                                                       memmove(di->cdata + 
di->cpos + strlen(clipboard), di->cdata + di->cpos, strlen(di->cdata) - 
di->cpos + 1);
+                                                       
memcpy(&di->cdata[di->cpos], clipboard, strlen(clipboard));
+                                                       di->cpos += 
strlen(clipboard);
+Index: links-2.3pre1/dip.c
+===================================================================
+--- links-2.3pre1.orig/dip.c   2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/dip.c        2012-04-09 23:39:56.000000000 +0200
+@@ -1901,6 +1901,7 @@ int g_wrap_text(struct wrap_struct *w)
+       while (*w->text) {
+               int u;
+               int s;
++              unsigned char *l_text = w->text;
+               if (*w->text == ' ') w->last_wrap = w->text,
+                                    w->last_wrap_obj = w->obj;
+               GET_UTF_8(w->text, u);
+@@ -1913,7 +1914,7 @@ int g_wrap_text(struct wrap_struct *w)
+                       if (u != 0xad || *w->text == ' ') continue;
+                       s = g_char_width(w->style, '-');
+                       if (w->pos + s <= w->width || (!w->last_wrap && 
!w->last_wrap_obj)) {
+-                              w->last_wrap = w->text;
++                              w->last_wrap = l_text;
+                               w->last_wrap_obj = w->obj;
+                               continue;
+                       }
+Index: links-2.3pre1/html.c
+===================================================================
+--- links-2.3pre1.orig/html.c  2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/html.c       2012-04-09 23:39:56.000000000 +0200
+@@ -2920,6 +2920,7 @@ int get_image_map(unsigned char *head, u
+               lblen = 0;
+               se3:
+               ss = s;
++              se4:
+               while (ss < eof && *ss != '<') ss++;
+               if (ss >= eof) {
+                       mem_free(label);
+@@ -2933,7 +2934,10 @@ int get_image_map(unsigned char *head, u
+                       s = skip_comment(s, eof);
+                       goto se3;
+               }
+-              if (parse_element(s, eof, NULL, NULL, NULL, &ss)) goto se3;
++              if (parse_element(s, eof, NULL, NULL, NULL, &ss)) {
++                      ss = s + 1;
++                      goto se4;
++              }
+               if (!((namelen == 1 && !casecmp(name, "A", 1)) ||
+                     (namelen == 2 && !casecmp(name, "/A", 2)) ||
+                     (namelen == 3 && !casecmp(name, "MAP", 3)) ||
+Index: links-2.3pre1/xbm.c
+===================================================================
+--- links-2.3pre1.orig/xbm.c   2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/xbm.c        2012-04-09 23:39:56.000000000 +0200
+@@ -44,7 +44,7 @@ struct xbm_decoder{
+ extern int get_foreground(int rgb);
+ 
+ unsigned char *my_memmem(unsigned char *, int, unsigned char *, int);
+-void xbm_decode(struct cached_image *, unsigned char *, int);
++int xbm_decode(struct cached_image *, unsigned char *, int);
+ 
+ 
+ unsigned char *my_memmem(unsigned char *h, int hl, unsigned char *n, int nl)
+@@ -138,7 +138,7 @@ static inline void put_eight(struct cach
+ 
+ /* opravdovy dekoder xbm, data jsou bez komentaru */
+ /* length is always !=NULL */
+-void xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
++int xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
+ {
+       struct xbm_decoder *deco=(struct xbm_decoder *)cimg->decoder;
+       /* okurky v decu ;-) */
+@@ -146,13 +146,13 @@ void xbm_decode(struct cached_image *cim
+       int must_return=0;
+ 
+ restart_again:
+-      if (must_return&&!length)return;
++      if (must_return&&!length)return 0;
+       must_return=0;
+       a=min(length,XBM_BUFFER_LEN-deco->buffer_pos);
+       memcpy(deco->buffer+deco->buffer_pos,data,a);
+       length-=a;
+       deco->buffer_pos+=a;
+-      if (!deco->buffer_pos)return;   /* z toho nic plodnyho nevznikne */
++      if (!deco->buffer_pos)return 0;         /* z toho nic plodnyho 
nevznikne */
+       data+=a;
+       if (!deco->in_data_block&&deco->partnum)
+       {
+@@ -220,7 +220,7 @@ restart_again:
+                       cimg->green_gamma=display_green_gamma;
+                       cimg->blue_gamma=display_blue_gamma;
+                       cimg->strip_optimized=0;
+-                      if (header_dimensions_known(cimg)) 
{img_end(cimg);return;}
++                      if (header_dimensions_known(cimg)) 
{img_end(cimg);return 1;}
+                       
+                       deco->in_data_block=1;
+                       p++;
+@@ -239,7 +239,7 @@ restart_again:
+               deco->buffer_pos=a;
+               if (deco->partnum)must_return=1;
+               else 
put_eight(cimg,(b==16&&d>2)||(b==10&&deco->actual_eight>255)?16:8);
+-              if (deco->image_pos>=deco->pixels) {img_end(cimg);return;}
++              if (deco->image_pos>=deco->pixels) {img_end(cimg);return 1;}
+               goto restart_again;
+               
+       }
+@@ -261,9 +261,9 @@ cycle_again:
+                       unsigned char *p;
+                       p=memchr(data,'/',length);
+                       if (!p){xbm_decode(cimg, data, length);return;}
+-                      xbm_decode(cimg, data, p-data);
+-                      data=p+1;       /* preskocim lomitko */
++                      if (xbm_decode(cimg, data, p-data)) return;
+                       length-=p-data+1;
++                      data=p+1;       /* preskocim lomitko */
+                       deco->state=1;
+                       goto cycle_again;
+               }
+@@ -271,7 +271,7 @@ cycle_again:
+               case 1: /* za 1. lomitkem */
+               {
+                       if (*data=='*'){deco->state=2;data++;length--;goto 
cycle_again;}        /* zacal komentar */
+-                      xbm_decode(cimg, "/", 1);
++                      if (xbm_decode(cimg, "/", 1)) return;
+                       deco->state=0;  /* to nebyl komentar */
+                       goto cycle_again;
+               }
+@@ -281,8 +281,8 @@ cycle_again:
+                       unsigned char *p;
+                       p=memchr(data,'*',length);
+                       if (!p)return;  /* furt komentar */
+-                      data=p+1;       /* preskocim hvezdicku */
+                       length-=p-data+1;
++                      data=p+1;       /* preskocim hvezdicku */
+                       deco->state=3;
+                       goto cycle_again;
+               }
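Review bot: The wraparound clause added to the clipboard-paste check in the nested bfu.c hunk is inverted: `strlen(di->cdata) + strlen(clipboard) < strlen(di->cdata)` is true only when the sum has wrapped, and ORing it into the condition makes exactly that case take the memmove/memcpy path instead of rejecting it. Computing the lengths once and using it as a guard reads as `size_t cl = strlen(clipboard), dl = strlen(di->cdata); if (dl + cl >= dl && dl + cl < (size_t)di->item->dlen) {`. Since both operands are real string lengths the wrapped case is unlikely to be reachable, so the part of the fix that closes the overflow is comparing the sum against dlen instead of subtracting from it; the clause should still be corrected rather than left as a misleading guard. dialog_func, g_wrap_text, get_image_map and xbm_decode all start and end outside their nested hunks, and the bfu.c hunk lines are additionally broken by mail line-wrapping, so the patch as pasted here needs rejoining before it applies.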
diff -Nru links2-2.3~pre1/debian/patches/series 
links2-2.3~pre1/debian/patches/series
--- links2-2.3~pre1/debian/patches/series       2010-07-08 18:31:37.000000000 
+0200
+++ links2-2.3~pre1/debian/patches/series       2012-04-24 17:51:57.000000000 
+0200
@@ -1,3 +1,3 @@
 patches-as-of-link2-2.2-1.diff
 verify-ssl-certs-510417.diff
-
+security-fixes-668227.diff
