Your message dated Wed, 25 Feb 2015 19:10:38 +0000
with message-id <[email protected]>
and subject line Re: Bug#779236: unblock: unace/1.2b-12
has caused the Debian Bug report #779236,
regarding unblock: unace/1.2b-12
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
779236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779236
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock unace. It fixes CVE-2015-2063.
unblock unace/1.2b-12
Cheers,
Moritz
debdiff:
diff -Nru unace-1.2b/debian/changelog unace-1.2b/debian/changelog
--- unace-1.2b/debian/changelog 2014-05-11 07:30:11.000000000 +0200
+++ unace-1.2b/debian/changelog 2015-02-24 11:55:37.000000000 +0100
@@ -1,3 +1,10 @@
+unace (1.2b-12) unstable; urgency=high
+
+ * Fix buffer overflow when reading ace files with file headers smaller
+ than expected. Fixes CVE-2015-2063. (Closes: #775003)
+
+ -- Guillem Jover <[email protected]> Tue, 24 Feb 2015 10:47:45 +0100
+
unace (1.2b-11) unstable; urgency=medium
* Now using Standards-Version 3.9.5 (no changes needed).
diff -Nru unace-1.2b/debian/patches/006_security-afl.patch
unace-1.2b/debian/patches/006_security-afl.patch
--- unace-1.2b/debian/patches/006_security-afl.patch 1970-01-01
01:00:00.000000000 +0100
+++ unace-1.2b/debian/patches/006_security-afl.patch 2015-02-24
11:55:37.000000000 +0100
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover <[email protected]>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/unace.c
++++ b/unace.c
+@@ -113,6 +113,7 @@ INT read_header(INT print_err)
+ {
+ USHORT rd,
+ head_size,
++ need_size,
+ crc_ok;
+ LONG crc;
+ UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT read_header(INT print_err)
+ #endif
+ // read size_headrdb bytes into
+ head_size = head.HEAD_SIZE; // header structure
++ need_size = 3;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+ if (read(archan, readbuf, rd) < rd)
+ return 0;
+@@ -147,7 +151,12 @@ INT read_header(INT print_err)
+ head.HEAD_FLAGS=BUFP2WORD(tp);
+
+ if (head.HEAD_FLAGS & ACE_ADDSIZE)
++ {
++ need_size += 4;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ skipsize = head.ADDSIZE = BUF2LONG(tp); // get ADDSIZE
++ }
+ else
+ skipsize = 0;
+
+@@ -158,6 +167,9 @@ INT read_header(INT print_err)
+ switch (head.HEAD_TYPE) // specific buffer to head conversion
+ {
+ case MAIN_BLK:
++ need_size += 24;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+ mhead.VER_MOD=*tp++;
+ mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT read_header(INT print_err)
+ mhead.RES2 =BUFP2WORD(tp);
+ mhead.RES =BUFP2LONG(tp);
+ mhead.AV_SIZE=*tp++;
+- memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++ if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++ mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(mhead.AV, tp, mhead.AV_SIZE);
+ break;
+ case FILE_BLK:
++ need_size += 28;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ fhead.PSIZE =BUFP2LONG(tp);
+ fhead.SIZE =BUFP2LONG(tp);
+ fhead.FTIME =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT read_header(INT print_err)
+ fhead.TECH.PARM =BUFP2WORD(tp);
+ fhead.RESERVED =BUFP2WORD(tp);
+ fhead.FNAME_SIZE=BUFP2WORD(tp);
+- memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++ if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++ fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+ break;
+ // default: (REC_BLK and future things):
+ // do nothing 'cause isn't needed for extraction
diff -Nru unace-1.2b/debian/patches/series unace-1.2b/debian/patches/series
--- unace-1.2b/debian/patches/series 2012-04-27 03:32:38.000000000 +0200
+++ unace-1.2b/debian/patches/series 2015-02-24 11:55:37.000000000 +0100
@@ -3,3 +3,4 @@
003_security.patch
004_64_bit_clean.patch
005_format-security.patch
+006_security-afl.patch
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
On Wed, 2015-02-25 at 19:59 +0100, Moritz Muehlenhoff wrote:
> Please unblock unace. It fixes CVE-2015-2063.
Unblocked.
Regards,
Adam
--- End Message ---
