Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and PATinst() Buffer Overflow Vulnerability

2009-05-06 Thread Giuseppe Iuculano
Hi,

I've prepared an NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

Proposed debdiffs in attachment.

Cheers,
Giuseppe.
diff -u libmodplug-0.7/src/libmodplug/stdafx.h 
libmodplug-0.7/src/libmodplug/stdafx.h
--- libmodplug-0.7/src/libmodplug/stdafx.h
+++ libmodplug-0.7/src/libmodplug/stdafx.h
@@ -22,44 +22,42 @@
 inline void ProcessPlugins(int n) {}
 
 #else
-
+#if defined(HAVE_CONFIG_H)  !defined(CONFIG_H_INCLUDED)
+# include config.h
+# define CONFIG_H_INCLUDED 1
+#endif
+#ifdef HAVE_INTTYPES_H
+# include inttypes.h
+#endif
+#ifdef HAVE_STDINT_H
+# include stdint.h
+#endif
 #include stdlib.h
 #include stdio.h
 #include string.h
 
-typedef signed char CHAR;
-typedef unsigned char UCHAR;
-typedef unsigned char* PUCHAR;
-typedef unsigned short USHORT;
-#if defined(__x86_64__)
-typedef unsigned int ULONG;
-typedef unsigned int UINT;
-typedef unsigned int DWORD;
-typedef int LONG;
-typedef long LONGLONG;
-typedef int * LPLONG;
-typedef unsigned int * LPDWORD;
-#else
-typedef unsigned long ULONG;
-typedef unsigned long UINT;
-typedef unsigned long DWORD;
-typedef long LONG;
-typedef long long LONGLONG;
-typedef long * LPLONG;
-typedef unsigned long * LPDWORD;
-#endif
-typedef unsigned short WORD;
-typedef unsigned char BYTE;
-typedef unsigned char * LPBYTE;
+typedef int8_t CHAR;
+typedef uint8_t UCHAR;
+typedef uint8_t* PUCHAR;
+typedef uint16_t USHORT;
+typedef uint32_t ULONG;
+typedef uint32_t UINT;
+typedef uint32_t DWORD;
+typedef int32_t LONG;
+typedef int64_t LONGLONG;
+typedef int32_t* LPLONG;
+typedef uint32_t* LPDWORD;
+typedef uint16_t WORD;
+typedef uint8_t BYTE;
+typedef uint8_t* LPBYTE;
 typedef bool BOOL;
-typedef char * LPSTR;
-typedef void *  LPVOID;
-typedef unsigned short * LPWORD;
-typedef const char * LPCSTR;
-typedef void * PVOID;
+typedef char* LPSTR;
+typedef void* LPVOID;
+typedef uint16_t* LPWORD;
+typedef const char* LPCSTR;
+typedef void* PVOID;
 typedef void VOID;
 
-
 inline LONG MulDiv (long a, long b, long c)
 {
   // if (!c) return 0;
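Review bot: The fixed-width typedefs starting at `typedef int8_t CHAR;` are unconditional, but the `stdint.h`/`inttypes.h` includes above them are guarded by `HAVE_STDINT_H`/`HAVE_INTTYPES_H`, so a build where config.h defines neither (or where `HAVE_CONFIG_H` is not set and config.h is skipped) fails on the first typedef with no diagnostic pointing at the real cause. Adding an `#else` branch with `#error "stdint.h or inttypes.h is required for the fixed-width typedefs below"` after the `HAVE_STDINT_H` block, or including `<stdint.h>` unconditionally, makes the dependency explicit. Pinning `UINT`/`DWORD`/`ULONG` to 32 bits on every host is presumably what makes the `offset + length` wrap checks added in the loaders behave the same on 64-bit as on 32-bit; a one-line comment above the typedefs saying so, e.g. `// widths are fixed so offset/length overflow checks in the loaders are host-independent`, would keep a later maintainer from "fixing" them back to `long`. The `MulDiv` definition that starts at the end of the hunk continues outside it.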
diff -u libmodplug-0.7/debian/changelog libmodplug-0.7/debian/changelog
--- libmodplug-0.7/debian/changelog
+++ libmodplug-0.7/debian/changelog
@@ -1,3 +1,11 @@
+libmodplug (1:0.7-5.3) oldstable-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fixed CSoundFile::ReadMed() Integer Overflow in src/load_med.cp
+(Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano giuse...@iuculano.it  Sat, 02 May 2009 18:16:49 +0200
+
 libmodplug (1:0.7-5.2) unstable; urgency=medium
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- libmodplug-0.7.orig/src/load_med.cpp
+++ libmodplug-0.7/src/load_med.cpp
@@ -692,21 +692,24 @@
}
}
// Song Comments
-   UINT annotxt = bswapBE32(pmex-annotxt);
-   UINT annolen = bswapBE32(pmex-annolen);
-   if ((annotxt)  (annolen)  (annotxt+annolen = dwMemLength))
+   uint32_t annotxt = bswapBE32(pmex-annotxt);
+   uint32_t annolen = bswapBE32(pmex-annolen);
+   if ((annotxt)  (annolen)  (annotxt + annolen  annotxt) // 
overflow checks.
+(annotxt+annolen = dwMemLength))
{
m_lpszSongComments = new char[annolen+1];
memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
m_lpszSongComments[annolen] = 0;
}
// Song Name
-   UINT songname = bswapBE32(pmex-songname);
-   UINT songnamelen = bswapBE32(pmex-songnamelen);
-   if ((songname)  (songnamelen)  (songname+songnamelen = 
dwMemLength))
+   uint32_t songname = bswapBE32(pmex-songname);
+   uint32_t songnamelen = bswapBE32(pmex-songnamelen);
+   if ((songname)  (songnamelen)  (songname+songnamelen  
songname)
+(songname+songnamelen = dwMemLength))
{
if (songnamelen  31) songnamelen = 31;
memcpy(m_szNames[0], lpStream+songname, songnamelen);
+   m_szNames[0][31] = '\0';
}
// Sample Names
DWORD smpinfoex = bswapBE32(pmex-iinfo);
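Review bot: The new `m_szNames[0][31] = '\0';` terminates only the last byte of the name buffer, while the memcpy just above it writes `songnamelen` bytes, clamped to at most 31; when `songnamelen` is shorter than 31 and the buffer was not zeroed beforehand, the bytes between the copied text and index 31 stay stale, so the name is not reliably terminated right after the copied data. Terminating at the copy length instead, `m_szNames[0][songnamelen] = '\0';`, is inside the 32-byte array the `31` clamp implies and is correct regardless of the buffer's prior contents (the declared size of `m_szNames[0]` is not visible in the hunk, so confirm it is 32). The mail rendering has dropped the `&&`/`<`/`>` operators from the two new bounds checks, so the applied patch should be read to confirm the wrap test is `annotxt + annolen > annotxt` (and likewise for `songname`) before the `<= dwMemLength` comparison. `CSoundFile::ReadMed` begins and ends outside this hunk.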
@@ -716,14 +719,18 @@
UINT ientries = bswapBE16(pmex-i_ext_entries);
UINT ientrysz = bswapBE16(pmex-i_ext_entrsz);
 
-   if ((iinfoptr)  (ientrysz  256)  (iinfoptr + 
ientries*ientrysz  dwMemLength))
+   if ((iinfoptr)  (ientrysz  256)  
+(ientries*ientrysz  dwMemLength)  
+(iinfoptr  dwMemLength - (ientries*ientrysz)))
{
LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
UINT maxnamelen = ientrysz;
+   // copy a max of 32 bytes.
if (maxnamelen 

Bug#526657: libmodplug: proposed debdiff to fix CVE-2009-1438 and PATinst() Buffer Overflow Vulnerability

2009-05-06 Thread Giuseppe Iuculano
Zed Pobre ha scritto:
 On Wed, May 06, 2009 at 10:50:00AM +0200, Giuseppe Iuculano wrote:
 Hi,

 I've prepared a NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
 
 My plan was to fix this by packaging the new upstream version this
 weekend that fixes this officially, but if you don't want to wait,
 that's fine.
 

Yes, this is fine in unstable. For stable and oldstable we need to backport 
fixes.

Cheers,
Giuseppe.


