Bug#867328: jessie-pu: package libclamunrar/0.99-0+deb8u3

2017-07-15 Thread Adam D. Barratt
Control: tags -1 + pending

On Sat, 2017-07-15 at 14:15 -0400, Scott Kitterman wrote:
> On Sat, 15 Jul 2017 11:36:07 +0100 "Adam D. Barratt" wrote:
> > Control: tags -1 + confirmed
> > 
> > On Wed, 2017-07-05 at 21:24 +0200, Sebastian Andrzej Siewior wrote:
> > > This is an update to Jessie with a patch from git which fixes
> > > CVE-2012-6706. The final clamav release is planned for the end of July,
> > > this is the only commit in the libclamunrar part so far.
> > 
> > Please use a changelog distribution of "jessie", rather than
> > "oldstable", and feel free to upload.
> 
> Thanks.  I've loaded it for Sebastian with that change as he's currently 
> offline for a bit.

Flagged for acceptance.

Regards,

Adam



Bug#867328: jessie-pu: package libclamunrar/0.99-0+deb8u3

2017-07-15 Thread Scott Kitterman
On Sat, 15 Jul 2017 11:36:07 +0100 "Adam D. Barratt"  wrote:
> Control: tags -1 + confirmed
> 
> On Wed, 2017-07-05 at 21:24 +0200, Sebastian Andrzej Siewior wrote:
> > This is an update to Jessie with a patch from git which fixes
> > CVE-2012-6706. The final clamav release is planned for the end of July,
> > this is the only commit in the libclamunrar part so far.
> 
> Please use a changelog distribution of "jessie", rather than
> "oldstable", and feel free to upload.

Thanks.  I've loaded it for Sebastian with that change as he's currently 
offline for a bit.

Scott K



Bug#867328: jessie-pu: package libclamunrar/0.99-0+deb8u3

2017-07-15 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Wed, 2017-07-05 at 21:24 +0200, Sebastian Andrzej Siewior wrote:
> This is an update to Jessie with a patch from git which fixes
> CVE-2012-6706. The final clamav release is planned for the end of July,
> this is the only commit in the libclamunrar part so far.

Please use a changelog distribution of "jessie", rather than
"oldstable", and feel free to upload.

Regards,

Adam



Bug#867328: jessie-pu: package libclamunrar/0.99-0+deb8u3

2017-07-05 Thread Sebastian Andrzej Siewior
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

This is an update to Jessie with a patch from git which fixes
CVE-2012-6706. The final clamav release is planned for the end of July,
this is the only commit in the libclamunrar part so far.

Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/changelog	2017-07-05 21:20:40.0 +0200
@@ -1,3 +1,10 @@
+libclamunrar (0.99-0+deb8u3) oldstable; urgency=medium
+
+  * Cherry pick fix for arbitrary memory write. CVE-2012-6706
+(Closes: #867223).
+
+ -- Sebastian Andrzej Siewior   Wed, 05 Jul 2017 21:20:40 +0200
+
 libclamunrar (0.99-0+deb8u2) stable; urgency=medium
 
   * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/.git-dpm	2017-07-05 21:19:45.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e677e64787390c59bdb925be08113ebf47aed869
-e677e64787390c59bdb925be08113ebf47aed869
+bced92bf269023e533fa3433f57205aa77c40eec
+bced92bf269023e533fa3433f57205aa77c40eec
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 libclamunrar_0.99.orig.tar.xz
diff -Nru libclamunrar-0.99/debian/patches/series libclamunrar-0.99/debian/patches/series
--- libclamunrar-0.99/debian/patches/series	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/patches/series	2017-07-05 21:19:45.0 +0200
@@ -2,3 +2,4 @@
 bb11600_pt2.patch
 bb11601.patch
 bb11601_pt2.patch
+unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
diff -Nru libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
--- libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	1970-01-01 01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	2017-07-05 21:19:45.0 +0200
@@ -0,0 +1,173 @@
+From bced92bf269023e533fa3433f57205aa77c40eec Mon Sep 17 00:00:00 2001
+From: Mickey Sola 
+Date: Thu, 29 Jun 2017 14:02:03 -0400
+Subject: unrar - adding proposed changes to fix RAR VMSF_DELTA Filter
+ Signedness error
+
+CVE: CVE-2012-6706: arbitrary memory write
+BTS: #867223
+Patch-Name: unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
+---
+ libclamunrar/unrarvm.c | 55 ++
+ 1 file changed, 29 insertions(+), 26 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 102fe2ebf044..b21e242fa72b 100644
+--- a/libclamunrar/unrarvm.c
 b/libclamunrar/unrarvm.c
+@@ -213,9 +213,9 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+ 
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+-	unsigned int bit_field = 0;
++unsigned int bit_field = 0;
+ 
+-	if (rarvm_input->in_addr < rarvm_input->buf_size) {
++if (rarvm_input->in_addr < rarvm_input->buf_size) {
+ bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+ if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
+ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+@@ -314,10 +314,10 @@ static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+ 	}
+ }
+ 
+-static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int bit_count)
++static unsigned int filter_itanium_getbits(unsigned char *data, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int bit_field=(unsigned int)data[in_addr++];
+ 	bit_field|=(unsigned int)data[in_addr++] << 8;
+ 	bit_field|=(unsigned int)data[in_addr++] << 16;
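Review bot: Making `bit_pos` and `bit_count` unsigned in filter_itanium_getbits only rules out a negative `in_addr` reading before `data`; the four `data[in_addr++]` reads in this hunk are still unbounded above, and the function takes no length to check against, so an attacker-chosen large `bit_pos` still reads past the end of the buffer unless every caller (outside this hunk) clamps it to the filter block size. If that caller-side clamp is not present, the signature should carry the buffer length and the reads should be guarded, e.g. `if (in_addr + 4 > data_len) return 0;` before the first read. The `(32-bit_count)` shift used for the result mask a few lines further down (the constant is mangled on this page) is also undefined for `bit_count == 0` or `bit_count > 32`, and with the parameter now unsigned a bad width wraps to a huge shift rather than a negative one; presumably the decoder passes fixed widths, but a `bit_count >= 1 && bit_count <= 32` assertion would document that. The body of filter_itanium_getbits continues past the end of this hunk.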
+@@ -326,10 +326,10 @@ static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int
+ 	return(bit_field & (0x>>(32-bit_count)));
+ }
+ 
+-static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, int bit_pos, int bit_count)
++static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int i, in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int i, in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int and_mask=0x>>(32-bit_count);
+ 	and_mask=~(and_mask<