Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
Hi,
I'd like to fix CVE-2019-13615 in libebml in stretch (the security team
classified it as no-DSA). The proposed debdiff is attached.
Cheers
--
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index 5982b33..b32cf11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libebml (1.3.4-1+deb9u1) stretch; urgency=medium
+
+ * debian/patches: Apply upstream fixes for heap-based buffer over-reads.
+(CVE-2019-13615) (Closes: #932241)
+
+ -- Sebastian Ramacher Sun, 11 Aug 2019 22:09:57 +0200
+
libebml (1.3.4-1) unstable; urgency=medium
* New upstream release
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 682c4cf..3e5b7c4 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
[DEFAULT]
upstream-branch = upstream
-debian-branch = master
+debian-branch = stretch
upstream-tag = upstream/%(version)s
debian-tag = debian/%(version)s
pristine-tar = True
diff --git
a/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch
b/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch
new file mode 100644
index 000..e2bbf3c
--- /dev/null
+++
b/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch
@@ -0,0 +1,40 @@
+From: Steve Lhomme
+Date: Mon, 27 Nov 2017 09:48:32 +0100
+Subject: Check the max size to read before actually reading
+
+The size check waas also missing from the length parsing
+---
+ src/EbmlElement.cpp | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index d25abe8..b92522e 100644
+--- a/src/EbmlElement.cpp
b/src/EbmlElement.cpp
+@@ -398,12 +398,14 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback &
DataStream, const EbmlSe
+ memmove([0],[1], --ReadIndex);
+ }
+
++ if (MaxDataSize <= ReadSize)
++break;
+ if (DataStream.read([ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+ }
+ ReadSize++;
+
+-} while (!bFound && MaxDataSize > ReadSize);
++} while (!bFound);
+
+ SizeIdx = ReadIndex;
+ ReadIndex -= PossibleID_Length;
+@@ -422,6 +424,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback &
DataStream, const EbmlSe
+ bFound = false;
+ break;
+ }
++ if (MaxDataSize <= ReadSize) {
++bFound = false;
++break;
++ }
+ if( DataStream.read( [SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+ }
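Review bot: The first added guard (`if (MaxDataSize <= ReadSize) break;` in the ID-scan loop) leaves the `do … while (!bFound)` loop with `bFound` still false, and the context lines after it (`SizeIdx = ReadIndex; ReadIndex -= PossibleID_Length;`) then run although no ID was found. The second added guard sets `bFound = false` explicitly before its `break`, so the two sites are asymmetric, and how the not-found case is handled after the first loop is outside this hunk. I would reject right after the loop with `if (!bFound) return NULL;`, matching the existing `return NULL` on a failed read, unless patch 0003 in this series (its body is not visible here) already does so. FindNextElement starts and ends outside the hunk.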
diff --git
a/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
b/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
new file mode 100644
index 000..a7c08e4
--- /dev/null
+++
b/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
@@ -0,0 +1,38 @@
+From: Steve Lhomme
+Date: Wed, 6 Dec 2017 09:32:13 +0100
+Subject: Do not output an element with size Unknown if it's not allowed
+
+Similar to what is done in FindNextID().
+
+SetSizeInfinite() doesn't actually set anything. SetSizeIsFinite() is the one
+that actually sets it and it is an internal API.
+---
+ src/EbmlElement.cpp | 14 ++
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index b92522e..26510c7 100644
+--- a/src/EbmlElement.cpp
b/src/EbmlElement.cpp
+@@ -451,15 +451,13 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback &
DataStream, const EbmlSe
+ // 1 : same level
+ // + : further parent
+ if (Result->ValidateSize() && (SizeFound == SizeUnknown ||
UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length +
PossibleSizeLength + SizeFound))) {
+-if (SizeFound == SizeUnknown) {
+- Result->SetSizeInfinite();
++if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++ Result->SizePosition = DataStream.getFilePointer() - SizeIdx +
EBML_ID_LENGTH(PossibleID);
++ Result->ElementPosition = Result->SizePosition -
EBML_ID_LENGTH(PossibleID);
++ // place the file at the beggining of the data
++ DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++ return Result;
+ }
+-
+-Result->SizePosition = DataStream.getFilePointer() - SizeIdx +
EBML_ID_LENGTH(PossibleID);
+-Result->ElementPosition = Result->SizePosition -
EBML_ID_LENGTH(PossibleID);
+-// place the file at the beggining of the data
+-DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+-return Result;
+ }
+ }
+ delete Result;
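Review bot: The new condition `SizeFound != SizeUnknown || Result->SetSizeInfinite()` uses a call inside a boolean expression as the only gate for unknown-size elements, and nothing at the call site says so. According to the patch description the call sets nothing, so here it acts as a permission check; when it returns false, control falls through to the `delete Result;` at the end of the hunk. A one-line comment above the `if` would make that explicit, e.g. `// unknown size is accepted only if the element type allows it; otherwise Result is discarded below`. Because this path parses untrusted files, an input with an unknown-size header on an element that must reject it would be a useful regression case if the package carries tests. FindNextElement's body continues outside the hunk.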
diff --git
a/debian/patches/0003-Exit-the-max-size-loop-when-there-s-nothing-left-pos.patch