Bug#934518: stretch-pu: package libebml/1.3.4-1

2019-08-13 Thread Sebastian Ramacher
On 2019-08-13 18:22:48, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sun, 2019-08-11 at 23:08 +0200, Sebastian Ramacher wrote:
> > I'd like to fix CVE-2019-13615 in libebml in stretch (the security team
> > classified it as no-DSA). The proposed debdiff is attached.
> > 
> 
> Please go ahead; thanks.

Thanks, uploaded.

Cheers
-- 
Sebastian Ramacher




Bug#934518: stretch-pu: package libebml/1.3.4-1

2019-08-13 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2019-08-11 at 23:08 +0200, Sebastian Ramacher wrote:
> I'd like to fix CVE-2019-13615 in libebml in stretch (the security team
> classified it as no-DSA). The proposed debdiff is attached.
> 

Please go ahead; thanks.

Regards,

Adam



Bug#934518: stretch-pu: package libebml/1.3.4-1

2019-08-11 Thread Sebastian Ramacher
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

I'd like to fix CVE-2019-13615 in libebml in stretch (the security team
classified it as no-DSA). The proposed debdiff is attached.

Cheers
-- 
Sebastian Ramacher
diff --git a/debian/changelog b/debian/changelog
index 5982b33..b32cf11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libebml (1.3.4-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches: Apply upstream fixes for heap-based buffer over-reads.
+(CVE-2019-13615) (Closes: #932241)
+
+ -- Sebastian Ramacher   Sun, 11 Aug 2019 22:09:57 +0200
+
 libebml (1.3.4-1) unstable; urgency=medium
 
   * New upstream release
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 682c4cf..3e5b7c4 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,6 +1,6 @@
 [DEFAULT]
 upstream-branch = upstream
-debian-branch = master
+debian-branch = stretch
 upstream-tag = upstream/%(version)s
 debian-tag = debian/%(version)s
 pristine-tar = True
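Review bot: the debian-branch switch from master to stretch in debian/gbp.conf is not recorded in the debian/changelog entry, which lists only the debian/patches addition. For a stable update every packaging change should be visible to the reviewer, so add a changelog line for it, for example "debian/gbp.conf: Switch debian-branch to stretch".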
diff --git 
a/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch 
b/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch
new file mode 100644
index 000..e2bbf3c
--- /dev/null
+++ 
b/debian/patches/0001-Check-the-max-size-to-read-before-actually-reading.patch
@@ -0,0 +1,40 @@
+From: Steve Lhomme 
+Date: Mon, 27 Nov 2017 09:48:32 +0100
+Subject: Check the max size to read before actually reading
+
+The size check waas also missing from the length parsing
+---
+ src/EbmlElement.cpp | 8 +++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index d25abe8..b92522e 100644
+--- a/src/EbmlElement.cpp
 b/src/EbmlElement.cpp
+@@ -398,12 +398,14 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & 
DataStream, const EbmlSe
+ memmove([0],[1], --ReadIndex);
+   }
+ 
++  if (MaxDataSize <= ReadSize)
++break;
+   if (DataStream.read([ReadIndex++], 1) == 0) {
+ return NULL; // no more data ?
+   }
+   ReadSize++;
+ 
+-} while (!bFound && MaxDataSize > ReadSize);
++} while (!bFound);
+ 
+ SizeIdx = ReadIndex;
+ ReadIndex -= PossibleID_Length;
+@@ -422,6 +424,10 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & 
DataStream, const EbmlSe
+ bFound = false;
+ break;
+   }
++  if (MaxDataSize <= ReadSize) {
++bFound = false;
++break;
++  }
+   if( DataStream.read( [SizeIdx++], 1 ) == 0 ) {
+ return NULL; // no more data ?
+   }
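Review bot: in the first hunk of this patch, the new `if (MaxDataSize <= ReadSize) break;` can leave the do/while with bFound still false (the loop condition is now only `!bFound`), and the visible context then runs `SizeIdx = ReadIndex; ReadIndex -= PossibleID_Length;` with no check of bFound in between. The second hunk handles the same limit by setting `bFound = false` before its break, so the two exits are treated differently; confirm that the code after the first loop does not rely on PossibleID_Length when no ID was found, or bail out there explicitly. The embedded patch header also carries only From, Date and Subject; an Origin line pointing at the upstream commit would let the release team verify the backport.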
diff --git 
a/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
 
b/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
new file mode 100644
index 000..a7c08e4
--- /dev/null
+++ 
b/debian/patches/0002-Do-not-output-an-element-with-size-Unknown-if-it-s-n.patch
@@ -0,0 +1,38 @@
+From: Steve Lhomme 
+Date: Wed, 6 Dec 2017 09:32:13 +0100
+Subject: Do not output an element with size Unknown if it's not allowed
+
+Similar to what is done in FindNextID().
+
+SetSizeInfinite() doesn't actually set anything. SetSizeIsFinite() is the one
+that actually sets it and it is an internal API.
+---
+ src/EbmlElement.cpp | 14 ++
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/src/EbmlElement.cpp b/src/EbmlElement.cpp
+index b92522e..26510c7 100644
+--- a/src/EbmlElement.cpp
 b/src/EbmlElement.cpp
+@@ -451,15 +451,13 @@ EbmlElement * EbmlElement::FindNextElement(IOCallback & 
DataStream, const EbmlSe
+   //  1 : same level
+   //  + : further parent
+   if (Result->ValidateSize() && (SizeFound == SizeUnknown || 
UpperLevel > 0 || MaxDataSize == 0 || MaxDataSize >= (PossibleID_Length + 
PossibleSizeLength + SizeFound))) {
+-if (SizeFound == SizeUnknown) {
+-  Result->SetSizeInfinite();
++if (SizeFound != SizeUnknown || Result->SetSizeInfinite()) {
++  Result->SizePosition = DataStream.getFilePointer() - SizeIdx + 
EBML_ID_LENGTH(PossibleID);
++  Result->ElementPosition = Result->SizePosition - 
EBML_ID_LENGTH(PossibleID);
++  // place the file at the beggining of the data
++  DataStream.setFilePointer(Result->SizePosition + _SizeLength);
++  return Result;
+ }
+-
+-Result->SizePosition = DataStream.getFilePointer() - SizeIdx + 
EBML_ID_LENGTH(PossibleID);
+-Result->ElementPosition = Result->SizePosition - 
EBML_ID_LENGTH(PossibleID);
+-// place the file at the beggining of the data
+-DataStream.setFilePointer(Result->SizePosition + _SizeLength);
+-return Result;
+   }
+ }
+ delete Result;
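Review bot: the new condition `SizeFound != SizeUnknown || Result->SetSizeInfinite()` depends on the return value of SetSizeInfinite(), yet the commit message says that call "doesn't actually set anything", so at the call site it reads like a setter used for its side effect. Add a short comment there stating that the call is used as a check for whether an unknown size is allowed, and that a false result falls through to `delete Result`. The moved comment also keeps the typo "beggining".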
diff --git 
a/debian/patches/0003-Exit-the-max-size-loop-when-there-s-nothing-left-pos.patch