Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi, I'd like to fix CVE-2012-6706 in jessie; see #865461 for details. The debdiff is attached. The same request for stretch is at #866516. Cheers, Felix
diff -Nru unrar-nonfree-5.2.7/debian/changelog unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog 2015-03-27 22:54:31.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/changelog 2017-06-22 20:47:18.000000000 +0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+ * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+ - Backported from 5.5.5
+ - CVE-2012-6706
+ - Closes #865461
+
+ -- Felix Geyer <fge...@debian.org> Thu, 22 Jun 2017 20:47:18 +0200
+
 unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
 
 * Non-maintainer upload.
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 2017-06-22 20:46:24.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+ {
+ int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+ break;
+
+ // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ const int Channels=3;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2)
+ break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+@@ -1029,7 +1029,7 @@
+ int DataSize=R[4],Channels=R[0];
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0)
+ break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS 8192
+
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS 1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS 1024
+
diff -Nru unrar-nonfree-5.2.7/debian/patches/series unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series 2013-08-15 16:56:10.000000000 +0200
+++ unrar-nonfree-5.2.7/debian/patches/series 2017-06-22 20:46:33.000000000 +0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706
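Review bot: In debian/patches/CVE-2012-6706, the third rarvm.cpp hunk (`@@ -1029`, presumably the VMSF_AUDIO case) limits `Channels` with a bare `128`, while the first hunk (`@@ -965`) uses the named `MAX3_UNPACK_CHANNELS` that the same patch adds to unpack.hpp; the literal should at least carry a comment above the check, for example `// Upper bound on Channels for this filter, taken from 5.5.5`. The comment added in unpack.hpp requires the constant to be at least `v3_MAX_FILTER_CHANNELS`, a name defined nowhere in this patch, so confirm it exists in the 5.2.7 tree or drop that sentence. The patch file also begins directly at `--- unrar-nonfree-5.3.2.org/rarvm.cpp` without a DEP-3 header, and its paths name 5.3.2 rather than 5.2.7, so the hunks were presumably not generated against the packaged source; refreshing it and adding `Description:`, `Origin:` and `Bug-Debian:` fields would let a later reviewer trace the backport. Each of the three changed `if` statements sits in a block that starts and ends outside its hunk.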