Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
I'd like to fix CVE-2012-6706 in jessie, see #865461 for details.
debdiff is attached.
The same request for stretch is at #866516
Cheers,
Felix
diff -Nru unrar-nonfree-5.2.7/debian/changelog
unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog 2015-03-27 22:54:31.000000000
+0100
+++ unrar-nonfree-5.2.7/debian/changelog 2017-06-22 20:47:18.000000000
+0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+ * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+ - Backported from 5.5.5
+ - CVE-2012-6706
+ - Closes #865461
+
+ -- Felix Geyer <fge...@debian.org> Thu, 22 Jun 2017 20:47:18 +0200
+
unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
* Non-maintainer upload.
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 1970-01-01
01:00:00.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 2017-06-22
20:46:24.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+ {
+ int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 ||
(uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+ break;
+
+ // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ const int Channels=3;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 ||
DataSize<3 || Width>DataSize || PosR>2)
+ break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+@@ -1029,7 +1029,7 @@
+ int DataSize=R[4],Channels=R[0];
+ byte *SrcData=Mem,*DestData=SrcData+DataSize;
+ SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 ||
Channels==0)
+ break;
+ for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+ {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS 8192
+
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS 1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS 1024
+
diff -Nru unrar-nonfree-5.2.7/debian/patches/series
unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series 2013-08-15 16:56:10.000000000
+0200
+++ unrar-nonfree-5.2.7/debian/patches/series 2017-06-22 20:46:33.000000000
+0200
@@ -1 +1,2 @@
fix-buildflags
+CVE-2012-6706
