Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I'd like to fix CVE-2012-6706 in jessie, see #865461 for details.
debdiff is attached.

The same request for stretch is at #866516

Cheers,
Felix
diff -Nru unrar-nonfree-5.2.7/debian/changelog unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog        2015-03-27 22:54:31.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/changelog        2017-06-22 20:47:18.000000000 +0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+    - Backported from 5.5.5
+    - CVE-2012-6706
+    - Closes #865461
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 22 Jun 2017 20:47:18 +0200
+
 unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706    1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706    2017-06-22 20:46:24.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+       {
+         int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+           break;
+ 
+         // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         const int Channels=3;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+@@ -1029,7 +1029,7 @@
+         int DataSize=R[4],Channels=R[0];
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS       8192
+ 
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS      1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS             1024
+ 
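Review bot: The embedded patch has no provenance header, and its paths name `unrar-nonfree-5.3.2` while the package being patched is 5.2.7, so the `@@ -965`, `@@ -984` and `@@ -1029` offsets in rarvm.cpp were presumably computed against a different tree. The first and third rarvm.cpp hunks replace the identical line `if ((uint)DataSize>=VM_GLOBALMEMADDR/2)` and are told apart only by their context lines, so it is worth confirming from the build log that all three apply without fuzz and land in the intended filter cases. A DEP-3 header at the top of the patch would record the origin, for example `Description: Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO parameters`, `Origin: backport, unrar 5.5.5` and `Bug-Debian: https://bugs.debian.org/865461`. The audio check also uses a bare `128` where the delta check uses the named `MAX3_UNPACK_CHANNELS`; a short comment such as `// Same reasoning as MAX3_UNPACK_CHANNELS: reject corrupt channel counts before the loop` would explain it. The filter cases these checks guard start and end outside the hunks, so the loops they protect are not visible here.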
diff -Nru unrar-nonfree-5.2.7/debian/patches/series unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series   2013-08-15 16:56:10.000000000 +0200
+++ unrar-nonfree-5.2.7/debian/patches/series   2017-06-22 20:46:33.000000000 +0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706
