Processed: Re: Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-06-13 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 -moreinfo +confirmed
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Removed tag(s) moreinfo.
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Added tag(s) confirmed.

-- 
885617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-06-13 Thread Adam D. Barratt
Control: tags -1 -moreinfo +confirmed

On Sun, 2018-02-25 at 19:18 +0100, Bertrand Marc wrote:
> On 10/02/2018 at 11:13, Julien Cristau wrote:
> > Control: tag -1 moreinfo
> > 
> > On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:
> > 
> > > diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch
> > > libextractor-1.3/debian/patches/CVE-2017-15600.patch
> > > --- libextractor-1.3/debian/patches/CVE-2017-15600.patch  1
> > > 970-01-01 01:00:00.0 +0100
> > > +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch  2
> > > 017-12-28 11:39:33.0 +0100
> > > @@ -0,0 +1,29 @@
> > > +From: Bertrand Marc , Markus Koschany  > > ian.org>
> > > +Subject: CVE-2017-15600
> > > +
> > > +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor
> > > /2017-10/msg4.html
> > > +Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e89
> > > 33539ee9d044057b18a971c2eae3c21aba7
> > > +--- a/src/plugins/nsf_extractor.c
> > >  b/src/plugins/nsf_extractor.c
> > > +@@ -152,13 +152,17 @@
> > > +   char nsfversion[32];
> > > +   const struct header *head;
> > > +   void *data;
> > > ++  ssize_t ds;
> > > + 
> > > +-  if (sizeof (struct header) >
> > > +-  ec->read (ec->cls,
> > > +-,
> > > +-sizeof (struct header)))
> > > ++  ds = ec->read (ec->cls,
> > > ++ ,
> > > ++ sizeof (struct header));
> > > ++  if ( (-1 == ds) ||
> > > ++   (sizeof (struct header) > ds) )
> > > + return;
> > > +   head = data; 
> > > ++  if (NULL == head)
> > > ++return 0; 
> > > + 
> > 
> > Curious how that works.  3 lines above is plain "return", and here
> > "return 0".  What's the type of that function and how did the
> > compiler
> > not flag this?
> > 
> > Cheers,
> > Julien
> 
> Indeed, sorry. The type of the function was changed from void (in
> wheezy) to int (in jessie). I updated the patch attached accordingly.
> 

Please go ahead.

Regards,

Adam



Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-02-25 Thread Bertrand Marc
On 10/02/2018 at 11:13, Julien Cristau wrote:
> Control: tag -1 moreinfo
>
> On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:
>
>> diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch 
>> libextractor-1.3/debian/patches/CVE-2017-15600.patch
>> --- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 
>> 01:00:00.0 +0100
>> +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 
>> 11:39:33.0 +0100
>> @@ -0,0 +1,29 @@
>> +From: Bertrand Marc , Markus Koschany 
>> +Subject: CVE-2017-15600
>> +
>> +Bug-Upstream: 
>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg4.html
>> +Origin: 
>> https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
>> +--- a/src/plugins/nsf_extractor.c
>>  b/src/plugins/nsf_extractor.c
>> +@@ -152,13 +152,17 @@
>> +   char nsfversion[32];
>> +   const struct header *head;
>> +   void *data;
>> ++  ssize_t ds;
>> + 
>> +-  if (sizeof (struct header) >
>> +-  ec->read (ec->cls,
>> +-   ,
>> +-   sizeof (struct header)))
>> ++  ds = ec->read (ec->cls,
>> ++ ,
>> ++ sizeof (struct header));
>> ++  if ( (-1 == ds) ||
>> ++   (sizeof (struct header) > ds) )
>> + return;
>> +   head = data; 
>> ++  if (NULL == head)
>> ++return 0; 
>> + 
> Curious how that works.  3 lines above is plain "return", and here
> "return 0".  What's the type of that function and how did the compiler
> not flag this?
>
> Cheers,
> Julien

Indeed, sorry. The type of the function was changed from void (in wheezy) to 
int (in jessie). I updated the patch attached accordingly.


Cheers,

Bertrand

diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog
--- libextractor-1.3/debian/changelog	2016-04-26 22:58:56.0 +0200
+++ libextractor-1.3/debian/changelog	2017-12-28 11:39:33.0 +0100
@@ -1,3 +1,14 @@
+libextractor (1:1.3-4+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
+CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered
+several security vulnerabilities, NULL Pointer Dereferences, heap-based
+buffer overflows, integer signedness errors and out-of-bounds read that
+may lead to a denial-of-service (application crash) or have other
+unspecified impact.
+
+ -- Bertrand Marc   Thu, 28 Dec 2017 11:39:33 +0100
+
 libextractor (1:1.3-4) unstable; urgency=medium
 
   * Update debian/patches/ffmpeg2.9.patch with a new commit taken from upstream
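Review bot: the summary in `+several security vulnerabilities, NULL Pointer Dereferences, heap-based` / `+buffer overflows, integer signedness errors and out-of-bounds read` omits the divide-by-zero that the CVE-2017-15266 change to wav_extractor.c in this same debdiff fixes; naming it keeps the changelog consistent with the seven CVEs the entry lists.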
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch
--- libextractor-1.3/debian/patches/CVE-2017-15266.patch	1970-01-01 01:00:00.0 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15266.patch	2017-12-28 11:39:33.0 +0100
@@ -0,0 +1,17 @@
+From: Bertrand Marc 
+Subject: CVE-2017-15266
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg2.html
+Bug-Debian: https://bugs.debian.org/878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
+--- a/src/plugins/wav_extractor.c
 b/src/plugins/wav_extractor.c
+@@ -109,6 +109,8 @@
+ return;/* invalid sample size found in wav file */
+   if (0 == channels)
+ return;/* invalid channels value -- avoid division by 0! */
++  if (0 == sample_rate)
++return;/* invalid sample_rate */
+   samples = data_len / (channels * (sample_size >> 3));
+ 
+   snprintf (scratch,
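Review bot: the new guard `++  if (0 == sample_rate)` protects a division that is not in this hunk, since the only divisor visible here is `channels * (sample_size >> 3)`; in the style of the neighbouring `avoid division by 0!` comment, `/* invalid sample_rate */` would be more useful if it named the later computation it guards. It is also worth confirming that the sample-size check ending in `return;/* invalid sample size found in wav file */` rejects values below 8, because `sample_size >> 3` is 0 for those and the division on the `samples =` line would then still fault.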
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch
--- libextractor-1.3/debian/patches/CVE-2017-15267.patch	1970-01-01 01:00:00.0 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15267.patch	2017-12-28 11:39:33.0 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany 
+Date: Mon, 4 Dec 2017 00:00:15 +0100
+Subject: CVE-2017-15267
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg3.html
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2
+---
+ src/plugins/flac_extractor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/plugins/flac_extractor.c
 b/src/plugins/flac_extractor.c
+@@ -339,6 +339,8 @@
+ 	  {
+ 	entry = >comments[count];
+ 	eq = (const char*) entry->entry;
++	if (NULL == eq)
++			break;
+ 	len = entry->length;
+ 	ilen = 0;
+ 	while ( ('=' != *eq) && ('\0' != *eq) &&
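Review bot: the new `break;` is indented three tabs deeper than the `if (NULL == eq)` it belongs to, while the surrounding loop body uses a single tab; align it with its neighbours. On the logic, `break` abandons the whole comment loop at the first entry whose `entry->entry` is NULL; if only that one entry is malformed, `continue` would still process the remaining comments, so a short comment stating that aborting the loop is intentional would help the next reader.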
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch
--- libextractor-1.3/debian/patches/CVE-2017-15600.patch	1970-01-01 01:00:00.0 +0100
+++ 

Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-02-10 Thread Julien Cristau
Control: tag -1 moreinfo

On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:

> diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch 
> libextractor-1.3/debian/patches/CVE-2017-15600.patch
> --- libextractor-1.3/debian/patches/CVE-2017-15600.patch  1970-01-01 
> 01:00:00.0 +0100
> +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch  2017-12-28 
> 11:39:33.0 +0100
> @@ -0,0 +1,29 @@
> +From: Bertrand Marc , Markus Koschany 
> +Subject: CVE-2017-15600
> +
> +Bug-Upstream: 
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg4.html
> +Origin: 
> https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
> +--- a/src/plugins/nsf_extractor.c
>  b/src/plugins/nsf_extractor.c
> +@@ -152,13 +152,17 @@
> +   char nsfversion[32];
> +   const struct header *head;
> +   void *data;
> ++  ssize_t ds;
> + 
> +-  if (sizeof (struct header) >
> +-  ec->read (ec->cls,
> +-,
> +-sizeof (struct header)))
> ++  ds = ec->read (ec->cls,
> ++ ,
> ++ sizeof (struct header));
> ++  if ( (-1 == ds) ||
> ++   (sizeof (struct header) > ds) )
> + return;
> +   head = data; 
> ++  if (NULL == head)
> ++return 0; 
> + 
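Review bot: the essential part of this hunk is the explicit `++  if ( (-1 == ds) ||` test: in the removed condition `sizeof (struct header) > ec->read (...)` the ssize_t result is converted to size_t by the usual arithmetic conversions, so a -1 from ec->read becomes SIZE_MAX, the comparison is false and the function goes on to parse a header that was never read; keep the -1 check ahead of the size comparison and consider writing the second operand as `(size_t) ds` so the intent is visible. The `++return 0;` on the new NULL check disagrees with the plain `return;` three lines above, so one of them cannot match the function's return type; use the same form for both.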

Curious how that works.  3 lines above is plain "return", and here
"return 0".  What's the type of that function and how did the compiler
not flag this?

Cheers,
Julien
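The comparison quoted above hides a second issue that is easy to miss: a -1 from the read callback silently passes the old length check. As an added example, not code from this thread or from libextractor, here is the before and after pattern in a self-contained C program; `struct header` is a hypothetical 8-byte layout, `fake_read` is a constructed stand-in for `ec->read`, and the three inputs are constructed in the program.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Stand-in for the plugin's header struct: a hypothetical 8-byte layout,
 * not libextractor's real one. */
struct header {
    unsigned char magic[4];
    unsigned char version;
    unsigned char song_count;
    unsigned char start_song;
    unsigned char flags;
};

/* Constructed stand-in for the ec->read callback. Like the real one it
 * returns -1 on error and otherwise the number of bytes it made available,
 * which may be fewer than requested when the input is truncated. */
struct fake_source {
    const unsigned char *buf;
    size_t len;
    int fail;
};

static ssize_t fake_read(void *cls, void **data, size_t size)
{
    struct fake_source *src = cls;
    if (src->fail)
        return -1;
    *data = (void *) src->buf;
    return (ssize_t) (src->len < size ? src->len : size);
}

/* The pattern the patch removes: a size_t compared directly against the
 * ssize_t result. Returns 1 if the header would be parsed, 0 if rejected. */
int accept_header_unfixed(struct fake_source *src)
{
    void *data = NULL;
    /* The usual arithmetic conversions turn -1 into SIZE_MAX here, so the
     * comparison is false on a read error and the header is "accepted". */
    if (sizeof (struct header) > fake_read(src, &data, sizeof (struct header)))
        return 0;
    return 1;
}

/* The pattern the patch introduces: test for -1 first, then the length,
 * then the pointer the callback handed back. */
int accept_header_fixed(struct fake_source *src)
{
    void *data = NULL;
    ssize_t ds = fake_read(src, &data, sizeof (struct header));
    if ((-1 == ds) || (sizeof (struct header) > (size_t) ds))
        return 0;
    if (NULL == data)
        return 0;
    return 1;
}

/* Three constructed inputs: 0 = complete header, 1 = truncated file,
 * 2 = read error. Returns whether the chosen check accepts the header. */
int check_scenario(int which, int use_fixed)
{
    static const unsigned char bytes[sizeof (struct header)] =
        { 'H', 'D', 'R', 0x1a, 1, 1, 1, 0 };   /* constructed sample bytes */
    struct fake_source src = { bytes, sizeof bytes, 0 };
    if (which == 1)
        src.len = 3;        /* fewer bytes than the header needs */
    else if (which == 2)
        src.fail = 1;       /* callback reports an error with -1 */
    return use_fixed ? accept_header_fixed(&src) : accept_header_unfixed(&src);
}

int main(void)
{
    const char *names[] = { "complete", "truncated", "read error" };
    for (int i = 0; i < 3; i++)
        printf("%-10s unfixed=%d fixed=%d\n", names[i],
               check_scenario(i, 0), check_scenario(i, 1));
    return 0;
}
```

Running it, the `read error` row shows `unfixed=1 fixed=0`: the old comparison lets a -1 from the read callback through, while the patched form rejects it; both forms reject the truncated input and accept the complete one. The `(size_t) ds` cast in the fixed version is safe only because the -1 case has already been excluded on the left of the `||`.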



Processed: Re: Bug#885617: stretch-pu: package libextractor/1:1.3-4

2018-02-10 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 moreinfo
Bug #885617 [release.debian.org] stretch-pu: package libextractor/1:1.3-4
Added tag(s) moreinfo.

-- 
885617: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=885617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#885617: stretch-pu: package libextractor/1:1.3-4

2017-12-28 Thread Bertrand Marc
Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Dear release team,

Would you allow an update of libextractor 1.3-4 in Stretch to fix several minor 
security issues?
7 issues skipped by the security teams:

  * CVE-2017-15266: In GNU Libextractor 1.4, there is a Divide-By-Zero in
EXTRACTOR_wav_extract_method in wav_extractor.c via a zero sample rate.
  * CVE-2017-15922: In GNU Libextractor 1.4, there is an out-of-bounds read in
the EXTRACTOR_dvi_extract_method function in plugins/dvi_extractor.c.
  * CVE-2017-15267: In GNU Libextractor 1.4, there is a NULL Pointer Dereference
in flac_metadata in flac_extractor.c.
  * CVE-2017-15602: In GNU Libextractor 1.4, there is an integer signedness
error for the chunk size in the EXTRACTOR_nsfe_extract_method function in
plugins/nsfe_extractor.c, leading to an infinite loop for a crafted size.
  * CVE-2017-17440: GNU Libextractor 1.6 allows remote attackers to cause a
denial of service (NULL pointer dereference and application crash) via a
crafted GIF, IT (Impulse Tracker), NSFE, S3M (Scream Tracker 3), SID, or XM
(eXtended Module) file, as demonstrated by the EXTRACTOR_xm_extract_method
function in plugins/xm_extractor.c.
  * CVE-2017-15600: In GNU Libextractor 1.4, there is a NULL Pointer
Dereference in the EXTRACTOR_nsf_extract_method function of
plugins/nsf_extractor.c.
  * CVE-2017-15601: In GNU Libextractor 1.4, there is a heap-based buffer
overflow in the EXTRACTOR_png_extract_method function in
plugins/png_extractor.c, related to processiTXt and stndup.

You will find attached the full debdiff.


Cheers,

Bertrand

diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog
--- libextractor-1.3/debian/changelog	2016-04-26 22:58:56.0 +0200
+++ libextractor-1.3/debian/changelog	2017-12-28 11:39:33.0 +0100
@@ -1,3 +1,14 @@
+libextractor (1:1.3-4+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
+CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered
+several security vulnerabilities, NULL Pointer Dereferences, heap-based
+buffer overflows, integer signedness errors and out-of-bounds read that
+may lead to a denial-of-service (application crash) or have other
+unspecified impact.
+
+ -- Bertrand Marc   Thu, 28 Dec 2017 11:39:33 +0100
+
 libextractor (1:1.3-4) unstable; urgency=medium
 
   * Update debian/patches/ffmpeg2.9.patch with a new commit taken from upstream
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch
--- libextractor-1.3/debian/patches/CVE-2017-15266.patch	1970-01-01 01:00:00.0 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15266.patch	2017-12-28 11:39:33.0 +0100
@@ -0,0 +1,17 @@
+From: Bertrand Marc 
+Subject: CVE-2017-15266
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg2.html
+Bug-Debian: https://bugs.debian.org/878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
+--- a/src/plugins/wav_extractor.c
 b/src/plugins/wav_extractor.c
+@@ -109,6 +109,8 @@
+ return;/* invalid sample size found in wav file */
+   if (0 == channels)
+ return;/* invalid channels value -- avoid division by 0! */
++  if (0 == sample_rate)
++return;/* invalid sample_rate */
+   samples = data_len / (channels * (sample_size >> 3));
+ 
+   snprintf (scratch,
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch
--- libextractor-1.3/debian/patches/CVE-2017-15267.patch	1970-01-01 01:00:00.0 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15267.patch	2017-12-28 11:39:33.0 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany 
+Date: Mon, 4 Dec 2017 00:00:15 +0100
+Subject: CVE-2017-15267
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg3.html
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2
+---
+ src/plugins/flac_extractor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/plugins/flac_extractor.c
 b/src/plugins/flac_extractor.c
+@@ -339,6 +339,8 @@
+ 	  {
+ 	entry = >comments[count];
+