
Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1



[Adam D. Barratt]
> I intentionally asked for a debdiff, not a pointer to a repository. Bug
> reports should stand alone and not be reliant on external resources
> which may change or disappear.
>
> Is the diff in <2fla8ikrwpn.fsf@diskless.uio.no> still current?

I did not provide a debdiff because the diff is still current if you
only want the CVEs fixed, and I did not know if that was the case.  If
in addition the extra issue with invalid month reads should be fixed,
the attached patch should solve it.  It is the change currently in the
debian/jessie branch in git.  The only change between the two is the
upstr-11-out-of-bounds.diff file and associated updates to series and
changelog.

So the question I hope the release managers can answer is this: Is it
ok to update dosfstools with either of the two proposed patches?  If
not, should we limit it to only those fixing CVEs?

-- 
Happy hacking
Petter Reinholdtsen
diff --git a/debian/changelog b/debian/changelog
index 4f1e009..44f2105 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+dosfstools (3.0.27-1+deb8u1) unstable; urgency=medium
+
+  * Non-maintainer upload to fix security issue.
+  * Added d/gbp.conf to document git branch used for Jessie updates.
+  * [CVE-2015-8872] Invalid memory read in fsck.vfat
+  * [CVE-2016-4804] Heap overflow in function read_fat()
+  * Added upstr-11-out-of-bounds.diff to avoid invalid memory read in
+    fsck.fat when month is negative.
+
+ -- Petter Reinholdtsen <pere@debian.org>  Mon, 13 Jun 2016 08:17:24 +0200
+
 dosfstools (3.0.27-1) unstable; urgency=medium
 
   * New upstream version 3.0.27
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/CVE-2015-8872.diff b/debian/patches/CVE-2015-8872.diff
new file mode 100644
index 0000000..8709cc4
--- /dev/null
+++ b/debian/patches/CVE-2015-8872.diff
@@ -0,0 +1,33 @@
+Description: Fix CVE-2015-8872 using patches from upstream.
+
+ The patch is based on file used to update the CVE in Wheezy.  It
+ contained the fix in
+ https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1
+ Then the dosfstools maintainer noticed the patch in
+ https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
+ was missing.  It is included here (off by one error, fixed by using
+ +1 instead of -1.
+
+ See also https://bugs.debian.org/827160 .
+
+Index: dosfstools-collab/src/fat.c
+===================================================================
+--- dosfstools-collab.orig/src/fat.c	2016-06-13 08:07:44.669688617 +0200
++++ dosfstools-collab/src/fat.c	2016-06-13 08:07:44.665688587 +0200
+@@ -197,10 +197,12 @@
+ 	    data[1] = new >> 4;
+ 	} else {
+ 	    FAT_ENTRY subseqEntry;
+-	    get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++	    if (cluster != fs->clusters + 1)
++	        get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++	    else
++	        subseqEntry.value = 0;
+ 	    data[0] = new & 0xff;
+-	    data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
+-				    (0xff & subseqEntry.value) << 4);
++	    data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
+ 	}
+ 	size = 2;
+ 	break;
+ 
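Review bot: The new patch file records its provenance only in free-form Description text (the two upstream commit URLs), while upstr-11-out-of-bounds.diff in the same series uses DEP-3 fields; adding `Origin: https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1` and `Bug-Debian: https://bugs.debian.org/827160` (and naming the second commit 07908124838afcc99c577d1d3e84cef2dbd39cb7 as the follow-up fix) would let the two patches be tracked the same way. The Description's last sentence is also missing its closing parenthesis after `+1 instead of -1`. The fat.c change itself reads correctly: for the last cluster (`fs->clusters + 1`) the neighbouring entry is no longer fetched and `subseqEntry.value` is zeroed, so `data[1]` is well-defined on both paths; the enclosing function starts and ends outside the hunk.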
diff --git a/debian/patches/CVE-2016-4804.diff b/debian/patches/CVE-2016-4804.diff
new file mode 100644
index 0000000..d28174c
--- /dev/null
+++ b/debian/patches/CVE-2016-4804.diff
@@ -0,0 +1,64 @@
+https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
+
+Index: dosfstools-collab/src/boot.c
+===================================================================
+--- dosfstools-collab.orig/src/boot.c	2016-06-13 07:59:10.337694024 +0200
++++ dosfstools-collab/src/boot.c	2016-06-13 08:00:46.290436480 +0200
+@@ -101,8 +101,8 @@
+ 	   (unsigned long long)fs->fat_start,
+ 	   (unsigned long long)fs->fat_start / lss);
+     printf("%10d FATs, %d bit entries\n", b->fats, fs->fat_bits);
+-    printf("%10d bytes per FAT (= %u sectors)\n", fs->fat_size,
+-	   fs->fat_size / lss);
++    printf("%10lld bytes per FAT (= %llu sectors)\n", (long long)fs->fat_size,
++	   (long long)fs->fat_size / lss);
+     if (!fs->root_cluster) {
+ 	printf("Root directory starts at byte %llu (sector %llu)\n",
+ 	       (unsigned long long)fs->root_start,
+@@ -326,7 +326,7 @@
+     struct boot_sector b;
+     unsigned total_sectors;
+     unsigned short logical_sector_size, sectors;
+-    unsigned fat_length;
++    off_t fat_length;
+     loff_t data_size;
+ 
+     fs_read(0, sizeof(b), &b);
+@@ -354,8 +354,12 @@
+     /* Can't access last odd sector anyway, so round down */
+     fs_test((loff_t) ((total_sectors & ~1) - 1) * (loff_t) logical_sector_size,
+ 	    logical_sector_size);
++
+     fat_length = le16toh(b.fat_length) ?
+ 	le16toh(b.fat_length) : le32toh(b.fat32_length);
++    if (!fat_length)
++        die("FAT size is zero.");
++
+     fs->fat_start = (loff_t) le16toh(b.reserved) * logical_sector_size;
+     fs->root_start = ((loff_t) le16toh(b.reserved) + b.fats * fat_length) *
+ 	logical_sector_size;
+@@ -363,7 +367,11 @@
+     fs->data_start = fs->root_start + ROUND_TO_MULTIPLE(fs->root_entries <<
+ 							MSDOS_DIR_BITS,
+ 							logical_sector_size);
++
+     data_size = (loff_t) total_sectors *logical_sector_size - fs->data_start;
++    if (data_size < fs->cluster_size)
++         die("Filesystem has no space for any data clusters");
++
+     fs->clusters = data_size / fs->cluster_size;
+     fs->root_cluster = 0;	/* indicates standard, pre-FAT32 root dir */
+     fs->fsinfo_start = 0;	/* no FSINFO structure */
+diff --git a/src/fsck.fat.h b/src/fsck.fat.h
+index e5ade5b..639b569 100644
+--- a/src/fsck.fat.h
++++ b/src/fsck.fat.h
+@@ -158,7 +158,7 @@ typedef struct {
+ typedef struct {
+     int nfats;
+     loff_t fat_start;
+-    unsigned int fat_size;	/* unit is bytes */
++    off_t fat_size;	/* unit is bytes */
+     unsigned int fat_bits;	/* size of a FAT entry */
+     unsigned int eff_fat_bits;	/* # of used bits in a FAT entry */
+     uint32_t root_cluster;	/* 0 for old-style root dir */
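Review bot: In the first boot.c hunk the new `printf` passes `(long long)fs->fat_size / lss` for a `%llu` conversion, so the argument is a signed long long while the format expects unsigned long long; the neighbouring lines cast to `(unsigned long long)` for the same sector computation, and the second line should read `(unsigned long long)(fs->fat_size / lss));`. The `%10lld` paired with `(long long)fs->fat_size` on the line above is consistent. Because the file reproduces upstream commit e8eff147e9da1185f9afd5b25948153a3b97cf52, the correction would be a local deviation and is worth recording in the patch header, which currently has only a bare URL and no DEP-3 `Description:` line unlike upstr-11-out-of-bounds.diff. Both nested boot.c hunks belong to functions that start and end outside what is shown, so where `fs->fat_size` is assigned from the new `off_t fat_length` cannot be checked here.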
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..59af7b3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,3 @@
+CVE-2016-4804.diff
+CVE-2015-8872.diff
+upstr-11-out-of-bounds.diff
diff --git a/debian/patches/upstr-11-out-of-bounds.diff b/debian/patches/upstr-11-out-of-bounds.diff
new file mode 100644
index 0000000..e720967
--- /dev/null
+++ b/debian/patches/upstr-11-out-of-bounds.diff
@@ -0,0 +1,32 @@
+Description: Avoid invalid memory read in fsck.fat when month is negative
+Upstream-Bug: https://github.com/dosfstools/dosfstools/issues/11
+Origin: https://github.com/dosfstools/dosfstools/commit/2aad1c83c7d010de36afbe79c9fde22c50aa2f74
+
+diff --git a/src/check.c b/src/check.c
+index e8aaf92..ba618e5 100644
+--- a/src/check.c
++++ b/src/check.c
+@@ -224,9 +224,9 @@ static char *path_name(DOS_FILE * file)
+     return path;
+ }
+ 
+-static int day_n[] =
+-    { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 0, 0, 0, 0 };
+-		  /* JanFebMarApr May Jun Jul Aug Sep Oct Nov Dec */
++static const int day_n[] =
++    {   0,  31,  59,  90, 120, 151, 181, 212, 243, 273, 304, 334, 0, 0, 0, 0 };
++/*    Jan  Feb  Mar  Apr  May  Jun  Jul  Aug  Sep  Oct  Nov  Dec              */
+ 
+ /* Convert a MS-DOS time/date pair to a UNIX date (seconds since 1 1 70). */
+ 
+@@ -236,6 +236,10 @@ static time_t date_dos2unix(unsigned short time, unsigned short date)
+     time_t secs;
+ 
+     month = ((date >> 5) & 15) - 1;
++    if (month < 0) {
++	/* make sure that nothing bad happens if the month bits were zero */
++	month = 0;
++    }
+     year = date >> 9;
+     secs =
+ 	(time & 31) * 2 + 60 * ((time >> 5) & 63) + (time >> 11) * 3600 +
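Review bot: The four trailing zero entries in the new `day_n` table are what keep `day_n[month]` in bounds for month bits 13–15 (`((date >> 5) & 15) - 1` ranges from -1 to 14), but nothing says so; a comment such as `/* indices 12..15 absorb out-of-range month bits 13..15 so day_n[month] stays in bounds */` would document that the table is deliberately 16 wide. The added clamp covers only the lower end, mapping a zero month field silently to January rather than treating the timestamp as invalid; if that is the intended behaviour, stating it in the comment (`/* month bits of 0 are invalid; treat as January */`) makes the choice explicit. `date_dos2unix` continues outside the hunk, so whether `day_n` is also indexed with `month + 1` later in the function cannot be seen here.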
