[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1061572: marked as done (bullseye-pu: package unadf/0.7.11a-4+deb11u1)

Your message dated Sat, 10 Feb 2024 13:02:58 +0000
with message-id <E1rYn0U-002xtL-VH@coccia.debian.org>
and subject line Released with 11.9
has caused the Debian Bug report #1061572,
regarding bullseye-pu: package unadf/0.7.11a-4+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1061572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061572
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: unadf@packages.debian.org
Control: affects -1 + src:unadf

Addresses two no-dsa security issues, same fix already rolled out
for Bookworm. Debdiff below.

Cheers,
        Moritz

diff -Nru unadf-0.7.11a/debian/changelog unadf-0.7.11a/debian/changelog
--- unadf-0.7.11a/debian/changelog	2016-09-24 17:43:06.000000000 +0200
+++ unadf-0.7.11a/debian/changelog	2023-11-24 16:39:48.000000000 +0100
@@ -1,3 +1,9 @@
+unadf (0.7.11a-4+deb11u1) bullseye; urgency=medium
+
+  * CVE-2016-1243 / CVE-2016-1244 (Closes: #838248)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Fri, 24 Nov 2023 18:34:16 +0100
+
 unadf (0.7.11a-4) unstable; urgency=high
 
   * Orphan package with security issues.
diff -Nru unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244 unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244
--- unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244	1970-01-01 01:00:00.000000000 +0100
+++ unadf-0.7.11a/debian/patches/CVE-2016-1243_CVE-2016-1244	2023-11-24 16:38:37.000000000 +0100
@@ -0,0 +1,146 @@
+Description: Fix unsafe extraction by using mkdir() instead of shell command
+  This commit fixes following vulnerabilities:
+
+  - CVE-2016-1243: stack buffer overflow caused by blindly trusting on
+    pathname lengths of archived files
+
+    Stack allocated buffer sysbuf was filled with sprintf() without any
+    bounds checking in extracTree() function.
+
+  - CVE-2016-1244: execution of unsanitized input
+
+    Shell command used for creating directory paths was constructed by
+    concatenating names of archived files to the end of the command
+    string.
+
+  So, if the user was tricked to extract a specially crafted .adf file,
+  the attacker was able to execute arbitrary code with privileges of the
+  user.
+
+  This commit fixes both issues by
+
+    1) replacing mkdir shell commands with mkdir() function calls
+    2) removing redundant sysbuf buffer
+
+Author: Tuomas Räsänen <tuomasjjrasanen@tjjr.fi>
+Last-Update: 2016-09-20
+--
+--- a/Demo/unadf.c
++++ b/Demo/unadf.c
+@@ -24,6 +24,8 @@
+ 
+ #define UNADF_VERSION "1.0"
+ 
++#include <sys/stat.h>
++#include <sys/types.h>
+ 
+ #include<stdlib.h>
+ #include<errno.h>
+@@ -31,17 +33,15 @@
+ 
+ #include "adflib.h"
+ 
+-/* The portable way used to create a directory is to call the MKDIR command via the
+- * system() function.
+- * It is used to create the 'dir1' directory, like the 'dir1/dir11' directory
++/* The portable way used to create a directory is to call mkdir()
++ * which is defined by following standards: SVr4, BSD, POSIX.1-2001
++ * and POSIX.1-2008
+  */
+ 
+ /* the portable way to check if a directory 'dir1' already exists i'm using is to
+  * do fopen('dir1','rb'). NULL is returned if 'dir1' doesn't exists yet, an handle instead
+  */
+ 
+-#define MKDIR "mkdir"
+-
+ #ifdef WIN32
+ #define DIRSEP '\\'
+ #else
+@@ -51,6 +51,13 @@
+ #define EXTBUFL 1024*8
+ 
+ 
++static void mkdirOrLogErr(const char *const path)
++{
++	if (mkdir(path, S_IRWXU | S_IRWXG | S_IRWXO))
++		fprintf(stderr, "mkdir: cannot create directory '%s': %s\n",
++			path, strerror(errno));
++}
++
+ void help()
+ {
+     puts("unadf [-lrcsp -v n] dumpname.adf [files-with-path] [-d extractdir]");
+@@ -152,7 +159,6 @@ void extractTree(struct Volume *vol, str
+ {
+ 	struct Entry* entry;
+     char *buf;
+-    char sysbuf[200];
+ 
+     while(tree) {
+         entry = (struct Entry*)tree->content;
+@@ -162,16 +168,14 @@ void extractTree(struct Volume *vol, str
+                 buf=(char*)malloc(strlen(path)+1+strlen(entry->name)+1);
+                 if (!buf) return;
+                 sprintf(buf,"%s%c%s",path,DIRSEP,entry->name);
+-                sprintf(sysbuf,"%s %s",MKDIR,buf);
+                 if (!qflag) printf("x - %s%c\n",buf,DIRSEP);
++                if (!pflag) mkdirOrLogErr(buf);
+             }
+             else {
+-                sprintf(sysbuf,"%s %s",MKDIR,entry->name);
+                 if (!qflag) printf("x - %s%c\n",entry->name,DIRSEP);
++                if (!pflag) mkdirOrLogErr(entry->name);
+             }
+ 
+-            if (!pflag) system(sysbuf);
+-
+ 	        if (tree->subdir!=NULL) {
+                 if (adfChangeDir(vol,entry->name)==RC_OK) {
+                     if (buf!=NULL)
+@@ -301,21 +305,20 @@ void processFile(struct Volume *vol, cha
+         extractFile(vol, name, path, extbuf, pflag, qflag);
+     }
+     else {
+-        /* the all-in-one string : to call system(), to find the filename, the convert dir sep char ... */
+-        bigstr=(char*)malloc(strlen(MKDIR)+1+strlen(path)+1+strlen(name)+1);
++        bigstr=(char*)malloc(strlen(path)+1+strlen(name)+1);
+         if (!bigstr) { fprintf(stderr,"processFile : malloc"); return; }
+ 
+         /* to build to extract path */
+         if (strlen(path)>0) {
+-            sprintf(bigstr,"%s %s%c%s",MKDIR,path,DIRSEP,name);
+-            cdstr = bigstr+strlen(MKDIR)+1+strlen(path)+1;
++            sprintf(bigstr,"%s%c%s",path,DIRSEP,name);
++            cdstr = bigstr+strlen(path)+1;
+         }
+         else {
+-            sprintf(bigstr,"%s %s",MKDIR,name);
+-            cdstr = bigstr+strlen(MKDIR)+1;
++            sprintf(bigstr,"%s",name);
++            cdstr = bigstr;
+         }
+         /* the directory in which the file will be extracted */
+-        fullname =  bigstr+strlen(MKDIR)+1;
++        fullname =  bigstr;
+ 
+         /* finds the filename, and separates it from the path */
+         filename = strrchr(bigstr,'/')+1;
+@@ -333,7 +336,7 @@ void processFile(struct Volume *vol, cha
+                     return;
+                 tfile = fopen(fullname,"r"); /* the only portable way to test if the dir exists */
+                 if (tfile==NULL) { /* does't exist : create it */
+-                    if (!pflag) system(bigstr);
++                    if (!pflag) mkdirOrLogErr(bigstr);
+                     if (!qflag) printf("x - %s%c\n",fullname,DIRSEP);
+                 }
+                 else
+@@ -350,7 +353,7 @@ void processFile(struct Volume *vol, cha
+                     return;
+                 tfile = fopen(fullname,"r");
+                 if (tfile==NULL) {
+-                    if (!pflag) system(bigstr);
++                    if (!pflag) mkdirOrLogErr(bigstr);
+                     if (!qflag) printf("x - %s%c\n",fullname,DIRSEP);
+                 }
+                 else
diff -Nru unadf-0.7.11a/debian/patches/series unadf-0.7.11a/debian/patches/series
--- unadf-0.7.11a/debian/patches/series	2016-09-19 04:43:24.000000000 +0200
+++ unadf-0.7.11a/debian/patches/series	2023-11-24 16:38:37.000000000 +0100
@@ -1,3 +1,5 @@
 source-code-fixes
 64-bit-fixes
 add-hardening-flags-in-compiler-options
+CVE-2016-1243_CVE-2016-1244
+

--- End Message ---
--- Begin Message --- 
Version: 11.9

The upload requested in this bug has been released as part of 11.9.

--- End Message ---
Reply to: