Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities
- To: team@security.debian.org
- Cc: 781228@bugs.debian.org, Debian GIS Project <debian-gis@lists.debian.org>
- Subject: Regression caused by fix for Bug#781228: freexl: Multiple vulnerabilities
- From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
- Date: Thu, 12 Nov 2015 22:31:55 +0100
- Message-id: <5645054B.2060305@xs4all.nl>
- In-reply-to: <20150329173408.GB6887@pisco.westfalen.local>
- References: <20150326090004.16312.52896.reportbug@m25s06.vlinux.de> <e2efcce86e2a1904157be0719f5fe35c.squirrel@webmail.xs4all.nl> <20150326132348.GA3942@pisco.westfalen.local> <55145F89.6040705@xs4all.nl> <20150326210602.GA20949@inutil.org> <20150329173408.GB6887@pisco.westfalen.local>
Dear Security Team,
The patch to fix multiple vulnerabilities identified by American Fuzzy
Lop reported in #781228 caused a regression, as reported in the GDAL issue
tracker:
https://trac.osgeo.org/gdal/ticket/6200
The change to fix this regression was included in freexl (1.0.1-1~exp1),
but not in the security updates for
jessie (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).
I've prepared updates to fix this regression for jessie & wheezy, see
the attached debdiffs.
Are these regression fixes appropriate for upload to
{wheezy,jessie}-security or should they be uploaded to proposed-updates
instead?
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog 2015-07-19 12:21:54.000000000 +0200
+++ freexl-1.0.0b/debian/changelog 2015-11-12 22:24:56.000000000 +0100
@@ -1,3 +1,9 @@
+freexl (1.0.0b-1+deb7u3) UNRELEASED; urgency=medium
+
+ * Add patch to fix regression introduced by afl-vulnerabilitities.patch.
+
+ -- Bas Couwenberg <sebastic@debian.org> Thu, 12 Nov 2015 22:04:49 +0100
+
freexl (1.0.0b-1+deb7u2) wheezy-security; urgency=high
* Add patch to fix 32 bit multiplication overflow.
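Review bot: The new 1.0.0b-1+deb7u3 changelog entry does not say what regressed or where it was reported. It names only afl-vulnerabilitities.patch, so a reader of the changelog cannot tell which behaviour broke. Suggest extending the bullet to mention the GDAL ticket (https://trac.osgeo.org/gdal/ticket/6200) and Bug#781228, both of which are already cited in the patch header, so the changelog stands on its own.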
diff -Nru freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch
--- freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch 2015-11-12 22:25:21.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix regression introduced by afl-vulnerabilitities.patch.
+ Initially reported as a bug in GDAL and traced to FreeXL, see:
+ https://trac.osgeo.org/gdal/ticket/6200
+Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=61618ce51a9b0c15&v2=4f9408c216ead322&sbs=1
+Author: Alessandro Furieri <a.furieri@lqt.it>
+Bug-Debian: https://bugs.debian.org/781228
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -3655,7 +3655,7 @@ read_biff_next_record (biff_workbook * w
+ unsigned int already_done;
+ unsigned int chunk =
+ workbook->sector_end - (workbook->p_in - workbook->sector_buf);
+- if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
++ if (workbook->sector_end < (workbook->p_in - workbook->sector_buf))
+ return -1;
+ memcpy (workbook->record, workbook->p_in, chunk);
+ workbook->p_in += chunk;
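Review bot: The relaxed guard in read_biff_next_record now lets the boundary case through where workbook->sector_end equals (workbook->p_in - workbook->sector_buf), so chunk is 0, the memcpy copies nothing and p_in does not advance. That is safe for the visible lines, but the fix relies on the code after this hunk fetching the next sector and making progress from an exactly consumed buffer. Please confirm that path against the file from the GDAL ticket and, if possible, add it as a regression test, since the original `<=` was introduced for fuzzer findings and the only change here is one comparison operator.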
diff -Nru freexl-1.0.0b/debian/patches/series freexl-1.0.0b/debian/patches/series
--- freexl-1.0.0b/debian/patches/series 2015-07-19 12:10:15.000000000 +0200
+++ freexl-1.0.0b/debian/patches/series 2015-11-12 22:23:41.000000000 +0100
@@ -1,2 +1,3 @@
afl-vulnerabilitities.patch
32bit-multiplication-overflow.patch
+afl-vulnerabilitities-regression.patch
diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
--- freexl-1.0.0g/debian/changelog 2015-07-19 13:45:38.000000000 +0200
+++ freexl-1.0.0g/debian/changelog 2015-11-12 22:10:04.000000000 +0100
@@ -1,3 +1,9 @@
+freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium
+
+ * Add patch to fix regression introduced by afl-vulnerabilitities.patch.
+
+ -- Bas Couwenberg <sebastic@debian.org> Thu, 12 Nov 2015 22:04:49 +0100
+
freexl (1.0.0g-1+deb8u2) jessie-security; urgency=high
* Add patch to fix 32 bit multiplication overflow.
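Review bot: The 1.0.0g-1+deb8u3 entry still carries the UNRELEASED distribution, and the same holds for the wheezy entry. That is fine for a debdiff under review, but the target has to be set to jessie-security or jessie (proposed-updates) once the Security Team answers, and urgency=medium should be reconsidered at the same time since the previous entry in this hunk used urgency=high.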
diff -Nru freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch
--- freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 2015-11-12 21:59:43.000000000 +0100
@@ -0,0 +1,18 @@
+Description: Fix regression introduced by afl-vulnerabilitities.patch.
+ Initially reported as a bug in GDAL and traced to FreeXL, see:
+ https://trac.osgeo.org/gdal/ticket/6200
+Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=61618ce51a9b0c15&v2=4f9408c216ead322&sbs=1
+Author: Alessandro Furieri <a.furieri@lqt.it>
+Bug-Debian: https://bugs.debian.org/781228
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -3770,7 +3770,7 @@ read_biff_next_record (biff_workbook * w
+ unsigned int already_done;
+ unsigned int chunk =
+ workbook->sector_end - (workbook->p_in - workbook->sector_buf);
+- if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
++ if (workbook->sector_end < (workbook->p_in - workbook->sector_buf))
+ return -1;
+ memcpy (workbook->record, workbook->p_in, chunk);
+ workbook->p_in += chunk;
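Review bot: In the context lines of this hunk, chunk is computed with an unsigned subtraction before the guard that validates it, so when (workbook->p_in - workbook->sector_buf) exceeds workbook->sector_end the value wraps to a very large number and is only harmless because `return -1` follows before the memcpy. That ordering is fragile: any later edit that uses chunk ahead of the check turns the wrapped value into a copy length. Worth raising upstream to move the computation after the check, or at least adding a comment here noting that chunk is not valid until the guard has passed.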
diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series
--- freexl-1.0.0g/debian/patches/series 2015-07-19 13:45:38.000000000 +0200
+++ freexl-1.0.0g/debian/patches/series 2015-11-12 21:51:03.000000000 +0100
@@ -1,2 +1,3 @@
afl-vulnerabilitities.patch
32bit-multiplication-overflow.patch
+afl-vulnerabilitities-regression.patch