
Re: [debian-lts] unrtf package



Hi all,
I would like to submit a debdiff of the unrtf package for review.
The previous upload of unrtf modified the source code directly,
so I did the same.

Could anyone please review it and give me some comments?

Thanks and best regards
CongNT
On 07/01/2015 08:51, Nguyen Cong wrote:
Hi all,

I would like to take care of the unrtf package.
I cannot add my name to the dla-needed.txt file yet, so
I am sending this email here instead.
Sorry for the inconvenience.

Thanks and best regards
Cong


--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail: cong.nguyenthe@toshiba-tsdv.com
=====================================================================

Note: This e-mail message may contain personal information or confidential information. If you are not the addressee of this message, please delete this message and kindly notify the sender as soon as possible - do not copy, use, or disclose this message.

diff -u unrtf-0.19.3/convert.c unrtf-0.19.3/convert.c
--- unrtf-0.19.3/convert.c
+++ unrtf-0.19.3/convert.c
@@ -250,6 +250,8 @@
 	CHECK_PARAM_NOT_NULL(w);
 	while (w) {
 	 	char *s = word_string (w);
+		if (!s)
+			return;
 		if (*s == '\\') {
 			++s;
 			if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
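Review bot: `isdigit(s[2])` on the context line just below the new NULL check receives a plain `char`, which is undefined behaviour for byte values above 0x7f wherever `char` is signed, and a crafted RTF file could presumably supply such bytes. The hash.c hunk in this same debdiff adds exactly this kind of cast, so the call here should read `isdigit((unsigned char)s[2])`. Separately, the added `if (!s) return;` leaves the function at the first word that has no string, so anything after the `while (w)` loop is skipped; the loop's end is outside the hunk, so please confirm that abandoning the whole list is intended rather than skipping just that word.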
@@ -333,6 +335,8 @@
 
 		if ((w2=w->child)) {
 			tmp = word_string (w2);
+			if (!tmp)
+				break;
 			if (!strncmp("\\f",tmp,2)) {
 				num = atoi (&tmp[2]);
 				name[0]=0;
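Review bot: The added `if (!tmp) break;` sits inside `if ((w2=w->child))`, so it exits the enclosing loop, which starts outside this hunk; if that loop walks the whole font table, a single entry without a string silently discards every entry after it. Skipping only the malformed entry would keep the rest of the table usable, and a `warning_handler` call at this point would make the truncation visible. The following `num = atoi (&tmp[2]);` also reports neither errors nor out-of-range values, so `strtol` with an explicit range check is worth considering while this code is being touched.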
@@ -461,14 +465,15 @@
 			char *s;
 
 			s = word_string(child);
-
+			if (!s)
+				return;
 			if (!inline_mode) {
 				if (!strcmp("\\title", s)) {
 					printf (op->document_title_begin);
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
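Review bot: `printf (op->document_title_begin);` passes a non-literal string as the format, so any `%` in that string is interpreted as a conversion; `fputs (op->document_title_begin, stdout);` or `printf ("%s", op->document_title_begin);` removes the hazard and keeps `-Wformat-security` quiet. Where `op` is populated is not visible in this hunk, so treat this as hardening rather than a demonstrated bug. The `s2 &&` guard added here is repeated unchanged in the hunks at -479, -490 and -502, and the same `printf (op->...)` pattern appears in the `#if 0` block of the -613 hunk.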
@@ -479,7 +484,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s,", s2);
 						w2=w2->next;
 					}
@@ -490,7 +495,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
@@ -502,7 +507,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
@@ -613,7 +618,9 @@
 
 	while(w) {
 		char *s = word_string (w);
-
+		if (s == 0 || total_colors >= MAX_COLORS) {
+			break;
+		}
 #if 0
 		printf (op->comment_begin);
 		printf ("found this color table word: %s", word_string(w));
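Review bot: The new `total_colors >= MAX_COLORS` test ends the loop silently, so a document whose color table gets truncated produces no diagnostic at the point where it happens. Calling `warning_handler` before the `break` when the limit is reached would make the cause clear, for example `warning_handler ("color table truncated at MAX_COLORS entries");`. As a style point, `s == 0` would read better as `!s` or `s == NULL`, matching the other NULL checks in this patch. The loop body continues outside the hunk.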
@@ -671,7 +678,7 @@
 cmd_cf (Word *w, int align, char has_param, short num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
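Review bot: The range test `!has_param || num < 0 || num>=total_colors` is now written out three times (here in cmd_cf, in cmd_cb at -698 and in the hunk at -857), so any future correction has to be applied in three places. A small `static` helper, or at least a comment such as `/* num comes from the RTF input and indexes the color table: reject anything outside [0, total_colors) */`, would keep the copies from drifting apart. cmd_cb also emits the same warning text as cmd_cf, "font color change attempted is invalid", so the two cases cannot be told apart in the output. The `else` branch of each function lies outside its hunk.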
@@ -698,7 +705,7 @@
 cmd_cb (Word *w, int align, char has_param, short num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
@@ -757,6 +764,8 @@
 			char *s;
 
 			s = word_string(child);
+			if (!s)
+				return FALSE;
 
 			if (!strcmp("\\*", s)) {
 				w2=child->next;
@@ -774,7 +783,7 @@
 						if(s && !strcmp(s, "SYMBOL") )
 						{
 						w4=w3->next;
-						while(w4 && !strcmp(word_string(w4), " "))
+						while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
 							w4 = w4->next;
 						s4 = word_string(w4);
 						if(s4)
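Review bot: After the patched `while` loop, `s4 = word_string(w4);` still runs when the loop ended because `w4` became NULL, so `word_string` is handed a NULL `Word *`; how it reacts to that is not visible in this hunk. The hunk at -792 guards the equivalent call with `if (w4)`, and this site should match, e.g. `s4 = w4 ? word_string(w4) : NULL;`. The loop condition also calls `word_string(w4)` twice per iteration, and holding the result in a local would be clearer.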
@@ -792,7 +801,7 @@
 								Word *w4;
 								char *s4;
 								w4=w3->next;
-								while (w4 && !strcmp(" ", word_string(w4)))
+								while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
 									w4=w4->next;
 								if (w4) {
 									s4=word_string(w4);
@@ -857,7 +866,7 @@
 {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font background color change attempted is invalid");
 	}
 	else
diff -u unrtf-0.19.3/debian/changelog unrtf-0.19.3/debian/changelog
--- unrtf-0.19.3/debian/changelog
+++ unrtf-0.19.3/debian/changelog
@@ -1,3 +1,17 @@
+unrtf (0.19.3-1.2+deb6u1) squeeze-lts; urgency=high
+
+  * Non-maintainer upload.
+  * Security fixes, closes: #772811
+     - Fix CVE-2014-9274: check that accesses to color table stay within bounds
+     - Fix CVE-2014-9275: various crashes
+    Patches taken from upstream commits:
+     - CVE-2014-9274: b0cef89a170a66bc48f8dd288ce562ea8ca91f7a
+
+     - CVE-2014-9275: 1df886f2e65f7c512a6217588ae8d94d4bcbc63d
+                      3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 30 Dec 2014 14:42:06 +0700
+
 unrtf (0.19.3-1.1) unstable; urgency=HIGH
 
   * NMU
only in patch2:
unchanged:
--- unrtf-0.19.3.orig/hash.c
+++ unrtf-0.19.3/hash.c
@@ -121,8 +121,8 @@
 
 	hi->str = my_strdup(str);
 
-	i = *str;
-	if (i=='\\') i=str[1];
+	i = (unsigned char)*str;
+	if (i=='\\') i=(unsigned char)str[1];
 	i <<= 24;
 	hi->value = i | (hash_value++ & 0xffffff);
 	hi->next = NULL;
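Review bot: The casts stop `*str` and `str[1]` from being sign-extended, but the declaration of `i` is outside the hunk; if it is a signed `int`, `i <<= 24` with a byte value of 128 or more still overflows, so it is worth confirming that `i` is an unsigned type at least 32 bits wide. A short comment above the cast would record why it is there, for example `/* plain char may be signed; a negative byte would sign-extend before the shift */`.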
