
Re: [debian-lts] unrtf package



Hi Thorsten,

the previous release had the version number 0.19.3-1.1, so you should not use 0.19.3-1.2...
Oops, stupid mistake. I fixed it.
Could you please check it?

Thanks and best regards
Cong
On 10/01/2015 23:44, Thorsten Alteholz wrote:
Hi Cong,

On Wed, 7 Jan 2015, Nguyen Cong wrote:
I would like to send debdiff file of unrtf package for reviewing.

the previous release had the version number 0.19.3-1.1, so you should not use 0.19.3-1.2...

  Thorsten



--
=====================================================================
Nguyen The Cong (Mr)
Software Engineer
Toshiba Software Development (Vietnam) Co.,Ltd
519 Kim Ma street, Ba Dinh District, Hanoi, Vietnam
tel:    +84-4-2220 8801 (Ext. 208)
e-mail:cong.nguyenthe@toshiba-tsdv.com
=====================================================================

Note: This e-mail message may contain personal information or confidential information. If you are not the addressee of this message, please delete this message and kindly notify the sender as soon as possible - do not copy, use, or disclose this message.

diff -u unrtf-0.19.3/convert.c unrtf-0.19.3/convert.c
--- unrtf-0.19.3/convert.c
+++ unrtf-0.19.3/convert.c
@@ -250,6 +250,8 @@
 	CHECK_PARAM_NOT_NULL(w);
 	while (w) {
 	 	char *s = word_string (w);
+		if (!s)
+			return;
 		if (*s == '\\') {
 			++s;
 			if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
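Review bot: The added `if (!s) return;` leaves the function at the first word that has no string, silently, so every later word in the list is dropped and nothing tells the user the input was malformed. The same unexplained bail-out appears in the hunks at -333 (`break`), -461 (`return`) and -757 (`return FALSE`), while the inner `while (w2)` loops skip such a word with `s2 &&` and carry on. A one-line comment at each site, such as `/* word without a string: malformed input, stop processing this group */`, or a `warning_handler` call, would record which behaviour is intended. The enclosing function starts and ends outside the hunk, so whether advancing to `w->next` would be safe here cannot be judged from these lines.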
@@ -333,6 +335,8 @@
 
 		if ((w2=w->child)) {
 			tmp = word_string (w2);
+			if (!tmp)
+				break;
 			if (!strncmp("\\f",tmp,2)) {
 				num = atoi (&tmp[2]);
 				name[0]=0;
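Review bot: The font number parsed right after the new NULL check, `num = atoi (&tmp[2]);`, still comes straight from the document with no validation: `atoi` reports no errors and its behaviour is undefined when the digits do not fit in an `int`. `strtol` with an end-pointer and `errno` check plus an explicit range test would make the accepted range visible, e.g. `long v = strtol (&tmp[2], &end, 10);` followed by rejecting `end == &tmp[2]` or an out-of-range `v`. How `num` is used afterwards is outside the hunk, so a later check may already cover this.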
@@ -461,14 +465,15 @@
 			char *s;
 
 			s = word_string(child);
-
+			if (!s)
+				return;
 			if (!inline_mode) {
 				if (!strcmp("\\title", s)) {
 					printf (op->document_title_begin);
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
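Review bot: `printf (op->document_title_begin);` in the `\title` branch passes a non-literal string as the format, so any `%` in that output string would be parsed as a conversion with no matching argument. The commit hardens the NULL handling around it but leaves the call as is; `fputs (op->document_title_begin, stdout);` or `printf ("%s", op->document_title_begin);` prints the same text without format parsing. Where `op` is populated is not visible here, so this is hardening rather than a demonstrated flaw.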
@@ -479,7 +484,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s,", s2);
 						w2=w2->next;
 					}
@@ -490,7 +495,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
@@ -502,7 +507,7 @@
 					w2=child->next;
 					while (w2) {
 						char *s2 = word_string(w2);
-						if (s2[0] != '\\') 
+						if (s2 && s2[0] != '\\')
 							printf ("%s", s2);
 						w2=w2->next;
 					}
@@ -613,7 +618,9 @@
 
 	while(w) {
 		char *s = word_string (w);
-
+		if (s == 0 || total_colors >= MAX_COLORS) {
+			break;
+		}
 #if 0
 		printf (op->comment_begin);
 		printf ("found this color table word: %s", word_string(w));
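Review bot: When `total_colors >= MAX_COLORS` the new check only breaks out of the loop, so a document with an oversized colour table is truncated silently and later `\cf`/`\cb` references to the dropped entries surface only as the generic "invalid" warnings. Splitting the condition, keeping `if (!s) break;` and giving the full-table case its own `warning_handler ("color table full, remaining entries ignored");` before `break;`, would make the cause visible. `s == 0` would also read better as `!s`, matching the other NULL checks in this patch. The loop body continues outside the hunk.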
@@ -671,7 +678,7 @@
 cmd_cf (Word *w, int align, char has_param, short num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
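Review bot: The range test `num < 0 || num>=total_colors` is now written out three times, in `cmd_cf` here, in `cmd_cb` (hunk at -698) and in the handler patched at -857, so any future change to the bound has to be repeated in three places. A small helper such as `static int color_index_valid (short num) { return num >= 0 && num < total_colors; }` would keep it in one spot. `cmd_cb` also reuses the message "font color change attempted is invalid", which looks copied from `cmd_cf`; a distinct text would tell the two apart in the output. The `else` branches that actually use `num` are outside the hunks.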
@@ -698,7 +705,7 @@
 cmd_cb (Word *w, int align, char has_param, short num) {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font color change attempted is invalid");
 	}
 	else
@@ -757,6 +764,8 @@
 			char *s;
 
 			s = word_string(child);
+			if (!s)
+				return FALSE;
 
 			if (!strcmp("\\*", s)) {
 				w2=child->next;
@@ -774,7 +783,7 @@
 						if(s && !strcmp(s, "SYMBOL") )
 						{
 						w4=w3->next;
-						while(w4 && !strcmp(word_string(w4), " "))
+						while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
 							w4 = w4->next;
 						s4 = word_string(w4);
 						if(s4)
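Review bot: After the patched `while` loop `w4` can be NULL (the loop also ends when the list runs out), yet the next line calls `s4 = word_string(w4);` unconditionally, whereas the parallel code in the following hunk (-792) guards the same call with `if (w4)`. Whether `word_string` tolerates a NULL word is not visible here, so the call should be guarded the same way, e.g. `s4 = w4 ? word_string(w4) : NULL;`. Both loops also now call `word_string(w4)` twice per iteration; storing the result in a local once would be easier to read.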
@@ -792,7 +801,7 @@
 								Word *w4;
 								char *s4;
 								w4=w3->next;
-								while (w4 && !strcmp(" ", word_string(w4)))
+								while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
 									w4=w4->next;
 								if (w4) {
 									s4=word_string(w4);
@@ -857,7 +866,7 @@
 {
 	char str[40];
 
-	if (!has_param || num>=total_colors) {
+	if (!has_param || num < 0 || num>=total_colors) {
 		warning_handler ("font background color change attempted is invalid");
 	}
 	else
diff -u unrtf-0.19.3/debian/changelog unrtf-0.19.3/debian/changelog
--- unrtf-0.19.3/debian/changelog
+++ unrtf-0.19.3/debian/changelog
@@ -1,3 +1,17 @@
+unrtf (0.19.3-1.1+deb6u1) squeeze-lts; urgency=high
+
+  * Non-maintainer upload.
+  * Security fixes, closes: #772811
+     - Fix CVE-2014-9274: check that accesses to color table stay within bounds
+     - Fix CVE-2014-9275: various crashes
+    Patches taken from upstream commits:
+     - CVE-2014-9274: b0cef89a170a66bc48f8dd288ce562ea8ca91f7a
+
+     - CVE-2014-9275: 1df886f2e65f7c512a6217588ae8d94d4bcbc63d
+                      3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3
+
+ -- Nguyen Cong <cong.nguyenthe@toshiba-tsdv.com>  Tue, 30 Dec 2014 14:42:06 +0700
+
 unrtf (0.19.3-1.1) unstable; urgency=HIGH
 
   * NMU
only in patch2:
unchanged:
--- unrtf-0.19.3.orig/hash.c
+++ unrtf-0.19.3/hash.c
@@ -121,8 +121,8 @@
 
 	hi->str = my_strdup(str);
 
-	i = *str;
-	if (i=='\\') i=str[1];
+	i = (unsigned char)*str;
+	if (i=='\\') i=(unsigned char)str[1];
 	i <<= 24;
 	hi->value = i | (hash_value++ & 0xffffff);
 	hi->next = NULL;
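Review bot: The reason for the `(unsigned char)` casts is not recorded next to them, which makes them easy to lose in a later cleanup. A comment above `i = (unsigned char)*str;` such as `/* plain char may be signed: cast so a byte >= 0x80 is not sign-extended before the shift */` would document it. The declaration of `i` is outside the hunk; if it is a signed 32-bit type, `i <<= 24` with a byte of 0x80 or more still overflows, so it is worth confirming that `i` is unsigned.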

