
nspr packages to fix CVE-2015-7183



Hi,

El 04/11/15 a las 15:12, Raphael Hertzog escribió:
...
> For nspr:
> https://security-tracker.debian.org/tracker/CVE-2015-7183
> 

I've prepared the packages to fix this issue in squeeze, wheezy and
jessie. Please, find attached the debdiffs for review.

Mike, security team: please tell me whether they are OK, and whether you
agree to upload them or would prefer that I do it.

Cheers,

Santiago
diff -Nru nspr-4.8.6/debian/changelog nspr-4.8.6/debian/changelog
--- nspr-4.8.6/debian/changelog	2015-11-15 16:45:59.000000000 +0100
+++ nspr-4.8.6/debian/changelog	2015-11-17 10:36:25.000000000 +0100
@@ -1,3 +1,11 @@
+nspr (4.8.6-1+squeeze3) squeeze-lts; urgency=high
+
+  * Non-maintainer upload by the Squeeze LTS team.
+  * Fix CVE-2015-7183, MFSA-2015-133: heap-buffer overflow in
+    PL_ARENA_ALLOCATE
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Sun, 15 Nov 2015 16:56:49 +0100
+
 nspr (4.8.6-1+squeeze2) squeeze-lts; urgency=high
 
   * CVE-2014-1545
diff -Nru nspr-4.8.6/debian/patches/CVE-2015-7183-1.patch nspr-4.8.6/debian/patches/CVE-2015-7183-1.patch
--- nspr-4.8.6/debian/patches/CVE-2015-7183-1.patch	2015-11-15 16:45:59.000000000 +0100
+++ nspr-4.8.6/debian/patches/CVE-2015-7183-1.patch	2015-11-17 10:28:50.000000000 +0100
@@ -54,7 +54,40 @@
          memcpy(newp, p, size);
 --- a/mozilla/nsprpub/lib/ds/plarena.h
 +++ b/mozilla/nsprpub/lib/ds/plarena.h
-@@ -110,29 +110,36 @@
+@@ -91,6 +91,32 @@
+ };
+ 
+ /*
++ * WARNING: The PL_MAKE_MEM_ macros are for internal use by NSPR. Do NOT use
++ * them in your code.
++ *
++ * NOTE: Valgrind support to be added.
++ *
++ * The PL_MAKE_MEM_ macros are modeled after the MOZ_MAKE_MEM_ macros in
++ * Mozilla's mfbt/MemoryChecking.h. Only AddressSanitizer is supported now.
++ *
++ * Provides a common interface to the ASan (AddressSanitizer) and Valgrind
++ * functions used to mark memory in certain ways. In detail, the following
++ * three macros are provided:
++ *
++ *   PL_MAKE_MEM_NOACCESS  - Mark memory as unsafe to access (e.g. freed)
++ *   PL_MAKE_MEM_UNDEFINED - Mark memory as accessible, with content undefined
++ *   PL_MAKE_MEM_DEFINED - Mark memory as accessible, with content defined
++ *
++ * With Valgrind in use, these directly map to the three respective Valgrind
++ * macros. With ASan in use, the NOACCESS macro maps to poisoning the memory,
++ * while the UNDEFINED/DEFINED macros unpoison memory.
++ *
++ * With no memory checker available, all macros expand to the empty statement.
++ */
++
++#define PL_MAKE_MEM_UNDEFINED(addr, size)
++
++/*
+  * If the including .c file uses only one power-of-2 alignment, it may define
+  * PL_ARENA_CONST_ALIGN_MASK to the alignment mask and save a few instructions
+  * per ALLOCATE and GROW.
+@@ -110,29 +136,36 @@
          PLArena *_a = (pool)->current; \
          PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
          PRUword _p = _a->avail; \
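Review bot: The comment block added ahead of `#define PL_MAKE_MEM_UNDEFINED(addr, size)` says three macros are provided and that AddressSanitizer is supported, but this backport defines only PL_MAKE_MEM_UNDEFINED, and as an empty macro, so the text describes behaviour the package does not have. Presumably the stub exists only because this tree lacks the memory-checker hooks that the patched PL_ARENA_ALLOCATE refers to; the comment should say so, for example `/* Backport stub: this tree has no memory-checker hooks, so PL_MAKE_MEM_UNDEFINED expands to nothing. */`. Otherwise a later reader may assume poisoning is active when testing the arena code under ASan. The wheezy copy of CVE-2015-7183-1.patch carries the same block. PL_ARENA_ALLOCATE itself continues past the end of this hunk.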
diff -Nru nspr-4.8.6/debian/patches/CVE-2015-7183-2.patch nspr-4.8.6/debian/patches/CVE-2015-7183-2.patch
--- nspr-4.8.6/debian/patches/CVE-2015-7183-2.patch	2015-11-15 16:45:59.000000000 +0100
+++ nspr-4.8.6/debian/patches/CVE-2015-7183-2.patch	2015-11-17 10:28:50.000000000 +0100
@@ -10,7 +10,7 @@
 
 --- a/mozilla/nsprpub/lib/ds/plarena.h
 +++ b/mozilla/nsprpub/lib/ds/plarena.h
-@@ -108,9 +108,9 @@
+@@ -134,9 +134,9 @@
  #define PL_ARENA_ALLOCATE(p, pool, nb) \
      PR_BEGIN_MACRO \
          PLArena *_a = (pool)->current; \
@@ -22,7 +22,7 @@
              _p = 0; \
          } else if (_nb > (_a->limit - _a->avail)) { \
              _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
-@@ -119,26 +119,26 @@
+@@ -145,26 +145,26 @@
          } \
          p = (void *)_p; \
          if (p) { \
diff -Nru nspr-4.9.2/debian/changelog nspr-4.9.2/debian/changelog
--- nspr-4.9.2/debian/changelog	2014-06-13 13:00:15.000000000 +0200
+++ nspr-4.9.2/debian/changelog	2015-11-17 10:30:21.000000000 +0100
@@ -1,3 +1,11 @@
+nspr (2:4.9.2-1+deb7u3) wheezy-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7183, MFSA-2015-133: heap-buffer overflow in
+    PL_ARENA_ALLOCATE
+
+ -- Santiago Ruano Rincón <santiago@debian.org>  Mon, 16 Nov 2015 19:52:14 +0100
+
 nspr (2:4.9.2-1+deb7u2) wheezy-security; urgency=low
 
   * CVE-2014-1545
diff -Nru nspr-4.9.2/debian/patches/CVE-2015-7183-1.patch nspr-4.9.2/debian/patches/CVE-2015-7183-1.patch
--- nspr-4.9.2/debian/patches/CVE-2015-7183-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ nspr-4.9.2/debian/patches/CVE-2015-7183-1.patch	2015-11-17 10:28:50.000000000 +0100
@@ -0,0 +1,137 @@
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sleevi@gmail.com>
+# Date 1444930561 -7200
+# Node ID c9c965b2b19cb7076dbadc19c9e68ec4a9cd4ea0
+# Parent  f40f22264704fdb13026a4ee17749b2d2cc71605
+Fix bug 1205157, r=wtc
+Origin, upstream: http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
+Reviewed-by: Santiago R.R <santiagorr@riseup.net>
+
+--- a/mozilla/nsprpub/lib/ds/plarena.c
++++ b/mozilla/nsprpub/lib/ds/plarena.c
+@@ -126,6 +126,9 @@
+         pool->mask = PR_BITMASK(PR_CeilingLog2(align));
+ 
+     pool->first.next = NULL;
++    /* Set all three addresses in pool->first to the same dummy value.
++     * These addresses are only compared with each other, but never
++     * dereferenced. */
+     pool->first.base = pool->first.avail = pool->first.limit =
+         (PRUword)PL_ARENA_ALIGN(pool, &pool->first + 1);
+     pool->current = &pool->first;
+@@ -169,10 +172,14 @@
+ {
+     PLArena *a;   
+     char *rp;     /* returned pointer */
++    PRUint32 nbOld;
+ 
+     PR_ASSERT((nb & pool->mask) == 0);
+     
++    nbOld = nb;
+     nb = (PRUword)PL_ARENA_ALIGN(pool, nb); /* force alignment */
++    if (nb < nbOld)
++        return NULL;
+ 
+     /* attempt to allocate from arenas at pool->current */
+     {
+@@ -232,6 +239,7 @@
+             a->base = a->avail = (PRUword)PL_ARENA_ALIGN(pool, a + 1);
+             rp = (char *)a->avail;
+             a->avail += nb;
++            PR_ASSERT(a->avail <= a->limit);
+             /* the newly allocated arena is linked after pool->current 
+             *  and becomes pool->current */
+             a->next = pool->current->next;
+@@ -254,6 +262,8 @@
+ {
+     void *newp;
+ 
++    if (PR_UINT32_MAX - size < incr)
++        return NULL;
+     PL_ARENA_ALLOCATE(newp, pool, size + incr);
+     if (newp)
+         memcpy(newp, p, size);
+--- a/mozilla/nsprpub/lib/ds/plarena.h
++++ b/mozilla/nsprpub/lib/ds/plarena.h
+@@ -91,6 +91,32 @@
+ };
+ 
+ /*
++ * WARNING: The PL_MAKE_MEM_ macros are for internal use by NSPR. Do NOT use
++ * them in your code.
++ *
++ * NOTE: Valgrind support to be added.
++ *
++ * The PL_MAKE_MEM_ macros are modeled after the MOZ_MAKE_MEM_ macros in
++ * Mozilla's mfbt/MemoryChecking.h. Only AddressSanitizer is supported now.
++ *
++ * Provides a common interface to the ASan (AddressSanitizer) and Valgrind
++ * functions used to mark memory in certain ways. In detail, the following
++ * three macros are provided:
++ *
++ *   PL_MAKE_MEM_NOACCESS  - Mark memory as unsafe to access (e.g. freed)
++ *   PL_MAKE_MEM_UNDEFINED - Mark memory as accessible, with content undefined
++ *   PL_MAKE_MEM_DEFINED - Mark memory as accessible, with content defined
++ *
++ * With Valgrind in use, these directly map to the three respective Valgrind
++ * macros. With ASan in use, the NOACCESS macro maps to poisoning the memory,
++ * while the UNDEFINED/DEFINED macros unpoison memory.
++ *
++ * With no memory checker available, all macros expand to the empty statement.
++ */
++
++#define PL_MAKE_MEM_UNDEFINED(addr, size)
++
++/*
+  * If the including .c file uses only one power-of-2 alignment, it may define
+  * PL_ARENA_CONST_ALIGN_MASK to the alignment mask and save a few instructions
+  * per ALLOCATE and GROW.
+@@ -110,29 +136,36 @@
+         PLArena *_a = (pool)->current; \
+         PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
+         PRUword _p = _a->avail; \
+-        PRUword _q = _p + _nb; \
+-        if (_q > _a->limit) \
++        if (_nb < nb) { \
++            _p = 0; \
++        } else if (_nb > (_a->limit - _a->avail)) { \
+             _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
+-        else \
+-            _a->avail = _q; \
++        } else { \
++            _a->avail += _nb; \
++        } \
+         p = (void *)_p; \
+-        PL_ArenaCountAllocation(pool, nb); \
++        if (p) { \
++            PL_MAKE_MEM_UNDEFINED(p, nb); \
++            PL_ArenaCountAllocation(pool, nb); \
++        } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_GROW(p, pool, size, incr) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+         PRUint32 _incr = PL_ARENA_ALIGN(pool, incr); \
+-        PRUword _p = _a->avail; \
+-        PRUword _q = _p + _incr; \
+-        if (_p == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
+-            _q <= _a->limit) { \
+-            _a->avail = _q; \
++        if (_incr < incr) { \
++            p = NULL; \
++        } else if (_a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
++            _incr <= (_a->limit - _a->avail)) { \
++            _a->avail += _incr; \
+             PL_ArenaCountInplaceGrowth(pool, size, incr); \
+         } else { \
+             p = PL_ArenaGrow(pool, p, size, incr); \
+         } \
+-        PL_ArenaCountGrowth(pool, size, incr); \
++        if (p) {\
++            PL_ArenaCountGrowth(pool, size, incr); \
++        } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_MARK(pool) ((void *) (pool)->current->avail)
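Review bot: `PR_ASSERT(a->avail <= a->limit);` in the third plarena.c hunk is, as far as I know, compiled out unless DEBUG or FORCE_PR_ASSERT is defined, so in the uploaded packages it documents the invariant rather than enforcing it. The arena size computation that makes the invariant hold sits above that hunk and is not visible here, so it is worth confirming that this tree's `sz` calculation cannot wrap (the series lists CVE-2013-5607.patch, which may already cover it). A comment such as `/* debug-only check; release builds rely on the size checks above */` would make the dependency explicit. The jessie copy of this patch has the same line.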
diff -Nru nspr-4.9.2/debian/patches/CVE-2015-7183-2.patch nspr-4.9.2/debian/patches/CVE-2015-7183-2.patch
--- nspr-4.9.2/debian/patches/CVE-2015-7183-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ nspr-4.9.2/debian/patches/CVE-2015-7183-2.patch	2015-11-17 10:28:50.000000000 +0100
@@ -0,0 +1,58 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1444984353 -7200
+# Node ID bd8fb4498fa6ae6450ba9ea313c391ef8e30ccfe
+# Parent  854c880c68ad55fefb2382cdee8e8ea4acd15dcf
+Bug 1205157, add typecasts to handle signed integer parameters, r=ttaubert
+Origin: upstream, http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
+Reviewed-by: Santiago R.R. <santiagorr@riseup.net>
+
+--- a/mozilla/nsprpub/lib/ds/plarena.h
++++ b/mozilla/nsprpub/lib/ds/plarena.h
+@@ -134,9 +134,9 @@
+ #define PL_ARENA_ALLOCATE(p, pool, nb) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+-        PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
++        PRUint32 _nb = PL_ARENA_ALIGN(pool, (PRUint32)nb); \
+         PRUword _p = _a->avail; \
+-        if (_nb < nb) { \
++        if (_nb < (PRUint32)nb) { \
+             _p = 0; \
+         } else if (_nb > (_a->limit - _a->avail)) { \
+             _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
+@@ -145,26 +145,26 @@
+         } \
+         p = (void *)_p; \
+         if (p) { \
+-            PL_MAKE_MEM_UNDEFINED(p, nb); \
+-            PL_ArenaCountAllocation(pool, nb); \
++            PL_MAKE_MEM_UNDEFINED(p, (PRUint32)nb); \
++            PL_ArenaCountAllocation(pool, (PRUint32)nb); \
+         } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_GROW(p, pool, size, incr) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+-        PRUint32 _incr = PL_ARENA_ALIGN(pool, incr); \
+-        if (_incr < incr) { \
++        PRUint32 _incr = PL_ARENA_ALIGN(pool, (PRUint32)incr); \
++        if (_incr < (PRUint32)incr) { \
+             p = NULL; \
+         } else if (_a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
+             _incr <= (_a->limit - _a->avail)) { \
+             _a->avail += _incr; \
+-            PL_ArenaCountInplaceGrowth(pool, size, incr); \
++            PL_ArenaCountInplaceGrowth(pool, size, (PRUint32)incr); \
+         } else { \
+-            p = PL_ArenaGrow(pool, p, size, incr); \
++            p = PL_ArenaGrow(pool, p, size, (PRUint32)incr); \
+         } \
+         if (p) {\
+-            PL_ArenaCountGrowth(pool, size, incr); \
++            PL_ArenaCountGrowth(pool, size, (PRUint32)incr); \
+         } \
+     PR_END_MACRO
+ 
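Review bot: The added casts are written `(PRUint32)nb` and `(PRUint32)incr` with no parentheses around the macro argument, so when a caller passes an expression the cast binds only to its first operand. PL_ArenaGrow in patch 1 already does this with `PL_ARENA_ALLOCATE(newp, pool, size + incr)`, which is harmless there because both operands are PRUint32, but with a mixed-type or signed expression the overflow test `_nb < (PRUint32)nb` can compare against a different value than the one PL_ARENA_ALIGN rounded. Writing `(PRUint32)(nb)` and `(PRUint32)(incr)` at every use keeps the check and the aligned size in step. The patch is taken from upstream per its Origin header, so this may be better reported there than changed in the backport. The jessie copy of CVE-2015-7183-2.patch has the same casts.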
diff -Nru nspr-4.9.2/debian/patches/series nspr-4.9.2/debian/patches/series
--- nspr-4.9.2/debian/patches/series	2014-06-16 19:04:02.000000000 +0200
+++ nspr-4.9.2/debian/patches/series	2015-11-17 10:28:50.000000000 +0100
@@ -1,2 +1,4 @@
 CVE-2013-5607.patch
 CVE-2014-1545.patch
+CVE-2015-7183-1.patch
+CVE-2015-7183-2.patch
diff -Nru nspr-4.10.7/debian/changelog nspr-4.10.7/debian/changelog
--- nspr-4.10.7/debian/changelog	2014-08-24 01:25:30.000000000 +0200
+++ nspr-4.10.7/debian/changelog	2015-11-17 10:02:48.000000000 +0100
@@ -1,3 +1,11 @@
+nspr (2:4.10.7-1+deb8u1) jessie-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7183, mfsa-2015-133: heap-buffer overflow in
+    PL_ARENA_ALLOCATE
+
+ -- Santiago Ruano Rincón <santiago@debian.org>  Mon, 16 Nov 2015 22:55:05 +0100
+
 nspr (2:4.10.7-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru nspr-4.10.7/debian/patches/CVE-2015-7183-1.patch nspr-4.10.7/debian/patches/CVE-2015-7183-1.patch
--- nspr-4.10.7/debian/patches/CVE-2015-7183-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ nspr-4.10.7/debian/patches/CVE-2015-7183-1.patch	2015-11-16 22:54:00.000000000 +0100
@@ -0,0 +1,158 @@
+
+# HG changeset patch
+# User Ryan Sleevi <ryan.sleevi@gmail.com>
+# Date 1444930561 -7200
+# Node ID c9c965b2b19cb7076dbadc19c9e68ec4a9cd4ea0
+# Parent  f40f22264704fdb13026a4ee17749b2d2cc71605
+Fix bug 1205157, r=wtc
+Origin, upstream: http://hg.mozilla.org/projects/nspr/rev/c9c965b2b19c
+Reviewed-by: Santiago R.R <santiagorr@riseup.net>
+
+diff --git a/nspr/lib/ds/plarena.c b/nspr/lib/ds/plarena.c
+--- a/nspr/lib/ds/plarena.c
++++ b/nspr/nspr/lib/ds/plarena.c
+@@ -88,16 +88,19 @@ PR_IMPLEMENT(void) PL_InitArenaPool(
+         align = PL_ARENA_DEFAULT_ALIGN;
+ 
+     if (align < sizeof(pmasks)/sizeof(pmasks[0]))
+         pool->mask = pmasks[align];
+     else
+         pool->mask = PR_BITMASK(PR_CeilingLog2(align));
+ 
+     pool->first.next = NULL;
++    /* Set all three addresses in pool->first to the same dummy value.
++     * These addresses are only compared with each other, but never
++     * dereferenced. */
+     pool->first.base = pool->first.avail = pool->first.limit =
+         (PRUword)PL_ARENA_ALIGN(pool, &pool->first + 1);
+     pool->current = &pool->first;
+     /*
+      * Compute the net size so that each arena's gross size is |size|.
+      * sizeof(PLArena) + pool->mask is the header and alignment slop
+      * that PL_ArenaAllocate adds to the net size.
+      */
+@@ -139,20 +142,24 @@ PR_IMPLEMENT(void) PL_InitArenaPool(
+ ** See also: bugzilla: 45343.
+ **
+ */
+ 
+ PR_IMPLEMENT(void *) PL_ArenaAllocate(PLArenaPool *pool, PRUint32 nb)
+ {
+     PLArena *a;   
+     char *rp;     /* returned pointer */
++    PRUint32 nbOld;
+ 
+     PR_ASSERT((nb & pool->mask) == 0);
+     
++    nbOld = nb;
+     nb = (PRUword)PL_ARENA_ALIGN(pool, nb); /* force alignment */
++    if (nb < nbOld)
++        return NULL;
+ 
+     /* attempt to allocate from arenas at pool->current */
+     {
+         a = pool->current;
+         do {
+             if ( nb <= a->limit - a->avail )  {
+                 pool->current = a;
+                 rp = (char *)a->avail;
+@@ -203,16 +210,17 @@ PR_IMPLEMENT(void *) PL_ArenaAllocate(PL
+             a = (PLArena*)PR_MALLOC(sz);
+         }
+         if ( NULL != a )  {
+             a->limit = (PRUword)a + sz;
+             a->base = a->avail = (PRUword)PL_ARENA_ALIGN(pool, a + 1);
+             PL_MAKE_MEM_NOACCESS((void*)a->avail, a->limit - a->avail);
+             rp = (char *)a->avail;
+             a->avail += nb;
++            PR_ASSERT(a->avail <= a->limit);
+             /* the newly allocated arena is linked after pool->current 
+             *  and becomes pool->current */
+             a->next = pool->current->next;
+             pool->current->next = a;
+             pool->current = a;
+             if ( NULL == pool->first.next )
+                 pool->first.next = a;
+             PL_COUNT_ARENA(pool,++);
+@@ -225,16 +233,18 @@ PR_IMPLEMENT(void *) PL_ArenaAllocate(PL
+     return(NULL);
+ } /* --- end PL_ArenaAllocate() --- */
+ 
+ PR_IMPLEMENT(void *) PL_ArenaGrow(
+     PLArenaPool *pool, void *p, PRUint32 size, PRUint32 incr)
+ {
+     void *newp;
+ 
++    if (PR_UINT32_MAX - size < incr)
++        return NULL;
+     PL_ARENA_ALLOCATE(newp, pool, size + incr);
+     if (newp)
+         memcpy(newp, p, size);
+     return newp;
+ }
+ 
+ static void ClearArenaList(PLArena *a, PRInt32 pattern)
+ {
+diff --git a/nspr/lib/ds/plarena.h b/lib/ds/plarena.h
+--- a/nspr/lib/ds/plarena.h
++++ b/nspr/lib/ds/plarena.h
+@@ -134,42 +134,47 @@ void __asan_unpoison_memory_region(void 
+ #define PL_ARENA_ALIGN(pool, n) (((PRUword)(n) + (pool)->mask) & ~(pool)->mask)
+ #endif
+ 
+ #define PL_ARENA_ALLOCATE(p, pool, nb) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+         PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
+         PRUword _p = _a->avail; \
+-        PRUword _q = _p + _nb; \
+-        if (_q > _a->limit) { \
++        if (_nb < nb) { \
++            _p = 0; \
++        } else if (_nb > (_a->limit - _a->avail)) { \
+             _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
+         } else { \
+-            _a->avail = _q; \
++            _a->avail += _nb; \
+         } \
+         p = (void *)_p; \
+-        PL_MAKE_MEM_UNDEFINED(p, nb); \
+-        PL_ArenaCountAllocation(pool, nb); \
++        if (p) { \
++            PL_MAKE_MEM_UNDEFINED(p, nb); \
++            PL_ArenaCountAllocation(pool, nb); \
++        } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_GROW(p, pool, size, incr) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+         PRUint32 _incr = PL_ARENA_ALIGN(pool, incr); \
+-        PRUword _p = _a->avail; \
+-        PRUword _q = _p + _incr; \
+-        if (_p == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
+-            _q <= _a->limit) { \
++        if (_incr < incr) { \
++            p = NULL; \
++        } else if (_a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
++            _incr <= (_a->limit - _a->avail)) { \
+             PL_MAKE_MEM_UNDEFINED((unsigned char *)(p) + size, incr); \
+-            _a->avail = _q; \
++            _a->avail += _incr; \
+             PL_ArenaCountInplaceGrowth(pool, size, incr); \
+         } else { \
+             p = PL_ArenaGrow(pool, p, size, incr); \
+         } \
+-        PL_ArenaCountGrowth(pool, size, incr); \
++        if (p) {\
++            PL_ArenaCountGrowth(pool, size, incr); \
++        } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_MARK(pool) ((void *) (pool)->current->avail)
+ #define PR_UPTRDIFF(p,q) ((PRUword)(p) - (PRUword)(q))
+ 
+ #define PL_CLEAR_UNUSED_PATTERN(a, pattern) \
+     PR_BEGIN_MACRO \
+         PR_ASSERT((a)->avail <= (a)->limit); \
+
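Review bot: The file headers inside this new patch disagree with each other: the plarena.c section has `--- a/nspr/lib/ds/plarena.c` but `+++ b/nspr/nspr/lib/ds/plarena.c`, and the plarena.h section opens with `diff --git a/nspr/lib/ds/plarena.h b/lib/ds/plarena.h`. The patch may still apply, depending on which name the tool picks, but the paths look hand-edited and should be normalised to `+++ b/nspr/lib/ds/plarena.c` and `diff --git a/nspr/lib/ds/plarena.h b/nspr/lib/ds/plarena.h`, so that a failed or fuzzy application of a security fix does not go unnoticed. It is worth checking the build log to confirm that both files were patched without offset or fuzz. Separately, the header field `Origin, upstream: …` here and in the wheezy copy differs from the `Origin: upstream, …` form used in CVE-2015-7183-2.patch.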
diff -Nru nspr-4.10.7/debian/patches/CVE-2015-7183-2.patch nspr-4.10.7/debian/patches/CVE-2015-7183-2.patch
--- nspr-4.10.7/debian/patches/CVE-2015-7183-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ nspr-4.10.7/debian/patches/CVE-2015-7183-2.patch	2015-11-16 22:54:05.000000000 +0100
@@ -0,0 +1,60 @@
+
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1444984353 -7200
+# Node ID bd8fb4498fa6ae6450ba9ea313c391ef8e30ccfe
+# Parent  854c880c68ad55fefb2382cdee8e8ea4acd15dcf
+Bug 1205157, add typecasts to handle signed integer parameters, r=ttaubert
+Origin: upstream, http://hg.mozilla.org/projects/nspr/rev/bd8fb4498fa6
+Reviewed-by: Santiago R.R. <santiagorr@riseup.net>
+
+--- a/nspr/lib/ds/plarena.h
++++ b/nspr/lib/ds/plarena.h
+@@ -137,9 +137,9 @@
+ #define PL_ARENA_ALLOCATE(p, pool, nb) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+-        PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
++        PRUint32 _nb = PL_ARENA_ALIGN(pool, (PRUint32)nb); \
+         PRUword _p = _a->avail; \
+-        if (_nb < nb) { \
++        if (_nb < (PRUint32)nb) { \
+             _p = 0; \
+         } else if (_nb > (_a->limit - _a->avail)) { \
+             _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
+@@ -148,27 +148,27 @@
+         } \
+         p = (void *)_p; \
+         if (p) { \
+-            PL_MAKE_MEM_UNDEFINED(p, nb); \
+-            PL_ArenaCountAllocation(pool, nb); \
++            PL_MAKE_MEM_UNDEFINED(p, (PRUint32)nb); \
++            PL_ArenaCountAllocation(pool, (PRUint32)nb); \
+         } \
+     PR_END_MACRO
+ 
+ #define PL_ARENA_GROW(p, pool, size, incr) \
+     PR_BEGIN_MACRO \
+         PLArena *_a = (pool)->current; \
+-        PRUint32 _incr = PL_ARENA_ALIGN(pool, incr); \
+-        if (_incr < incr) { \
++        PRUint32 _incr = PL_ARENA_ALIGN(pool, (PRUint32)incr); \
++        if (_incr < (PRUint32)incr) { \
+             p = NULL; \
+         } else if (_a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
+             _incr <= (_a->limit - _a->avail)) { \
+-            PL_MAKE_MEM_UNDEFINED((unsigned char *)(p) + size, incr); \
++            PL_MAKE_MEM_UNDEFINED((unsigned char *)(p) + size, (PRUint32)incr); \
+             _a->avail += _incr; \
+-            PL_ArenaCountInplaceGrowth(pool, size, incr); \
++            PL_ArenaCountInplaceGrowth(pool, size, (PRUint32)incr); \
+         } else { \
+-            p = PL_ArenaGrow(pool, p, size, incr); \
++            p = PL_ArenaGrow(pool, p, size, (PRUint32)incr); \
+         } \
+         if (p) {\
+-            PL_ArenaCountGrowth(pool, size, incr); \
++            PL_ArenaCountGrowth(pool, size, (PRUint32)incr); \
+         } \
+     PR_END_MACRO
+ 
diff -Nru nspr-4.10.7/debian/patches/series nspr-4.10.7/debian/patches/series
--- nspr-4.10.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ nspr-4.10.7/debian/patches/series	2015-11-16 22:40:56.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2015-7183-1.patch
+CVE-2015-7183-2.patch

Attachment: signature.asc
Description: Digital signature

