Ben Hutchings wrote on 2015-12-30 09:49:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of macopix:
> https://security-tracker.debian.org/tracker/CVE-2015-8614
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Ben Hutchings,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>

Hi Ben,

I've made a patch. It is attached.
Should I just push it to unstable? Or do I need to do some further steps before that?

I didn't see any bug numbers against the macopix package for CVE-2015-8614.
What's the best next step?

Yours,
Paul

-- 
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>

Description: Fix CVE-2015-8614: no bounds checking on the output buffer conv_jistoeuc(), conv_euctojis(), conv_sjistoeuc() doesn't check the bounds of output buffer. This patch fixes this. Author: Ying-Chun Liu (PaulLiu) <paulliu@debian.org> Last-Update: 2015-12-30 Index: macopix-1.7.4/src/codeconv.c =================================================================== --- macopix-1.7.4.orig/src/codeconv.c +++ macopix-1.7.4/src/codeconv.c @@ -93,36 +93,40 @@ typedef enum (((c) & 0xff) >= 0xa1 && ((c) & 0xff) <= 0xdf) #define K_IN() \ - if (state != JIS_KANJI) { \ + if (state != JIS_KANJI && outlen > 3) { \ *out++ = ESC; \ *out++ = '$'; \ *out++ = 'B'; \ state = JIS_KANJI; \ + outlen -= 3; \ } #define K_OUT() \ - if (state != JIS_ASCII) { \ + if (state != JIS_ASCII && outlen > 3) { \ *out++ = ESC; \ *out++ = '('; \ *out++ = 'B'; \ state = JIS_ASCII; \ + outlen -= 3; \ } #define HW_IN() \ - if (state != JIS_HWKANA) { \ + if (state != JIS_HWKANA && outlen > 3) { \ *out++ = ESC; \ *out++ = '('; \ *out++ = 'I'; \ state = JIS_HWKANA; \ + outlen -= 3; \ } #define AUX_IN() \ - if (state != JIS_AUXKANJI) { \ + if (state != JIS_AUXKANJI && outlen > 4) { \ *out++ = ESC; \ *out++ = '$'; \ *out++ = '('; \ *out++ = 'D'; \ state = JIS_AUXKANJI; \ + outlen -= 4; \ } void conv_jistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf) 
@@ -170,28 +174,47 @@ void conv_jistoeuc(gchar *outbuf, gint o } else { switch (state) { case JIS_ASCII: - *out++ = *in++; + if (outlen > 1) { + *out++ = *in++; + outlen--; + } break; case JIS_KANJI: - *out++ = *in++ | 0x80; + if (outlen > 1) { + *out++ = *in++ | 0x80; + outlen--; + } if (*in == '\0') break; - *out++ = *in++ | 0x80; + if (outlen > 1) { + *out++ = *in++ | 0x80; + outlen--; + } break; case JIS_HWKANA: - *out++ = 0x8e; - *out++ = *in++ | 0x80; + if (outlen > 2) { + *out++ = 0x8e; + *out++ = *in++ | 0x80; + outlen -= 2; + } break; case JIS_AUXKANJI: - *out++ = 0x8f; - *out++ = *in++ | 0x80; + if (outlen > 2) { + *out++ = 0x8f; + *out++ = *in++ | 0x80; + outlen -= 2; + } if (*in == '\0') break; - *out++ = *in++ | 0x80; + if (outlen > 1) { + *out++ = *in++ | 0x80; + outlen--; + } break; } } } *out = '\0'; + outlen--; } #define JIS_HWDAKUTEN 0x5e @@ -269,18 +292,30 @@ void conv_euctojis(gchar *outbuf, gint o while (*in != '\0') { if (isascii(*in)) { K_OUT(); - *out++ = *in++; + if (outlen > 1) { + *out++ = *in++; + outlen--; + } } else if (iseuckanji(*in)) { if (iseuckanji(*(in + 1))) { K_IN(); - *out++ = *in++ & 0x7f; - *out++ = *in++ & 0x7f; + if (outlen > 2) { + *out++ = *in++ & 0x7f; + *out++ = *in++ & 0x7f; + outlen -= 2; + } } else { K_OUT(); - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; if (*in != '\0' && !isascii(*in)) { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } @@ -303,14 +338,20 @@ void conv_euctojis(gchar *outbuf, gint o else { K_IN(); in += len * 2; - *out++ = jis_ch[0]; - *out++ = jis_ch[1]; + if (outlen > 2) { + *out++ = jis_ch[0]; + *out++ = jis_ch[1]; + outlen -= 2; + } } } else { K_OUT(); in++; if (*in != '\0' && !isascii(*in)) { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } 
@@ -318,28 +359,41 @@ void conv_euctojis(gchar *outbuf, gint o in++; if (iseuckanji(*in) && iseuckanji(*(in + 1))) { AUX_IN(); - *out++ = *in++ & 0x7f; - *out++ = *in++ & 0x7f; + if (outlen > 2) { + *out++ = *in++ & 0x7f; + *out++ = *in++ & 0x7f; + outlen -= 2; + } } else { K_OUT(); if (*in != '\0' && !isascii(*in)) { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; if (*in != '\0' && !isascii(*in)) { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } } } else { K_OUT(); - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } K_OUT(); *out = '\0'; + outlen--; } void conv_sjistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf) @@ -349,7 +403,10 @@ void conv_sjistoeuc(gchar *outbuf, gint while (*in != '\0') { if (isascii(*in)) { - *out++ = *in++; + if (outlen > 1) { + *out++ = *in++; + outlen--; + } } else if (issjiskanji1(*in)) { if (issjiskanji2(*(in + 1))) { guchar out1 = *in; @@ -365,27 +422,43 @@ void conv_sjistoeuc(gchar *outbuf, gint out2 -= 0x7e; } - *out++ = out1 | 0x80; - *out++ = out2 | 0x80; + if (outlen > 2) { + *out++ = out1 | 0x80; + *out++ = out2 | 0x80; + outlen -= 2; + } in += 2; } else { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; if (*in != '\0' && !isascii(*in)) { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } } else if (issjishwkana(*in)) { - *out++ = 0x8e; - *out++ = *in++; + if (outlen > 2) { + *out++ = 0x8e; + *out++ = *in++; + outlen -= 2; + } } else { - *out++ = SUBST_CHAR; + if (outlen > 1) { + *out++ = SUBST_CHAR; + outlen--; + } in++; } } *out = '\0'; + outlen--; } void conv_anytoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
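Review bot: In the @@ -93,36 +93,40 hunk, K_IN(), K_OUT(), HW_IN() and AUX_IN() now skip the escape sequence silently when outlen is too small, and the call site has no way to tell that this happened. A caller written as "K_IN(); if (outlen > 2) { ... }" in conv_euctojis() will, with outlen == 3, skip the escape (3 > 3 is false) and still emit the two 7-bit kanji bytes (3 > 2 is true) while state is left unchanged, so the output is mis-encoded rather than cleanly truncated. Suggest deciding once per character whether escape plus payload fit, and stopping the conversion when they do not. The macros also now rely on a local variable named outlen being in scope wherever they expand, which deserves a comment next to the definitions.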
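Review bot: In the @@ -170,28 +174,47 hunk, the JIS_KANJI and JIS_AUXKANJI cases guard the bytes of one character separately, so the first write can pass and the following "if (outlen > 1)" fail, leaving a partial EUC character at the end of outbuf (for JIS_KANJI this happens with outlen == 2, for JIS_AUXKANJI with outlen == 3). Suggest checking room for the whole character before writing any byte of it. Separately, the "outlen--;" added after "*out = '\0';" has no effect: outlen is a by-value gint parameter and the function returns on the next line. The same dead decrement is added at the end of conv_euctojis() and conv_sjistoeuc() and can be dropped in all three.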
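Review bot: In the @@ -269,18 +292,30 hunk, "in" is advanced only inside the new guards in the isascii() branch and in the double-byte iseuckanji() branch, so once outlen has dropped to 1 the "while (*in != '\0')" loop makes no progress and never terminates when the input is longer than the buffer. The overflow is replaced by a hang on the same oversized input. Suggest breaking out of the loop as soon as the next character does not fit. Note that the SUBST_CHAR branches in the same hunk keep "in++;" outside the guard and therefore behave differently (they drop input silently), so the function currently has two truncation behaviours.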
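Review bot: In the @@ -318,28 +359,41 hunk, the closing "K_OUT();" before "*out = '\0';" is now conditional on outlen > 3, but none of the guards earlier in conv_euctojis() reserve those three bytes, so a buffer that fills while state is JIS_KANJI, JIS_HWKANA or JIS_AUXKANJI ends without the return-to-ASCII escape. Suggest having the per-character guards keep room for the final escape sequence plus the terminator whenever state is not JIS_ASCII, so that a truncated result is still a well-formed ISO-2022-JP string.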
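Review bot: In the @@ -365,27 +422,43 hunk, a full buffer is handled inconsistently: the double-byte branch keeps "in += 2;" outside "if (outlen > 2)" and so drops characters silently, while the issjishwkana() branch has "*out++ = *in++;" inside the guard and so stops consuming input, which stalls the "while (*in != '\0')" loop shown in the @@ -349,7 +403,10 hunk (the isascii() branch there has the same problem). Suggest one truncation policy for conv_sjistoeuc(), preferably leaving the loop when a character does not fit. Also, "*out = '\0';" is still unconditional, so a call with outlen of 0 writes one byte past the buffer; an early return for outlen < 1, plus a comment that outlen includes the terminating NUL, would close that.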