Ben Hutchings 於 2015年12月30日 09:49 寫道:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of macopix:
> https://security-tracker.debian.org/tracker/CVE-2015-8614
>
> Would you like to take care of this yourself?
>
> If yes, please follow the workflow we have defined here:
> http://wiki.debian.org/LTS/Development
>
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
>
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
>
> Thank you very much.
>
> Ben Hutchings,
> on behalf of the Debian LTS team.
>
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
>
Hi Ben,
I've made a patch; it is attached.
Should I just push it to unstable, or do I need to take some further steps
before that?
I didn't see any bug numbers against macopix package for CVE-2015-8614.
What's the best next step?
Yours,
Paul
--
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Description: Fix CVE-2015-8614: no bounds checking on the output buffer
conv_jistoeuc(), conv_euctojis() and conv_sjistoeuc() do not check the bounds
of the output buffer. This patch adds the missing checks.
Author: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Last-Update: 2015-12-30
Index: macopix-1.7.4/src/codeconv.c
===================================================================
--- macopix-1.7.4.orig/src/codeconv.c
+++ macopix-1.7.4/src/codeconv.c
@@ -93,36 +93,40 @@ typedef enum
(((c) & 0xff) >= 0xa1 && ((c) & 0xff) <= 0xdf)
#define K_IN() \
- if (state != JIS_KANJI) { \
+ if (state != JIS_KANJI && outlen > 3) { \
*out++ = ESC; \
*out++ = '$'; \
*out++ = 'B'; \
state = JIS_KANJI; \
+ outlen -= 3; \
}
#define K_OUT() \
- if (state != JIS_ASCII) { \
+ if (state != JIS_ASCII && outlen > 3) { \
*out++ = ESC; \
*out++ = '('; \
*out++ = 'B'; \
state = JIS_ASCII; \
+ outlen -= 3; \
}
#define HW_IN() \
- if (state != JIS_HWKANA) { \
+ if (state != JIS_HWKANA && outlen > 3) { \
*out++ = ESC; \
*out++ = '('; \
*out++ = 'I'; \
state = JIS_HWKANA; \
+ outlen -= 3; \
}
#define AUX_IN() \
- if (state != JIS_AUXKANJI) { \
+ if (state != JIS_AUXKANJI && outlen > 4) { \
*out++ = ESC; \
*out++ = '$'; \
*out++ = '('; \
*out++ = 'D'; \
state = JIS_AUXKANJI; \
+ outlen -= 4; \
}
void conv_jistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
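Review bot: When the escape sequence does not fit, these macros skip it and leave `state` unchanged, but the callers in conv_euctojis still write the character bytes whenever one or two bytes of room remain. With outlen == 3, for example, `K_IN()` emits nothing and the following `if (outlen > 2)` still stores two 7-bit kanji bytes, which a decoder still in ASCII mode would misread. The data writes should also confirm that the switch happened, e.g. `if (state == JIS_KANJI && outlen > 2) {` after `K_IN()`. The macros also now rely on a local named `outlen` at every expansion site, which deserves a comment above `K_IN()`: `/* Needs locals out, outlen and state; emits nothing if the escape does not fit. */`.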
@@ -170,28 +174,47 @@ void conv_jistoeuc(gchar *outbuf, gint o
} else {
switch (state) {
case JIS_ASCII:
- *out++ = *in++;
+ if (outlen > 1) {
+ *out++ = *in++;
+ outlen--;
+ }
break;
case JIS_KANJI:
- *out++ = *in++ | 0x80;
+ if (outlen > 1) {
+ *out++ = *in++ | 0x80;
+ outlen--;
+ }
if (*in == '\0') break;
- *out++ = *in++ | 0x80;
+ if (outlen > 1) {
+ *out++ = *in++ | 0x80;
+ outlen--;
+ }
break;
case JIS_HWKANA:
- *out++ = 0x8e;
- *out++ = *in++ | 0x80;
+ if (outlen > 2) {
+ *out++ = 0x8e;
+ *out++ = *in++ | 0x80;
+ outlen -= 2;
+ }
break;
case JIS_AUXKANJI:
- *out++ = 0x8f;
- *out++ = *in++ | 0x80;
+ if (outlen > 2) {
+ *out++ = 0x8f;
+ *out++ = *in++ | 0x80;
+ outlen -= 2;
+ }
if (*in == '\0') break;
- *out++ = *in++ | 0x80;
+ if (outlen > 1) {
+ *out++ = *in++ | 0x80;
+ outlen--;
+ }
break;
}
}
}
*out = '\0';
+ outlen--;
}
#define JIS_HWDAKUTEN 0x5e
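Review bot: The input pointer is advanced only inside the new bounds checks, so once the output buffer is full nothing consumes input any more. In `case JIS_ASCII` with outlen <= 1 the branch does nothing and `in` still points at the same byte; the enclosing loop header is outside this hunk, but if it is `while (*in != '\0')` as in the other two converters, over-long input makes the function spin instead of returning. The same pattern appears in the JIS_KANJI, JIS_HWKANA and JIS_AUXKANJI cases here, in conv_euctojis (`*out++ = *in++;` and both `*in++ & 0x7f` pairs) and in conv_sjistoeuc (the ASCII and half-width kana branches). Either leave the loop when space runs out or consume the input outside the guard, e.g. `if (outlen > 1) { *out++ = *in; outlen--; }` followed by an unconditional `in++;`.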
@@ -269,18 +292,30 @@ void conv_euctojis(gchar *outbuf, gint o
while (*in != '\0') {
if (isascii(*in)) {
K_OUT();
- *out++ = *in++;
+ if (outlen > 1) {
+ *out++ = *in++;
+ outlen--;
+ }
} else if (iseuckanji(*in)) {
if (iseuckanji(*(in + 1))) {
K_IN();
- *out++ = *in++ & 0x7f;
- *out++ = *in++ & 0x7f;
+ if (outlen > 2) {
+ *out++ = *in++ & 0x7f;
+ *out++ = *in++ & 0x7f;
+ outlen -= 2;
+ }
} else {
K_OUT();
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
if (*in != '\0' && !isascii(*in)) {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
@@ -303,14 +338,20 @@ void conv_euctojis(gchar *outbuf, gint o
else {
K_IN();
in += len * 2;
- *out++ = jis_ch[0];
- *out++ = jis_ch[1];
+ if (outlen > 2) {
+ *out++ = jis_ch[0];
+ *out++ = jis_ch[1];
+ outlen -= 2;
+ }
}
} else {
K_OUT();
in++;
if (*in != '\0' && !isascii(*in)) {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
@@ -318,28 +359,41 @@ void conv_euctojis(gchar *outbuf, gint o
in++;
if (iseuckanji(*in) && iseuckanji(*(in + 1))) {
AUX_IN();
- *out++ = *in++ & 0x7f;
- *out++ = *in++ & 0x7f;
+ if (outlen > 2) {
+ *out++ = *in++ & 0x7f;
+ *out++ = *in++ & 0x7f;
+ outlen -= 2;
+ }
} else {
K_OUT();
if (*in != '\0' && !isascii(*in)) {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
if (*in != '\0' && !isascii(*in)) {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
}
} else {
K_OUT();
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
K_OUT();
*out = '\0';
+ outlen--;
}
void conv_sjistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
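Review bot: The closing `K_OUT()` before `*out = '\0'` can be skipped, because the data guards above reserve only the terminator. A buffer that fills while in JIS_KANJI or JIS_AUXKANJI can have fewer than the four bytes that `outlen > 3` demands, so the truncated output ends without the escape back to ASCII. Reserving room for that escape in the data checks (for instance `outlen > 2 + 3` for a two-byte character) would keep truncated output well-formed. Separately, `*out = '\0';` is still unconditional, so a call with outlen <= 0 writes one byte anyway, and the `outlen--;` after it is a dead store. The start of conv_euctojis is outside this hunk, so an early check on outlen may already exist there.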
@@ -349,7 +403,10 @@ void conv_sjistoeuc(gchar *outbuf, gint
while (*in != '\0') {
if (isascii(*in)) {
- *out++ = *in++;
+ if (outlen > 1) {
+ *out++ = *in++;
+ outlen--;
+ }
} else if (issjiskanji1(*in)) {
if (issjiskanji2(*(in + 1))) {
guchar out1 = *in;
@@ -365,27 +422,43 @@ void conv_sjistoeuc(gchar *outbuf, gint
out2 -= 0x7e;
}
- *out++ = out1 | 0x80;
- *out++ = out2 | 0x80;
+ if (outlen > 2) {
+ *out++ = out1 | 0x80;
+ *out++ = out2 | 0x80;
+ outlen -= 2;
+ }
in += 2;
} else {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
if (*in != '\0' && !isascii(*in)) {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
} else if (issjishwkana(*in)) {
- *out++ = 0x8e;
- *out++ = *in++;
+ if (outlen > 2) {
+ *out++ = 0x8e;
+ *out++ = *in++;
+ outlen -= 2;
+ }
} else {
- *out++ = SUBST_CHAR;
+ if (outlen > 1) {
+ *out++ = SUBST_CHAR;
+ outlen--;
+ }
in++;
}
}
*out = '\0';
+ outlen--;
}
void conv_anytoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)