Hi all,

On Thu 16 Jul 2015 20:41:43 CEST, Ben Hutchings wrote:
PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Attached you will find a .debdiff for fuseiso in unstable, adding two patches to fuseiso that hopefully fix the reported issues [1,2].
Under [1,2], Florian Weimer from Red Hat offers two ISO images that reproduce the observed issues. I am still waiting for Florian Weimer to get back to me about those ISO images (one ISO arrived here in a corrupt state, the other ISO I have only just asked for).
I have tested my changes to the code with respect to potential breakage; ISO images mount well here with the changes applied. But the real test will happen once I have the reproducer ISO images at hand.
Greets,
Mike

[1] https://bugzilla.redhat.com/show_bug.cgi?id=862211
[2] https://bugzilla.redhat.com/show_bug.cgi?id=861358

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

diff -Nru fuseiso-20070708/debian/changelog fuseiso-20070708/debian/changelog
--- fuseiso-20070708/debian/changelog 2014-10-02 02:55:59.000000000 +0200
+++ fuseiso-20070708/debian/changelog 2015-10-01 10:34:35.000000000 +0200
@@ -1,3 +1,16 @@
+fuseiso (20070708-3.2) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * debian/patches (Closes: #779047):
+ + Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow
+ when concatenating strings to an absolute path names. Prevention is done
+ by checking that the result we stay under the maximum path lenght as given
+ by the platforms PATH_MAX constant.
+ + Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO
+ code. Bail out if a ZF block size > 2^17 is to be read.
+
+ -- Mike Gabriel <sunweaver@debian.org> Thu, 01 Oct 2015 10:34:33 +0200
+
fuseiso (20070708-3.1) unstable; urgency=medium
* Non-maintainer upload.
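Review bot: The new changelog text for 02-prevent-buffer-overflow.patch has several typos that would ship with the upload: "to an absolute path names", "the result we stay under", "lenght" and "platforms PATH_MAX". Suggest something like "Prevent stack-based buffer overflow when concatenating strings to an absolute path name, by checking that the result stays under the maximum path length given by the platform's PATH_MAX constant." The single "Closes: #779047" on the debian/patches line covers both patches, so it is worth confirming that the bug really tracks both the buffer overflow and the ZISO integer overflow.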
diff -Nru fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch
--- fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 2015-10-01 10:27:16.000000000 +0200
@@ -0,0 +1,35 @@
+Description: Prevent stack-based buffer overflow on too-long path names
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+--- a/src/isofs.c
++++ b/src/isofs.c
+@@ -1532,13 +1532,23 @@
+ if(path[1] != '\0') { // not root dir
+ strcat(absolute_entry, "/");
+ };
+- strcat(absolute_entry, entry);
+- if(g_hash_table_lookup(lookup_table, absolute_entry)) {
+- // already in lookup cache
++
++ if(strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1) {
++ strcat(absolute_entry, entry);
++ if(g_hash_table_lookup(lookup_table, absolute_entry)) {
++ // already in lookup cache
++ isofs_free_inode(inode);
++ } else {
++ g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode);
++ };
++ }
++ else {
++ printf("readdir: absolute path name for entry '%s' exceeding PATH_MAX (%d)\n", entry, PATH_MAX);
+ isofs_free_inode(inode);
+- } else {
+- g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode);
+- };
++ free(buf);
++ free(entry);
++ return -EIO;
++ }
+
+ free(entry);
+
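Review bot: The length test in the src/isofs.c hunk guards only the final strcat(absolute_entry, entry); the strcat(absolute_entry, "/") in the unchanged context just above it still runs unchecked, and whatever filled absolute_entry before that lies outside the hunk. The bound "<= PATH_MAX-1" is also only correct if absolute_entry is declared with at least PATH_MAX bytes, which these lines do not show; please confirm that, or test against sizeof(absolute_entry) if it is an array, and move the check ahead of the "/" append so it covers both concatenations. Two smaller points: the message goes to stdout via printf, while 03-prevent-integer-overflow.patch uses fprintf(stderr, ...), and the error branch frees inode, buf and entry before returning -EIO, so it is worth checking that nothing else allocated earlier in the function is left unreleased on this new exit path.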
diff -Nru fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch
--- fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 2015-10-01 10:31:11.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Prevent integer overflow in ZISO code
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+--- a/src/isofs.c
++++ b/src/isofs.c
+@@ -1618,6 +1618,10 @@
+ };
+
+ static int isofs_real_read_zf(isofs_inode *inode, char *out_buf, size_t size, off_t offset) {
++ if( inode->zf_block_shift > 17 ) {
++ fprintf(stderr, "isofs_real_read_zf: can't handle ZF block size of 2^%d\n", inode->zf_block_shift);
++ return -EIO;
++ }
+ int zf_block_size = 1 << inode->zf_block_shift;
+ int zf_start = offset / zf_block_size;
+ int zf_end = (offset + size) / zf_block_size;
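Review bot: The new guard at the top of isofs_real_read_zf rejects only zf_block_shift > 17 and has no lower bound; the value is printed with %d, so if the field is signed, a negative value from a crafted image would still reach 1 << inode->zf_block_shift. Suggest checking both ends of the range the code is prepared to handle, and saying in the patch description why 17 is the limit. The unchanged lines below also store offset / zf_block_size and (offset + size) / zf_block_size in int although offset is off_t and size is size_t, so zf_start and zf_end can truncate on large images; a wider type for both would be safer.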
diff -Nru fuseiso-20070708/debian/patches/series fuseiso-20070708/debian/patches/series
--- fuseiso-20070708/debian/patches/series 2012-12-25 08:47:27.000000000 +0100
+++ fuseiso-20070708/debian/patches/series 2015-10-01 06:19:42.000000000 +0200
@@ -1,2 +1,4 @@
00-support_large_iso.patch
01-fix_typo.patch
+02-prevent-buffer-overflow.patch
+03-prevent-integer-overflow.patch