Ben Hutchings 於 2015年12月31日 06:37 寫道: > On Wed, 2015-12-30 at 20:19 +0800, Ying-Chun Liu (PaulLiu) wrote: > [...] >> I've made a patch. As attachment. > > I don't think it's a complete fix, as it doesn't check that there's > enough space for the terminating null (or shift sequence, where > needed). > >> Should I just push it to unstable? Or I need to do some further steps >> before that? > > You should probably coordinate with maintainers of other affected > packages, e.g. claws-mail. There is an upstream fix for claws-mail, > although it's not quite right (see my comment on security-tracker). > >> I didn't see any bug numbers against macopix package for CVE-2015-8614. >> What's the best next step? > > So far as I know it's not necessary to create a bug report, though > there's no harm in doing so. > > Ben. > Hi Ben, I synced the code from the claws-mail upstream which fixes the bug. Please see the attachment. Yours, Paul -- PaulLiu (劉穎駿) E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Description: Fix CVE-2015-8614
 I tried to move the code from latest claws-mail upstream which fixes the bug already.
Author: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Last-Update: 2016-02-14
Index: macopix-1.7.4/src/codeconv.c
===================================================================
--- macopix-1.7.4.orig/src/codeconv.c
+++ macopix-1.7.4/src/codeconv.c
@@ -128,10 +128,14 @@ typedef enum
 void conv_jistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
 {
 	const guchar *in = inbuf;
-	guchar *out = outbuf;
+	gchar *out = outbuf;
 	JISState state = JIS_ASCII;
 
-	while (*in != '\0') {
+	/*
+	 * Loop outputs up to 3 bytes in each pass (aux kanji) and we
+	 * need 1 byte to terminate the output
+	 */
+	while (*in != '\0' && (out - outbuf) < outlen - 4) {
 		if (*in == ESC) {
 			in++;
 			if (*in == '$') {
@@ -192,6 +196,7 @@ void conv_jistoeuc(gchar *outbuf, gint o
 	}
 
 	*out = '\0';
+	return ;
 }
 
 #define JIS_HWDAKUTEN 0x5e
@@ -263,10 +268,15 @@ static gint conv_jis_hantozen(guchar *ou
 void conv_euctojis(gchar *outbuf, gint outlen, const gchar *inbuf)
 {
 	const guchar *in = inbuf;
-	guchar *out = outbuf;
+	gchar *out = outbuf;
 	JISState state = JIS_ASCII;
 
-	while (*in != '\0') {
+	/*
+	 * Loop outputs up to 6 bytes in each pass (aux shift + aux
+	 * kanji) and we need up to 4 bytes to terminate the output
+	 * (ASCII shift + null)
+	 */
+	while (*in != '\0' && (out - outbuf) < outlen - 10) {
 		if (isascii(*in)) {
 			K_OUT();
 			*out++ = *in++;
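Review bot: The new loop guard in conv_jistoeuc leaves `outlen <= 0` unhandled: `(out - outbuf) < outlen - 4` is false from the first iteration, the loop is skipped, and the unconditional `*out = '\0';` at the end of the function (in the next hunk) still writes outbuf[0]. The same gap exists in the guards added to conv_euctojis (`outlen - 10`, later in this line) and conv_sjistoeuc (`outlen - 3`, in the following line). A guard before each loop such as `if (outlen <= 0) return;` closes that case, since with no room the buffer cannot be terminated at all. Because these functions return void, a caller also cannot tell that input was cut off; a comment on each function stating that output is truncated at a character boundary when it does not fit in outlen bytes, and is always NUL-terminated when outlen is positive, would make the new contract explicit. The rest of each function body lies outside the hunk.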
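Review bot: The `return ;` added before the closing brace of conv_jistoeuc is redundant in a void function that already falls off the end, and the space before the semicolon does not match the surrounding style; dropping the line leaves behavior unchanged. The same trailing `return ;` is added to conv_euctojis and conv_sjistoeuc in the following line. If the intent is to keep the text byte-aligned with the file it was synced from so that future syncs apply cleanly, a one-line comment saying so would explain the otherwise purposeless statement.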
@@ -286,26 +296,32 @@ void conv_euctojis(gchar *outbuf, gint o
 			}
 		} else if (iseuchwkana1(*in)) {
 			if (iseuchwkana2(*(in + 1))) {
-				guchar jis_ch[2];
-				gint len;
-
-				if (iseuchwkana1(*(in + 2)) &&
-				    iseuchwkana2(*(in + 3)))
-					len = conv_jis_hantozen
-						(jis_ch,
-						 *(in + 1), *(in + 3));
-				else
-					len = conv_jis_hantozen
-						(jis_ch,
-						 *(in + 1), '\0');
-				if (len == 0)
-					in += 2;
-				else {
-					K_IN();
-					in += len * 2;
-					*out++ = jis_ch[0];
-					*out++ = jis_ch[1];
-				}
+				if (0) {
+					HW_IN();
+					in++;
+					*out++ = *in++ & 0x7f;
+				} else {
+					guchar jis_ch[2];
+					gint len;
+
+					if (iseuchwkana1(*(in + 2)) &&
+					    iseuchwkana2(*(in + 3)))
+						len = conv_jis_hantozen
+							(jis_ch,
+							 *(in + 1), *(in + 3));
+					else
+						len = conv_jis_hantozen
+							(jis_ch,
+							 *(in + 1), '\0');
+					if (len == 0)
+						in += 2;
+					else {
+						K_IN();
+						in += len * 2;
+						*out++ = jis_ch[0];
+						*out++ = jis_ch[1];
+					}
+				}
 			} else {
 				K_OUT();
 				in++;
@@ -340,14 +356,19 @@ void conv_euctojis(gchar *outbuf, gint o
 
 	K_OUT();
 	*out = '\0';
+	return ;
 }
 
 void conv_sjistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
 {
 	const guchar *in = inbuf;
-	guchar *out = outbuf;
+	gchar *out = outbuf;
 
-	while (*in != '\0') {
+	/*
+	 * Loop outputs up to 2 bytes in each pass and we need 1 byte
+	 * to terminate the output
+	 */
+	while (*in != '\0' && (out - outbuf) < outlen - 3) {
 		if (isascii(*in)) {
 			*out++ = *in++;
 		} else if (issjiskanji1(*in)) {
@@ -386,6 +407,7 @@ void conv_sjistoeuc(gchar *outbuf, gint 
 	}
 
 	*out = '\0';
+	return ;
 }
 
 void conv_anytoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
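Review bot: The `if (0) { HW_IN(); in++; *out++ = *in++ & 0x7f; } else {` wrapper introduced in conv_euctojis is dead code: the first branch can never execute, so the only effect of this hunk is to re-indent the existing half-width kana handling, which makes the actual overflow fix harder to review. HW_IN() must still be defined in this file for the dead branch to compile; if macopix's codeconv.c lacks that macro (not visible here), the build breaks on a branch that is never taken. Either drop this hunk, since it changes no behavior, or replace the literal with a comment on its origin, e.g. `/* presumably gated on a user preference in the upstream file; always off in macopix */`, so the next reader does not have to rediscover why it exists. The enclosing function starts and ends outside the hunk.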