Ben Hutchings 於 2015年12月31日 06:37 寫道:
> On Wed, 2015-12-30 at 20:19 +0800, Ying-Chun Liu (PaulLiu) wrote:
> [...]
>> I've made a patch. As attachment.
>
> I don't think it's a complete fix, as it doesn't check that there's
> enough space for the terminating null (or shift sequence, where
> needed).
>
>> Should I just push it to unstable? Or I need to do some further steps
>> before that?
>
> You should probably coordinate with maintainers of other affected
> packages, e.g. claws-mail. There is an upstream fix for claws-mail,
> although it's not quite right (see my comment on security-tracker).
>
>> I didn't see any bug numbers against macopix package for CVE-2015-8614.
>> What's the best next step?
>
> So far as I know it's not necessary to create a bug report, though
> there's no harm in doing so.
>
> Ben.
>
Hi Ben,
I synced the code from claws-mail upstream, which fixes the bug.
Please see the attachment.
Yours,
Paul
--
PaulLiu (劉穎駿)
E-mail: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Description: Fix CVE-2015-8614
I moved the code from the latest claws-mail upstream, which already fixes
the bug.
Author: Ying-Chun Liu (PaulLiu) <paulliu@debian.org>
Last-Update: 2016-02-14
Index: macopix-1.7.4/src/codeconv.c
===================================================================
--- macopix-1.7.4.orig/src/codeconv.c
+++ macopix-1.7.4/src/codeconv.c
@@ -128,10 +128,14 @@ typedef enum
void conv_jistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
{
const guchar *in = inbuf;
- guchar *out = outbuf;
+ gchar *out = outbuf;
JISState state = JIS_ASCII;
- while (*in != '\0') {
+ /*
+ * Loop outputs up to 3 bytes in each pass (aux kanji) and we
+ * need 1 byte to terminate the output
+ */
+ while (*in != '\0' && (out - outbuf) < outlen - 4) {
if (*in == ESC) {
in++;
if (*in == '$') {
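Review bot: The new loop bound `(out - outbuf) < outlen - 4` protects the loop body, but the unconditional `*out = '\0';` after the loop still writes into outbuf even when outlen is 0, so a caller passing an empty or undersized buffer gets a one-byte overflow instead of an early exit. A guard at function entry, `if (outlen <= 0) return;` (or, more conservatively, `if (outlen < 5) { if (outlen > 0) *outbuf = '\0'; return; }`), closes that gap; the same applies to the bounds added in conv_euctojis (`outlen - 10`) and conv_sjistoeuc (`outlen - 3`) in the later hunks. Note also that `<` leaves one byte more than the comment's "3 + 1" accounts for, which is harmless but worth stating in the comment so the margin is not "fixed" later. Truncation is silent — the caller cannot tell that input was dropped — so the header comment should say the output is truncated at a character boundary when outlen is too small. conv_jistoeuc continues outside this hunk.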
@@ -192,6 +196,7 @@ void conv_jistoeuc(gchar *outbuf, gint o
}
*out = '\0';
+ return ;
}
#define JIS_HWDAKUTEN 0x5e
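Review bot: The added `return ;` is the last statement of a void function, so it is a no-op and only adds noise; the same trailing `return ;` is added at the end of conv_euctojis and conv_sjistoeuc in the later hunks. Dropping all three keeps the patch to the bound checks that actually fix CVE-2015-8614 and makes the backport easier to review against the claws-mail source. The enclosing function starts outside this hunk.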
@@ -263,10 +268,15 @@ static gint conv_jis_hantozen(guchar *ou
void conv_euctojis(gchar *outbuf, gint outlen, const gchar *inbuf)
{
const guchar *in = inbuf;
- guchar *out = outbuf;
+ gchar *out = outbuf;
JISState state = JIS_ASCII;
- while (*in != '\0') {
+ /*
+ * Loop outputs up to 6 bytes in each pass (aux shift + aux
+ * kanji) and we need up to 4 bytes to terminate the output
+ * (ASCII shift + null)
+ */
+ while (*in != '\0' && (out - outbuf) < outlen - 10) {
if (isascii(*in)) {
K_OUT();
*out++ = *in++;
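Review bot: The comment above the new bound says "up to 6 bytes in each pass" and "up to 4 bytes to terminate", but the reserve of 10 is only correct if `K_OUT()` emits at most 3 bytes and only when the state is not already ASCII; that is how the loop's post-condition `K_OUT(); *out = '\0';` is budgeted, and it should be spelled out, e.g. `/* K_OUT() emits at most ESC ( B (3 bytes) when state != JIS_ASCII; plus the null = 4 */`. As in conv_jistoeuc, an `outlen` of 0 bypasses the loop but not the terminator write, so an `if (outlen <= 0) return;` guard at entry is still needed. conv_euctojis continues outside this hunk.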
@@ -286,26 +296,32 @@ void conv_euctojis(gchar *outbuf, gint o
}
} else if (iseuchwkana1(*in)) {
if (iseuchwkana2(*(in + 1))) {
- guchar jis_ch[2];
- gint len;
-
- if (iseuchwkana1(*(in + 2)) &&
- iseuchwkana2(*(in + 3)))
- len = conv_jis_hantozen
- (jis_ch,
- *(in + 1), *(in + 3));
- else
- len = conv_jis_hantozen
- (jis_ch,
- *(in + 1), '\0');
- if (len == 0)
- in += 2;
- else {
- K_IN();
- in += len * 2;
- *out++ = jis_ch[0];
- *out++ = jis_ch[1];
- }
+ if (0) {
+ HW_IN();
+ in++;
+ *out++ = *in++ & 0x7f;
+ } else {
+ guchar jis_ch[2];
+ gint len;
+
+ if (iseuchwkana1(*(in + 2)) &&
+ iseuchwkana2(*(in + 3)))
+ len = conv_jis_hantozen
+ (jis_ch,
+ *(in + 1), *(in + 3));
+ else
+ len = conv_jis_hantozen
+ (jis_ch,
+ *(in + 1), '\0');
+ if (len == 0)
+ in += 2;
+ else {
+ K_IN();
+ in += len * 2;
+ *out++ = jis_ch[0];
+ *out++ = jis_ch[1];
+ }
+ }
} else {
K_OUT();
in++;
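Review bot: The `if (0) { HW_IN(); in++; *out++ = *in++ & 0x7f; }` branch is unreachable, so this hunk changes nothing except the indentation of the existing half-width-kana code while introducing a reference to `HW_IN()`; unless codeconv.c already defines that macro (presumably a claws-mail preference check that macopix has no equivalent for), the file will no longer compile. Drop this hunk entirely, or if the half-width passthrough is meant to be kept for a later sync, replace the dead branch with a comment naming the upstream condition it stands for rather than a literal `if (0)`. The enclosing if/else chain starts and ends outside this hunk.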
@@ -340,14 +356,19 @@ void conv_euctojis(gchar *outbuf, gint o
K_OUT();
*out = '\0';
+ return ;
}
void conv_sjistoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)
{
const guchar *in = inbuf;
- guchar *out = outbuf;
+ gchar *out = outbuf;
- while (*in != '\0') {
+ /*
+ * Loop outputs up to 2 bytes in each pass and we need 1 byte
+ * to terminate the output
+ */
+ while (*in != '\0' && (out - outbuf) < outlen - 3) {
if (isascii(*in)) {
*out++ = *in++;
} else if (issjiskanji1(*in)) {
@@ -386,6 +407,7 @@ void conv_sjistoeuc(gchar *outbuf, gint
}
*out = '\0';
+ return ;
}
void conv_anytoeuc(gchar *outbuf, gint outlen, const gchar *inbuf)