
Re: SPU upload of links2 (was Re: Fwd: Bug#668227: links2: security bugs in links)



Hi,

Cyril Brulebois wrote:
> Axel Beckert <abe@debian.org> (11/04/2012):
> > I'd have sent that anyway, just wanted to ask beforehand. Will let you
> > know when I have the package ready.
> 
> (having look quickly at the bug report now:) please make sure to fix the
> package in unstable beforehands.

Done now, though not with the patch upstream attached but with their new
upstream release.

Cyril Brulebois wrote:
> Axel Beckert <abe@debian.org> (11/04/2012):
> > Nico Golde wrote:
> > > Please upload these fixes to stable-proposed-updates instead.
> > 
> > I guess that's ok with the SRM.
> 
> We can't tell until we see a debdiff against the package in stable.

Attached. I'm still waiting for a CVE ID, though. I pinged the security
team again an hour ago or so.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
  `-    |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
diff -Nru links2-2.3~pre1/debian/changelog links2-2.3~pre1/debian/changelog
--- links2-2.3~pre1/debian/changelog	2010-07-09 17:08:57.000000000 +0200
+++ links2-2.3~pre1/debian/changelog	2012-04-24 17:57:23.000000000 +0200
@@ -1,3 +1,9 @@
+links2 (2.3~pre1-1+squeeze1) stable-proposed-updates; urgency=low
+
+  * Fix several security issues reported by upstream (Closes: #668227)
+
+ -- Axel Beckert <abe@debian.org>  Tue, 24 Apr 2012 17:57:12 +0200
+
 links2 (2.3~pre1-1) unstable; urgency=low
 
   [Gürkan Sengün]
diff -Nru links2-2.3~pre1/debian/patches/security-fixes-668227.diff links2-2.3~pre1/debian/patches/security-fixes-668227.diff
--- links2-2.3~pre1/debian/patches/security-fixes-668227.diff	1970-01-01 01:00:00.000000000 +0100
+++ links2-2.3~pre1/debian/patches/security-fixes-668227.diff	2012-04-24 17:46:04.000000000 +0200
@@ -0,0 +1,163 @@
+This patch fixes:
+
+Buffer overflow when pasting too long text from clipboard to dialog boxes
+	(not remotely exploitable)
+A write out of allocated memory in the graphics rendeder (potentionally
+	exploitable)
+An infinite loop when parsing invalid usemap specification in text and
+	graphics mode (can cause browser lockup, but not otherwise exploitable)
+Accesses out of memory in the xbm decoder (potentionally exploitable)
+
+---
+ bfu.c  |    3 ++-
+ dip.c  |    3 ++-
+ html.c |    6 +++++-
+ xbm.c  |   20 ++++++++++----------
+ 4 files changed, 19 insertions(+), 13 deletions(-)
+
+Index: links-2.3pre1/bfu.c
+===================================================================
+--- links-2.3pre1.orig/bfu.c	2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/bfu.c	2012-04-09 23:39:56.000000000 +0200
+@@ -1382,7 +1382,8 @@ void dialog_func(struct window *win, str
+ clipbd_paste:
+ 					clipboard = get_clipboard_text(term);
+ 					if (clipboard) {
+-						if (strlen(di->cdata) < di->item->dlen - strlen(clipboard)) {
++						if (strlen(di->cdata) + strlen(clipboard) < (size_t)di->item->dlen ||
++						    strlen(di->cdata) + strlen(clipboard) < strlen(di->cdata)) {
+ 							memmove(di->cdata + di->cpos + strlen(clipboard), di->cdata + di->cpos, strlen(di->cdata) - di->cpos + 1);
+ 							memcpy(&di->cdata[di->cpos], clipboard, strlen(clipboard));
+ 							di->cpos += strlen(clipboard);
+Index: links-2.3pre1/dip.c
+===================================================================
+--- links-2.3pre1.orig/dip.c	2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/dip.c	2012-04-09 23:39:56.000000000 +0200
+@@ -1901,6 +1901,7 @@ int g_wrap_text(struct wrap_struct *w)
+ 	while (*w->text) {
+ 		int u;
+ 		int s;
++		unsigned char *l_text = w->text;
+ 		if (*w->text == ' ') w->last_wrap = w->text,
+ 				     w->last_wrap_obj = w->obj;
+ 		GET_UTF_8(w->text, u);
+@@ -1913,7 +1914,7 @@ int g_wrap_text(struct wrap_struct *w)
+ 			if (u != 0xad || *w->text == ' ') continue;
+ 			s = g_char_width(w->style, '-');
+ 			if (w->pos + s <= w->width || (!w->last_wrap && !w->last_wrap_obj)) {
+-				w->last_wrap = w->text;
++				w->last_wrap = l_text;
+ 				w->last_wrap_obj = w->obj;
+ 				continue;
+ 			}
+Index: links-2.3pre1/html.c
+===================================================================
+--- links-2.3pre1.orig/html.c	2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/html.c	2012-04-09 23:39:56.000000000 +0200
+@@ -2920,6 +2920,7 @@ int get_image_map(unsigned char *head, u
+ 		lblen = 0;
+ 		se3:
+ 		ss = s;
++		se4:
+ 		while (ss < eof && *ss != '<') ss++;
+ 		if (ss >= eof) {
+ 			mem_free(label);
+@@ -2933,7 +2934,10 @@ int get_image_map(unsigned char *head, u
+ 			s = skip_comment(s, eof);
+ 			goto se3;
+ 		}
+-		if (parse_element(s, eof, NULL, NULL, NULL, &ss)) goto se3;
++		if (parse_element(s, eof, NULL, NULL, NULL, &ss)) {
++			ss = s + 1;
++			goto se4;
++		}
+ 		if (!((namelen == 1 && !casecmp(name, "A", 1)) ||
+ 		      (namelen == 2 && !casecmp(name, "/A", 2)) ||
+ 		      (namelen == 3 && !casecmp(name, "MAP", 3)) ||
+Index: links-2.3pre1/xbm.c
+===================================================================
+--- links-2.3pre1.orig/xbm.c	2012-04-09 23:39:47.000000000 +0200
++++ links-2.3pre1/xbm.c	2012-04-09 23:39:56.000000000 +0200
+@@ -44,7 +44,7 @@ struct xbm_decoder{
+ extern int get_foreground(int rgb);
+ 
+ unsigned char *my_memmem(unsigned char *, int, unsigned char *, int);
+-void xbm_decode(struct cached_image *, unsigned char *, int);
++int xbm_decode(struct cached_image *, unsigned char *, int);
+ 
+ 
+ unsigned char *my_memmem(unsigned char *h, int hl, unsigned char *n, int nl)
+@@ -138,7 +138,7 @@ static inline void put_eight(struct cach
+ 
+ /* opravdovy dekoder xbm, data jsou bez komentaru */
+ /* length is always !=NULL */
+-void xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
++int xbm_decode(struct cached_image *cimg, unsigned char *data, int length)
+ {
+ 	struct xbm_decoder *deco=(struct xbm_decoder *)cimg->decoder;
+ 	/* okurky v decu ;-) */
+@@ -146,13 +146,13 @@ void xbm_decode(struct cached_image *cim
+ 	int must_return=0;
+ 
+ restart_again:
+-	if (must_return&&!length)return;
++	if (must_return&&!length)return 0;
+ 	must_return=0;
+ 	a=min(length,XBM_BUFFER_LEN-deco->buffer_pos);
+ 	memcpy(deco->buffer+deco->buffer_pos,data,a);
+ 	length-=a;
+ 	deco->buffer_pos+=a;
+-	if (!deco->buffer_pos)return; 	/* z toho nic plodnyho nevznikne */
++	if (!deco->buffer_pos)return 0; 	/* z toho nic plodnyho nevznikne */
+ 	data+=a;
+ 	if (!deco->in_data_block&&deco->partnum)
+ 	{
+@@ -220,7 +220,7 @@ restart_again:
+ 			cimg->green_gamma=display_green_gamma;
+ 			cimg->blue_gamma=display_blue_gamma;
+ 			cimg->strip_optimized=0;
+-			if (header_dimensions_known(cimg)) {img_end(cimg);return;}
++			if (header_dimensions_known(cimg)) {img_end(cimg);return 1;}
+ 			
+ 			deco->in_data_block=1;
+ 			p++;
+@@ -239,7 +239,7 @@ restart_again:
+ 		deco->buffer_pos=a;
+ 		if (deco->partnum)must_return=1;
+ 		else put_eight(cimg,(b==16&&d>2)||(b==10&&deco->actual_eight>255)?16:8);
+-		if (deco->image_pos>=deco->pixels) {img_end(cimg);return;}
++		if (deco->image_pos>=deco->pixels) {img_end(cimg);return 1;}
+ 		goto restart_again;
+ 		
+ 	}
+@@ -261,9 +261,9 @@ cycle_again:
+ 			unsigned char *p;
+ 			p=memchr(data,'/',length);
+ 			if (!p){xbm_decode(cimg, data, length);return;}
+-			xbm_decode(cimg, data, p-data);
+-			data=p+1;	/* preskocim lomitko */
++			if (xbm_decode(cimg, data, p-data)) return;
+ 			length-=p-data+1;
++			data=p+1;	/* preskocim lomitko */
+ 			deco->state=1;
+ 			goto cycle_again;
+ 		}
+@@ -271,7 +271,7 @@ cycle_again:
+ 		case 1: /* za 1. lomitkem */
+ 		{
+ 			if (*data=='*'){deco->state=2;data++;length--;goto cycle_again;}	/* zacal komentar */
+-			xbm_decode(cimg, "/", 1);
++			if (xbm_decode(cimg, "/", 1)) return;
+ 			deco->state=0;	/* to nebyl komentar */
+ 			goto cycle_again;
+ 		}
+@@ -281,8 +281,8 @@ cycle_again:
+ 			unsigned char *p;
+ 			p=memchr(data,'*',length);
+ 			if (!p)return;	/* furt komentar */
+-			data=p+1;	/* preskocim hvezdicku */
+ 			length-=p-data+1;
++			data=p+1;	/* preskocim hvezdicku */
+ 			deco->state=3;
+ 			goto cycle_again;
+ 		}
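Review bot: The overflow clause added on the second changed line of the bfu.c hunk is or'ed into the accept condition, so, if I read it right, a wrapped `strlen(di->cdata) + strlen(clipboard)` sum would satisfy the guard and let the memmove/memcpy proceed, which is the opposite of what that clause is meant to catch; two real strings cannot sum past SIZE_MAX, but the intent reads correctly and overflow-free if the subtraction is done on the side already known to fit: `size_t cl = strlen(di->cdata), pl = strlen(clipboard);` followed by `if (pl < (size_t)di->item->dlen && cl < (size_t)di->item->dlen - pl) {`. That form also removes the repeated strlen calls in the condition, and the three strlen(clipboard) calls on the following lines could reuse pl. The cast `(size_t)di->item->dlen` presumes dlen is never negative, which is worth stating in a comment on the field if that is the contract. dialog_func begins and ends outside the hunk, and in the xbm.c hunk the untouched `if (!p){xbm_decode(cimg, data, length);return;}` line still discards the new return value, which is harmless only because the caller returns immediately either way.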
diff -Nru links2-2.3~pre1/debian/patches/series links2-2.3~pre1/debian/patches/series
--- links2-2.3~pre1/debian/patches/series	2010-07-08 18:31:37.000000000 +0200
+++ links2-2.3~pre1/debian/patches/series	2012-04-24 17:51:57.000000000 +0200
@@ -1,3 +1,3 @@
 patches-as-of-link2-2.2-1.diff
 verify-ssl-certs-510417.diff
-
+security-fixes-668227.diff
