
Bug#697557: marked as done (unblock: swi-prolog/5.10.4-5)



Your message dated Sun, 06 Jan 2013 22:56:30 +0000
with message-id <1357512990.6386.62.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#697557: unblock: swi-prolog/5.10.4-5
has caused the Debian Bug report #697557,
regarding unblock: swi-prolog/5.10.4-5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
697557: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697557
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package swi-prolog

This version fixes two security issues, CVE-2012-6089 and CVE-2012-6090,
both possible buffer overflows. See also bug #697416.

The full list of changes in this version:

  * New patches (taken from RedHat bugzilla, closes: #697416):
    - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in
      path canonisation code
    - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows
      when expanding file-names with long paths
  * Urgency "medium" because of a fix for a security bug
 
The debdiff against package in testing is attached.

unblock swi-prolog/5.10.4-5

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=uk_UA.UTF-8, LC_CTYPE=uk_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru swi-prolog-5.10.4/debian/changelog swi-prolog-5.10.4/debian/changelog
--- swi-prolog-5.10.4/debian/changelog	2012-10-08 21:55:23.000000000 +0200
+++ swi-prolog-5.10.4/debian/changelog	2013-01-05 03:44:17.000000000 +0100
@@ -1,3 +1,14 @@
+swi-prolog (5.10.4-5) unstable; urgency=medium
+
+  * New patches (taken from RedHat bugzilla, closes: #697416):
+    - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in
+      path canonisation code
+    - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows
+      when expanding file-names with long paths 
+  * Urgency "medium" because of a fix for a security bug
+
+ -- Євгеній Мещеряков <eugen@debian.org>  Sat, 05 Jan 2013 03:43:46 +0100
+
 swi-prolog (5.10.4-4) unstable; urgency=medium
 
   * Build-conflict with libncursesw5-dev, so it will not be used during build
diff -Nru swi-prolog-5.10.4/debian/patches/CVE-2012-6089.diff swi-prolog-5.10.4/debian/patches/CVE-2012-6089.diff
--- swi-prolog-5.10.4/debian/patches/CVE-2012-6089.diff	1970-01-01 01:00:00.000000000 +0100
+++ swi-prolog-5.10.4/debian/patches/CVE-2012-6089.diff	2013-01-05 03:44:17.000000000 +0100
@@ -0,0 +1,97 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6089 - Possible buffer overrun in path canonisation code
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6089
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 6149f39ada50f7ebc6b0cb7756490a0fea967bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:33:11 +0100
+Subject: [PATCH 1/2] Fix CVE-2012-6089
+
+Upstream fix ported to 5.10.2:
+
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks.  Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/pl-buffer.h |  2 ++
+ src/pl-os.c     | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/src/os/pl-buffer.h
++++ b/src/os/pl-buffer.h
+@@ -83,6 +83,8 @@
+ 				  sizeof((b)->static_buffer))
+ #define emptyBuffer(b)           ((b)->top  = (b)->base)
+ #define isEmptyBuffer(b)         ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++	((b)->top -= sizeof(type), *(type*)(b)->top)
+ 
+ #define discardBuffer(b) \
+ 	do \
+--- a/src/os/pl-os.c
++++ b/src/os/pl-os.c
+@@ -1081,8 +1081,7 @@
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+-  char *osave[100];
+-  int  osavep = 0;
++  tmp_buffer saveb;
+ 
+ #ifdef O_HASDRIVES			/* C: */
+   if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1110,7 +1109,8 @@
+     in += 2;
+   if ( in[0] == '/' )
+     *out++ = '/';
+-  osave[osavep++] = out;
++  initBuffer(&saveb);
++  addBuffer(&saveb, out, char*);
+ 
+   while(*in)
+   { if (*in == '/')
+@@ -1126,15 +1126,15 @@
+ 	  }
+ 	  if ( in[2] == EOS )		/* delete trailing /. */
+ 	  { *out = EOS;
+-	    return path;
++	    goto out;
+ 	  }
+ 	  if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+-	  { if ( osavep > 0 )		/* delete /foo/../ */
+-	    { out = osave[--osavep];
++	  { if ( !isEmptyBuffer(&saveb) )		/* delete /foo/../ */
++	    { out = popBuffer(&saveb, char*);
+ 	      in += 3;
+ 	      if ( in[0] == EOS && out > start+1 )
+ 	      { out[-1] = EOS;		/* delete trailing / */
+-		return path;
++		goto out;
+ 	      }
+ 	      goto again;
+ 	    } else if (	start[0] == '/' && out == start+1 )
+@@ -1148,12 +1148,15 @@
+ 	in++;
+       if ( out > path && out[-1] != '/' )
+ 	*out++ = '/';
+-      osave[osavep++] = out;
++      addBuffer(&saveb, out, char*);
+     } else
+       *out++ = *in++;
+   }
+   *out++ = *in++;
+ 
++out:
++  discardBuffer(&saveb);
++
+   return path;
+ }
+ 
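Review bot: The new `popBuffer(b,type)` macro in pl-buffer.h moves `top` back by `sizeof(type)` with no check that the buffer is non-empty, so it walks below `base` if called without the `!isEmptyBuffer(&saveb)` test that guards its only use in this hunk; the macro should carry that precondition, e.g. `/* pop last element; caller must ensure !isEmptyBuffer(b) - no underflow check */`. The two visible `return path` statements become `goto out` so that `discardBuffer(&saveb)` always runs, but the nested hunks leave gaps inside canoniseFileName (the `again:` label and the body of the `else if ( start[0] == '/' && out == start+1 )` branch are not shown), and any return on those unseen lines between `initBuffer` and `out:` would skip the discard and presumably leak whatever heap storage the buffer acquired once it outgrew `static_buffer`. `popBuffer` also evaluates `b` twice, harmless for `&saveb` but worth stating in the same comment.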
diff -Nru swi-prolog-5.10.4/debian/patches/CVE-2012-6090.diff swi-prolog-5.10.4/debian/patches/CVE-2012-6090.diff
--- swi-prolog-5.10.4/debian/patches/CVE-2012-6090.diff	1970-01-01 01:00:00.000000000 +0100
+++ swi-prolog-5.10.4/debian/patches/CVE-2012-6090.diff	2013-01-05 03:44:17.000000000 +0100
@@ -0,0 +1,126 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6090 - Possible buffer overflows when expanding file-names with long paths
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6090
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 212e2fcac834dec25a4fa0f4fd4652bfd19cdeea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:35:27 +0100
+Subject: [PATCH 2/2] Fix CVE-2012-6090
+
+Upstream fix ported to 5.10.2:
+
+From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 17:29:37 +0100
+Subject: [PATCH] SECURITY: Possible buffer overflows when expanding
+ file-names with long paths.  Affects expand_file_name/2.
+
+Can lead to crashes (DoS attacks) and possibly execution of arbitrary
+code if an attacker can control the names of the files searched for,
+e.g., if expand_file_name/2 is used in a directory to which an attacker
+can upload files for which he can control the name.
+---
+ src/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/src/pl-glob.c b/src/pl-glob.c
+index 417a69c..1fad6ca 100644
+--- a/src/os/pl-glob.c
++++ b/src/os/pl-glob.c
+@@ -423,6 +423,7 @@ expand(const char *pattern, GlobInfo info)
+   compiled_pattern cbuf;
+   char prefix[MAXPATHLEN];		/* before first pattern */
+   char patbuf[MAXPATHLEN];		/* pattern buffer */
++  size_t prefix_len;
+   int end, dot;
+ 
+   initBuffer(&info->files);
+@@ -441,20 +442,25 @@ expand(const char *pattern, GlobInfo info)
+       switch( (c=*s++) )
+       { case EOS:
+ 	  if ( s > pat )		/* something left and expanded */
+-	  { un_escape(prefix, pat, s);
++	  { size_t prefix_len;
++
++	    un_escape(prefix, pat, s);
++	    prefix_len = strlen(prefix);
+ 
+ 	    end = info->end;
+ 	    for( ; info->start < end; info->start++ )
+ 	    { char path[MAXPATHLEN];
+-	      size_t plen;
+-
+-	      strcpy(path, expand_entry(info, info->start));
+-	      plen = strlen(path);
+-	      if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+-		path[plen++] = '/';
+-	      strcpy(&path[plen], prefix);
+-	      if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+-		add_path(path, info);
++	      const char *entry = expand_entry(info, info->start);
++	      size_t plen = strlen(entry);
++
++	      if ( plen+prefix_len+2 <= MAXPATHLEN )
++	      { strcpy(path, entry);
++		if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
++		  path[plen++] = '/';
++		strcpy(&path[plen], prefix);
++		if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
++		  add_path(path, info);
++	      }
+ 	    }
+ 	  }
+ 	  succeed;
+@@ -489,8 +495,9 @@ expand(const char *pattern, GlobInfo info)
+ */
+     un_escape(prefix, pat, head);
+     un_escape(patbuf, head, tail);
++    prefix_len = strlen(prefix);
+ 
+-    if ( !compilePattern(patbuf, &cbuf) )		/* syntax error */
++    if ( !compilePattern(patbuf, &cbuf) )	/* syntax error */
+       fail;
+     dot = (patbuf[0] == '.');			/* do dots as well */
+ 
+@@ -502,12 +509,16 @@ expand(const char *pattern, GlobInfo info)
+       char path[MAXPATHLEN];
+       char tmp[MAXPATHLEN];
+       const char *current = expand_entry(info, info->start);
++      size_t clen = strlen(current);
++
++      if ( clen+prefix_len+1 > sizeof(path) )
++	continue;
+ 
+       strcpy(path, current);
+-      strcat(path, prefix);
++      strcpy(&path[clen], prefix);
+ 
+       if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
+-      { size_t plen = strlen(path);
++      { size_t plen = clen+prefix_len;
+ 
+ 	if ( plen > 0 && path[plen-1] != '/' )
+ 	  path[plen++] = '/';
+@@ -521,12 +532,11 @@ expand(const char *pattern, GlobInfo info)
+ 	       matchPattern(e->d_name, &cbuf) )
+ 	  { char newp[MAXPATHLEN];
+ 
+-	    strcpy(newp, path);
+-	    strcpy(&newp[plen], e->d_name);
+-/*	    if ( !tail[0] || ExistsDirectory(newp) )
+-	    Saves memory, but involves one more file-access
+-*/
++	    if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
++	    { strcpy(newp, path);
++	      strcpy(&newp[plen], e->d_name);
+ 	      add_path(newp, info);
++	    }
+ 	  }
+ 	}
+ 	closedir(d);
+-- 
+1.7.11.7
+
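Review bot: `strcpy(newp, path)` in the readdir loop copies `path` after `path[plen++] = '/'` has overwritten the NUL that `strcpy(&path[clen], prefix)` placed at `path[plen]`, so unless the lines between the two nested hunks re-terminate it, the copy runs past the prefix into uninitialized bytes of `path`. Since the new `clen+prefix_len+1 > sizeof(path)` guard still lets the appended '/' land on the last byte of `path`, `path[plen] = EOS` is not a safe fix; `memcpy(newp, path, plen);` is, because the new `plen+strlen(e->d_name)+1 < sizeof(newp)` check already bounds it. The `size_t prefix_len;` declared inside the `case EOS:` block shadows the function-scope `prefix_len` this patch adds a few lines earlier; drop the inner declaration and assign the outer one. The three length checks also mix `MAXPATHLEN` with `sizeof(path)`/`sizeof(newp)` and `<=` with `>`, and a single form would make the arithmetic easier to audit. expand() begins before the first nested hunk and continues past the last.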
diff -Nru swi-prolog-5.10.4/debian/patches/series swi-prolog-5.10.4/debian/patches/series
--- swi-prolog-5.10.4/debian/patches/series	2012-10-08 21:55:23.000000000 +0200
+++ swi-prolog-5.10.4/debian/patches/series	2013-01-05 03:44:17.000000000 +0100
@@ -1 +1,3 @@
 swi-prolog-mipsel-FTBFS.diff
+CVE-2012-6089.diff
+CVE-2012-6090.diff

--- End Message ---
--- Begin Message ---
On Sun, 2013-01-06 at 23:49 +0100, Євгеній Мещеряков wrote:
> Please unblock package swi-prolog
> 
> This version fixes two security issues, CVE-2012-6089 and CVE-2012-6090,
> both possible buffer overflows. See also bug #697416.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
