
Bug#697563: pu: package swi-prolog/5.10.1-1+b1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

The version of swi-prolog in squeeze has two unfixed minor security
vulnerabilities, the buffer overflows CVE-2012-6089 and CVE-2012-6090
(bug #697416). The security team decided that there will be no DSA for
these issues, so it was proposed to fix them via a stable update instead.

The proposed debdiff is attached. The new version adds two patches
taken from RedHat bugzilla (one refreshed) and changes the Maintainer
field in debian/control.

Regards,
Eugeniy Meshcheryakov

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.7-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=uk_UA.UTF-8, LC_CTYPE=uk_UA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru swi-prolog-5.10.1/debian/changelog swi-prolog-5.10.1/debian/changelog
--- swi-prolog-5.10.1/debian/changelog	2010-08-02 07:01:49.000000000 +0200
+++ swi-prolog-5.10.1/debian/changelog	2013-01-07 00:07:27.000000000 +0100
@@ -1,3 +1,14 @@
+swi-prolog (5.10.1-2) stable; urgency=low
+
+  * Update Maintainer field in debian/control 
+  * New patches (taken from RedHat bugzilla, closes: #697416):
+    - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in
+      path canonisation code 
+    - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows
+      when expanding file-names with long paths 
+
+ -- Євгеній Мещеряков <eugen@debian.org>  Mon, 07 Jan 2013 00:02:00 +0100
+
 swi-prolog (5.10.1-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru swi-prolog-5.10.1/debian/control swi-prolog-5.10.1/debian/control
--- swi-prolog-5.10.1/debian/control	2010-08-02 07:01:49.000000000 +0200
+++ swi-prolog-5.10.1/debian/control	2013-01-07 00:07:27.000000000 +0100
@@ -1,7 +1,7 @@
 Source: swi-prolog
 Section: interpreters
 Priority: optional
-Maintainer: Chris Lamb <lamby@debian.org>
+Maintainer: Євгеній Мещеряков <eugen@debian.org>
 Build-Depends: debhelper (>= 5), autoconf, autotools-dev, libncurses5-dev, libreadline-dev, libgmp3-dev, libjpeg-dev, libx11-dev, libxpm-dev, libxt-dev, x11proto-core-dev, chrpath, unixodbc-dev, openjdk-6-jdk [alpha amd64 armel i386 ia64 mips mipsel powerpc s390 sparc], libxft-dev, libxext-dev, libice-dev, libxinerama-dev
 Standards-Version: 3.9.1
 Vcs-Git: git://git.chris-lamb.co.uk/debian/pkg-swi-prolog.git
diff -Nru swi-prolog-5.10.1/debian/patches/CVE-2012-6089.diff swi-prolog-5.10.1/debian/patches/CVE-2012-6089.diff
--- swi-prolog-5.10.1/debian/patches/CVE-2012-6089.diff	1970-01-01 01:00:00.000000000 +0100
+++ swi-prolog-5.10.1/debian/patches/CVE-2012-6089.diff	2013-01-07 00:07:27.000000000 +0100
@@ -0,0 +1,90 @@
+From 6149f39ada50f7ebc6b0cb7756490a0fea967bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:33:11 +0100
+Subject: [PATCH 1/2] Fix CVE-2012-6089
+
+Upstream fix ported to 5.10.2:
+
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks.  Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/pl-buffer.h |  2 ++
+ src/pl-os.c     | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/src/pl-buffer.h
++++ b/src/pl-buffer.h
+@@ -79,6 +79,8 @@
+ 				  sizeof((b)->static_buffer))
+ #define emptyBuffer(b)           ((b)->top  = (b)->base)
+ #define isEmptyBuffer(b)         ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++	((b)->top -= sizeof(type), *(type*)(b)->top)
+ 
+ #define discardBuffer(b) \
+ 	do \
+--- a/src/pl-os.c
++++ b/src/pl-os.c
+@@ -1078,8 +1078,7 @@
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+-  char *osave[100];
+-  int  osavep = 0;
++  tmp_buffer saveb;
+ 
+ #ifdef O_HASDRIVES			/* C: */
+   if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1107,7 +1106,8 @@
+     in += 2;
+   if ( in[0] == '/' )
+     *out++ = '/';
+-  osave[osavep++] = out;
++  initBuffer(&saveb);
++  addBuffer(&saveb, out, char*);
+ 
+   while(*in)
+   { if (*in == '/')
+@@ -1123,15 +1123,15 @@
+ 	  }
+ 	  if ( in[2] == EOS )		/* delete trailing /. */
+ 	  { *out = EOS;
+-	    return path;
++	    goto out;
+ 	  }
+ 	  if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+-	  { if ( osavep > 0 )		/* delete /foo/../ */
+-	    { out = osave[--osavep];
++	  { if ( !isEmptyBuffer(&saveb) )		/* delete /foo/../ */
++	    { out = popBuffer(&saveb, char*);
+ 	      in += 3;
+ 	      if ( in[0] == EOS && out > start+1 )
+ 	      { out[-1] = EOS;		/* delete trailing / */
+-		return path;
++		goto out;
+ 	      }
+ 	      goto again;
+ 	    } else if (	start[0] == '/' && out == start+1 )
+@@ -1145,12 +1145,15 @@
+ 	in++;
+       if ( out > path && out[-1] != '/' )
+ 	*out++ = '/';
+-      osave[osavep++] = out;
++      addBuffer(&saveb, out, char*);
+     } else
+       *out++ = *in++;
+   }
+   *out++ = *in++;
+ 
++out:
++  discardBuffer(&saveb);
++
+   return path;
+ }
+ 
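Review bot: The new cleanup label `out:` at the end of canoniseFileName has the same spelling as the local `char *out` the function writes through; labels have their own namespace so this compiles, but `goto out;` next to `*out = EOS;` reads as if it referred to the pointer, and a label such as `done:` would avoid the confusion. The two `return path;` statements visible in the hunks are turned into `goto out;` so the tmp_buffer is discarded, but the function body continues outside the shown hunks; any other `return path;` that still executes after `initBuffer(&saveb)` would presumably skip `discardBuffer` and leak whatever storage the buffer acquired, so the full function is worth checking for such paths. The added `popBuffer(b,type)` macro does no empty check and relies on the caller's `isEmptyBuffer` test, as the single call site does; a one-line comment above it, `/* caller must check !isEmptyBuffer(b) first */`, would make that contract explicit.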
diff -Nru swi-prolog-5.10.1/debian/patches/CVE-2012-6090.diff swi-prolog-5.10.1/debian/patches/CVE-2012-6090.diff
--- swi-prolog-5.10.1/debian/patches/CVE-2012-6090.diff	1970-01-01 01:00:00.000000000 +0100
+++ swi-prolog-5.10.1/debian/patches/CVE-2012-6090.diff	2013-01-07 00:07:27.000000000 +0100
@@ -0,0 +1,119 @@
+From 212e2fcac834dec25a4fa0f4fd4652bfd19cdeea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:35:27 +0100
+Subject: [PATCH 2/2] Fix CVE-2012-6090
+
+Upstream fix ported to 5.10.2:
+
+From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 17:29:37 +0100
+Subject: [PATCH] SECURITY: Possible buffer overflows when expanding
+ file-names with long paths.  Affects expand_file_name/2.
+
+Can lead to crashes (DoS attacks) and possibly execution of arbitrary
+code if an attacker can control the names of the files searched for,
+e.g., if expand_file_name/2 is used in a directory to which an attacker
+can upload files for which he can control the name.
+---
+ src/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/src/pl-glob.c b/src/pl-glob.c
+index 417a69c..1fad6ca 100644
+--- a/src/pl-glob.c
++++ b/src/pl-glob.c
+@@ -423,6 +423,7 @@ expand(const char *pattern, GlobInfo info)
+   compiled_pattern cbuf;
+   char prefix[MAXPATHLEN];		/* before first pattern */
+   char patbuf[MAXPATHLEN];		/* pattern buffer */
++  size_t prefix_len;
+   int end, dot;
+ 
+   initBuffer(&info->files);
+@@ -441,20 +442,25 @@ expand(const char *pattern, GlobInfo info)
+       switch( (c=*s++) )
+       { case EOS:
+ 	  if ( s > pat )		/* something left and expanded */
+-	  { un_escape(prefix, pat, s);
++	  { size_t prefix_len;
++
++	    un_escape(prefix, pat, s);
++	    prefix_len = strlen(prefix);
+ 
+ 	    end = info->end;
+ 	    for( ; info->start < end; info->start++ )
+ 	    { char path[MAXPATHLEN];
+-	      size_t plen;
+-
+-	      strcpy(path, expand_entry(info, info->start));
+-	      plen = strlen(path);
+-	      if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+-		path[plen++] = '/';
+-	      strcpy(&path[plen], prefix);
+-	      if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+-		add_path(path, info);
++	      const char *entry = expand_entry(info, info->start);
++	      size_t plen = strlen(entry);
++
++	      if ( plen+prefix_len+2 <= MAXPATHLEN )
++	      { strcpy(path, entry);
++		if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
++		  path[plen++] = '/';
++		strcpy(&path[plen], prefix);
++		if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
++		  add_path(path, info);
++	      }
+ 	    }
+ 	  }
+ 	  succeed;
+@@ -489,8 +495,9 @@ expand(const char *pattern, GlobInfo info)
+ */
+     un_escape(prefix, pat, head);
+     un_escape(patbuf, head, tail);
++    prefix_len = strlen(prefix);
+ 
+-    if ( !compilePattern(patbuf, &cbuf) )		/* syntax error */
++    if ( !compilePattern(patbuf, &cbuf) )	/* syntax error */
+       fail;
+     dot = (patbuf[0] == '.');			/* do dots as well */
+ 
+@@ -502,12 +509,16 @@ expand(const char *pattern, GlobInfo info)
+       char path[MAXPATHLEN];
+       char tmp[MAXPATHLEN];
+       const char *current = expand_entry(info, info->start);
++      size_t clen = strlen(current);
++
++      if ( clen+prefix_len+1 > sizeof(path) )
++	continue;
+ 
+       strcpy(path, current);
+-      strcat(path, prefix);
++      strcpy(&path[clen], prefix);
+ 
+       if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
+-      { size_t plen = strlen(path);
++      { size_t plen = clen+prefix_len;
+ 
+ 	if ( plen > 0 && path[plen-1] != '/' )
+ 	  path[plen++] = '/';
+@@ -521,12 +532,11 @@ expand(const char *pattern, GlobInfo info)
+ 	       matchPattern(e->d_name, &cbuf) )
+ 	  { char newp[MAXPATHLEN];
+ 
+-	    strcpy(newp, path);
+-	    strcpy(&newp[plen], e->d_name);
+-/*	    if ( !tail[0] || ExistsDirectory(newp) )
+-	    Saves memory, but involves one more file-access
+-*/
++	    if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
++	    { strcpy(newp, path);
++	      strcpy(&newp[plen], e->d_name);
+ 	      add_path(newp, info);
++	    }
+ 	  }
+ 	}
+ 	closedir(d);
+-- 
+1.7.11.7
+
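Review bot: The length check added in the `opendir` loop, `if ( clen+prefix_len+1 > sizeof(path) ) continue;`, reserves room only for the terminator, yet the same branch still appends a separator with `path[plen++] = '/'` when the joined string does not end in one; when `clen+prefix_len+1 == MAXPATHLEN` that leaves plen equal to MAXPATHLEN, and if the code following the hunk re-terminates path after the slash (which the later `strcpy(newp, path)` needs) that write lands one byte past the array. The earlier check in the `case EOS:` branch reserves two bytes for exactly this reason (`plen+prefix_len+2 <= MAXPATHLEN`), and the second check should match it: `if ( clen+prefix_len+2 > sizeof(path) ) continue;`. Separately, the patch declares `size_t prefix_len;` both at function scope and again inside the `case EOS:` block, so the inner declaration shadows the outer one; with the outer variable present, the inner declaration line can be dropped and only the assignment kept. expand()'s body continues outside the shown hunks.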
diff -Nru swi-prolog-5.10.1/debian/patches/series swi-prolog-5.10.1/debian/patches/series
--- swi-prolog-5.10.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ swi-prolog-5.10.1/debian/patches/series	2013-01-07 00:07:27.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2012-6089.diff
+CVE-2012-6090.diff
