
Bug#773748: marked as done (unblock: unrtf/0.21.5-2)



Your message dated Tue, 23 Dec 2014 15:29:13 +0100
with message-id <20141223142913.GF6957@ugent.be>
and subject line Re: Bug#773748: unblock: unrtf/0.21.5-2
has caused the Debian Bug report #773748,
regarding unblock: unrtf/0.21.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
773748: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773748
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package unrtf

It fixes two security holes reported in #772811, CVE-2014-9274 and
CVE-2014-9275. Additionally, it fixes an access to already freed memory (these
two patches, 0004 and 0005, have to go together).

debdiff attached.

unblock unrtf/0.21.5-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog
--- unrtf-0.21.5/debian/changelog	2013-11-30 12:30:28.000000000 +0100
+++ unrtf-0.21.5/debian/changelog	2014-12-22 20:20:50.000000000 +0100
@@ -1,3 +1,14 @@
+unrtf (0.21.5-2) unstable; urgency=medium
+
+  * Security fixes, closes: #772811
+    - Fix CVE-2014-9274: check that accesses to color table stay within bounds
+    - Fix CVE-2014-9275: various crashes
+  * possible security fixes:
+    - Fix Invalid read of size 4 in attr_get_param
+    - attr_get_param(): Silence a warning message again
+
+ -- Willi Mann <willi@debian.org>  Mon, 22 Dec 2014 20:20:33 +0100
+
 unrtf (0.21.5-1) unstable; urgency=low
 
   * Imported Upstream version 0.21.5
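Review bot: the 0004 entry is filed under "possible security fixes", but the patch header further down quotes a Valgrind "Invalid read of size 4" at an address inside a block already free'd, i.e. a confirmed use-after-free rather than a possible one; consider wording it "Fix use-after-free in attrstack_drop() (invalid read in attr_get_param)" so the entry is recognisable to security tracking.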
diff -Nru unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch
--- unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,55 @@
+From: Jean-Francois Dockes <jfd@recoll.org>
+Date: Sun, 21 Dec 2014 10:08:26 +0100
+Subject: check that accesses to color table stay within bounds,
+ esp that the color number is positive. This fixes {\cb-999} crashing
+ unrtf
+
+This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15
+
+Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/
+Bug-Debian: http://bugs.debian.org/772811
+---
+ src/convert.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/convert.c b/src/convert.c
+index e563473..96bf438 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -868,6 +868,9 @@ process_color_table (Word *w)
+ 	r=g=b=0;
+ 
+ 	while(w) {
++                if (total_colors >= MAX_COLORS) {
++                        break;
++                }
+ 		char *s = word_string (w);
+ 
+ 		if (!strncmp("\\red",s,4)) {
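Review bot: the added `if (total_colors >= MAX_COLORS) break;` drops excess colour entries silently, whereas the other checks in this patch report through warning_handler(); emitting a warning here would make a truncated colour table visible in the output. Style: the new lines are indented with spaces while the surrounding code uses tabs, and putting a statement before the `char *s` declaration relies on C99 mixed declarations; placing the check after the declaration avoids both.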
+@@ -921,7 +924,7 @@ static int
+ cmd_cf (Word *w, int align, char has_param, int num) {
+ 	char str[40];
+ 
+-	if (!has_param || num>=total_colors) {
++	if (!has_param || num < 0 || num>=total_colors) {
+ 		warning_handler ("font color change attempted is invalid");
+ 	}
+ 	else
+@@ -948,7 +951,7 @@ static int
+ cmd_cb (Word *w, int align, char has_param, int num) {
+ 	char str[40];
+ 
+-	if (!has_param || num>=total_colors) {
++	if (!has_param || num < 0 || num>=total_colors) {
+ 		warning_handler ("font color change attempted is invalid");
+ 	}
+ 	else
+@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ {
+ 	char str[40];
+ 
+-	if (!has_param || num>=total_colors) {
++	if (!has_param || num < 0 || num>=total_colors) {
+ 		warning_handler ("font background color change attempted is invalid");
+ 	}
+ 	else
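Review bot: the identical `!has_param || num < 0 || num>=total_colors` test now lives in cmd_cf, cmd_cb and cmd_highlight; a small helper such as `color_index_ok(has_param, num)` would keep the three in step the next time the bound changes. The check itself is right: `num` comes straight from the RTF control-word parameter, so a negative value such as the `\cb-999` from the subject line previously indexed before the start of the colour table.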
diff -Nru unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch
--- unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,29 @@
+From: Jean-Francois Dockes <jfd@recoll.org>
+Date: Sun, 21 Dec 2014 10:47:03 +0100
+Subject: Need to process word chars as unsigned. Else char with hi bit set
+ can crash program
+
+Partially fixes CVE-2014-9275, according to
+https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
+
+Origin: https://bitbucket.org/medoc/unrtf-int/commits/1df886f2e65f7c512a6217588ae8d94d4bcbc63d/raw/
+Bug-Debian: http://bugs.debian.org/772811
+---
+ src/hash.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/hash.c b/src/hash.c
+index b886d1e..67c6a25 100644
+--- a/src/hash.c
++++ b/src/hash.c
+@@ -133,8 +133,8 @@ hashitem_new (char *str)
+ 
+ 	hi->str = my_strdup(str);
+ 
+-	i = *str;
+-	if (i=='\\') i=str[1];
++	i = (unsigned char)*str;
++	if (i=='\\') i=(unsigned char)str[1];
+ 	i <<= 24;
+ 	hi->value = i | (hash_value++ & 0xffffff);
+ 	hi->next = NULL;
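Review bot: the `(unsigned char)` casts stop high-bit characters from being sign-extended, but `i <<= 24` still shifts a value of up to 255 into the sign bit if `i` is a signed int (its declaration is outside the hunk), which is undefined behaviour in C even though it happens to work on common compilers. Declaring `i` as `unsigned int`, or computing `hi->value = ((unsigned)c << 24) | (hash_value++ & 0xffffff)`, closes that gap.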
diff -Nru unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch
--- unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,128 @@
+From: Jean-Francois Dockes <jfd@recoll.org>
+Date: Sun, 21 Dec 2014 10:51:47 +0100
+Subject: Fix a number of possible crashes caused by a bad format causing
+ word_string() to return NULL
+
+Second fix for CVE-2014-9275, according to
+https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html
+
+Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/
+Bug-Debian: http://bugs.debian.org/772811
+---
+ src/convert.c | 28 +++++++++++++++++-----------
+ 1 file changed, 17 insertions(+), 11 deletions(-)
+
+diff --git a/src/convert.c b/src/convert.c
+index 96bf438..bd84398 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -278,6 +278,8 @@ word_dump_date (Word *w)
+ 	CHECK_PARAM_NOT_NULL(w);
+ 	while (w) {
+ 	 	char *s = word_string (w);
++                if (!s)
++                        return;
+ 		if (*s == '\\') {
+ 			++s;
+ 			if (!strncmp (s, "yr", 2) && isdigit(s[2])) {
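Review bot: returning on a NULL word_string() is the right guard, but as this sits inside `while (w)` a NULL in the middle of the date group abandons the remaining fields; if skipping is preferable, advancing `w` and continuing would match how the later hunks in this patch treat a NULL string. The new lines are indented with spaces while the surrounding code uses tabs.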
+@@ -524,6 +526,8 @@ process_font_table (Word *w)
+ 
+         if ((w2 = w->child)) {
+             tmp = word_string(w2);
++            if (!tmp)
++                    break;
+             if (!strncmp("\\f", tmp, 2)) {
+                 num = atoi(&tmp[2]);
+                 name[0] = 0;
+@@ -704,7 +708,8 @@ process_info_group (Word *w)
+ 			char *s;
+ 
+ 			s = word_string(child);
+-
++                        if (!s)
++                                return;
+ 			if (!inline_mode) {
+ 				if (!strcmp("\\title", s)) {
+ 					
+@@ -712,11 +717,11 @@ process_info_group (Word *w)
+ 					w2=child->next;
+ 					while (w2) {
+ 						char *s2 = word_string(w2);
+-						if (s2[0] != '\\') 
++						if (s2 && s2[0] != '\\') 
+ 						{
+ 							print_with_special_exprs (s2);
+ 						}
+-						else
++						else if (s2)
+ 						{
+ 							if (s2[1] == '\'')
+ 							{
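Review bot: `if (s2 && s2[0] != '\\') ... else if (s2)` tests s2 twice; an early `if (!s2) { w2 = w2->next; continue; }` at the top of the loop body (the sibling loops below advance with `w2 = w2->next`) would express the NULL case once. Note that `s2[1]` in the else branch is safe only because `s2[0] == '\\'` guarantees at least the terminating byte follows.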
+@@ -735,7 +740,7 @@ process_info_group (Word *w)
+ 					w2=child->next;
+ 					while (w2) {
+ 						char *s2 = word_string(w2);
+-						if (s2[0] != '\\') 
++						if (s2 && s2[0] != '\\') 
+ 							printf("%s,", s2);
+ 						w2 = w2->next;
+ 					}
+@@ -746,7 +751,7 @@ process_info_group (Word *w)
+ 					w2=child->next;
+ 					while (w2) {
+ 						char *s2 = word_string(w2);
+-						if (s2[0] != '\\') 
++						if (s2 && s2[0] != '\\') 
+ 							printf("%s", s2);
+ 						w2 = w2->next;
+ 					}
+@@ -758,7 +763,7 @@ process_info_group (Word *w)
+ 					w2=child->next;
+ 					while (w2) {
+ 						char *s2 = word_string(w2);
+-						if (s2[0] != '\\') 
++						if (s2 && s2[0] != '\\') 
+ 							printf("%s", s2);
+ 						w2 = w2->next;
+ 					}
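Review bot: these three loops differ only in the format string, and each now skips a NULL-string word instead of dereferencing it, which is the safe choice; folding them into one helper taking the separator would mean the next guard is applied in a single place.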
+@@ -868,11 +873,10 @@ process_color_table (Word *w)
+ 	r=g=b=0;
+ 
+ 	while(w) {
+-                if (total_colors >= MAX_COLORS) {
++		char *s = word_string (w);
++                if (s == 0 || total_colors >= MAX_COLORS) {
+                         break;
+                 }
+-		char *s = word_string (w);
+-
+ 		if (!strncmp("\\red",s,4)) {
+ 			r = atoi(&s[4]);
+ 			while(r>255) r>>=8;
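Review bot: this hunk rewrites the lines patch 0001 added to the same function (moving `char *s` above the check and adding `s == 0`), so 0003 depends on 0001 being applied first and the 0001 hunk can no longer be dropped on its own; worth noting if the two are ever forwarded separately. Minor: `s == 0` here versus `!s` in the other hunks of this patch.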
+@@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_param, int num) {
+ 			char *s;
+ 
+ 			s = word_string(child);
++                        if (!s)
++                                return FALSE;
+ #if 1 /* daved experimenting with fldrslt */
+ 			if(!strcmp("\\fldrslt", s))
+ 				return FALSE;
+@@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
+ 				    if (s && !strcmp(s, "SYMBOL") )
+ 				    {
+ 					w4=w3->next;
+-					while(w4 && !strcmp(word_string(w4), " "))
++					while(w4 && word_string(w4) && !strcmp(word_string(w4), " "))
+ 						w4 = w4->next;
+ 					s4 = word_string(w4);
+ 					if (s4)
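Review bot: with `word_string(w4)` in the loop condition, a word whose string is NULL stops the blank-skipping loop rather than being skipped; that is safe because `s4 = word_string(w4)` is then NULL and the `if (s4)` below catches it. The loop now calls word_string() twice per iteration; caching it in a local, `while (w4 && (s4 = word_string(w4)) && !strcmp(s4, " "))`, reads more clearly.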
+@@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_param, int num) {
+ 						    Word *w4;
+ 						    char *s4;
+ 						    w4=w3->next;
+-						    while (w4 && !strcmp(" ", word_string(w4)))
++						    while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))
+ 							    w4=w4->next;
+ 						    if (w4) {
+ 							    s4=word_string(w4);
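Review bot: same pattern as the previous hunk, but here `s4=word_string(w4)` inside `if (w4)` can still be NULL (the loop exits on a NULL string) and the code that uses s4 is outside the hunk; please confirm s4 is NULL-checked before use, otherwise the guard only moves the dereference one line down.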
diff -Nru unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch
--- unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,37 @@
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Thu, 4 Dec 2014 18:15:29 +0100
+Subject: attrstack_drop(): Properly drop the last stack element
+
+Previously stack_of_stacks_top would point to free'd memory,
+resulting in:
+
+==38960== Invalid read of size 4
+==38960==    at 0x402853: attr_get_param (attr.c:355)
+==38960==    by 0x40818A: word_print_core (convert.c:3412)
+==38960==    by 0x406DBC: word_print (convert.c:3451)
+==38960==    by 0x40CA27: main (main.c:267)
+==38960==  Address 0x1e065e0 is 90,000 bytes inside a block of size 90,016 free'd
+==38960==    at 0x1068498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
+==38960==    by 0x40CBD3: my_free (malloc.c:91)
+==38960==    by 0x402E8C: attrstack_drop (attr.c:582)
+==38960==    by 0x40812F: word_print_core (convert.c:3403)
+==38960==    by 0x406DBC: word_print (convert.c:3451)
+==38960==    by 0x40CA27: main (main.c:267)
+==38960==
+---
+ src/attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index bc19b6c..2c2552b 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -571,7 +571,7 @@ attrstack_drop ()
+ 	while(prev_stack && prev_stack->next && prev_stack->next != stack)
+ 		prev_stack = prev_stack->next;
+ 
+-	if (prev_stack) {
++	if (prev_stack && (prev_stack != stack_of_stacks_top)) {
+ 		stack_of_stacks_top = prev_stack;
+ 		prev_stack->next = NULL;
+ 	} else {
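Review bot: the new condition relies on `prev_stack` equalling `stack_of_stacks_top` exactly when the stack holds a single element; the direct test is `prev_stack && prev_stack->next == stack`, which also covers the search loop exiting with `prev_stack->next == NULL` without having found `stack` (there prev_stack != top, so the old branch still runs and re-points the top at an unrelated element). Please confirm the else branch clears stack_of_stacks_top before the element is freed; it is outside the visible lines.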
diff -Nru unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch
--- unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,32 @@
+From: Fabian Keil <fk@fabiankeil.de>
+Date: Thu, 4 Dec 2014 18:20:12 +0100
+Subject: attr_get_param(): Silence a warning message again
+
+attr_get_param(ATTR_ENCODING) is always called once without a stack
+being available, but previously the use-after-free prevented the
+warning.
+---
+ src/attr.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 2c2552b..0337fd0 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -348,8 +348,14 @@ attr_get_param(int attr)
+ 	int i;
+ 	AttrStack *stack = stack_of_stacks_top;
+ 	if (!stack) {
+-		warning_handler("No stack to get attribute from");
+-		return;
++		if (attr != ATTR_ENCODING) {
++			/*
++			 * attr_get_param(ATTR_ENCODING) is always called
++			 * called once without a stack being available.
++			 */
++			warning_handler("No stack to get attribute from");
++		}
++		return NULL;
+ 	}
+ 
+ 	i=stack->tos;
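Review bot: the comment on the new lines repeats "called" ("is always called / called once"); drop one. The switch from bare `return;` to `return NULL;` is a fix in its own right if attr_get_param() returns a pointer (the return type is outside the hunk), since a valueless return in a non-void function leaves the caller with an indeterminate value; the changelog only mentions the silenced warning. Special-casing ATTR_ENCODING hides a call that happens before any stack exists; a follow-up could make that caller not depend on the stack instead of suppressing the diagnostic here.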
diff -Nru unrtf-0.21.5/debian/patches/series unrtf-0.21.5/debian/patches/series
--- unrtf-0.21.5/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/series	2014-12-21 22:04:20.000000000 +0100
@@ -0,0 +1,5 @@
+0001-check-that-accesses-to-color-table-stay-within-bound.patch
+0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch
+0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch
+0004-attrstack_drop-Properly-drop-the-last-stack-element.patch
+0005-attr_get_param-Silence-a-warning-message-again.patch
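Review bot: order matters in this series: 0003's `index 96bf438..bd84398` starts from 0001's post-image of src/convert.c, and 0005's `index 2c2552b..0337fd0` starts from 0004's post-image of src/attr.c, so the listing is consistent with the patch headers and 0004/0005 must stay together as the request says.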

--- End Message ---
--- Begin Message ---
Hi,

On Mon, Dec 22, 2014 at 10:43:33PM +0100, Willi Mann wrote:
> Please unblock package unrtf

Unblocked.

Cheers,

Ivo

--- End Message ---
