Bug#775311: unblock: libmspack/0.4-3
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal
Coin,
Sorry to bother you again.
This upload fixes nasty programming mistakes with security
implications (see #774725 and #774726). It only affects wheezy through
this library. These patches are quite small and are the only changes
(debdiff attached).
Command:
unblock libmspack/0.4-3
Thanks.
--
Marc Dequènes
diff -Nru libmspack-0.4/debian/changelog libmspack-0.4/debian/changelog
--- libmspack-0.4/debian/changelog 2014-12-30 17:44:28.000000000 +0100
+++ libmspack-0.4/debian/changelog 2015-01-13 22:51:42.000000000 +0100
@@ -1,3 +1,14 @@
+libmspack (0.4-3) unstable; urgency=medium
+
+ * Added (slightly modified/split) patches from Jakub Wilk to fix
+ programmation errors causing segfaults and security issues:
+ - fix-division-by-zero.patch
+ - fix-pointer-arithmetic-overflow.patch
+ - fix-name-field-boundaries.patch
+ (Closes: #774725, #774726)
+
+ -- Marc Dequènes (Duck) <Duck@DuckCorp.org> Tue, 13 Jan 2015 22:51:40 +0100
+
libmspack (0.4-2) unstable; urgency=medium
* Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow
diff -Nru libmspack-0.4/debian/patches/fix-division-by-zero.patch libmspack-0.4/debian/patches/fix-division-by-zero.patch
--- libmspack-0.4/debian/patches/fix-division-by-zero.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-division-by-zero.patch 2015-01-13 21:53:19.000000000 +0100
@@ -0,0 +1,13 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm
+ }
+
+ /* validate reset_interval */
+- if (reset_interval % LZX_FRAME_SIZE) {
++ if (!reset_interval || reset_interval % LZX_FRAME_SIZE) {
+ D(("bad controldata reset interval"))
+ return self->error = MSPACK_ERR_DATAFORMAT;
+ }
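Review bot: This patch file starts directly at `Index:` with no DEP-3 header, so nothing in it records where the fix came from or which bug it closes; the same holds for fix-name-field-boundaries.patch and fix-pointer-arithmetic-overflow.patch. The changelog attributes the patches to Jakub Wilk and closes #774725 and #774726, so I would add `Description: reject a zero reset_interval in chmd_init_decomp`, `Author: Jakub Wilk` and a `Bug-Debian:` line naming whichever of the two bugs this fix belongs to. Inside the hunk, the comment `/* validate reset_interval */` could become `/* reset_interval must be a non-zero multiple of LZX_FRAME_SIZE */` so the zero case is not dropped in a later cleanup. chmd_init_decomp continues outside the hunk, so the division this guards is not visible here.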
diff -Nru libmspack-0.4/debian/patches/fix-name-field-boundaries.patch libmspack-0.4/debian/patches/fix-name-field-boundaries.patch
--- libmspack-0.4/debian/patches/fix-name-field-boundaries.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-name-field-boundaries.patch 2015-01-13 21:59:01.000000000 +0100
@@ -0,0 +1,15 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -445,7 +445,9 @@ static int chmd_read_headers(struct mspa
+ num_entries = EndGetI16(end);
+
+ while (num_entries--) {
+- READ_ENCINT(name_len); name = p; p += name_len;
++ READ_ENCINT(name_len);
++ if (name_len > end - p) goto chunk_end;
++ name = p; p += name_len;
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
diff -Nru libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch
--- libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch 2015-01-13 21:58:58.000000000 +0100
@@ -0,0 +1,22 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -746,7 +746,7 @@ static int search_chunk(struct mschmd_he
+ /* compare filename with entry QR points to */
+ p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
+ READ_ENCINT(name_len);
+- if (p + name_len > end) goto chunk_end;
++ if (name_len > end - p) goto chunk_end;
+ cmp = compare(filename, (char *)p, fname_len, name_len);
+
+ if (cmp == 0) break;
+@@ -783,7 +783,7 @@ static int search_chunk(struct mschmd_he
+ *result = NULL;
+ while (num_entries-- > 0) {
+ READ_ENCINT(name_len);
+- if (p + name_len > end) goto chunk_end;
++ if (name_len > end - p) goto chunk_end;
+ cmp = compare(filename, (char *)p, fname_len, name_len);
+ p += name_len;
+
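Review bot: Neither rewritten check in search_chunk carries a comment saying why the bound is written as `name_len > end - p`, and the form it replaces, `p + name_len > end`, looks equivalent enough to be restored by a later tidy-up. I would put `/* compare against the remaining length; p + name_len can be computed past the buffer for a large name_len */` above the first check and refer to it from the second. Both inner hunks show only part of search_chunk, so the declarations of p, end and name_len are not visible here.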
diff -Nru libmspack-0.4/debian/patches/series libmspack-0.4/debian/patches/series
--- libmspack-0.4/debian/patches/series 2014-12-30 17:10:37.000000000 +0100
+++ libmspack-0.4/debian/patches/series 2015-01-13 21:58:41.000000000 +0100
@@ -1 +1,4 @@
qtmd-fix-frame_end-overflow.patch
+fix-division-by-zero.patch
+fix-pointer-arithmetic-overflow.patch
+fix-name-field-boundaries.patch