
Bug#775311: marked as done (unblock: libmspack/0.4-3)



Your message dated Wed, 14 Jan 2015 00:26:58 +0100
with message-id <20150113232658.GH6099@ugent.be>
and subject line Re: Bug#775311: unblock: libmspack/0.4-3
has caused the Debian Bug report #775311,
regarding unblock: libmspack/0.4-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
775311: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=775311
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal


Coin,

Sorry to bother you again.

This upload fixes nasty programming mistakes with security implications (see #774725 and #774726). It only affects wheezy through this library. These patches are quite small and those are the only changes (debdiff attached).

Command:
  unblock libmspack/0.4-3

Thanks.
--
Marc Dequènes
diff -Nru libmspack-0.4/debian/changelog libmspack-0.4/debian/changelog
--- libmspack-0.4/debian/changelog	2014-12-30 17:44:28.000000000 +0100
+++ libmspack-0.4/debian/changelog	2015-01-13 22:51:42.000000000 +0100
@@ -1,3 +1,14 @@
+libmspack (0.4-3) unstable; urgency=medium
+
+  * Added (slightly modified/split) patches from Jakub Wilk to fix
+    programmation errors causing segfaults and security issues:
+    - fix-division-by-zero.patch
+    - fix-pointer-arithmetic-overflow.patch
+    - fix-name-field-boundaries.patch
+    (Closes: #774725, #774726)
+
+ -- Marc Dequènes (Duck) <Duck@DuckCorp.org>  Tue, 13 Jan 2015 22:51:40 +0100
+
 libmspack (0.4-2) unstable; urgency=medium
 
   * Added patch 'qtmd-fix-frame_end-overflow.patch' to fix an overflow
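Review bot: the changelog entry says the patches are "slightly modified/split" from Jakub Wilk's originals but not what was changed, and the three patch files that follow start directly at the Index: line with no description, author or bug reference. Add a short header to each patch stating its origin and which of #774725 / #774726 it addresses, so the mapping from three patches to two bug numbers is recorded next to the code.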
diff -Nru libmspack-0.4/debian/patches/fix-division-by-zero.patch libmspack-0.4/debian/patches/fix-division-by-zero.patch
--- libmspack-0.4/debian/patches/fix-division-by-zero.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-division-by-zero.patch	2015-01-13 21:53:19.000000000 +0100
@@ -0,0 +1,13 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -1123,7 +1123,7 @@ static int chmd_init_decomp(struct mschm
+   }
+ 
+   /* validate reset_interval */
+-  if (reset_interval % LZX_FRAME_SIZE) {
++  if (!reset_interval || reset_interval % LZX_FRAME_SIZE) {
+     D(("bad controldata reset interval"))
+     return self->error = MSPACK_ERR_DATAFORMAT;
+   }
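Review bot: the added `!reset_interval` test in chmd_init_decomp carries no explanation, and the existing comment still reads only "validate reset_interval", so a reader of chmd.c cannot tell that zero is rejected because the value is later used as a divisor (which is what the patch name implies; the division itself is not in this hunk). Extend the comment to say so, and consider giving the zero case its own D(()) message, since "bad controldata reset interval" now covers both a zero and a misaligned value.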
diff -Nru libmspack-0.4/debian/patches/fix-name-field-boundaries.patch libmspack-0.4/debian/patches/fix-name-field-boundaries.patch
--- libmspack-0.4/debian/patches/fix-name-field-boundaries.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-name-field-boundaries.patch	2015-01-13 21:59:01.000000000 +0100
@@ -0,0 +1,15 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -445,7 +445,9 @@ static int chmd_read_headers(struct mspa
+     num_entries = EndGetI16(end);
+ 
+     while (num_entries--) {
+-      READ_ENCINT(name_len); name = p; p += name_len;
++      READ_ENCINT(name_len);
++      if (name_len > end - p) goto chunk_end;
++      name = p; p += name_len;
+       READ_ENCINT(section);
+       READ_ENCINT(offset);
+       READ_ENCINT(length);
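Review bot: the new guard `if (name_len > end - p) goto chunk_end;` in chmd_read_headers is only sound if p is at or before end once READ_ENCINT(name_len) returns and name_len cannot be negative; neither the macro nor the declaration of name_len is visible here. If p can already be past end, `end - p` is negative and the result of comparing it with an unsigned name_len depends on integer conversion. Worth confirming both before relying on the check; whether the READ_ENCINT calls for section, offset and length stop at end is not visible in this hunk either.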
diff -Nru libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch
--- libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.4/debian/patches/fix-pointer-arithmetic-overflow.patch	2015-01-13 21:58:58.000000000 +0100
@@ -0,0 +1,22 @@
+Index: libmspack/mspack/chmd.c
+===================================================================
+--- libmspack.orig/mspack/chmd.c
++++ libmspack/mspack/chmd.c
+@@ -746,7 +746,7 @@ static int search_chunk(struct mschmd_he
+ 	    /* compare filename with entry QR points to */
+ 	    p = &chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)];
+ 	    READ_ENCINT(name_len);
+-	    if (p + name_len > end) goto chunk_end;
++	    if (name_len > end - p) goto chunk_end;
+ 	    cmp = compare(filename, (char *)p, fname_len, name_len);
+ 
+ 	    if (cmp == 0) break;
+@@ -783,7 +783,7 @@ static int search_chunk(struct mschmd_he
+     *result = NULL;
+     while (num_entries-- > 0) {
+ 	READ_ENCINT(name_len);
+-	if (p + name_len > end) goto chunk_end;
++	if (name_len > end - p) goto chunk_end;
+ 	cmp = compare(filename, (char *)p, fname_len, name_len);
+ 	p += name_len;
+ 
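Review bot: in the first search_chunk hunk, p is set to `&chunk[entries_off + (M ? EndGetI16(start - (M << 1)) : 0)]` from a 16-bit value read out of the chunk, and nothing shown between that line and the new `name_len > end - p` test confirms that p is still at or before end. Rewriting `p + name_len > end` as `name_len > end - p` avoids forming an out-of-range pointer, but the subtraction is only meaningful when p <= end, so check the computed offset against the chunk bounds before READ_ENCINT. The same test now appears at both sites here and in chmd_read_headers; a small macro would keep the three copies in step.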
diff -Nru libmspack-0.4/debian/patches/series libmspack-0.4/debian/patches/series
--- libmspack-0.4/debian/patches/series	2014-12-30 17:10:37.000000000 +0100
+++ libmspack-0.4/debian/patches/series	2015-01-13 21:58:41.000000000 +0100
@@ -1 +1,4 @@
 qtmd-fix-frame_end-overflow.patch
+fix-division-by-zero.patch
+fix-pointer-arithmetic-overflow.patch
+fix-name-field-boundaries.patch

--- End Message ---
--- Begin Message ---
Hi,

On Wed, Jan 14, 2015 at 12:05:33AM +0100, Marc Dequènes wrote:
>   unblock libmspack/0.4-3

Unblocked.

Cheers,

Ivo

--- End Message ---
