Bug#779236: unblock: unace/1.2b-12

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#779236: unblock: unace/1.2b-12
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Wed, 25 Feb 2015 19:59:34 +0100
Message-id: <[🔎] 20150225185934.3752.56069.reportbug@pisco.westfalen.local>
Reply-to: Moritz Muehlenhoff <jmm@debian.org>, 779236@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock unace. It fixes CVE-2015-2063.

unblock unace/1.2b-12

Cheers,
        Moritz

debdiff:

diff -Nru unace-1.2b/debian/changelog unace-1.2b/debian/changelog
--- unace-1.2b/debian/changelog	2014-05-11 07:30:11.000000000 +0200
+++ unace-1.2b/debian/changelog	2015-02-24 11:55:37.000000000 +0100
@@ -1,3 +1,10 @@
+unace (1.2b-12) unstable; urgency=high
+
+  * Fix buffer overflow when reading ace files with file headers smaller
+    than expected. Fixes CVE-2015-2063. (Closes: #775003)
+
+ -- Guillem Jover <guillem@debian.org>  Tue, 24 Feb 2015 10:47:45 +0100
+
 unace (1.2b-11) unstable; urgency=medium
 
   * Now using Standards-Version 3.9.5 (no changes needed).
diff -Nru unace-1.2b/debian/patches/006_security-afl.patch unace-1.2b/debian/patches/006_security-afl.patch
--- unace-1.2b/debian/patches/006_security-afl.patch	1970-01-01 01:00:00.000000000 +0100
+++ unace-1.2b/debian/patches/006_security-afl.patch	2015-02-24 11:55:37.000000000 +0100
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/unace.c
++++ b/unace.c
+@@ -113,6 +113,7 @@ INT  read_header(INT print_err)
+ {
+    USHORT rd,
+         head_size,
++        need_size,
+         crc_ok;
+    LONG crc;
+    UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT  read_header(INT print_err)
+ #endif
+                                         // read size_headrdb bytes into 
+    head_size = head.HEAD_SIZE;          // header structure 
++   need_size = 3;
++   if (need_size > head.HEAD_SIZE)
++      return 0;
+    rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+    if (read(archan, readbuf, rd) < rd)
+       return 0;
+@@ -147,7 +151,12 @@ INT  read_header(INT print_err)
+    head.HEAD_FLAGS=BUFP2WORD(tp);
+ 
+    if (head.HEAD_FLAGS & ACE_ADDSIZE)
++   {
++      need_size += 4;
++      if (need_size > head.HEAD_SIZE)
++         return 0;
+       skipsize = head.ADDSIZE = BUF2LONG(tp);   // get ADDSIZE
++   }
+    else
+       skipsize = 0;
+ 
+@@ -158,6 +167,9 @@ INT  read_header(INT print_err)
+    switch (head.HEAD_TYPE)              // specific buffer to head conversion
+    {
+       case MAIN_BLK:
++         need_size += 24;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+          mhead.VER_MOD=*tp++;
+          mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT  read_header(INT print_err)
+          mhead.RES2   =BUFP2WORD(tp);
+          mhead.RES    =BUFP2LONG(tp);
+          mhead.AV_SIZE=*tp++;
+-         memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++         if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++             mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(mhead.AV, tp, mhead.AV_SIZE);
+          break;
+       case FILE_BLK:
++         need_size += 28;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          fhead.PSIZE     =BUFP2LONG(tp);
+          fhead.SIZE      =BUFP2LONG(tp);
+          fhead.FTIME     =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT  read_header(INT print_err)
+          fhead.TECH.PARM =BUFP2WORD(tp);
+          fhead.RESERVED  =BUFP2WORD(tp);
+          fhead.FNAME_SIZE=BUFP2WORD(tp);
+-         memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++         if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++             fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+          break;
+ //    default: (REC_BLK and future things): 
+ //              do nothing 'cause isn't needed for extraction
diff -Nru unace-1.2b/debian/patches/series unace-1.2b/debian/patches/series
--- unace-1.2b/debian/patches/series	2012-04-27 03:32:38.000000000 +0200
+++ unace-1.2b/debian/patches/series	2015-02-24 11:55:37.000000000 +0100
@@ -3,3 +3,4 @@
 003_security.patch
 004_64_bit_clean.patch
 005_format-security.patch
+006_security-afl.patch



-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Reply to:

Follow-Ups:
- Bug#779236: marked as done (unblock: unace/1.2b-12)
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Bug#779234: unblock: iceweasel/31.5.0esr-1
Next by Date: Bug#779236: marked as done (unblock: unace/1.2b-12)
Previous by thread: Bug#779234: marked as done (unblock: iceweasel/31.5.0esr-1)
Next by thread: Bug#779236: marked as done (unblock: unace/1.2b-12)
Index(es):
- Date
- Thread