[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#779236: marked as done (unblock: unace/1.2b-12)

Your message dated Wed, 25 Feb 2015 19:10:38 +0000
with message-id <1424891438.20407.5.camel@adam-barratt.org.uk>
and subject line Re: Bug#779236: unblock: unace/1.2b-12
has caused the Debian Bug report #779236,
regarding unblock: unace/1.2b-12
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779236: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779236
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock unace. It fixes CVE-2015-2063.

unblock unace/1.2b-12

Cheers,
        Moritz

debdiff:

diff -Nru unace-1.2b/debian/changelog unace-1.2b/debian/changelog
--- unace-1.2b/debian/changelog	2014-05-11 07:30:11.000000000 +0200
+++ unace-1.2b/debian/changelog	2015-02-24 11:55:37.000000000 +0100
@@ -1,3 +1,10 @@
+unace (1.2b-12) unstable; urgency=high
+
+  * Fix buffer overflow when reading ace files with file headers smaller
+    than expected. Fixes CVE-2015-2063. (Closes: #775003)
+
+ -- Guillem Jover <guillem@debian.org>  Tue, 24 Feb 2015 10:47:45 +0100
+
 unace (1.2b-11) unstable; urgency=medium
 
   * Now using Standards-Version 3.9.5 (no changes needed).
diff -Nru unace-1.2b/debian/patches/006_security-afl.patch unace-1.2b/debian/patches/006_security-afl.patch
--- unace-1.2b/debian/patches/006_security-afl.patch	1970-01-01 01:00:00.000000000 +0100
+++ unace-1.2b/debian/patches/006_security-afl.patch	2015-02-24 11:55:37.000000000 +0100
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/unace.c
++++ b/unace.c
+@@ -113,6 +113,7 @@ INT  read_header(INT print_err)
+ {
+    USHORT rd,
+         head_size,
++        need_size,
+         crc_ok;
+    LONG crc;
+    UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT  read_header(INT print_err)
+ #endif
+                                         // read size_headrdb bytes into 
+    head_size = head.HEAD_SIZE;          // header structure 
++   need_size = 3;
++   if (need_size > head.HEAD_SIZE)
++      return 0;
+    rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+    if (read(archan, readbuf, rd) < rd)
+       return 0;
+@@ -147,7 +151,12 @@ INT  read_header(INT print_err)
+    head.HEAD_FLAGS=BUFP2WORD(tp);
+ 
+    if (head.HEAD_FLAGS & ACE_ADDSIZE)
++   {
++      need_size += 4;
++      if (need_size > head.HEAD_SIZE)
++         return 0;
+       skipsize = head.ADDSIZE = BUF2LONG(tp);   // get ADDSIZE
++   }
+    else
+       skipsize = 0;
+ 
+@@ -158,6 +167,9 @@ INT  read_header(INT print_err)
+    switch (head.HEAD_TYPE)              // specific buffer to head conversion
+    {
+       case MAIN_BLK:
++         need_size += 24;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+          mhead.VER_MOD=*tp++;
+          mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT  read_header(INT print_err)
+          mhead.RES2   =BUFP2WORD(tp);
+          mhead.RES    =BUFP2LONG(tp);
+          mhead.AV_SIZE=*tp++;
+-         memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++         if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++             mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(mhead.AV, tp, mhead.AV_SIZE);
+          break;
+       case FILE_BLK:
++         need_size += 28;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          fhead.PSIZE     =BUFP2LONG(tp);
+          fhead.SIZE      =BUFP2LONG(tp);
+          fhead.FTIME     =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT  read_header(INT print_err)
+          fhead.TECH.PARM =BUFP2WORD(tp);
+          fhead.RESERVED  =BUFP2WORD(tp);
+          fhead.FNAME_SIZE=BUFP2WORD(tp);
+-         memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++         if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++             fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+          break;
+ //    default: (REC_BLK and future things): 
+ //              do nothing 'cause isn't needed for extraction
diff -Nru unace-1.2b/debian/patches/series unace-1.2b/debian/patches/series
--- unace-1.2b/debian/patches/series	2012-04-27 03:32:38.000000000 +0200
+++ unace-1.2b/debian/patches/series	2015-02-24 11:55:37.000000000 +0100
@@ -3,3 +3,4 @@
 003_security.patch
 004_64_bit_clean.patch
 005_format-security.patch
+006_security-afl.patch



-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message --- 
On Wed, 2015-02-25 at 19:59 +0100, Moritz Muehlenhoff wrote:
> Please unblock unace. It fixes CVE-2015-2063.

Unblocked.

Regards,

Adam

--- End Message ---
Reply to: