--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock unace. It fixes CVE-2015-2063.
unblock unace/1.2b-12
Cheers,
Moritz
debdiff:
diff -Nru unace-1.2b/debian/changelog unace-1.2b/debian/changelog
--- unace-1.2b/debian/changelog 2014-05-11 07:30:11.000000000 +0200
+++ unace-1.2b/debian/changelog 2015-02-24 11:55:37.000000000 +0100
@@ -1,3 +1,10 @@
+unace (1.2b-12) unstable; urgency=high
+
+ * Fix buffer overflow when reading ace files with file headers smaller
+ than expected. Fixes CVE-2015-2063. (Closes: #775003)
+
+ -- Guillem Jover <guillem@debian.org> Tue, 24 Feb 2015 10:47:45 +0100
+
unace (1.2b-11) unstable; urgency=medium
* Now using Standards-Version 3.9.5 (no changes needed).
diff -Nru unace-1.2b/debian/patches/006_security-afl.patch unace-1.2b/debian/patches/006_security-afl.patch
--- unace-1.2b/debian/patches/006_security-afl.patch 1970-01-01 01:00:00.000000000 +0100
+++ unace-1.2b/debian/patches/006_security-afl.patch 2015-02-24 11:55:37.000000000 +0100
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/unace.c
++++ b/unace.c
+@@ -113,6 +113,7 @@ INT read_header(INT print_err)
+ {
+ USHORT rd,
+ head_size,
++ need_size,
+ crc_ok;
+ LONG crc;
+ UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT read_header(INT print_err)
+ #endif
+ // read size_headrdb bytes into
+ head_size = head.HEAD_SIZE; // header structure
++ need_size = 3;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+ if (read(archan, readbuf, rd) < rd)
+ return 0;
+@@ -147,7 +151,12 @@ INT read_header(INT print_err)
+ head.HEAD_FLAGS=BUFP2WORD(tp);
+
+ if (head.HEAD_FLAGS & ACE_ADDSIZE)
++ {
++ need_size += 4;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ skipsize = head.ADDSIZE = BUF2LONG(tp); // get ADDSIZE
++ }
+ else
+ skipsize = 0;
+
+@@ -158,6 +167,9 @@ INT read_header(INT print_err)
+ switch (head.HEAD_TYPE) // specific buffer to head conversion
+ {
+ case MAIN_BLK:
++ need_size += 24;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+ mhead.VER_MOD=*tp++;
+ mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT read_header(INT print_err)
+ mhead.RES2 =BUFP2WORD(tp);
+ mhead.RES =BUFP2LONG(tp);
+ mhead.AV_SIZE=*tp++;
+- memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++ if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++ mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(mhead.AV, tp, mhead.AV_SIZE);
+ break;
+ case FILE_BLK:
++ need_size += 28;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ fhead.PSIZE =BUFP2LONG(tp);
+ fhead.SIZE =BUFP2LONG(tp);
+ fhead.FTIME =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT read_header(INT print_err)
+ fhead.TECH.PARM =BUFP2WORD(tp);
+ fhead.RESERVED =BUFP2WORD(tp);
+ fhead.FNAME_SIZE=BUFP2WORD(tp);
+- memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++ if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++ fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+ break;
+ // default: (REC_BLK and future things):
+ // do nothing 'cause isn't needed for extraction
diff -Nru unace-1.2b/debian/patches/series unace-1.2b/debian/patches/series
--- unace-1.2b/debian/patches/series 2012-04-27 03:32:38.000000000 +0200
+++ unace-1.2b/debian/patches/series 2015-02-24 11:55:37.000000000 +0100
@@ -3,3 +3,4 @@
003_security.patch
004_64_bit_clean.patch
005_format-security.patch
+006_security-afl.patch
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---