
Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1



On Mon, Jun 13, 2016 at 09:26:52AM +0200, Petter Reinholdtsen wrote:
> 
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-CC: Andreas Bombe <aeb@debian.org>
> 
> On my Debian Jessie machine, I would like to fix the two security issues
> in dosfstools that show up in the debsecan report:
> <URL: https://security-tracker.debian.org/tracker/CVE-2016-4804 >
> <URL: https://security-tracker.debian.org/tracker/CVE-2016-4804 >.
> 
> The issues were fixed in Wheezy by the LTS team (DLA-474-1) and are also
> fixed in unstable.  I would like to get it fixed in stable too, to get
> it out of my debsecan list.
> 
> The attached patch is based on the patches in wheezy, and should solve
> the problems.
> 
> Is it OK to upload the fix for stable?

Yes, please go ahead after taking into account the remark below. Thank
you.

> I plan to push the changes to a debian/jessie branch on collab-maint
> once I know the changes are acceptable for a stable update.



> --- /dev/null
> +++ b/debian/patches/CVE-2015-8872.diff
> @@ -0,0 +1,22 @@
> +https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
> +
> +Index: dosfstools-collab/src/fat.c
> +===================================================================
> +--- dosfstools-collab.orig/src/fat.c	2016-06-13 08:07:44.669688617 +0200
> ++++ dosfstools-collab/src/fat.c	2016-06-13 08:07:44.665688587 +0200
> +@@ -197,10 +197,12 @@
> + 	    data[1] = new >> 4;
> + 	} else {
> + 	    FAT_ENTRY subseqEntry;
> +-	    get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
> ++	    if (cluster != fs->clusters - 1)
> ++	        get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
> ++	    else
> ++	        subseqEntry.value = 0;
> + 	    data[0] = new & 0xff;
> +-	    data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
> +-				    (0xff & subseqEntry.value) << 4);
> ++	    data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
> + 	}
> + 	size = 2;
> + 	break;
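
Review bot: the guard `cluster != fs->clusters - 1` in the else branch, carried over from the removed ternary, now decides both whether get_fat() reads entry cluster + 1 and whether `subseqEntry.value = 0` is packed into the high nibble of data[1], so it has to name the index of the last FAT entry exactly. The hunk does not show how fs->clusters is counted, so check the bound against its definition: if it matches an entry that is not the last one, the neighbouring entry's low nibble is overwritten with zero, and if it never matches the last one, the read past the end remains. The new patch file also carries only a URL as its header; a short description of what the change does, with the URL matching the commit whose change is in the hunk, would make the file name CVE-2015-8872.diff verifiable.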

This is commit 39ce90fe7 [*] which fixed a possible read access one byte
beyond the end of an array, pretty harmless since the value wouldn't be
used when the read shouldn't have happened. The following commit
079081248 is the meatier of the fixes and the one actually fixing the
CVE (and the one referenced in the URL above). It needs to be integrated
here.

[*] https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1

