
Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1



On Fri, 2016-06-17 at 05:00 +0200, Andreas Bombe wrote:
> On Mon, Jun 13, 2016 at 09:26:52AM +0200, Petter Reinholdtsen wrote:
[...]
> > <URL: https://security-tracker.debian.org/tracker/CVE-2016-4804 >
> > <URL: https://security-tracker.debian.org/tracker/CVE-2016-4804 >.
> > 
> > The issues were fixed in Wheezy by the LTS team (DLA-474-1) and are also
> > fixed in unstable.  I would like to get it fixed in stable too, to get
> > it out of my debsecan list.
> > 
> > The attached patch is based on the patches in wheezy, and should solve
> > the problems.
> > 
> > Is it OK to upload the fix for stable?
> 
> Yes, please go ahead after taking into account the remark below. Thank
> you.

Note that Andreas is not a member of the release team.

> > I plan to push the changes to a debian/jessie branch on collab-maint
> > once I know the changes are acceptable for a stable update.
> 
> 
> 
> > --- /dev/null
> > +++ b/debian/patches/CVE-2015-8872.diff
> > @@ -0,0 +1,22 @@
> > +https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
> > +
> > +Index: dosfstools-collab/src/fat.c
> > +===================================================================
> > +--- dosfstools-collab.orig/src/fat.c	2016-06-13 08:07:44.669688617 +0200
> > ++++ dosfstools-collab/src/fat.c	2016-06-13 08:07:44.665688587 +0200
> > +@@ -197,10 +197,12 @@
> > + 	    data[1] = new >> 4;
> > + 	} else {
> > + 	    FAT_ENTRY subseqEntry;
> > +-	    get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
> > ++	    if (cluster != fs->clusters - 1)
> > ++	        get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
> > ++	    else
> > ++	        subseqEntry.value = 0;
> > + 	    data[0] = new & 0xff;
> > +-	    data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
> > +-				    (0xff & subseqEntry.value) << 4);
> > ++	    data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
> > + 	}
> > + 	size = 2;
> > + 	break;
> 
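Review bot: the header of debian/patches/CVE-2015-8872.diff is only a bare commit URL with no description of what is being fixed, and the hunk under it keeps the boundary `cluster != fs->clusters - 1` from the removed ternary, only moving that test ahead of the `get_fat()` read of `cluster + 1`. Please add a short description header saying which upstream change this hunk corresponds to, and check that the URL and the hunk refer to the same commit, since the file is named after the CVE. In the new else branch only `subseqEntry.value` is assigned; that covers the `data[1]` expression shown here, but a one-line comment noting that any other members are deliberately left unset would help the next reader.
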
> This is commit 39ce90fe7 [*] which fixed a possible read access one byte
> beyond the end of an array, pretty harmless since the value wouldn't be
> used when the read shouldn't have happened. The following commit
> 079081248 is the meatier of the fixes and the one actually fixing the
> CVE (and the one referenced in the URL above). It needs to be integrated
> here.
> 
> [*] https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1

If this is accurate, please can we have a new debdiff.

Regards,

Adam

