Bug#827160: jessie-pu: package dosfstools/3.0.27-1+deb8u1
[Petter Reinholdtsen]
> I will. But the comment below seems to indicate that the update in
> Wheezy was incomplete?
Looking at the code, I am quite sure the Wheezy fix missed the change in
<URL: https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 >.
Who should be notified about this?
> I'll prepare a new patch and package. OK to push it to the collab-maint
> git repo before upload, or should I wait until it is accepted?
Attached is a new patch with -1 changed to +1 as instructed by the above
commit.
--
Happy hacking
Petter Reinholdtsen
diff --git a/debian/changelog b/debian/changelog
index 4f1e009..db765aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dosfstools (3.0.27-1+deb8u1) unstable; urgency=medium
+
+ * Non-maintainer upload to fix security issue.
+ * Added d/gbp.conf to document git branch used for Jessie updates.
+ * [CVE-2015-8872] Invalid memory read in fsck.vfat
+ * [CVE-2016-4804] Heap overflow in function read_fat()
+
+ -- Petter Reinholdtsen <pere@debian.org> Mon, 13 Jun 2016 08:17:24 +0200
+
dosfstools (3.0.27-1) unstable; urgency=medium
* New upstream version 3.0.27
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/CVE-2015-8872.diff b/debian/patches/CVE-2015-8872.diff
new file mode 100644
index 0000000..8709cc4
--- /dev/null
+++ b/debian/patches/CVE-2015-8872.diff
@@ -0,0 +1,33 @@
+Description: Fix CVE-2015-8872 using patches from upstream.
+
+ The patch is based on file used to update the CVE in Wheezy. It
+ contained the fix in
+ https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1
+ Then the dosfstools maintainer noticed the patch in
+ https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
+ was missing. It is included here (off by one error, fixed by using
+ +1 instead of -1.
+
+ See also https://bugs.debian.org/827160 .
+
+Index: dosfstools-collab/src/fat.c
+===================================================================
+--- dosfstools-collab.orig/src/fat.c 2016-06-13 08:07:44.669688617 +0200
++++ dosfstools-collab/src/fat.c 2016-06-13 08:07:44.665688587 +0200
+@@ -197,10 +197,12 @@
+ data[1] = new >> 4;
+ } else {
+ FAT_ENTRY subseqEntry;
+- get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++ if (cluster != fs->clusters + 1)
++ get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++ else
++ subseqEntry.value = 0;
+ data[0] = new & 0xff;
+- data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
+- (0xff & subseqEntry.value) << 4);
++ data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
+ }
+ size = 2;
+ break;
+
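Review bot: The DEP-3 header of this patch file stops at `Description:` plus free text, so the two upstream commits it cites are only readable by humans; they belong in machine-readable fields such as `Origin: upstream, https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7` (with the 39ce90fe commit noted alongside) and `Bug-Debian: https://bugs.debian.org/827160`, which is what patch-tracking tools and future backporters key on. The prose also has an unclosed parenthesis: `+1 instead of -1.` should read `+1 instead of -1).` The fat.c hunk itself matches the cited upstream change (the new guard presumably keeps `get_fat()` from indexing one entry past the last cluster, which is the invalid read the CVE describes), so nothing further is needed there; the enclosing function starts and ends outside the hunk.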
diff --git a/debian/patches/CVE-2016-4804.diff b/debian/patches/CVE-2016-4804.diff
new file mode 100644
index 0000000..d28174c
--- /dev/null
+++ b/debian/patches/CVE-2016-4804.diff
@@ -0,0 +1,64 @@
+https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
+
+Index: dosfstools-collab/src/boot.c
+===================================================================
+--- dosfstools-collab.orig/src/boot.c 2016-06-13 07:59:10.337694024 +0200
++++ dosfstools-collab/src/boot.c 2016-06-13 08:00:46.290436480 +0200
+@@ -101,8 +101,8 @@
+ (unsigned long long)fs->fat_start,
+ (unsigned long long)fs->fat_start / lss);
+ printf("%10d FATs, %d bit entries\n", b->fats, fs->fat_bits);
+- printf("%10d bytes per FAT (= %u sectors)\n", fs->fat_size,
+- fs->fat_size / lss);
++ printf("%10lld bytes per FAT (= %llu sectors)\n", (long long)fs->fat_size,
++ (long long)fs->fat_size / lss);
+ if (!fs->root_cluster) {
+ printf("Root directory starts at byte %llu (sector %llu)\n",
+ (unsigned long long)fs->root_start,
+@@ -326,7 +326,7 @@
+ struct boot_sector b;
+ unsigned total_sectors;
+ unsigned short logical_sector_size, sectors;
+- unsigned fat_length;
++ off_t fat_length;
+ loff_t data_size;
+
+ fs_read(0, sizeof(b), &b);
+@@ -354,8 +354,12 @@
+ /* Can't access last odd sector anyway, so round down */
+ fs_test((loff_t) ((total_sectors & ~1) - 1) * (loff_t) logical_sector_size,
+ logical_sector_size);
++
+ fat_length = le16toh(b.fat_length) ?
+ le16toh(b.fat_length) : le32toh(b.fat32_length);
++ if (!fat_length)
++ die("FAT size is zero.");
++
+ fs->fat_start = (loff_t) le16toh(b.reserved) * logical_sector_size;
+ fs->root_start = ((loff_t) le16toh(b.reserved) + b.fats * fat_length) *
+ logical_sector_size;
+@@ -363,7 +367,11 @@
+ fs->data_start = fs->root_start + ROUND_TO_MULTIPLE(fs->root_entries <<
+ MSDOS_DIR_BITS,
+ logical_sector_size);
++
+ data_size = (loff_t) total_sectors *logical_sector_size - fs->data_start;
++ if (data_size < fs->cluster_size)
++ die("Filesystem has no space for any data clusters");
++
+ fs->clusters = data_size / fs->cluster_size;
+ fs->root_cluster = 0; /* indicates standard, pre-FAT32 root dir */
+ fs->fsinfo_start = 0; /* no FSINFO structure */
+diff --git a/src/fsck.fat.h b/src/fsck.fat.h
+index e5ade5b..639b569 100644
+--- a/src/fsck.fat.h
++++ b/src/fsck.fat.h
+@@ -158,7 +158,7 @@ typedef struct {
+ typedef struct {
+ int nfats;
+ loff_t fat_start;
+- unsigned int fat_size; /* unit is bytes */
++ off_t fat_size; /* unit is bytes */
+ unsigned int fat_bits; /* size of a FAT entry */
+ unsigned int eff_fat_bits; /* # of used bits in a FAT entry */
+ uint32_t root_cluster; /* 0 for old-style root dir */
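Review bot: In the boot.c printf hunk at the top of this patch, `%llu` is paired with `(long long)fs->fat_size / lss`, whose type is signed `long long` (assuming `lss` is an unsigned int or narrower, as the original `%u` suggests); the conversion specifier and the argument type should agree, e.g. `(unsigned long long)fs->fat_size / lss` for `%llu`, or keep the cast and print with `%lld`. The patch file carries only a bare upstream URL and no DEP-3 fields; a `Description:`, `Origin: upstream, <that URL>` and `Bug-Debian: https://bugs.debian.org/827160` line would let patch-tracking tools identify it. The first file header uses the `Index:`/`===` quilt style while the second uses `diff --git`/`index`; both presumably apply with -p1, but one style throughout would be cleaner. The functions enclosing the boot.c hunks start and end outside these hunks.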
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..014ae4e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2016-4804.diff
+CVE-2015-8872.diff