Bug#842938: jessie-pu: package libwmf/0.2.8.4-10.3+deb8u2
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release Team,
The Security Team suggested fixing the CVE-2016-9011 [1] security
issue through a point release.
The issue is a memory allocation failure in wmf_malloc (api.c).
Please see the debdiff attached.
I have uploaded an NMU [2] to DELAYED/10 with the same fix for unstable.
Cheers,
Balint
[1] https://security-tracker.debian.org/tracker/CVE-2016-9011
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842090#17
diff -Nru libwmf-0.2.8.4/debian/changelog libwmf-0.2.8.4/debian/changelog
--- libwmf-0.2.8.4/debian/changelog 2015-07-05 20:06:43.000000000 +0200
+++ libwmf-0.2.8.4/debian/changelog 2016-11-02 12:57:00.000000000 +0100
@@ -1,3 +1,10 @@
+libwmf (0.2.8.4-10.3+deb8u2) stable; urgency=medium
+
+ * LTS Team upload.
+ * Fix allocating huge block of memory (CVE-2016-9011) (Closes: #842090)
+
+ -- Balint Reczey <balint@balintreczey.hu> Wed, 02 Nov 2016 12:56:21 +0100
+
libwmf (0.2.8.4-10.3+deb8u1) jessie-security; urgency=medium
* CVE-2015-0848 CVE-2015-4588 CVE-2015-4695 CVE-2015-4696
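Review bot: The new changelog entry targets "stable" and describes itself as "LTS Team upload.", which does not match a jessie-pu request; the previous entry names the suite explicitly ("jessie-security"). Suggest setting the distribution to "jessie" and confirming that the upload description line is the intended one for a point-release upload, so the entry reads unambiguously once jessie is no longer the current stable.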
diff -Nru libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch
--- libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 1970-01-01 01:00:00.000000000 +0100
+++ libwmf-0.2.8.4/debian/patches/CVE-2016-9011.patch 2016-11-02 12:55:07.000000000 +0100
@@ -0,0 +1,34 @@
+--- ./src/player.c.orig 2016-10-27 23:17:53.076604344 +0200
++++ ./src/player.c 2016-10-27 23:20:15.271078052 +0200
+@@ -140,7 +140,30 @@
+ return (API->err);
+ }
+
+- P->Parameters = (unsigned char*) wmf_malloc (API,(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char));
++ U32 nMaxRecordSize = (MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char);
++ if (nMaxRecordSize)
++ {
++ //before allocating memory do a sanity check on size by seeking
++ //to claimed end to see if its possible. We're constrained here
++ //by the api and existing implementations to not simply seeking
++ //to SEEK_END. So use what we have to skip to the last byte and
++ //try and read it.
++ const long nPos = WMF_TELL (API);
++ WMF_SEEK (API, nPos + nMaxRecordSize - 1);
++ if (ERR (API))
++ { WMF_DEBUG (API,"bailing...");
++ return (API->err);
++ }
++ int byte = WMF_READ (API);
++ if (byte == (-1))
++ { WMF_ERROR (API,"Unexpected EOF!");
++ API->err = wmf_E_EOF;
++ return (API->err);
++ }
++ WMF_SEEK (API, nPos);
++ }
++
++ P->Parameters = (unsigned char*) wmf_malloc (API, nMaxRecordSize);
+
+ if (ERR (API))
+ { WMF_DEBUG (API,"bailing...");
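Review bot: The size is computed as `(MAX_REC_SIZE(API) ) * 2 * sizeof (unsigned char)` and stored in a U32, so a claimed record size in the upper half of the 32-bit range wraps before either the seek check or `wmf_malloc` sees it. The offset `nPos + nMaxRecordSize - 1` is then evaluated with a `long` operand, which is also 32 bits on some architectures. Suggest rejecting an out-of-range MAX_REC_SIZE(API) before doubling it, and checking the sum against the range of `long` before calling WMF_SEEK. Two smaller points: the restoring `WMF_SEEK (API, nPos)` is only covered by the `ERR (API)` test that follows the allocation, so a failed restore is noticed after the memory has already been requested; and the patch file starts directly at `--- ./src/player.c.orig` with no description, origin or bug reference header, which would help whoever next audits debian/patches.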
diff -Nru libwmf-0.2.8.4/debian/patches/series libwmf-0.2.8.4/debian/patches/series
--- libwmf-0.2.8.4/debian/patches/series 2015-07-05 20:07:13.000000000 +0200
+++ libwmf-0.2.8.4/debian/patches/series 2016-11-02 12:55:07.000000000 +0100
@@ -4,3 +4,4 @@
04_gd-gd_clip.c-use-after-free-cve-2009-1364.patch
05_gdk-pixbuf-loader-dir.patch
CVE-2015-0848_CVE-2015-4588_CVE-2015-4695_CVE-2015-4696.patch
+CVE-2016-9011.patch