Bug#861449: unblock: radare2/1.1.0+dfsg-5
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi
Please unblock package radare2
The upload to unstable fixes CVE-2017-7946, #860962. The changelog
reads as:
>radare2 (1.1.0+dfsg-5) unstable; urgency=high
>
> * Add upstream patch to fix security bug
> - CVE-2017-7946 (Closes: #860962)
> The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
> radare2 1.3.0 allows remote attackers to cause a denial of service
> (use-after-free and application crash) via a crafted Mach0 file.
>
> -- Sebastian Reichel <sre@debian.org> Sun, 23 Apr 2017 23:20:16 +0200
and I'm attaching the full debdiff against the version in testing.
unblock radare2/1.1.0+dfsg-5
Regards,
Salvatore
diff -Nru radare2-1.1.0+dfsg/debian/changelog radare2-1.1.0+dfsg/debian/changelog
--- radare2-1.1.0+dfsg/debian/changelog 2017-04-11 15:34:39.000000000 +0200
+++ radare2-1.1.0+dfsg/debian/changelog 2017-04-23 23:20:16.000000000 +0200
@@ -1,3 +1,13 @@
+radare2 (1.1.0+dfsg-5) unstable; urgency=high
+
+ * Add upstream patch to fix security bug
+ - CVE-2017-7946 (Closes: #860962)
+ The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
+ radare2 1.3.0 allows remote attackers to cause a denial of service
+ (use-after-free and application crash) via a crafted Mach0 file.
+
+ -- Sebastian Reichel <sre@debian.org> Sun, 23 Apr 2017 23:20:16 +0200
+
radare2 (1.1.0+dfsg-4) unstable; urgency=high
* Add upstream patches to fix security bugs
diff -Nru radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch
--- radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch 1970-01-01 01:00:00.000000000 +0100
+++ radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch 2017-04-23 23:20:16.000000000 +0200
@@ -0,0 +1,175 @@
+From d1e8ac62c6d978d4662f69116e30230d43033c92 Mon Sep 17 00:00:00 2001
+From: pancake <pancake@nopcode.org>
+Date: Tue, 18 Apr 2017 13:37:33 +0200
+Subject: [PATCH] Fix null deref and uaf in mach0 parser
+
+---
+ libr/bin/format/mach0/mach0.c | 92 ++++++++++++++++++++++++-------------------
+ 1 file changed, 51 insertions(+), 41 deletions(-)
+
+diff --git a/libr/bin/format/mach0/mach0.c b/libr/bin/format/mach0/mach0.c
+index 206ab11..398a44b 100644
+--- a/libr/bin/format/mach0/mach0.c
++++ b/libr/bin/format/mach0/mach0.c
+@@ -1119,7 +1119,7 @@ static int init_items(struct MACH0_(obj_t)* bin) {
+ case LC_LOAD_WEAK_DYLIB:
+ sdb_set (bin->kv, sdb_fmt (0, "mach0_cmd_%d.cmd", i), "load_dylib", 0);
+ bin->nlibs++;
+- if (!parse_dylib(bin, off)){
++ if (!parse_dylib (bin, off)){
+ eprintf ("Cannot parse dylib\n");
+ bin->nlibs--;
+ return false;
+@@ -1130,30 +1130,31 @@ static int init_items(struct MACH0_(obj_t)* bin) {
+ {
+ ut8 dyldi[sizeof (struct dyld_info_command)] = {0};
+ sdb_set (bin->kv, sdb_fmt (0, "mach0_cmd_%d.cmd", i), "dyld_info", 0);
+- bin->dyld_info = malloc (sizeof(struct dyld_info_command));
+-
+- if (off + sizeof (struct dyld_info_command) > bin->size){
+- eprintf ("Cannot parse dyldinfo\n");
+- free (bin->dyld_info);
+- return false;
+- }
+- if (r_buf_read_at (bin->b, off, dyldi, sizeof (struct dyld_info_command)) == -1) {
+- free (bin->dyld_info);
+- bin->dyld_info = NULL;
+- eprintf ("Error: read (LC_DYLD_INFO) at 0x%08"PFMT64x"\n", off);
+- } else {
+- bin->dyld_info->cmd = r_read_ble32 (&dyldi[0], bin->big_endian);
+- bin->dyld_info->cmdsize = r_read_ble32 (&dyldi[4], bin->big_endian);
+- bin->dyld_info->rebase_off = r_read_ble32 (&dyldi[8], bin->big_endian);
+- bin->dyld_info->rebase_size = r_read_ble32 (&dyldi[12], bin->big_endian);
+- bin->dyld_info->bind_off = r_read_ble32 (&dyldi[16], bin->big_endian);
+- bin->dyld_info->bind_size = r_read_ble32 (&dyldi[20], bin->big_endian);
+- bin->dyld_info->weak_bind_off = r_read_ble32 (&dyldi[24], bin->big_endian);
+- bin->dyld_info->weak_bind_size = r_read_ble32 (&dyldi[28], bin->big_endian);
+- bin->dyld_info->lazy_bind_off = r_read_ble32 (&dyldi[32], bin->big_endian);
+- bin->dyld_info->lazy_bind_size = r_read_ble32 (&dyldi[36], bin->big_endian);
+- bin->dyld_info->export_off = r_read_ble32 (&dyldi[40], bin->big_endian);
+- bin->dyld_info->export_size = r_read_ble32 (&dyldi[44], bin->big_endian);
++ bin->dyld_info = calloc (1, sizeof (struct dyld_info_command));
++ if (bin->dyld_info) {
++ if (off + sizeof (struct dyld_info_command) > bin->size){
++ eprintf ("Cannot parse dyldinfo\n");
++ R_FREE (bin->dyld_info);
++ return false;
++ }
++ if (r_buf_read_at (bin->b, off, dyldi, sizeof (struct dyld_info_command)) == -1) {
++ free (bin->dyld_info);
++ bin->dyld_info = NULL;
++ eprintf ("Error: read (LC_DYLD_INFO) at 0x%08"PFMT64x"\n", off);
++ } else {
++ bin->dyld_info->cmd = r_read_ble32 (&dyldi[0], bin->big_endian);
++ bin->dyld_info->cmdsize = r_read_ble32 (&dyldi[4], bin->big_endian);
++ bin->dyld_info->rebase_off = r_read_ble32 (&dyldi[8], bin->big_endian);
++ bin->dyld_info->rebase_size = r_read_ble32 (&dyldi[12], bin->big_endian);
++ bin->dyld_info->bind_off = r_read_ble32 (&dyldi[16], bin->big_endian);
++ bin->dyld_info->bind_size = r_read_ble32 (&dyldi[20], bin->big_endian);
++ bin->dyld_info->weak_bind_off = r_read_ble32 (&dyldi[24], bin->big_endian);
++ bin->dyld_info->weak_bind_size = r_read_ble32 (&dyldi[28], bin->big_endian);
++ bin->dyld_info->lazy_bind_off = r_read_ble32 (&dyldi[32], bin->big_endian);
++ bin->dyld_info->lazy_bind_size = r_read_ble32 (&dyldi[36], bin->big_endian);
++ bin->dyld_info->export_off = r_read_ble32 (&dyldi[40], bin->big_endian);
++ bin->dyld_info->export_size = r_read_ble32 (&dyldi[44], bin->big_endian);
++ }
+ }
+ }
+ break;
+@@ -1747,17 +1748,20 @@ struct reloc_t* MACH0_(get_relocs)(struct MACH0_(obj_t)* bin) {
+ if ((bind_size + lazy_size)<1) {
+ return NULL;
+ }
+- if (bin->dyld_info->bind_off > bin->size || bin->dyld_info->bind_off + bind_size > bin->size)
++ if (bin->dyld_info->bind_off > bin->size || bin->dyld_info->bind_off + bind_size > bin->size) {
+ return NULL;
++ }
+ if (bin->dyld_info->lazy_bind_off > bin->size || \
+- bin->dyld_info->lazy_bind_off + lazy_size > bin->size)
++ bin->dyld_info->lazy_bind_off + lazy_size > bin->size) {
+ return NULL;
+- if (bin->dyld_info->bind_off+bind_size+lazy_size > bin->size)
++ }
++ if (bin->dyld_info->bind_off+bind_size+lazy_size > bin->size) {
+ return NULL;
++ }
+ // NOTE(eddyb) it's a waste of memory, but we don't know the actual number of relocs.
+- if (!(relocs = calloc (1, (1 + bind_size + lazy_size) * sizeof (struct reloc_t))))
++ if (!(relocs = calloc (1, (1 + bind_size + lazy_size) * sizeof (struct reloc_t)))) {
+ return NULL;
+-
++ }
+ opcodes = calloc (1, bind_size + lazy_size + 1);
+ if (!opcodes) {
+ free (relocs);
+@@ -1905,12 +1909,14 @@ relocs[i++].last = 0;\
+ free (opcodes);
+ } else {
+ int j;
+- if (!bin->symtab || !bin->symstr || !bin->sects || !bin->indirectsyms)
++ if (!bin->symtab || !bin->symstr || !bin->sects || !bin->indirectsyms) {
+ return NULL;
+- if (!(relocs = malloc ((bin->dysymtab.nundefsym + 1) * sizeof(struct reloc_t))))
++ }
++ if (!(relocs = malloc ((bin->dysymtab.nundefsym + 1) * sizeof(struct reloc_t)))) {
+ return NULL;
++ }
+ for (j = 0; j < bin->dysymtab.nundefsym; j++) {
+- if (parse_import_ptr(bin, &relocs[i], bin->dysymtab.iundefsym + j)) {
++ if (parse_import_ptr (bin, &relocs[i], bin->dysymtab.iundefsym + j)) {
+ relocs[i].ord = j;
+ relocs[i++].last = 0;
+ }
+@@ -1954,7 +1960,6 @@ struct addr_t* MACH0_(get_entrypoint)(struct MACH0_(obj_t)* bin) {
+ }
+ bin->entry = entry->addr;
+ }
+-
+ return entry;
+ }
+
+@@ -1962,10 +1967,12 @@ struct lib_t* MACH0_(get_libs)(struct MACH0_(obj_t)* bin) {
+ struct lib_t *libs;
+ int i;
+
+- if (!bin->nlibs)
++ if (!bin->nlibs) {
+ return NULL;
+- if (!(libs = calloc ((bin->nlibs + 1), sizeof(struct lib_t))))
++ }
++ if (!(libs = calloc ((bin->nlibs + 1), sizeof(struct lib_t)))) {
+ return NULL;
++ }
+ for (i = 0; i < bin->nlibs; i++) {
+ strncpy (libs[i].name, bin->libs[i], R_BIN_MACH0_STRING_LENGTH);
+ libs[i].name[R_BIN_MACH0_STRING_LENGTH-1] = '\0';
+@@ -1978,12 +1985,14 @@ struct lib_t* MACH0_(get_libs)(struct MACH0_(obj_t)* bin) {
+ ut64 MACH0_(get_baddr)(struct MACH0_(obj_t)* bin) {
+ int i;
+
+- if (bin->hdr.filetype != MH_EXECUTE && bin->hdr.filetype != MH_DYLINKER)
++ if (bin->hdr.filetype != MH_EXECUTE && bin->hdr.filetype != MH_DYLINKER) {
+ return 0;
+-
+- for (i = 0; i < bin->nsegs; ++i)
+- if (bin->segs[i].fileoff == 0 && bin->segs[i].filesize != 0)
++ }
++ for (i = 0; i < bin->nsegs; ++i) {
++ if (bin->segs[i].fileoff == 0 && bin->segs[i].filesize != 0) {
+ return bin->segs[i].vmaddr;
++ }
++ }
+ return 0;
+ }
+
+@@ -2309,8 +2318,9 @@ ut64 MACH0_(get_main)(struct MACH0_(obj_t)* bin) {
+ ut8 b[128];
+ ut64 entry = addr_to_offset(bin, bin->entry);
+ // XXX: X86 only and hacky!
+- if (entry > bin->size || entry + sizeof (b) > bin->size)
++ if (entry > bin->size || entry + sizeof (b) > bin->size) {
+ return 0;
++ }
+ i = r_buf_read_at (bin->b, entry, b, sizeof (b));
+ if (i < 1) {
+ return 0;
diff -Nru radare2-1.1.0+dfsg/debian/patches/series radare2-1.1.0+dfsg/debian/patches/series
--- radare2-1.1.0+dfsg/debian/patches/series 2017-04-11 15:34:39.000000000 +0200
+++ radare2-1.1.0+dfsg/debian/patches/series 2017-04-23 23:20:13.000000000 +0200
@@ -5,3 +5,4 @@
0005-fix-FTBFS-for-as-needed.patch
0006-fix-CVE-2017-6194.patch
0007-fix-CVE-2017-6448.patch
+0008-fix-CVE-2017-7946.patch
Reply to: