Control: tag -1 confirmed
Hi Felix,
Felix Geyer <fgeyer@debian.org> (2017-06-29):
> I'd like to fix CVE-2012-6706 in stretch, see #865461 for details.
> debdiff is attached.
This looks good to me, feel free to upload; thanks.
(Unimportant comment below.)
> diff -Nru unrar-nonfree-5.3.2/debian/changelog unrar-nonfree-5.3.2/debian/changelog
> --- unrar-nonfree-5.3.2/debian/changelog 2015-08-10 14:58:20.000000000 +0200
> +++ unrar-nonfree-5.3.2/debian/changelog 2017-06-28 00:10:20.000000000 +0200
> @@ -1,3 +1,12 @@
> +unrar-nonfree (1:5.3.2-1+deb9u1) stretch; urgency=medium
> +
> + * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
> + - Backported from 5.5.5
> + - CVE-2012-6706
> + - Closes #865461
> +
> + -- Felix Geyer <fgeyer@debian.org> Wed, 28 Jun 2017 00:10:20 +0200
> +
> unrar-nonfree (1:5.3.2-1) unstable; urgency=medium
>
> * New upstream release (Closes: #759586)
> diff -Nru unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706
> --- unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 1970-01-01 01:00:00.000000000 +0100
> +++ unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 2017-06-22 20:25:06.000000000 +0200
> @@ -0,0 +1,44 @@
> +--- unrar-nonfree-5.3.2.org/rarvm.cpp
> ++++ unrar-nonfree-5.3.2/rarvm.cpp
> +@@ -965,7 +965,7 @@
> + {
> + int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
> + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
> +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
> ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
> + break;
> +
> + // Bytes from same channels are grouped to continual data blocks,
> +@@ -984,7 +984,7 @@
> + byte *SrcData=Mem,*DestData=SrcData+DataSize;
> + const int Channels=3;
> + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
> +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
> ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2)
> + break;
> + for (int CurChannel=0;CurChannel<Channels;CurChannel++)
> + {
> +@@ -1029,7 +1029,7 @@
> + int DataSize=R[4],Channels=R[0];
> + byte *SrcData=Mem,*DestData=SrcData+DataSize;
> + SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
> +- if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
> ++ if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0)
> + break;
> + for (int CurChannel=0;CurChannel<Channels;CurChannel++)
> + {
> +--- unrar-nonfree-5.3.2.orig/unpack.hpp
> ++++ unrar-nonfree-5.3.2/unpack.hpp
> +@@ -13,6 +13,12 @@
> + // from two data blocks.
> + #define MAX3_UNPACK_FILTERS 8192
> +
> ++// Limit maximum number of channels in RAR3 delta filter to some reasonable
> ++// value to prevent too slow processing of corrupt archives with invalid
> ++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
> ++// No need to provide it for RAR5, which uses only 5 bits to store channels.
> ++#define MAX3_UNPACK_CHANNELS 1024
> ++
> + // Write data in 4 MB or smaller blocks. Must not exceed PACK_MAX_WRITE,
> + // so we keep number of buffered filter in unpacker reasonable.
> + #define UNPACK_MAX_WRITE 0x400000
(Funny to see a new definition for MAX3_UNPACK_CHANNELS but not for the
hardcoded 128. But I suppose this might be an artefact of backporting
the fix from a new upstream. Not a huge deal anyway.)
> diff -Nru unrar-nonfree-5.3.2/debian/patches/series unrar-nonfree-5.3.2/debian/patches/series
> --- unrar-nonfree-5.3.2/debian/patches/series 2013-08-15 16:56:10.000000000 +0200
> +++ unrar-nonfree-5.3.2/debian/patches/series 2017-06-22 20:20:22.000000000 +0200
> @@ -1 +1,2 @@
> fix-buildflags
> +CVE-2012-6706
KiBi.
Attachment:
signature.asc
Description: Digital signature