Bug#866517: marked as done (jessie-pu: package unrar-nonfree/1:5.2.7-0.1+deb8u1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#866517: marked as done (jessie-pu: package unrar-nonfree/1:5.2.7-0.1+deb8u1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 22 Jul 2017 12:23:07 +0000
Message-id: <[🔎] handler.866517.D866517.150072595325746.ackdone@bugs.debian.org>
Reply-to: 866517@bugs.debian.org
References: <1500725936.14212.4.camel@adam-barratt.org.uk> <149876206519.24076.4374748247348495852.reportbug@callisto>

Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.camel@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #866517,
regarding jessie-pu: package unrar-nonfree/1:5.2.7-0.1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
866517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866517
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jessie-pu: package unrar-nonfree/5.2.7-0.1+deb8u1
From: Felix Geyer <fgeyer@debian.org>
Date: Thu, 29 Jun 2017 20:47:45 +0200
Message-id: <149876206519.24076.4374748247348495852.reportbug@callisto>

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

I'd like to fix CVE-2012-6706 in jessie, see #865461 for details.
debdiff is attached.

The same request for stretch is at #866516

Cheers,
Felix

diff -Nru unrar-nonfree-5.2.7/debian/changelog unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog	2015-03-27 22:54:31.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/changelog	2017-06-22 20:47:18.000000000 +0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+    - Backported from 5.5.5
+    - CVE-2012-6706
+    - Closes #865461
+
+ -- Felix Geyer <fgeyer@debian.org>  Thu, 22 Jun 2017 20:47:18 +0200
+
 unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706	1970-01-01 01:00:00.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706	2017-06-22 20:46:24.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+       {
+         int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+           break;
+ 
+         // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         const int Channels=3;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || DataSize<3 || Width>DataSize || PosR>2)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+@@ -1029,7 +1029,7 @@
+         int DataSize=R[4],Channels=R[0];
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || Channels==0)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS       8192
+ 
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS      1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS             1024
+ 
diff -Nru unrar-nonfree-5.2.7/debian/patches/series unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series	2013-08-15 16:56:10.000000000 +0200
+++ unrar-nonfree-5.2.7/debian/patches/series	2017-06-22 20:46:33.000000000 +0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706

--- End Message ---

--- Begin Message ---

To: 843701-done@bugs.debian.org, 850440-done@bugs.debian.org, 858310-done@bugs.debian.org, 858846-done@bugs.debian.org, 861926-done@bugs.debian.org, 862167-done@bugs.debian.org, 862169-done@bugs.debian.org, 862173-done@bugs.debian.org, 862327-done@bugs.debian.org, 862353-done@bugs.debian.org, 862438-done@bugs.debian.org, 862456-done@bugs.debian.org, 862481-done@bugs.debian.org, 862498-done@bugs.debian.org, 862891-done@bugs.debian.org, 862960-done@bugs.debian.org, 862964-done@bugs.debian.org, 862976-done@bugs.debian.org, 862983-done@bugs.debian.org, 862986-done@bugs.debian.org, 862997-done@bugs.debian.org, 863049-done@bugs.debian.org, 863562-done@bugs.debian.org, 863682-done@bugs.debian.org, 863953-done@bugs.debian.org, 863970-done@bugs.debian.org, 864267-done@bugs.debian.org, 864745-done@bugs.debian.org, 864770-done@bugs.debian.org, 864910-done@bugs.debian.org, 864986-done@bugs.debian.org, 865102-done@bugs.debian.org, 865483-done@bugs.debian.org, 865763-done@bugs.debian.org, 866333-done@bugs.debian.org, 866517-done@bugs.debian.org, 866643-done@bugs.debian.org, 866967-done@bugs.debian.org, 867119-done@bugs.debian.org, 867328-done@bugs.debian.org, 867562-done@bugs.debian.org, 868106-done@bugs.debian.org, 868210-done@bugs.debian.org, 868211-done@bugs.debian.org, 868230-done@bugs.debian.org, 868241-done@bugs.debian.org, 868243-done@bugs.debian.org, 868567-done@bugs.debian.org

Subject: Closing bugs for 8.9 fixes

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 22 Jul 2017 13:18:56 +0100

Message-id: <1500725936.14212.4.camel@adam-barratt.org.uk>
Version: 8.9

Hi,

These bugs all relate for updates which were included in today's jessie
point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Bug#866679: marked as done (stretch-pu: package dovecot/1:2.2.27-3+deb9u1)
Next by Date: Bug#866759: marked as done (stretch-pu: package protozero/1.5.1-1+deb9u1)
Previous by thread: Bug#866679: marked as done (stretch-pu: package dovecot/1:2.2.27-3+deb9u1)
Next by thread: Bug#866643: marked as done (jessie-pu: package init-select/1.20140921+deb8u1)
Index(es):
- Date
- Thread