[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#867248: marked as done (stretch-pu: package libclamunrar/0.99-3+deb9u1)

Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #867248,
regarding stretch-pu: package libclamunrar/0.99-3+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
867248: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867248
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

This is an update to Stretch with a patch from git which fixes
CVE-2012-6706. The final clamav release is planned for the end of July,
this is the only commit in the libclamunrar part so far.

Sebastian

diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog	2016-12-17 22:00:03.000000000 +0100
+++ libclamunrar-0.99/debian/changelog	2017-07-05 08:30:54.000000000 +0200
@@ -1,3 +1,10 @@
+libclamunrar (0.99-3+deb9u1) stable; urgency=medium
+
+  * Cherry pick fix for arbitrary memory write. CVE-2012-6706
+    (Closes: #867223).
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Wed, 05 Jul 2017 08:30:54 +0200
+
 libclamunrar (0.99-3) unstable; urgency=medium
 
   * Add a fixup for bb11601.
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm	2016-12-16 21:56:07.000000000 +0100
+++ libclamunrar-0.99/debian/.git-dpm	2017-07-05 08:27:35.000000000 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-0b977ab3aaecd1e2e434474f30288eea3c029fe0
-0b977ab3aaecd1e2e434474f30288eea3c029fe0
+890a88f7d593eb6f3a13200103c6e49313eca3f1
+890a88f7d593eb6f3a13200103c6e49313eca3f1
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 libclamunrar_0.99.orig.tar.xz
diff -Nru libclamunrar-0.99/debian/patches/series libclamunrar-0.99/debian/patches/series
--- libclamunrar-0.99/debian/patches/series	2016-12-16 21:56:07.000000000 +0100
+++ libclamunrar-0.99/debian/patches/series	2017-07-05 08:27:35.000000000 +0200
@@ -3,3 +3,4 @@
 bb11601.patch
 drop_openssl_check.patch
 bb11601_pt2.patch
+unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
diff -Nru libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
--- libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	2017-07-05 08:27:35.000000000 +0200
@@ -0,0 +1,173 @@
+From 890a88f7d593eb6f3a13200103c6e49313eca3f1 Mon Sep 17 00:00:00 2001
+From: Mickey Sola <msola@sourcefire.com>
+Date: Thu, 29 Jun 2017 14:02:03 -0400
+Subject: unrar - adding proposed changes to fix RAR VMSF_DELTA Filter
+ Signedness error
+
+CVE: CVE-2012-6706: arbitrary memory write
+BTS: #867223
+Patch-Name: unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
+---
+ libclamunrar/unrarvm.c | 55 ++++++++++++++++++++++++++------------------------
+ 1 file changed, 29 insertions(+), 26 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 102fe2ebf044..b21e242fa72b 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -213,9 +213,9 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+ 
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+-	unsigned int bit_field = 0;
++        unsigned int bit_field = 0;
+ 
+-	if (rarvm_input->in_addr < rarvm_input->buf_size) {
++        if (rarvm_input->in_addr < rarvm_input->buf_size) {
+             bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+             if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
+                 bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+@@ -314,10 +314,10 @@ static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+ 	}
+ }
+ 
+-static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int bit_count)
++static unsigned int filter_itanium_getbits(unsigned char *data, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int bit_field=(unsigned int)data[in_addr++];
+ 	bit_field|=(unsigned int)data[in_addr++] << 8;
+ 	bit_field|=(unsigned int)data[in_addr++] << 16;
+@@ -326,10 +326,10 @@ static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int
+ 	return(bit_field & (0xffffffff>>(32-bit_count)));
+ }
+ 
+-static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, int bit_pos, int bit_count)
++static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int i, in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int i, in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int and_mask=0xffffffff>>(32-bit_count);
+ 	and_mask=~(and_mask<<in_bit);
+ 
+@@ -346,11 +346,12 @@ static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field,
+ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_filters_t filter_type)
+ {
+ 	unsigned char *data, cmp_byte2, cur_byte, *src_data, *dest_data;
+-	int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
+-	int op_type, cur_channel, byte_count, start_pos, pa, pb, pc;
++	unsigned int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
++	unsigned int op_type, cur_channel, byte_count, start_pos;
++	int pa, pb, pc;
+ 	unsigned int file_offset, cur_pos, predicted;
+-	int32_t offset, addr;
+-	const int file_size=0x1000000;
++	uint32_t offset, addr;
++	const unsigned int file_size=0x1000000;
+ 
+ 	switch(filter_type) {
+ 	case VMSF_E8:
+@@ -359,7 +360,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		file_offset = rarvm_data->R[6];
+ 
+-		if (((unsigned int)data_size >= VM_GLOBALMEMADDR) || (data_size < 4)) {
++		if ((data_size > VM_GLOBALMEMADDR) || (data_size < 4)) {
+ 			break;
+ 		}
+ 
+@@ -370,12 +371,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 			if (cur_byte==0xe8 || cur_byte==cmp_byte2) {
+ 				offset = cur_pos+file_offset;
+ 				addr = GET_VALUE(FALSE, data);
+-				if (addr < 0) {
+-					if (addr+offset >=0 ) {
++				// We check 0x80000000 bit instead of '< 0' comparison
++				// not assuming int32 presence or uint size and endianness.
++				if ((addr & 0x80000000)!=0) {              // addr<0
++					if (((addr+offset) & 0x80000000)==0) {   // addr+offset>=0
+ 						SET_VALUE(FALSE, data, addr+file_size);
+ 					}
+ 				} else {
+-					if (addr<file_size) {
++					if (((addr-file_size) & 0x80000000)!=0) { // addr<file_size
+ 						SET_VALUE(FALSE, data, addr-offset);
+ 					}
+ 				}
+@@ -389,7 +392,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		file_offset = rarvm_data->R[6];
+ 		
+-		if (((unsigned int)data_size >= VM_GLOBALMEMADDR) || (data_size < 21)) {
++		if ((data_size > VM_GLOBALMEMADDR) || (data_size < 21)) {
+ 			break;
+ 		}
+ 		
+@@ -432,7 +435,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		border = data_size*2;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2 || channels > 1024 || channels == 0) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
+@@ -443,7 +446,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		}
+ 		break;
+ 	case VMSF_RGB: {
+-		const int channels=3;
++		const unsigned int channels=3;
+ 		data_size = rarvm_data->R[4];
+ 		width = rarvm_data->R[0] - 3;
+ 		PosR = rarvm_data->R[1];
+@@ -451,15 +454,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		dest_data = src_data + data_size;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2 || data_size < 3 || width > data_size || PosR > 2) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels; cur_channel++) {
+ 			unsigned int prev_byte = 0;
+ 			for (i=cur_channel ; i<data_size ; i+=channels) {
+-				int upper_pos=i-width;
+-				if (upper_pos >= 3) {
+-					unsigned char *upper_data = dest_data+upper_pos;
++				if (i >= width+3) {
++					unsigned char *upper_data = dest_data+i-width;
+ 					unsigned int upper_byte = *upper_data;
+ 					unsigned int upper_left_byte = *(upper_data-3);
+ 					predicted = prev_byte+upper_byte-upper_left_byte;
+@@ -489,13 +491,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		break;
+ 	}
+ 	case VMSF_AUDIO: {
+-		int channels=rarvm_data->R[0];
++		unsigned int channels=rarvm_data->R[0];
+ 		data_size = rarvm_data->R[4];
+ 		src_data = rarvm_data->mem;
+ 		dest_data = src_data + data_size;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		// In fact, audio channels never exceed 4.
++		if (data_size > VM_GLOBALMEMADDR/2 || channels > 128 || channels == 0) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
+@@ -556,7 +559,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		src_pos = 0;
+ 		dest_pos = data_size;
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2) {
+ 			break;
+ 		}
+ 		while (src_pos < data_size) {

--- End Message ---
--- Begin Message --- 
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---
Reply to: