--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: jessie-pu: package liblouis/2.5.3-3
- From: Samuel Thibault <sthibault@debian.org>
- Date: Fri, 3 Nov 2017 01:54:32 +0100
- Message-id: <20171103005432.2jmadtmn7mbyoldr@var.youpi.perso.aquilenet.fr>
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
Bug#880621 reports that Jessie is affected by CVE-2014-8184. I'm
proposing to upload there the RedHat fix plus a fix for that fix (it
didn't actually take care of issues in the strncpy call). Debdiff is
attached.
Samuel
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog
--- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.000000000 +0200
+++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.000000000 +0100
@@ -1,3 +1,10 @@
+liblouis (2.5.3-3+deb8u1) jessie; urgency=medium
+
+ * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621).
+ * Fix RedHat's patch.
+
+ -- Samuel Thibault <sthibault@debian.org> Fri, 03 Nov 2017 01:14:02 +0100
+
liblouis (2.5.3-3) unstable; urgency=low
[ Samuel Thibault ]
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 liblouis-2.5.3/debian/patches/CVE-2014-8184
--- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,99 @@
+https://github.com/liblouis/liblouis/issues/425
+https://bugzilla.redhat.com/show_bug.cgi?id=1492701
+https://access.redhat.com/errata/RHSA-2017:3111
+
+From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001
+From: Raphael Sanchez Prudencio <rsprudencio@redhat.com>
+Date: Mon, 18 Sep 2017 18:44:31 +0200
+Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable().
+
+Fixes CVE-2014-8184.
+---
+ liblouis/compileTranslationTable.c | 35 +++++++++++------------------------
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index ec4963f0..25c0208f 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4502,8 +4502,7 @@ findTable (const char *tableName)
+ char trialPath[MAXSTRING];
+ if (tableName == NULL || tableName[0] == 0)
+ return NULL;
+- strcpy (trialPath, tablePath);
+- strcat (trialPath, tableName);
++ snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ return tableFile;
+ pathEnd[0] = DIR_SEP;
+@@ -4522,18 +4521,15 @@ findTable (const char *tableName)
+ break;
+ if (k == listLength || k == 0)
+ { /* Only one file */
+- strcpy (trialPath, pathList);
+- strcat (trialPath, pathEnd);
+- strcat (trialPath, tableName);
++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ break;
+ }
+ else
+ { /* Compile a list of files */
+- strncpy (trialPath, pathList, k);
+- trialPath[k] = 0;
+- strcat (trialPath, pathEnd);
+- strcat (trialPath, tableName);
++ char path[MAXSTRING];
++ strncpy (path, pathList, k);
++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ currentListPos = k + 1;
+ if ((tableFile = fopen (trialPath, "rb")))
+ break;
+@@ -4542,11 +4538,8 @@ findTable (const char *tableName)
+ for (k = currentListPos; k < listLength; k++)
+ if (pathList[k] == ',')
+ break;
+- strncpy (trialPath,
+- &pathList[currentListPos], k - currentListPos);
+- trialPath[k - currentListPos] = 0;
+- strcat (trialPath, pathEnd);
+- strcat (trialPath, tableName);
++ strncpy (path, &pathList[currentListPos], k - currentListPos);
++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ currentListPos = k + 1;
+ break;
+@@ -4564,26 +4557,20 @@ findTable (const char *tableName)
+ pathList = lou_getDataPath ();
+ if (pathList)
+ {
+- strcpy (trialPath, pathList);
+- strcat (trialPath, pathEnd);
+ #ifdef _WIN32
+- strcat (trialPath, "liblouis\\tables\\");
++ snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s", pathList, pathEnd, tableName);
+ #else
+- strcat (trialPath, "liblouis/tables/");
++ snprintf (trialPath, MAXSTRING-1, "%s%sliblouis/tables/%s", pathList, pathEnd, tableName);
+ #endif
+- strcat (trialPath, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ return tableFile;
+ }
+ /* See if table on installed or program path. */
+ #ifdef _WIN32
+- strcpy (trialPath, lou_getProgramPath ());
+- strcat (trialPath, "\\share\\liblouss\\tables\\");
++ snprintf (trialPath, MAXSTRING-1, "%s\\share\\liblouss\\tables\\%s", lou_getProgramPath(), tableName);
+ #else
+- strcpy (trialPath, TABLESDIR);
+- strcat (trialPath, pathEnd);
++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", TABLESDIR, pathEnd, tableName);
+ #endif
+- strcat (trialPath, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ return tableFile;
+ return NULL;
+--
+2.13.5
+
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184-fix liblouis-2.5.3/debian/patches/CVE-2014-8184-fix
--- liblouis-2.5.3/debian/patches/CVE-2014-8184-fix 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184-fix 2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,33 @@
+The RedHat CVE-2014-8184 patch did not fix the potential buffer overruns
+and missing trailing \0 from the strncpy call.
+---
+ liblouis/compileTranslationTable.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4534,6 +4534,8 @@ findTable (const char *tableName)
+ int listLength;
+ int currentListPos = 0;
+ listLength = strlen (pathList);
++ if (listLength >= MAXSTRING)
++ listLength = MAXSTRING-1;
+ for (k = 0; k < listLength; k++)
+ if (pathList[k] == ',')
+ break;
+@@ -4547,6 +4549,7 @@ findTable (const char *tableName)
+ { /* Compile a list of files */
+ char path[MAXSTRING];
+ strncpy (path, pathList, k);
++ path[k] = 0;
+ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ currentListPos = k + 1;
+ if ((tableFile = fopen (trialPath, "rb")))
+@@ -4557,6 +4560,7 @@ findTable (const char *tableName)
+ if (pathList[k] == ',')
+ break;
+ strncpy (path, &pathList[currentListPos], k - currentListPos);
++ path[k - currentListPos] = 0;
+ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ if ((tableFile = fopen (trialPath, "rb")))
+ currentListPos = k + 1;
diff -Nru liblouis-2.5.3/debian/patches/series liblouis-2.5.3/debian/patches/series
--- liblouis-2.5.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/series 2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2014-8184
+CVE-2014-8184-fix
--- End Message ---