
Bug#843411: marked as done (jessie-pu: package musl/1.1.5-2)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #843411,
regarding jessie-pu: package musl/1.1.5-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
843411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843411
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

musl in jessie is affected by CVE-2016-8859.
The attached patch cherry-picks the upstream commit,
which fixes this issue.
The security team marked it as no-dsa, so I'm requesting
it to be included in the next jessie update.

Kind regards,
  Reiner
diff -Nru musl-1.1.5/debian/changelog musl-1.1.5/debian/changelog
--- musl-1.1.5/debian/changelog	2015-03-31 23:12:02.000000000 +0200
+++ musl-1.1.5/debian/changelog	2016-10-26 19:39:31.000000000 +0200
@@ -1,3 +1,10 @@
+musl (1.1.5-2+deb8u1) jessie-security; urgency=high
+
+  * Cherry-pick upstream fix for regex integer overflow in buffer size
+    computations; CVE-2016-8859 (Closes: #842171)
+
+ -- Reiner Herrmann <reiner@reiner-h.de>  Wed, 26 Oct 2016 19:39:31 +0200
+
 musl (1.1.5-2) unstable; urgency=low
 
   * Fixes possible stack-based buffer overflow CVE-2015-1817 (Closes: #781497)
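Review bot: the distribution in the new changelog stanza is `jessie-security` (`+musl (1.1.5-2+deb8u1) jessie-security; urgency=high`), but this is a jessie-pu request and the cover mail says the security team marked the CVE no-dsa, so the package will travel through proposed-updates rather than security.debian.org; the distribution field should be `jessie` for that route. The `+deb8u1` version suffix is the right one for a stable update, and the Closes reference to #842171 matches the Bug-Debian header in the new patch file.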
diff -Nru musl-1.1.5/debian/patches/cve-2016-8859.diff musl-1.1.5/debian/patches/cve-2016-8859.diff
--- musl-1.1.5/debian/patches/cve-2016-8859.diff	1970-01-01 01:00:00.000000000 +0100
+++ musl-1.1.5/debian/patches/cve-2016-8859.diff	2016-10-26 19:39:31.000000000 +0200
@@ -0,0 +1,71 @@
+From: Rich Felker <dalias@aerifal.cx>
+Subject: fix missing integer overflow checks in regexec buffer size
+ computations
+
+most of the possible overflows were already ruled out in practice by
+regcomp having already succeeded performing larger allocations.
+however at least the num_states*num_tags multiplication can clearly
+overflow in practice. for safety, check them all, and use the proper
+type, size_t, rather than int.
+
+also improve comments, use calloc in place of malloc+memset, and
+remove bogus casts.
+
+Origin: upstream, http://git.musl-libc.org/cgit/musl/commit/?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7
+Bug-Debian: https://bugs.debian.org/842171
+---
+ src/regex/regexec.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/regex/regexec.c b/src/regex/regexec.c
+index 16c5d0a..dd52319 100644
+--- a/src/regex/regexec.c
++++ b/src/regex/regexec.c
+@@ -34,6 +34,7 @@
+ #include <wchar.h>
+ #include <wctype.h>
+ #include <limits.h>
++#include <stdint.h>
+ 
+ #include <regex.h>
+ 
+@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+ 
+   /* Allocate memory for temporary data required for matching.	This needs to
+      be done for every matching operation to be thread safe.  This allocates
+-     everything in a single large block from the stack frame using alloca()
+-     or with malloc() if alloca is unavailable. */
++     everything in a single large block with calloc(). */
+   {
+-    int tbytes, rbytes, pbytes, xbytes, total_bytes;
++    size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
+     char *tmp_buf;
++
++    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
++     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
++    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
++      goto error_exit;
++
++    /* Likewise check rbytes. */
++    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
++      goto error_exit;
++
++    /* Likewise check pbytes. */
++    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
++      goto error_exit;
++
+     /* Compute the length of the block we need. */
+     tbytes = sizeof(*tmp_tags) * num_tags;
+     rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
+@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+       + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes;
+ 
+     /* Allocate the memory. */
+-    buf = xmalloc((unsigned)total_bytes);
++    buf = calloc(total_bytes, 1);
+     if (buf == NULL)
+       return REG_ESPACE;
+-    memset(buf, 0, (size_t)total_bytes);
+ 
+     /* Get the various pointers within tmp_buf (properly aligned). */
+     tmp_tags = (void *)buf;
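Review bot: in the cve-2016-8859.diff hunk, the overflow guard for `tbytes` is written in terms of `sizeof(int)` (`if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))`) while the size it protects is computed a few lines later as `tbytes = sizeof(*tmp_tags) * num_tags`; using `sizeof(*tmp_tags)` in the check as well would keep the guard and the allocation from silently diverging if the element type ever changes. That same expression divides by `tnfa->num_states`, so it is worth confirming that regcomp never hands regexec a TNFA with zero states, since the division would otherwise trap before any of the new checks help. The remainder matches the commit description: the `xmalloc((unsigned)total_bytes)` plus `memset` pair becomes `calloc(total_bytes, 1)` over `size_t` sizes, the stale alloca comment is dropped, and the DEP-3 header carries the upstream Origin URL and the Bug-Debian reference.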
diff -Nru musl-1.1.5/debian/patches/series musl-1.1.5/debian/patches/series
--- musl-1.1.5/debian/patches/series	2015-03-31 23:11:32.000000000 +0200
+++ musl-1.1.5/debian/patches/series	2016-10-26 19:39:31.000000000 +0200
@@ -1 +1,2 @@
 cve-2015-1817.diff
+cve-2016-8859.diff

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---