
Bug#849869: marked as done (jessie-pu: package unrtf/0.21.5-3)



Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #849869,
regarding jessie-pu: package unrtf/0.21.5-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
849869: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849869
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

As per request of the security team, I intend to upload a security fix 
(CVE-2016-10091) of the unrtf package for the next jessie point release.

The changelog is:
unrtf (0.21.5-3+deb8u1) stable; urgency=medium

  * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
    cmd_ functions) closes: 849705

 -- Willi Mann <willi@debian.org>  Sun, 01 Jan 2017 19:50:41 +0100

debdiff attached.

Let me know whether this intended upload is fine with you.

Willi

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog
--- unrtf-0.21.5/debian/changelog	2015-01-27 20:50:01.000000000 +0100
+++ unrtf-0.21.5/debian/changelog	2017-01-01 19:51:52.000000000 +0100
@@ -1,3 +1,10 @@
+unrtf (0.21.5-3+deb8u1) stable; urgency=medium
+
+  * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
+    cmd_ functions) closes: 849705
+
+ -- Willi Mann <willi@debian.org>  Sun, 01 Jan 2017 19:50:41 +0100
+
 unrtf (0.21.5-3) unstable; urgency=medium
 
   [ Salvatore Bonaccorso ]
diff -Nru unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
--- unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch	1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch	2017-01-01 19:49:05.000000000 +0100
@@ -0,0 +1,179 @@
+From: Jean-Francois Dockes <jf@dockes.org>
+Date: Sat, 31 Dec 2016 20:25:19 +0100
+Subject: Replace all instances of sprintf with snprintf and adjust size of
+ integer field in some cases
+
+This fixes CVE-2016-10091
+
+Bug-Debian: https://bugs.debian.org/849705
+---
+ src/attr.c    |  4 ++--
+ src/convert.c | 28 ++++++++++++++--------------
+ src/output.c  |  4 ++--
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 0337fd0..aea2a69 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -743,7 +743,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+ 
+-	char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++	char *s, tmp[20];
+ 	int i = 0, j = 0;
+ 
+ 	if (string == NULL)
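Review bot: The declaration of `tmp` in assemble_string loses its sizing comment, so nothing explains why 20 was chosen. A decimal `int` needs at most 12 bytes including sign and terminator when `int` is 32 bits, and a short comment such as `/* decimal int incl. sign and '\0': 12 bytes for a 32-bit int, 20 leaves slack */` would keep that reasoning next to the buffer. The function body continues outside this hunk.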
+@@ -759,7 +759,7 @@ assemble_string(char *string, int nr)
+ 		}
+ 
+ 		if (string[i] != '\0') {
+-			sprintf(tmp, "%d", nr);
++			snprintf(tmp, 20, "%d", nr);
+ 			strcpy(&s[j], tmp);
+ 			j = j + strlen(tmp);
+ 		}
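Review bot: The bound passed to snprintf here is the literal `20`, repeated from the declaration of `tmp` in the previous hunk, so a later resize of the array can silently leave the two out of step; `snprintf(tmp, sizeof tmp, "%d", nr);` ties them together. The same applies to the `str`, `tmp` and `expr` buffers in cmd_expand, cmd_emboss, cmd_engrave, cmd_u, op_begin_std_fontsize and op_end_std_fontsize. In cmd_cf, cmd_cb, cmd_highlight and cmd_fs the declaration of `str` is outside the hunk, so the literals 40 and 20 cannot be checked against it from here. The following `strcpy(&s[j], tmp)` is still unbounded and depends on how `s` was allocated, which is not visible in this hunk.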
+diff --git a/src/convert.c b/src/convert.c
+index d22a2f9..62355be 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -448,7 +448,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+ 
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+     // Note that CP0 is supposed to mean current system default, which does
+     // not make any sense as a stored value, we don't handle it.
+@@ -935,7 +935,7 @@ cmd_cf (Word *w, int align, char has_param, int num) {
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
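Review bot: snprintf bounds the write into `str`, but the read of `color_table[num]` in this `else` branch is only as safe as the condition on the `if` above it, which is outside the hunk. Confirm that the guard rejects a missing parameter, a negative `num`, and a `num` at or beyond the number of table entries, since `num` is a parameter of the command handler and presumably comes from the document being converted. The same check is worth confirming for cmd_cb and cmd_highlight, which index the table the same way.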
+@@ -962,7 +962,7 @@ cmd_cb (Word *w, int align, char has_param, int num) {
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -987,7 +987,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ 	/* Note, fs20 means 10pt */
+ 	points /= 2;
+ 
+-	sprintf(str,"%d",points);
++	snprintf(str, 20, "%d", points);
+ 	attr_push(ATTR_FONTSIZE,str);
+ 
+ 	return FALSE;
+@@ -1118,7 +1118,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+         {
+             // TOBEDONE: WHAT'S THIS ???
+             name = my_malloc(12);
+-            sprintf(name, "%d", num);
++			snprintf(name, 12, "%d", num);
+         }
+ 
+         /* we are going to output entities, so should not output font */
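Review bot: The result of `my_malloc(12)` is used as the snprintf destination on the next line with no NULL check visible in this hunk; if my_malloc can return NULL on failure, the call writes through a null pointer. A guard such as `if (!name) return FALSE;`, or whatever error path cmd_f already uses outside the hunk, would cover that, and a named constant would avoid repeating the 12 in two places. The replacement line is also indented with tabs where the surrounding block uses spaces.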
+@@ -1169,7 +1169,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ 	}
+ 	else
+ 	{
+-		sprintf(str,"#%02x%02x%02x",
++		snprintf(str, 40, "#%02x%02x%02x",
+ 			color_table[num].r,
+ 			color_table[num].g,
+ 			color_table[num].b);
+@@ -1324,9 +1324,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_expand (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param) {
+-		sprintf(str, "%d", param/4);
++		snprintf(str, 20, "%d", param / 4);
+ 		if (!param) 
+ 			attr_pop(ATTR_EXPAND);
+ 		else 
+@@ -1345,7 +1345,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_emboss (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param && !param)
+ #ifdef SUPPORT_UNNESTED
+ 		attr_find_pop(ATTR_EMBOSS);
+@@ -1354,7 +1354,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ #endif
+ 	else
+ 	{
+-		sprintf(str, "%d", param);
++		snprintf(str, 20, "%d", param);
+ 		attr_push(ATTR_EMBOSS, str);
+ 	}
+ 	return FALSE;
+@@ -1370,12 +1370,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ 
+ static int 
+ cmd_engrave (Word *w, int align, char has_param, int param) {
+-	char str[10];
++	char str[20];
+ 	if (has_param && !param) 
+ 		attr_pop(ATTR_ENGRAVE);
+ 	else
+ 	{
+-		sprintf(str, "%d", param);
++		snprintf(str, 20, "%d", param);
+ 		attr_push(ATTR_ENGRAVE, str);
+ 	}
+ 	return FALSE;
+@@ -1919,7 +1919,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+ 
+ 	short	done=0;
+ 	long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
+-	char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++	char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+ 	char *alias;
+ #define DEBUG 0
+ #if DEBUG
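Review bot: The comment kept on `tmp` in cmd_u still says the size is the number of characters in an int type and should change if int is wider than 4 bytes, which no longer describes a 20-byte buffer. The value written into it in the next hunk is a `long` formatted with `%ld`; it is derived from the `int` parameter plus at most 65536, so it fits, but the comment should say so, e.g. `/* decimal long derived from an int param; 20 bytes is ample and snprintf bounds the write */`. cmd_u's body continues outside the hunk.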
+@@ -1949,7 +1949,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+                             /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
+ 				unicode_number += 65536;
+ 			}
+-			sprintf(tmp, "%ld", unicode_number);
++			snprintf(tmp, 20, "%ld", unicode_number);
+ 
+ 			if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
+ 			done++;
+diff --git a/src/output.c b/src/output.c
+index 2584e06..4342bfe 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
+ 	if (!found_std_expr) {
+ 		if (op->fontsize_begin) {
+ 			char expr[16];
+-			sprintf (expr, "%d", size);
++			snprintf(expr, 16, "%d", size);
+ 			if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
+ 		} else {
+ 			/* If we cannot write out a change for the exact
+@@ -449,7 +449,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
+ 	if (!found_std_expr) {
+ 		if (op->fontsize_end) {
+ 			char expr[16];
+-			sprintf (expr, "%d", size);
++			snprintf(expr, 16, "%d", size);
+ 			if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
+ 		} else {
+ 			/* If we cannot write out a change for the exact
diff -Nru unrtf-0.21.5/debian/patches/series unrtf-0.21.5/debian/patches/series
--- unrtf-0.21.5/debian/patches/series	2015-01-27 20:12:28.000000000 +0100
+++ unrtf-0.21.5/debian/patches/series	2017-01-01 19:49:05.000000000 +0100
@@ -6,3 +6,4 @@
 0006-Limit-depth-of-group-embedding.patch
 0007-Improved-image-file-handling.patch
 0008-Better-processing-of-pict-including-addition-of-EMF-type.patch
+0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch

--- End Message ---
--- Begin Message ---
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
