Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
As per request of the security team, I intend to upload a security fix
(CVE-2016-10091) of the unrtf package for the next jessie point release.
The changelog is:
unrtf (0.21.5-3+deb8u1) stable; urgency=medium
* Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
cmd_ functions) closes: 849705
-- Willi Mann <willi@debian.org> Sun, 01 Jan 2017 19:50:41 +0100
debdiff attached.
Let me know whether this intended upload is fine with you.
Willi
-- System Information:
Debian Release: 8.6
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog
--- unrtf-0.21.5/debian/changelog 2015-01-27 20:50:01.000000000 +0100
+++ unrtf-0.21.5/debian/changelog 2017-01-01 19:51:52.000000000 +0100
@@ -1,3 +1,10 @@
+unrtf (0.21.5-3+deb8u1) stable; urgency=medium
+
+ * Add patch from upstream to fix CVE-2016-10091 (buffer overflow in various
+ cmd_ functions) closes: 849705
+
+ -- Willi Mann <willi@debian.org> Sun, 01 Jan 2017 19:50:41 +0100
+
unrtf (0.21.5-3) unstable; urgency=medium
[ Salvatore Bonaccorso ]
diff -Nru unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
--- unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch 1970-01-01 01:00:00.000000000 +0100
+++ unrtf-0.21.5/debian/patches/0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch 2017-01-01 19:49:05.000000000 +0100
@@ -0,0 +1,179 @@
+From: Jean-Francois Dockes <jf@dockes.org>
+Date: Sat, 31 Dec 2016 20:25:19 +0100
+Subject: Replace all instances of sprintf with snprintf and adjust size of
+ integer field in some cases
+
+This fixes CVE-2016-10091
+
+Bug-Debian: https://bugs.debian.org/849705
+---
+ src/attr.c | 4 ++--
+ src/convert.c | 28 ++++++++++++++--------------
+ src/output.c | 4 ++--
+ 3 files changed, 18 insertions(+), 18 deletions(-)
+
+diff --git a/src/attr.c b/src/attr.c
+index 0337fd0..aea2a69 100644
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -743,7 +743,7 @@ char *
+ assemble_string(char *string, int nr)
+ {
+
+- char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
++ char *s, tmp[20];
+ int i = 0, j = 0;
+
+ if (string == NULL)
+@@ -759,7 +759,7 @@ assemble_string(char *string, int nr)
+ }
+
+ if (string[i] != '\0') {
+- sprintf(tmp, "%d", nr);
++ snprintf(tmp, 20, "%d", nr);
+ strcpy(&s[j], tmp);
+ j = j + strlen(tmp);
+ }
+diff --git a/src/convert.c b/src/convert.c
+index d22a2f9..62355be 100644
+--- a/src/convert.c
++++ b/src/convert.c
+@@ -448,7 +448,7 @@ static const int fcharsetparmtocp(int parm)
+ }
+
+ // Translate code page to encoding name hopefully suitable as iconv input
+-static char *cptoencoding(parm)
++static char *cptoencoding(int parm)
+ {
+ // Note that CP0 is supposed to mean current system default, which does
+ // not make any sense as a stored value, we don't handle it.
+@@ -935,7 +935,7 @@ cmd_cf (Word *w, int align, char has_param, int num) {
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -962,7 +962,7 @@ cmd_cb (Word *w, int align, char has_param, int num) {
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -987,7 +987,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
+ /* Note, fs20 means 10pt */
+ points /= 2;
+
+- sprintf(str,"%d",points);
++ snprintf(str, 20, "%d", points);
+ attr_push(ATTR_FONTSIZE,str);
+
+ return FALSE;
+@@ -1118,7 +1118,7 @@ cmd_f (Word *w, int align, char has_param, int num)
+ {
+ // TOBEDONE: WHAT'S THIS ???
+ name = my_malloc(12);
+- sprintf(name, "%d", num);
++ snprintf(name, 12, "%d", num);
+ }
+
+ /* we are going to output entities, so should not output font */
+@@ -1169,7 +1169,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
+ }
+ else
+ {
+- sprintf(str,"#%02x%02x%02x",
++ snprintf(str, 40, "#%02x%02x%02x",
+ color_table[num].r,
+ color_table[num].g,
+ color_table[num].b);
+@@ -1324,9 +1324,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_expand (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param) {
+- sprintf(str, "%d", param/4);
++ snprintf(str, 20, "%d", param / 4);
+ if (!param)
+ attr_pop(ATTR_EXPAND);
+ else
+@@ -1345,7 +1345,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_emboss (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ #ifdef SUPPORT_UNNESTED
+ attr_find_pop(ATTR_EMBOSS);
+@@ -1354,7 +1354,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+ #endif
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_EMBOSS, str);
+ }
+ return FALSE;
+@@ -1370,12 +1370,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
+
+ static int
+ cmd_engrave (Word *w, int align, char has_param, int param) {
+- char str[10];
++ char str[20];
+ if (has_param && !param)
+ attr_pop(ATTR_ENGRAVE);
+ else
+ {
+- sprintf(str, "%d", param);
++ snprintf(str, 20, "%d", param);
+ attr_push(ATTR_ENGRAVE, str);
+ }
+ return FALSE;
+@@ -1919,7 +1919,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+
+ short done=0;
+ long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
+- char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++ char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+ char *alias;
+ #define DEBUG 0
+ #if DEBUG
+@@ -1949,7 +1949,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
+ /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
+ unicode_number += 65536;
+ }
+- sprintf(tmp, "%ld", unicode_number);
++ snprintf(tmp, 20, "%ld", unicode_number);
+
+ if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
+ done++;
+diff --git a/src/output.c b/src/output.c
+index 2584e06..4342bfe 100644
+--- a/src/output.c
++++ b/src/output.c
+@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_begin) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
+ } else {
+ /* If we cannot write out a change for the exact
+@@ -449,7 +449,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
+ if (!found_std_expr) {
+ if (op->fontsize_end) {
+ char expr[16];
+- sprintf (expr, "%d", size);
++ snprintf(expr, 16, "%d", size);
+ if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
+ } else {
+ /* If we cannot write out a change for the exact
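Review bot: The bounds handed to snprintf are repeated as literals instead of being taken from the declarations, so in cmd_cf, cmd_cb and cmd_highlight the `40` in `snprintf(str, 40, "#%02x%02x%02x", …)` must be trusted to match a `str` declaration that lies outside this hunk (likewise the `20` in cmd_fs), whereas `snprintf(str, sizeof str, …)` — and `sizeof tmp` / `sizeof expr` in assemble_string, cmd_u and output.c — keeps the bound tied to the array if it is ever resized again. The comment kept beside cmd_u's `char tmp[20];` still says it holds "the number of characters that can be in int type", which no longer describes the value now that `%ld` formats a long into it; since a full-range long needs 21 bytes on LP64 targets, a comment such as `/* holds any value reachable from the int param (see the cast above); snprintf truncates rather than overflows */` would be more accurate. No snprintf return value is checked, so a truncated number would be passed on to attr_push or the output template silently — acceptable given the bounded inputs, but worth stating in a one-line comment. Every function touched by this hunk begins and ends outside the shown context.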
diff -Nru unrtf-0.21.5/debian/patches/series unrtf-0.21.5/debian/patches/series
--- unrtf-0.21.5/debian/patches/series 2015-01-27 20:12:28.000000000 +0100
+++ unrtf-0.21.5/debian/patches/series 2017-01-01 19:49:05.000000000 +0100
@@ -6,3 +6,4 @@
0006-Limit-depth-of-group-embedding.patch
0007-Improved-image-file-handling.patch
0008-Better-processing-of-pict-including-addition-of-EMF-type.patch
+0009-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch