
Bug#876706: marked as done (stretch-pu: package liblouis/3.0.0-3)



Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #876706,
regarding stretch-pu: package liblouis/3.0.0-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
876706: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876706
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

Several CVEs have been reported against liblouis in Bug#874302. The
upstream fixes have been tested for 6 days in Debian unstable and then 5
days in Debian testing.

I propose to upload them to stable too, as the attached debdiff shows.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog
--- liblouis-3.0.0/debian/changelog	2016-09-14 00:46:35.000000000 +0200
+++ liblouis-3.0.0/debian/changelog	2017-09-25 01:16:30.000000000 +0200
@@ -1,3 +1,14 @@
+liblouis (3.0.0-3+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch.
+  * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New
+    patch
+  * debian/patches/CVE-2017-13741.patch: New patch.
+  * debian/patches/CVE-2017-13741-2.patch: New patch.
+  * debian/patches/CVE-2017-13743.patch: New patch.
+
+ -- Samuel Thibault <sthibault@debian.org>  Mon, 25 Sep 2017 01:16:30 +0200
+
 liblouis (3.0.0-3) unstable; urgency=medium
 
   * Upload to unstable.
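Review bot: the new 3.0.0-3+deb9u1 changelog entry does not reference the Debian bug tracking these CVEs, although the request above cites Bug#874302; adding `(Closes: #874302)` or at least the bug number to the entry keeps the stable upload traceable from the BTS. Minor: the second bullet ends in `patch` without the trailing period the other bullets have, and the patches are listed in a different order than in debian/patches/series.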
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+       if (pch == '\\' && ch == 10)
+ 	{
+ 	  nested->linelen--;
++	  pch = ch;
+ 	  continue;
+ 	}
+       if (ch == 10 || nested->linelen >= MAXSTRING)
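Review bot: the fix in the `getALine` hunk sets `pch = ch` before `continue`, so a second newline after a backslash is no longer treated as another continuation, but `nested->linelen--;` still has no lower bound, and repeated decrements are exactly what moved the write index outside the buffer. A guard such as `if (nested->linelen > 0) nested->linelen--;` would keep any future path through this loop from indexing `nested->line` below zero, independent of how `pch` is maintained elsewhere in the function (not visible in this hunk).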
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
+ 
+   if (table == NULL || table[0] == '\0')
+     return NULL;
+-  tableFile = (char *) malloc (MAXSTRING * sizeof(char));
++  tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
+   
+   //
+   // First try to resolve against base
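Review bot: the `resolveSubtable` hunk only doubles the allocation (`MAXSTRING * sizeof(char) * 2`) and adds no bound at the point where the base name is copied and the subtable name appended (the diffstat shows a single changed line). If both names can approach MAXSTRING, as the commit message says the subtable name can, the concatenation plus separator and terminator can still exceed the buffer, so a length check (or `snprintf` with the buffer size) at the copy is the robust fix and the larger buffer only a mitigation. No NULL check on the `malloc` result is visible in the hunk either.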
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,26 @@
+commit 1e36af516478e6c07fbc919541df226aac911fd7
+Author: Christian Egli <christian.egli@sbs.ch>
+Date:   Thu Aug 31 13:41:23 2017 +0200
+
+    Fix a tiny problem in the CVE patches
+
+---
+ liblouis/compileTranslationTable.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3814,11 +3814,11 @@ doOpcode:
+     case CTO_Locale:
+       break;
+     case CTO_Undefined:
++      tmp_offset = table->undefined;
+       ok =
+-	tmp_offset = table->undefined;
+ 	compileBrailleIndicator (nested, "undefined character opcode",
+ 				 CTO_Undefined, &tmp_offset);
+-	table->undefined = tmp_offset;
++      table->undefined = tmp_offset;
+       break;
+ 
+ 		case CTO_Match:
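Review bot: the commit message `Fix a tiny problem in the CVE patches` should state what it corrects: in the preceding patch the line `tmp_offset = table->undefined;` landed between `ok =` and the `compileBrailleIndicator` call, so `ok` received the old offset and the call's return value was discarded, meaning a failed indicator compile went unreported. This hunk moves the assignment above `ok =` and restores the check. Because it edits lines introduced by CVE-2017-13741.patch, it must stay ordered after that patch in debian/patches/series, as it currently is.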
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741.patch liblouis-3.0.0/debian/patches/CVE-2017-13741.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741.patch	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,269 @@
+commit af5791ea792acc0a9707738001aa1df3daff7a66
+Author: Mike Gorse <mgorse@suse.com>
+Date:   Wed Aug 30 15:13:09 2017 -0500
+
+    Fix possible use after free when calling compileBrailleIndicator
+    
+    CompileBrailleIndicator calls addRule, which may realloc the table header,
+    so it is unsafe to pass an out parameter under the assumption that the
+    value of table will not change.
+    
+    Fixes CVE-2017-13741.
+
+---
+ liblouis/compileTranslationTable.c |   89 +++++++++++++++++++++++++++----------
+ 1 file changed, 67 insertions(+), 22 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3782,6 +3782,7 @@ compileRule (FileInfo * nested)
+   int k, i;
+ 
+   noback = nofor = 0;
++  TranslationTableOffset tmp_offset;
+ doOpcode:
+   if (!getToken (nested, &token, NULL))
+     return 1;			/*blank line */
+@@ -3814,8 +3815,10 @@ doOpcode:
+       break;
+     case CTO_Undefined:
+       ok =
++	tmp_offset = table->undefined;
+ 	compileBrailleIndicator (nested, "undefined character opcode",
+-				 CTO_Undefined, &table->undefined);
++				 CTO_Undefined, &tmp_offset);
++	table->undefined = tmp_offset;
+       break;
+ 
+ 		case CTO_Match:
+@@ -3933,9 +3936,11 @@ doOpcode:
+ 		}
+ 
+     case CTO_BegCapsPhrase:
++	tmp_offset = table->emphRules[capsRule][begPhraseOffset];
+       ok =
+ 	compileBrailleIndicator (nested, "first word capital sign",
+-				 CTO_BegCapsPhraseRule, &table->emphRules[capsRule][begPhraseOffset]);
++				 CTO_BegCapsPhraseRule, &tmp_offset);
++	table->emphRules[capsRule][begPhraseOffset] = tmp_offset;
+       break;
+     case CTO_EndCapsPhrase:
+ 		switch (compileBeforeAfter(nested)) {
+@@ -3945,9 +3950,11 @@ doOpcode:
+ 					ok = 0;
+ 					break;
+ 				}
++	tmp_offset = table->emphRules[capsRule][endPhraseBeforeOffset];
+ 				ok =
+ 					compileBrailleIndicator (nested, "capital sign before last word",
+-						CTO_EndCapsPhraseBeforeRule, &table->emphRules[capsRule][endPhraseBeforeOffset]);
++						CTO_EndCapsPhraseBeforeRule, &tmp_offset);
++	table->emphRules[capsRule][endPhraseBeforeOffset] = tmp_offset;
+ 				break;
+ 			case 2: // after
+ 				if (table->emphRules[capsRule][endPhraseBeforeOffset]) {
+@@ -3955,9 +3962,11 @@ doOpcode:
+ 					ok = 0;
+ 					break;
+ 				}
++	tmp_offset = table->emphRules[capsRule][endPhraseAfterOffset];
+ 				ok =
+ 					compileBrailleIndicator (nested, "capital sign after last word",
+-						CTO_EndCapsPhraseAfterRule, &table->emphRules[capsRule][endPhraseAfterOffset]);
++						CTO_EndCapsPhraseAfterRule, &tmp_offset);
++	table->emphRules[capsRule][endPhraseAfterOffset] = tmp_offset;
+ 				break;
+ 			default: // error
+ 				compileError (nested, "Invalid lastword indicator location.");
+@@ -3966,28 +3975,38 @@ doOpcode:
+ 		}
+       break;
+ 	  case CTO_BegCaps:
++	tmp_offset = table->emphRules[capsRule][begOffset];
+       ok =
+ 	compileBrailleIndicator (nested, "first letter capital sign",
+-				 CTO_BegCapsRule, &table->emphRules[capsRule][begOffset]);
++				 CTO_BegCapsRule, &tmp_offset);
++	table->emphRules[capsRule][begOffset] = tmp_offset;
+ 		break;
+ 	  case CTO_EndCaps:
++	tmp_offset = table->emphRules[capsRule][endOffset];
+       ok =
+ 	compileBrailleIndicator (nested, "last letter capital sign",
+-				 CTO_EndCapsRule, &table->emphRules[capsRule][endOffset]);
++				 CTO_EndCapsRule, &tmp_offset);
++	table->emphRules[capsRule][endOffset] = tmp_offset;
+       break;
+ 	  case CTO_CapsLetter:
++	tmp_offset = table->emphRules[capsRule][letterOffset];
+       ok =
+ 	compileBrailleIndicator (nested, "single letter capital sign",
+-				 CTO_CapsLetterRule, &table->emphRules[capsRule][letterOffset]);
++				 CTO_CapsLetterRule, &tmp_offset);
++	table->emphRules[capsRule][letterOffset] = tmp_offset;
+       break;
+     case CTO_BegCapsWord:
++	tmp_offset = table->emphRules[capsRule][begWordOffset];
+       ok =
+ 	compileBrailleIndicator (nested, "capital word", CTO_BegCapsWordRule,
+-				 &table->emphRules[capsRule][begWordOffset]);
++				 &tmp_offset);
++	table->emphRules[capsRule][begWordOffset] = tmp_offset;
+       break;
+ 	case CTO_EndCapsWord:
++	tmp_offset = table->emphRules[capsRule][endWordOffset];
+ 		ok = compileBrailleIndicator(nested, "capital word stop",
+-				 CTO_EndCapsWordRule, &table->emphRules[capsRule][endWordOffset]);
++				 CTO_EndCapsWordRule, &tmp_offset);
++	table->emphRules[capsRule][endWordOffset] = tmp_offset;
+       break;
+     case CTO_LenCapsPhrase:
+       ok = table->emphRules[capsRule][lenPhraseOffset] = compileNumber (nested);
+@@ -4112,19 +4131,25 @@ doOpcode:
+ 	      }
+ 		i++; // in table->emphRules the first index is used for caps
+ 		if (opcode == CTO_EmphLetter) {
++			tmp_offset = table->emphRules[i][letterOffset];
+ 			ok = compileBrailleIndicator (nested, "single letter",
+ 				CTO_Emph1LetterRule + letterOffset + (8 * i),
+-				&table->emphRules[i][letterOffset]);
++				&tmp_offset);
++			table->emphRules[i][letterOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_BegEmphWord) {
++			tmp_offset = table->emphRules[i][begWordOffset];
+ 			ok = compileBrailleIndicator (nested, "word",
+ 				CTO_Emph1LetterRule + begWordOffset + (8 * i),
+-				&table->emphRules[i][begWordOffset]);
++				&tmp_offset);
++			table->emphRules[i][begWordOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_EndEmphWord) {
++			tmp_offset = table->emphRules[i][endWordOffset];
+ 			ok = compileBrailleIndicator(nested, "word stop",
+ 				CTO_Emph1LetterRule + endWordOffset + (8 * i),
+-				&table->emphRules[i][endWordOffset]);
++				&tmp_offset);
++			table->emphRules[i][endWordOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_BegEmph) {
+ 		  /* fail if both begemph and any of begemphphrase or begemphword are defined */
+@@ -4133,9 +4158,11 @@ doOpcode:
+ 		    ok = 0;
+ 		    break;
+ 		  }
++			tmp_offset = table->emphRules[i][begOffset];
+ 			ok = compileBrailleIndicator (nested, "first letter",
+ 				CTO_Emph1LetterRule + begOffset + (8 * i),
+-				&table->emphRules[i][begOffset]);
++				&tmp_offset);
++			table->emphRules[i][begOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_EndEmph) {
+ 		  if (table->emphRules[i][endWordOffset] || table->emphRules[i][endPhraseBeforeOffset] || table->emphRules[i][endPhraseAfterOffset]) {
+@@ -4143,14 +4170,18 @@ doOpcode:
+ 		    ok = 0;
+ 		    break;
+ 		  }
++			tmp_offset = table->emphRules[i][endOffset];
+ 			ok = compileBrailleIndicator (nested, "last letter",
+ 				CTO_Emph1LetterRule + endOffset + (8 * i),
+-				&table->emphRules[i][endOffset]);
++				&tmp_offset);
++			table->emphRules[i][endOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_BegEmphPhrase) {
++			tmp_offset = table->emphRules[i][begPhraseOffset];
+ 			ok = compileBrailleIndicator (nested, "first word",
+ 				CTO_Emph1LetterRule + begPhraseOffset + (8 * i),
+-				&table->emphRules[i][begPhraseOffset]);
++				&tmp_offset);
++			table->emphRules[i][begPhraseOffset] = tmp_offset;
+ 		}
+ 		else if (opcode == CTO_EndEmphPhrase)
+ 			switch (compileBeforeAfter(nested)) {
+@@ -4160,9 +4191,11 @@ doOpcode:
+ 						ok = 0;
+ 						break;
+ 					}
++					tmp_offset = table->emphRules[i][endPhraseBeforeOffset];
+ 					ok = compileBrailleIndicator (nested, "last word before",
+ 						CTO_Emph1LetterRule + endPhraseBeforeOffset + (8 * i),
+-						&table->emphRules[i][endPhraseBeforeOffset]);
++						&tmp_offset);
++					table->emphRules[i][endPhraseBeforeOffset] = tmp_offset;
+ 					break;
+ 				case 2: // after
+ 					if (table->emphRules[i][endPhraseBeforeOffset]) {
+@@ -4170,9 +4203,11 @@ doOpcode:
+ 						ok = 0;
+ 						break;
+ 					}
++					tmp_offset = table->emphRules[i][endPhraseAfterOffset];
+ 					ok = compileBrailleIndicator (nested, "last word after",
+ 						CTO_Emph1LetterRule + endPhraseAfterOffset + (8 * i),
+-						&table->emphRules[i][endPhraseAfterOffset]);
++						&tmp_offset);
++					table->emphRules[i][endPhraseAfterOffset] = tmp_offset;
+ 					break;
+ 				default: // error
+ 					compileError (nested, "Invalid lastword indicator location.");
+@@ -4186,9 +4221,11 @@ doOpcode:
+ 	break;
+ 
+     case CTO_LetterSign:
++      tmp_offset = table->letterSign;
+       ok =
+ 	compileBrailleIndicator (nested, "letter sign", CTO_LetterRule,
+-				 &table->letterSign);
++				 &tmp_offset);
++       table->letterSign = tmp_offset;
+       break;
+     case CTO_NoLetsignBefore:
+       if (getRuleCharsText (nested, &ruleChars))
+@@ -4232,9 +4269,11 @@ doOpcode:
+ 	}
+       break;
+     case CTO_NumberSign:
++      tmp_offset = table->numberSign;
+       ok =
+ 	compileBrailleIndicator (nested, "number sign", CTO_NumberRule,
+-				 &table->numberSign);
++				 &tmp_offset);
++      table->numberSign = tmp_offset;
+       break;
+ 
+ 	case CTO_Attribute:
+@@ -4330,8 +4369,10 @@ doOpcode:
+ 		
+ 	case CTO_NoContractSign:
+ 	
++      tmp_offset = table->noContractSign;
+ 		ok = compileBrailleIndicator
+-			(nested, "no contractions sign", CTO_NoContractRule, &table->noContractSign);
++			(nested, "no contractions sign", CTO_NoContractRule, &tmp_offset);
++      table->noContractSign = tmp_offset;
+ 		break;
+ 	  
+ 	case CTO_SeqDelimiter:
+@@ -4446,14 +4487,18 @@ doOpcode:
+ 		break;
+ 	
+     case CTO_BegComp:
++      tmp_offset = table->begComp;
+       ok =
+ 	compileBrailleIndicator (nested, "begin computer braille",
+-				 CTO_BegCompRule, &table->begComp);
++				 CTO_BegCompRule, &tmp_offset);
++      table->begComp = tmp_offset;
+       break;
+     case CTO_EndComp:
++      tmp_offset = table->endComp;
+       ok =
+ 	compileBrailleIndicator (nested, "end computer braslle",
+-				 CTO_EndCompRule, &table->endComp);
++				 CTO_EndCompRule, &tmp_offset);
++      table->endComp = tmp_offset;
+       break;
+     case CTO_Syllable:
+       table->syllables = 1;
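Review bot: in the `CTO_Undefined` region of this patch (`@@ -3814,8 +3815,10 @@`) the added `tmp_offset = table->undefined;` is placed after `ok =`, so the statement reads `ok = tmp_offset = table->undefined;` and the return value of `compileBrailleIndicator` is dropped; every other call site in the patch puts the assignment before `ok =`. The follow-up CVE-2017-13741-2.patch in this debdiff corrects it, so the two must not be applied independently. The pattern itself (copy the offset out, call, then re-read `table` and write back) is the right one given that `addRule` may `realloc` the table header, but it is repeated by hand for about twenty opcodes; a small helper that takes the field's offset rather than a pointer into `table` would make it harder to miss a site, and would also avoid the `tmp_offset` declaration sitting after the `noback = nofor = 0;` statement.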
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13743.patch liblouis-3.0.0/debian/patches/CVE-2017-13743.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13743.patch	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13743.patch	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,46 @@
+commit 98eebd7564595b2403a8573c0725a38519546445
+Author: Christian Egli <christian.egli@sbs.ch>
+Date:   Fri Sep 1 15:12:30 2017 +0200
+
+    Guard against buffer overflow in _lou_showString
+    
+    I believe this fixes #397 and hence CVE-2017-13743
+
+---
+ liblouis/compileTranslationTable.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -351,7 +351,7 @@ showString (widechar const *chars, int l
+   int charPos;
+   int bufPos = 0;
+   scratchBuf[bufPos++] = '\'';
+-  for (charPos = 0; charPos < length; charPos++)
++  for (charPos = 0; charPos < length && bufPos < (MAXSTRING-2); charPos++)
+     {
+       if (chars[charPos] >= 32 && chars[charPos] < 127)
+ 	scratchBuf[bufPos++] = (char) chars[charPos];
+@@ -388,14 +388,14 @@ showString (widechar const *chars, int l
+ 	      leadingZeros = 0;
+ 	      break;
+ 	    }
+-	  if ((bufPos + leadingZeros + hexLength + 4) >= sizeof (scratchBuf))
+-	    break;
+-	  scratchBuf[bufPos++] = '\\';
+-	  scratchBuf[bufPos++] = escapeLetter;
+-	  for (hexPos = 0; hexPos < leadingZeros; hexPos++)
+-	    scratchBuf[bufPos++] = '0';
+-	  for (hexPos = 0; hexPos < hexLength; hexPos++)
+-	    scratchBuf[bufPos++] = hexbuf[hexPos];
++	  if ((bufPos + leadingZeros + hexLength + 4) < (MAXSTRING-2)) {
++	    scratchBuf[bufPos++] = '\\';
++	    scratchBuf[bufPos++] = escapeLetter;
++	    for (hexPos = 0; hexPos < leadingZeros; hexPos++)
++	      scratchBuf[bufPos++] = '0';
++	    for (hexPos = 0; hexPos < hexLength; hexPos++)
++	      scratchBuf[bufPos++] = hexbuf[hexPos];
++	  }
+ 	}
+     }
+   scratchBuf[bufPos++] = '\'';
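Review bot: in the second `showString` hunk the replaced check drops `sizeof (scratchBuf)` in favour of `MAXSTRING-2`; if the buffer is declared with a size other than MAXSTRING, or its declaration later changes, the two drift apart, so `sizeof (scratchBuf) - 2` keeps the guard tied to the actual buffer. Behaviourally, the old code `break`s when an escape sequence does not fit, while the new code skips that escape and keeps looping, so a later, shorter character can still be appended after a dropped one and the rendered string silently omits characters from the middle; a `break` inside the new `if` (or a truncation marker) would preserve the original semantics while keeping the bound. The loop condition `bufPos < (MAXSTRING-2)` in the first hunk leaves room for the closing quote and terminator, which is the intent.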
diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/series	2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,5 @@
+CVE-2017-13738-and-2017-13744.patch
+CVE-2017-13739-and-2017-13740-and-2017-13742.patch
+CVE-2017-13743.patch
+CVE-2017-13741.patch
+CVE-2017-13741-2.patch
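Review bot: the series order is correct in that CVE-2017-13741-2.patch follows CVE-2017-13741.patch, which it depends on; since the changelog lists the patches in a different order, a `#` comment line in the series file (which quilt accepts) or a sentence in the changelog saying the second patch must follow the first would stop a later reorder from breaking the apply.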

--- End Message ---
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
