Bug#912159: stretch-pu: package libmspack/0.5-1+deb9u3
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear stable release managers,
there are two open CVEs for libmspack in Stretch:
* CVE-2018-18584
* CVE-2018-18585
As the security team does not rate them as appropriate for a DSA of their own, but
wants to see an update in Stretch, I would like to ask for an update via PU.
Thanks!
Thorsten
-- System Information:
Debian Release: 10
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru libmspack-0.5/debian/changelog libmspack-0.5/debian/changelog
--- libmspack-0.5/debian/changelog 2018-08-02 19:18:37.000000000 +0200
+++ libmspack-0.5/debian/changelog 2018-10-26 19:03:02.000000000 +0200
@@ -1,3 +1,15 @@
+libmspack (0.5-1+deb9u3) stretch; urgency=high
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2018-18584 (Closes: #911640)
+ Fixing the size of the CAB block input buffer, which is too small
+ for the maximal Quantum block, prevents an out-of-bounds write.
+ * CVE-2018-18585 (Closes: #911637)
+ Blank filenames (having length zero or their 1st or 2nd byte is
+ null) should be rejected.
+
+ -- Thorsten Alteholz <debian@alteholz.de> Fri, 26 Oct 2018 19:03:02 +0200
+
libmspack (0.5-1+deb9u2) stretch-security; urgency=high
* Non-maintainer upload.
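Review bot: the CVE-2018-18585 entry says blank filenames "should be rejected", but patch 0008 replaces the `goto chunk_end` with a `continue`, so such entries are skipped and the rest of the chunk is still parsed rather than the chunk being rejected; wording like "are now skipped instead of aborting the chunk" would describe the actual behaviour change and help anyone reading the changelog when triaging CHM parsing regressions. The CVE-2018-18584 description is accurate: the CAB input buffer grows from CAB_INPUTMAX to a size that covers the largest block salvage mode can accept.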
diff -Nru libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch
--- libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0007-CVE-2018-18584.patch 2018-10-26 19:03:02.000000000 +0200
@@ -0,0 +1,35 @@
+Index: libmspack-0.5/mspack/cab.h
+===================================================================
+--- libmspack-0.5.orig/mspack/cab.h 2018-10-26 14:11:57.146094291 +0200
++++ libmspack-0.5/mspack/cab.h 2018-10-26 14:11:57.114094292 +0200
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+@@ -100,7 +108,7 @@
+ struct mspack_file *infh; /* input file handle */
+ struct mspack_file *outfh; /* output file handle */
+ unsigned char *i_ptr, *i_end; /* input data consumed, end */
+- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
+ };
+
+ struct mscab_decompressor_p {
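Review bot: the patch file carries no DEP-3 header (Origin with the upstream commit, Bug, Description), so a later reviewer cannot tell from the file alone which upstream change this mirrors or whether it is complete; please add one before upload. On the substance, this hunk only enlarges the buffer to `CAB_INPUTBUF (65535 + 1)`; the comment justifies the size by saying `cabd_sys_read_block()` appends one trailer byte and that salvage mode skips the block-size check, but the read path itself is not in the diff. The header should state (or the series should include) the corresponding cab.c change so it is verifiable that reads into `input[]` are bounded by CAB_INPUTBUF in salvage mode and by CAB_INPUTMAX otherwise; a larger buffer alone does not establish the bound. The copyright-year bump in the first hunk is cosmetic and fine to keep if it matches upstream.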
diff -Nru libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch
--- libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch 1970-01-01 01:00:00.000000000 +0100
+++ libmspack-0.5/debian/patches/0008-CVE-2018-18585.patch 2018-10-26 19:03:02.000000000 +0200
@@ -0,0 +1,22 @@
+Index: libmspack-0.5/mspack/chmd.c
+===================================================================
+--- libmspack-0.5.orig/mspack/chmd.c 2018-10-26 14:12:19.494093621 +0200
++++ libmspack-0.5/mspack/chmd.c 2018-10-26 14:12:19.482093622 +0200
+@@ -447,14 +447,14 @@
+ while (num_entries--) {
+ READ_ENCINT(name_len);
+ if (name_len > (unsigned int) (end - p)) goto chunk_end;
+- /* consider blank filenames to be an error */
+- if (name_len == 0) goto chunk_end;
+ name = p; p += name_len;
+-
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+
++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++ if (name_len < 2 || !name[0] || !name[1]) continue;
++
+ /* empty files and directory names are stored as a file entry at
+ * offset 0 with length 0. We want to keep empty files, but not
+ * directory names, which end with a "/" */
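Review bot: the new check `if (name_len < 2 || !name[0] || !name[1]) continue;` is correctly placed after the three `READ_ENCINT` calls, so the section, offset and length varints of a skipped entry are still consumed and the parser stays in sync with the chunk; moving the check earlier (where the removed `name_len == 0` test sat) would have desynchronised the stream. Short-circuit evaluation also guarantees `name[1]` is only read when `name_len >= 2`, and the retained `name_len > (unsigned int)(end - p)` test keeps `name` within the chunk. Two points to address: the patch lacks a DEP-3 header naming the upstream commit, and the removed line `/* consider blank filenames to be an error */` documented the old abort semantics while the new comment describes a skip, so the debian/changelog text should say "skipped" rather than "rejected" to match.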
diff -Nru libmspack-0.5/debian/patches/series libmspack-0.5/debian/patches/series
--- libmspack-0.5/debian/patches/series 2018-07-21 16:46:08.000000000 +0200
+++ libmspack-0.5/debian/patches/series 2018-10-26 19:03:02.000000000 +0200
@@ -4,3 +4,6 @@
0004-kwaj_read_headers-fix-handling-of-non-terminated-str.patch
0005-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
0006-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
+
+0007-CVE-2018-18584.patch
+0008-CVE-2018-18585.patch
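Review bot: the added blank line between `0006-...` and `0007-CVE-2018-18584.patch` is harmless to quilt but breaks the existing one-entry-per-line layout of the series file; drop it so the two new patches follow the earlier entries directly.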