Bug#885617: stretch-pu: package libextractor/1:1.3-4
Le 10/02/2018 à 11:13, Julien Cristau a écrit :
> Control: tag -1 moreinfo
>
> On Thu, Dec 28, 2017 at 17:11:02 +0100, Bertrand Marc wrote:
>
>> diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch
>> --- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 01:00:00.000000000 +0100
>> +++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 11:39:33.000000000 +0100
>> @@ -0,0 +1,29 @@
>> +From: Bertrand Marc <bmarc@debian.org>, Markus Koschany <apo@debian.org>
>> +Subject: CVE-2017-15600
>> +
>> +Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
>> +Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
>> +--- a/src/plugins/nsf_extractor.c
>> ++++ b/src/plugins/nsf_extractor.c
>> +@@ -152,13 +152,17 @@
>> + char nsfversion[32];
>> + const struct header *head;
>> + void *data;
>> ++ ssize_t ds;
>> +
>> +- if (sizeof (struct header) >
>> +- ec->read (ec->cls,
>> +- &data,
>> +- sizeof (struct header)))
>> ++ ds = ec->read (ec->cls,
>> ++ &data,
>> ++ sizeof (struct header));
>> ++ if ( (-1 == ds) ||
>> ++ (sizeof (struct header) > ds) )
>> + return;
>> + head = data;
>> ++ if (NULL == head)
>> ++ return 0;
>> +
> Curious how that works. 3 lines above is plain "return", and here
> "return 0". What's the type of that function and how did the compiler
> not flag this?
>
> Cheers,
> Julien
Indeed, sorry. The type of the function was changed from void (in wheezy) to int (in jessie). I updated the patch attached accordingly.
Cheers,
Bertrand
diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog
--- libextractor-1.3/debian/changelog 2016-04-26 22:58:56.000000000 +0200
+++ libextractor-1.3/debian/changelog 2017-12-28 11:39:33.000000000 +0100
@@ -1,3 +1,14 @@
+libextractor (1:1.3-4+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
+ CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered
+ several security vulnerabilities, NULL Pointer Dereferences, heap-based
+ buffer overflows, integer signedness errors and out-of-bounds read that
+ may lead to a denial-of-service (application crash) or have other
+ unspecified impact.
+
+ -- Bertrand Marc <bmarc@debian.org> Thu, 28 Dec 2017 11:39:33 +0100
+
libextractor (1:1.3-4) unstable; urgency=medium
* Update debian/patches/ffmpeg2.9.patch with a new commit taken from upstream
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch
--- libextractor-1.3/debian/patches/CVE-2017-15266.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15266.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,17 @@
+From: Bertrand Marc <bmarc@debian.org>
+Subject: CVE-2017-15266
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html
+Bug-Debian: https://bugs.debian.org/878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
+--- a/src/plugins/wav_extractor.c
++++ b/src/plugins/wav_extractor.c
+@@ -109,6 +109,8 @@
+ return; /* invalid sample size found in wav file */
+ if (0 == channels)
+ return; /* invalid channels value -- avoid division by 0! */
++ if (0 == sample_rate)
++ return; /* invalid sample_rate */
+ samples = data_len / (channels * (sample_size >> 3));
+
+ snprintf (scratch,
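Review bot: The new `sample_rate` guard on line 80 sits correctly before any use, but the divisor on the very next statement, `channels * (sample_size >> 3)`, is only as safe as the sample-size check just above it: any `sample_size` below 8 makes `sample_size >> 3` zero and the same division by zero this hunk fixes for `sample_rate` reappears here. That earlier check is outside the hunk, so unless it restricts `sample_size` to multiples of 8 (presumably 8 and 16), add `if (0 == (sample_size >> 3)) return; /* avoid division by 0 */` next to the channels check. The division by `sample_rate` itself is also outside the hunk, so the new comment should say what it protects, e.g. `/* invalid sample_rate -- avoid division by 0 when computing the duration below */`. The enclosing function starts and ends outside the hunk.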
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch
--- libextractor-1.3/debian/patches/CVE-2017-15267.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15267.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 4 Dec 2017 00:00:15 +0100
+Subject: CVE-2017-15267
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2
+---
+ src/plugins/flac_extractor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/plugins/flac_extractor.c
++++ b/src/plugins/flac_extractor.c
+@@ -339,6 +339,8 @@
+ {
+ entry = &vc->comments[count];
+ eq = (const char*) entry->entry;
++ if (NULL == eq)
++ break;
+ len = entry->length;
+ ilen = 0;
+ while ( ('=' != *eq) && ('\0' != *eq) &&
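Review bot: The NULL check added on lines 106-107 uses `break`, so one NULL entry in `vc->comments` abandons every remaining comment instead of skipping the bad one; if that is intended it needs a comment, otherwise `continue` keeps the later comments while still avoiding the dereference. A comment in the style of the file would be `/* a comment entry can be NULL on malformed metadata; stop rather than dereference it */`, hedged because where the entry array is filled is not visible here. The scan on line 110 also depends on `len` (`entry->length`) or a terminator to bound the walk, but that part of the condition is cut off at the end of the hunk. The enclosing function starts and ends outside the hunk.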
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch
--- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,29 @@
+From: Bertrand Marc <bmarc@debian.org>, Markus Koschany <apo@debian.org>
+Subject: CVE-2017-15600
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
+--- a/src/plugins/nsf_extractor.c
++++ b/src/plugins/nsf_extractor.c
+@@ -152,13 +152,17 @@
+ char nsfversion[32];
+ const struct header *head;
+ void *data;
++ ssize_t ds;
+
+- if (sizeof (struct header) >
+- ec->read (ec->cls,
+- &data,
+- sizeof (struct header)))
++ ds = ec->read (ec->cls,
++ &data,
++ sizeof (struct header));
++ if ( (-1 == ds) ||
++ (sizeof (struct header) > ds) )
+ return;
+ head = data;
++ if (NULL == head)
++ return;
+
+ /* Check "magic" id bytes */
+ if (memcmp (head->magicid, "NESM\x1a", 5))
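Review bot: The length check on lines 135-136 treats only `-1` as an error; `ds` is `ssize_t`, so if `ec->read` ever returns any other negative value it is converted to unsigned in `sizeof (struct header) > ds` and passes as a huge count. The robust form, which also avoids the signed/unsigned comparison, is `if ( (ds < 0) || ((size_t) ds < sizeof (struct header)) ) return;`. This is the idiom the `(ssize_t) sizeof (...)` casts in the CVE-2017-17440 patch below should converge on too, since the two patches currently encode the same check in two different ways. The `NULL == head` test after a successful read is harmless but deserves a comment saying when the read callback can hand back a NULL buffer. The enclosing function starts and ends outside the hunk.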
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15601.patch libextractor-1.3/debian/patches/CVE-2017-15601.patch
--- libextractor-1.3/debian/patches/CVE-2017-15601.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15601.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,25 @@
+From: Bertrand Marc <bmarc@debian.org>
+Subject: CVE-2017-15601
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091
+--- a/src/plugins/png_extractor.c
++++ b/src/plugins/png_extractor.c
+@@ -47,6 +47,8 @@
+ {
+ char *tmp;
+
++ if (n + 1 < n)
++ return NULL;
+ if (NULL == (tmp = malloc (n + 1)))
+ return NULL;
+ tmp[n] = '\0';
+@@ -221,6 +223,8 @@
+ compressed = data[pos++];
+ if (compressed && (0 != data[pos++]))
+ return 0; /* bad compression method */
++ if (pos > length)
++ return 0;
+ language = (char *) &data[pos];
+ ret = 0;
+ if ( (stnlen (language, length - pos) > 0) &&
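Review bot: The bounds check added on line 168 runs after the two `data[pos++]` reads on lines 165-166, so it only protects the `&data[pos]` / `stnlen` use that follows; those reads are safe only if code above the hunk already guarantees at least two bytes remain before the `compressed` byte is read. If it does not, the check has to move up, something like `if (pos + 2 > length) return 0;` ahead of `compressed = data[pos++];`. The `n + 1 < n` guard on line 159 is correct only if `n` is an unsigned type such as `size_t`; for a signed `n` the wrap is undefined behaviour and the compiler is free to drop the test, and its declaration is outside the hunk. Both enclosing functions start and end outside the hunk.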
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15602.patch libextractor-1.3/debian/patches/CVE-2017-15602.patch
--- libextractor-1.3/debian/patches/CVE-2017-15602.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15602.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,18 @@
+From: Bertrand Marc <bmarc@debian.org>
+Subject: CVE-2017-15602
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -374,7 +374,9 @@
+ 8))
+ break;
+ chunksize = nsfeuint (data);
+- off += 8 + chunksize;
++ if (off + chunksize + 8LLU <= off)
++ break; /* protect against looping */
++ off += 8LLU + chunksize;
+ if (0 == memcmp (data + 4, "INFO", 4))
+ ret = info_extract (ec, chunksize);
+ else if (0 == memcmp (data + 4, "auth", 4))
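Review bot: The wrap guard on line 189 only works if `off` is at least as wide as the `unsigned long long` that `8LLU` promotes the sum to: with a 64-bit `off` a wrapped value is caught, but if `off` is a 32-bit type the 64-bit sum never wraps, the guard never fires, and `off += 8LLU + chunksize` on line 191 silently truncates back to 32 bits, which is exactly the looping the comment says it prevents. The declaration of `off` is outside the hunk; if it is 32-bit, compare `chunksize` against the bytes remaining in the file instead (the file-size variable is not visible here). A short comment would save the next reader the same analysis, e.g. `/* 8LLU forces 64-bit arithmetic so the sum cannot wrap before the check */`. The enclosing loop starts and ends outside the hunk.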
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15922.patch libextractor-1.3/debian/patches/CVE-2017-15922.patch
--- libextractor-1.3/debian/patches/CVE-2017-15922.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15922.patch 2017-12-26 19:25:34.000000000 +0100
@@ -0,0 +1,45 @@
+From: Bertrand Marc <bmarc@debian.org>
+Subject: CVE-2017-15922
+
+Bug-Debian: https://bugs.debian.org/880016
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117
+---
+ src/plugins/dvi_extractor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
+index e4cfa3a..2c9eaa2 100644
+--- a/src/plugins/dvi_extractor.c
++++ b/src/plugins/dvi_extractor.c
+@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ goto CLEANUP;
+ opos = pos;
+ pos = getIntAt (&data[opos + 1]);
+- if (pos + 25 > size)
++ if ( (pos + 25 > size) ||
++ (pos + 25 < pos) )
+ goto CLEANUP;
+ /* assert pos at 'post' command */
+ if (data[pos] != 248)
+@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ {
+ if (UINT32_MAX == pos)
+ break;
+- if (pos + 45 > size)
++ if ( (pos + 45 > size) ||
++ (pos + 45 < pos) )
+ goto CLEANUP;
+ if (data[pos] != 139) /* expect 'bop' */
+ goto CLEANUP;
+@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ }
+ /* try to find PDF/ps special */
+ pos = opos;
+- while (pos < size - 100)
++ while ( (size >= 100) &&
++ (pos < size - 100) )
+ {
+ switch (data[pos])
+ {
+
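Review bot: The patch header's diffstat on lines 206-207 (`3 insertions(+), 3 deletions(-)`) does not match the hunks under it, which remove 3 lines and add 6, and every hunk's new-side start is three lines past its old-side start (`-207,7 +210,8`) although no hunk adds those lines; both look like a patch cut down from a larger upstream commit without regenerating the header. quilt will still apply it with an offset, but the stale `index e4cfa3a..2c9eaa2` line and the diffstat should be refreshed or dropped so the patch describes what it actually changes. The three guards themselves look right given `pos` is `uint32_t` (line 225): on the usual ABIs `pos + 25` wraps at 32 bits and the added `< pos` test catches it. EXTRACTOR_dvi_extract_method starts and ends outside the hunks.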
diff -Nru libextractor-1.3/debian/patches/CVE-2017-17440.patch libextractor-1.3/debian/patches/CVE-2017-17440.patch
--- libextractor-1.3/debian/patches/CVE-2017-17440.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-17440.patch 2017-12-28 11:39:33.000000000 +0100
@@ -0,0 +1,98 @@
+From: Bertrand Marc <bmarc@debian.org>
+Subject: CVE-2017-17440
+
+Bug-Debian: https://bugs.debian.org/883528
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e
+--- a/src/plugins/gif_extractor.c
++++ b/src/plugins/gif_extractor.c
+@@ -118,6 +118,8 @@
+ if (GIF_OK !=
+ DGifGetExtension (gif_file, &et, &ext))
+ continue;
++ if (NULL == ext)
++ continue;
+ if (COMMENT_EXT_FUNC_CODE == et)
+ {
+ ec->proc (ec->cls,
+--- a/src/plugins/it_extractor.c
++++ b/src/plugins/it_extractor.c
+@@ -70,7 +70,7 @@
+ char itversion[8];
+ const struct Header *head;
+
+- if (HEADER_SIZE >
++ if ((ssize_t) HEADER_SIZE >
+ ec->read (ec->cls,
+ &data,
+ HEADER_SIZE))
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -176,7 +176,7 @@
+
+ if (size < 8)
+ return 0;
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -244,7 +244,7 @@
+ void *data;
+ const char *cdata;
+
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -286,7 +286,7 @@
+
+ if (left < 1)
+ return 0;
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -343,7 +343,7 @@
+ uint32_t chunksize;
+ int ret;
+
+- if (sizeof (struct header) >
++ if ((ssize_t) sizeof (struct header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct header)))
+--- a/src/plugins/s3m_extractor.c
++++ b/src/plugins/s3m_extractor.c
+@@ -80,7 +80,7 @@
+ struct S3MHeader header;
+ char song_name_NT[29];
+
+- if (sizeof (header) >
++ if ((ssize_t) sizeof (header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (header)))
+--- a/src/plugins/sid_extractor.c
++++ b/src/plugins/sid_extractor.c
+@@ -176,7 +176,7 @@
+ const struct header *head;
+ void *data;
+
+- if (sizeof (struct header) >
++ if ((ssize_t) sizeof (struct header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct header)))
+--- a/src/plugins/xm_extractor.c
++++ b/src/plugins/xm_extractor.c
+@@ -70,7 +70,7 @@
+ char xmversion[8];
+ size_t n;
+
+- if (sizeof (struct Header) >
++ if ((ssize_t) sizeof (struct Header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct Header)))
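Review bot: Casting `size` to `ssize_t` in the three `nsfe_extractor.c` hunks (lines 282, 291, 300) only fixes the comparison on 64-bit targets: on a 32-bit build (i386 and armhf are stretch release architectures) a chunk size with the top bit set becomes negative after the cast, `ec->read` presumably fails with -1, `(ssize_t) size > -1` is then false, and the function carries on with `data` unset. The `sizeof (...)` casts in the other plugins are fine because the operand is a small constant, but `size` here appears to be the `chunksize` read from the file on line 187 and is only bounded from below (`if (size < 8)` on line 279). Prefer the shape already used in the CVE-2017-15600 patch above: `ssize_t ds = ec->read (ec->cls, &data, size); if ( (ds < 0) || ((size_t) ds < size) ) return 0;`. The enclosing functions start and end outside the hunks.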
diff -Nru libextractor-1.3/debian/patches/series libextractor-1.3/debian/patches/series
--- libextractor-1.3/debian/patches/series 2016-04-26 21:34:10.000000000 +0200
+++ libextractor-1.3/debian/patches/series 2017-12-28 11:39:33.000000000 +0100
@@ -1,2 +1,9 @@
libgiflib5.1.patch
ffmpeg2.9.patch
+CVE-2017-15266.patch
+CVE-2017-15267.patch
+CVE-2017-15600.patch
+CVE-2017-15601.patch
+CVE-2017-15602.patch
+CVE-2017-15922.patch
+CVE-2017-17440.patch