--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package liblouis/3.0.0-3+deb9u4
- From: Samuel Thibault <sthibault@debian.org>
- Date: Sat, 16 Jun 2018 00:30:02 +0200
- Message-id: <20180615223002.iwcmtzbbxgbsdivt@var.youpi.perso.aquilenet.fr>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
Several new CVEs have been published. Their upstream fixes have now
propagated to testing; I'm proposing to push them to stretch too. I have
uploaded the attached change (yes, I skipped version deb9u3 whose patch
was looking dubious due to mere upstream indentation changes).
Samuel
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.17.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog
--- liblouis-3.0.0/debian/changelog 2018-05-25 10:46:29.000000000 +0200
+++ liblouis-3.0.0/debian/changelog 2018-06-16 00:27:09.000000000 +0200
@@ -1,3 +1,17 @@
+liblouis (3.0.0-3+deb9u4) stretch; urgency=medium
+
+ * patches/cve-2018-11440: Fix another buffer overflow for CVE 2018-11440
+ (Closes: #900085).
+ * patches/cve-2018-11577: Fix another segfault for CVE 2018-11577
+ (Closes: #900607).
+ * patches/cve-2018-11683: Fix a buffer overflow for CVE 2018-11683.
+ * patches/cve-2018-11684: Fix a buffer overflow for CVE 2018-11684.
+ * patches/cve-2018-11685: Fix a buffer overflow for CVE 2018-11685.
+ * patches/cve-2018-12085: Fix another buffer overflow for CVE 2018-12085
+ (Closes: Bug#901202).
+
+ -- Samuel Thibault <sthibault@debian.org> Sat, 16 Jun 2018 00:27:09 +0200
+
liblouis (3.0.0-3+deb9u2) stretch; urgency=medium
* patches/cve-2018-11410: Buffer overflow fix for CVE 2018-11410
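Review bot: The new entry jumps from 3.0.0-3+deb9u2 to 3.0.0-3+deb9u4 without saying why, and its last item writes `Closes: Bug#901202` where the others use `Closes: #900085`. A one-line remark that deb9u3 was skipped would save later readers from looking for a missing upload, and using the same `Closes: #NNNNNN` form throughout keeps the entry consistent. The cve-2018-11683 item could also say that the patch touches tools/lou_translate.c as well as the table parser.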
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-11440 liblouis-3.0.0/debian/patches/cve-2018-11440
--- liblouis-3.0.0/debian/patches/cve-2018-11440 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-11440 2018-06-16 00:22:41.000000000 +0200
@@ -0,0 +1,25 @@
+commit 4417bad83df4481ed58419b28c5c91b9649e2a86
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Wed May 30 16:47:10 2018 +0200
+
+ Fix another buffer overflow in table parsing reported by Henri Salo
+
+ Fixes #575 and CVE-2018-11440
+
+---
+ liblouis/compileTranslationTable.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -1523,6 +1523,10 @@ parseChars (FileInfo * nested, CharsStri
+ {
+ if (in >= MAXSTRING)
+ break;
++ if (out >= MAXSTRING) {
++ result->length = lastOutSize;
++ return 1;
++ }
+ if (token->chars[in] < 128 || (token->chars[in] & 0x0040))
+ {
+ compileWarning (nested, "invalid UTF-8. Assuming Latin-1.");
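Review bot: The added `if (out >= MAXSTRING)` branch in parseChars truncates the result to `lastOutSize` and returns 1, so an over-long operand is accepted without any diagnostic. Consider calling compileWarning or compileError there, as the invalid UTF-8 path just below does, so that a table hitting the limit is reported rather than compiled in shortened form.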
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-11577 liblouis-3.0.0/debian/patches/cve-2018-11577
--- liblouis-3.0.0/debian/patches/cve-2018-11577 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-11577 2018-06-16 00:22:51.000000000 +0200
@@ -0,0 +1,54 @@
+commit 7e135b9313ad06218dfcf9ed63070edede7745a1
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Thu May 31 12:08:56 2018 +0200
+
+ Fix yet another buffer overflow in the braille table parser
+
+ Reported by Edward-L
+
+ Fixes #582
+
+---
+ liblouis/compileTranslationTable.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -2843,6 +2843,10 @@ compilePassOpcode (FileInfo * nested, Tr
+ passLinepos = 0;
+ while (passLinepos <= endTest)
+ {
++ if (passIC >= MAXSTRING) {
++ compileError(passNested, "Test part in multipass operand too long");
++ return 0;
++ }
+ switch ((passSubOp = passLine.chars[passLinepos]))
+ {
+ case pass_lookback:
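Review bot: The `passIC >= MAXSTRING` test at the top of the test-part loop only covers the first store of each iteration. The third hunk of this patch shows a place in the action part that stores several elements per iteration and needed its own check inside the `for`; the cases of this switch deserve the same audit for any that write more than one `passInstructions` entry per pass through the loop.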
+@@ -3038,6 +3042,10 @@ compilePassOpcode (FileInfo * nested, Tr
+ while (passLinepos < passLine.length &&
+ passLine.chars[passLinepos] > 32)
+ {
++ if (passIC >= MAXSTRING) {
++ compileError(passNested, "Action part in multipass operand too long");
++ return 0;
++ }
+ switch ((passSubOp = passLine.chars[passLinepos]))
+ {
+ case pass_string:
+@@ -3065,8 +3073,14 @@ compilePassOpcode (FileInfo * nested, Tr
+ if (passHoldString.length == 0)
+ return 0;
+ passInstructions[passIC++] = passHoldString.length;
+- for (kk = 0; kk < passHoldString.length; kk++)
++ for (kk = 0; kk < passHoldString.length; kk++) {
++ if (passIC >= MAXSTRING) {
++ compileError(passNested,
++ "@ operand in action part of multipass operand too long");
++ return 0;
++ }
+ passInstructions[passIC++] = passHoldString.chars[kk];
++ }
+ break;
+ case pass_variable:
+ passLinepos++;
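Review bot: In the `@` operand handling, the length is stored with `passInstructions[passIC++] = passHoldString.length;` before the new per-character check runs, so a failure leaves a length prefix followed by only part of its string. Since the function then returns 0 this is probably harmless, but a single test before the first store, confirming that the length element and all `passHoldString.length` characters fit, would be simpler and would avoid re-checking on every iteration.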
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-11683 liblouis-3.0.0/debian/patches/cve-2018-11683
--- liblouis-3.0.0/debian/patches/cve-2018-11683 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-11683 2018-06-16 00:23:08.000000000 +0200
@@ -0,0 +1,73 @@
+commit e7eee2b7926668360a0d8e2abee6c35a00ebce3c
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Mon Jun 4 12:02:13 2018 +0200
+
+ Fix yet another buffer overflow in the braille table parser
+
+ Reported by Henri Salo
+
+ Fixes #591
+
+---
+ liblouis/compileTranslationTable.c | 5 ++---
+ tools/lou_translate.c | 12 +++++-------
+ 2 files changed, 7 insertions(+), 10 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -1536,14 +1536,14 @@ parseChars (FileInfo * nested, CharsStri
+ }
+ utf32 = (utf32 << 6) + (token->chars[in++] & 0x3f);
+ }
+- if (CHARSIZE == 2 && utf32 > 0xffff)
+- utf32 = 0xffff;
+- result->chars[out++] = (widechar) utf32;
+ if (out >= MAXSTRING)
+ {
+ result->length = lastOutSize;
+ return 1;
+ }
++ if (CHARSIZE == 2 && utf32 > 0xffff)
++ utf32 = 0xffff;
++ result->chars[out++] = (widechar) utf32;
+ }
+ result->length = out;
+ return 1;
+--- a/tools/lou_translate.c
++++ b/tools/lou_translate.c
+@@ -33,8 +33,6 @@
+ #include "unistr.h"
+ #include "version-etc.h"
+
+-#define BUFSIZE MAXSTRING - 4
+-
+ static int forward_flag = 0;
+ static int backward_flag = 0;
+
+@@ -57,11 +55,11 @@ const char version_etc_copyright[] =
+ static void
+ translate_input (int forward_translation, char *table_name)
+ {
+- char charbuf[BUFSIZE];
++ char charbuf[MAXSTRING];
+ char *outputbuf;
+ size_t outlen;
+- widechar inbuf[BUFSIZE];
+- widechar transbuf[BUFSIZE];
++ widechar inbuf[MAXSTRING];
++ widechar transbuf[MAXSTRING];
+ int inlen;
+ int translen;
+ int k;
+@@ -69,9 +67,9 @@ translate_input (int forward_translation
+ int result;
+ while (1)
+ {
+- translen = BUFSIZE;
++ translen = MAXSTRING;
+ k = 0;
+- while ((ch = fgetc(input)) != '\n' && ch != EOF && k < BUFSIZE)
++ while ((ch = fgetc(input)) != '\n' && ch != EOF && k < MAXSTRING - 1)
+ charbuf[k++] = ch;
+ if (ch == EOF && k == 0)
+ break;
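Review bot: With the read loop bounded by `k < MAXSTRING - 1`, an input line longer than that is cut at the limit and the remainder stays in the stream, to be read as if it were the next line on the following pass of `while (1)`, with nothing telling the user. Either report the over-long line or read and discard up to the newline. The tools/lou_translate.c changes are also not mentioned in the commit message, which only talks about the braille table parser.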
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-11684 liblouis-3.0.0/debian/patches/cve-2018-11684
--- liblouis-3.0.0/debian/patches/cve-2018-11684 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-11684 2018-06-16 00:23:21.000000000 +0200
@@ -0,0 +1,38 @@
+commit fb2bfce4ed49ac4656a8f7e5b5526e4838da1dde
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Mon Jun 4 14:11:50 2018 +0200
+
+ Fix yet another buffer overflow in the braille table parser
+
+ Reported by Henri Salo
+
+ Fixes #592
+
+---
+ liblouis/compileTranslationTable.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -5216,6 +5216,10 @@ includeFile (FileInfo * nested, CharsStr
+ int rv;
+ for (k = 0; k < includedFile->length; k++)
+ includeThis[k] = (char) includedFile->chars[k];
++ if (k >= MAXSTRING) {
++ compileError(nested, "Include statement too long: 'include %s'", includeThis);
++ return 0;
++ }
+ includeThis[k] = 0;
+ tableFiles = resolveTable (includeThis, nested->fileName);
+ if (tableFiles == NULL)
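Review bot: The new error path passes `includeThis` to a `%s` format before `includeThis[k] = 0;` has run, so compileError reads a buffer that is not NUL-terminated at that point. The check also sits after the copy loop, so it only guards the terminator store and not the stores inside the `for`. Testing `includedFile->length >= MAXSTRING` before the loop, and terminating the buffer at its last valid index before logging it (or logging without it), would address both.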
+@@ -5225,9 +5229,8 @@ includeFile (FileInfo * nested, CharsStr
+ }
+ if (tableFiles[1] != NULL)
+ {
+- errorCount++;
+ free_tablefiles(tableFiles);
+- logMessage (LOG_ERROR, "Table list not supported in include statement: 'include %s'", includeThis);
++ compileError(nested, "Table list not supported in include statement: 'include %s'", includeThis);
+ return 0;
+ }
+ rv = compileFile (*tableFiles);
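Review bot: The explicit `errorCount++` is dropped in favour of compileError, which is only equivalent if compileError increments the counter itself; that is not visible in this hunk and is worth confirming against the 3.0.0 sources. This cleanup is also unrelated to the overflow, so for a stable update it could be left out to keep the patch minimal.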
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-11685 liblouis-3.0.0/debian/patches/cve-2018-11685
--- liblouis-3.0.0/debian/patches/cve-2018-11685 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-11685 2018-06-16 00:23:25.000000000 +0200
@@ -0,0 +1,25 @@
+commit b5049cb17ae3d15b2b26890de0e24d0fecc080f5
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Mon Jun 4 15:47:28 2018 +0200
+
+ Fix yet another buffer overflow in the braille table parser
+
+ Reported by Henri Salo
+
+ Fixes #593
+
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3582,7 +3582,7 @@ compileHyphenation (FileInfo * nested, C
+ HyphenationTrans *holdPointer;
+ HyphenHashTab *hashTab;
+ CharsString word;
+- char pattern[MAXSTRING];
++ char pattern[MAXSTRING + 1];
+ unsigned int stateNum = 0, lastState = 0;
+ int i, j, k = encoding->length;
+ widechar ch;
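Review bot: Growing `pattern` to `MAXSTRING + 1` addresses the overrun by making room for one more byte, but the store that needed it is outside this hunk and nothing at the declaration says why the extra element exists. A short comment stating what the extra slot holds, or a bounds check at the write site, would keep the next edit of compileHyphenation from reintroducing the off-by-one.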
diff -Nru liblouis-3.0.0/debian/patches/cve-2018-12085 liblouis-3.0.0/debian/patches/cve-2018-12085
--- liblouis-3.0.0/debian/patches/cve-2018-12085 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/cve-2018-12085 2018-06-16 00:11:31.000000000 +0200
@@ -0,0 +1,28 @@
+commit dbfa58bb128cae86729578ac596056b3385817ef
+Author: Christian Egli <christian.egli@sbs.ch>
+Date: Wed Jun 6 16:41:53 2018 +0200
+
+ Check index before writing to result->chars
+
+ Fixes #595
+
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -1505,12 +1505,12 @@ parseChars (FileInfo * nested, CharsStri
+ }
+ in++;
+ }
+- result->chars[out++] = (widechar) ch;
+ if (out >= MAXSTRING)
+ {
+ result->length = out;
+ return 1;
+ }
++ result->chars[out++] = (widechar) ch;
+ continue;
+ }
+ lastOutSize = out;
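Review bot: Moving the store after the `out >= MAXSTRING` test is right, but this branch sets `result->length = out` while the other exits of parseChars, as patched in cve-2018-11440 and cve-2018-11683, set `result->length = lastOutSize`; all of them return 1 without a diagnostic. It would help to state which truncation behaviour is intended and make the exits agree. The commit message also names only #595, so the Debian patch header could record CVE-2018-12085 explicitly.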
diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series 2018-05-25 10:46:29.000000000 +0200
+++ liblouis-3.0.0/debian/patches/series 2018-06-16 00:07:07.000000000 +0200
@@ -4,3 +4,9 @@
CVE-2017-13741.patch
CVE-2017-13741-2.patch
cve-2018-11410
+cve-2018-11440
+cve-2018-11577
+cve-2018-11683
+cve-2018-11684
+cve-2018-11685
+cve-2018-12085
--- End Message ---