Bug#988504: buster-pu: package tnef/1.4.12-1.2

[Håvard Flaget Aasen <haavard_aasen@yahoo.no>]

Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aasen@yahoo.no

Added patch to fix CVE-2019-18849, bug #944851. The patch is identical
to that applied in jessie, but I also controlled it against the upstream
commit, to make sure nothing had changed and everything is included.

[ Reason ]
Fix: CVE-2019-18849 and bug: #944851
In tnef before 1.4.18, an attacker may be able to write to the victim's
.ssh/authorized_keys file via an e-mail message with a crafted
winmail.dat application/ms-tnef attachment, because of a heap-based
buffer over-read involving strdup.

[ Impact ]

[ Tests ]
None, but the original patch is from upstream. This exact patch has also been
included in jessie since late 2019

[ Risks ]
I consider the risk to be small since the code has been implemented by
upstream and has been included in jessie.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The changes is to prevent the possibility of not terminating strings with
strdup()


Regards,
Håvard

diff -Nru tnef-1.4.12/debian/changelog tnef-1.4.12/debian/changelog
--- tnef-1.4.12/debian/changelog	2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/changelog	2021-05-14 11:14:22.000000000 +0200
@@ -1,3 +1,15 @@
+tnef (1.4.12-1.2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-18849
+    In tnef before 1.4.18, an attacker may be able to write to the
+    victim's .ssh/authorized_keys file via an e-mail message with a
+    crafted winmail.dat application/ms-tnef attachment, because of
+    a heap-based buffer over-read involving strdup.
+    Closes: #944851
+
+ -- Håvard Flaget Aasen <haavard_aasen@yahoo.no>  Fri, 14 May 2021 11:14:22 +0200
+
 tnef (1.4.12-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442)
diff -Nru tnef-1.4.12/debian/patches/CVE-2019-18849.patch tnef-1.4.12/debian/patches/CVE-2019-18849.patch
--- tnef-1.4.12/debian/patches/CVE-2019-18849.patch	1970-01-01 01:00:00.000000000 +0100
+++ tnef-1.4.12/debian/patches/CVE-2019-18849.patch	2021-05-14 11:11:07.000000000 +0200
@@ -0,0 +1,146 @@
+Description: This patch fixes CVE-2019-18849.
+ Fix strdup() on possibly unterminated string.
+Author: Paul Dreik
+Author: Utkarsh Gupta <guptautkarsh2102@gmail.com>
+Origin: https://github.com/verdammelt/tnef/pull/40
+Bug-Debian: https://bugs.debian.org/944851
+Reviewed-by: Håvard Flaget Aasen <haavard_aasen@yahoo.no>
+Last-Update: 2021-05-14
+
+--- a/src/alloc.c
++++ b/src/alloc.c
+@@ -72,13 +72,14 @@
+ 
+ /* attempts to malloc memory, if fails print error and call abort */
+ void*
+-xmalloc (size_t num, size_t size)
++xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
+-    void *ptr = malloc (res);
++    if (res + extra < res)
++        abort();
++    void *ptr = malloc (res + extra);
+     if (!ptr
+         && (size != 0))         /* some libc don't like size == 0 */
+     {
+@@ -90,41 +91,44 @@
+ 
+ /* Allocates memory but only up to a limit */
+ void*
+-checked_xmalloc (size_t num, size_t size)
++checked_xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
++    if (res + extra < res)
++        abort();
+     alloc_limit_assert ("checked_xmalloc", res);
+-    return xmalloc (num, size);
++    return xmalloc (num, size, extra);
+ }
+ 
+ /* xmallocs memory and clears it out */
+ void*
+-xcalloc (size_t num, size_t size)
++xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     void *ptr;
+-    ptr = malloc(res);
++    if (res + extra < res)
++        abort();
++    ptr = malloc(res + extra);
+     if (ptr)
+     {
+-        memset (ptr, '\0', (res));
++        memset (ptr, '\0', (res + extra));
+     }
+     return ptr;
+ }
+ 
+ /* xcallocs memory but only up to a limit */
+ void*
+-checked_xcalloc (size_t num, size_t size)
++checked_xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     alloc_limit_assert ("checked_xcalloc", (res));
+-    return xcalloc (num, size);
++    return xcalloc (num, size, extra);
+ }
+--- a/src/alloc.h
++++ b/src/alloc.h
+@@ -35,19 +35,23 @@
+ extern void set_alloc_limit (size_t size);
+ extern size_t get_alloc_limit();
+ extern void alloc_limit_assert (char *fn_name, size_t size);
+-extern void* checked_xmalloc (size_t num, size_t size);
+-extern void* xmalloc (size_t num, size_t size);
+-extern void* checked_xcalloc (size_t num, size_t size);
+-extern void* xcalloc (size_t num, size_t size);
++extern void* checked_xmalloc (size_t num, size_t size, size_t extra);
++extern void* xmalloc (size_t num, size_t size, size_t extra);
++extern void* checked_xcalloc (size_t num, size_t size, size_t extra);
++extern void* xcalloc (size_t num, size_t size, size_t extra);
+ 
+ #define XMALLOC(_type,_num)			                \
+-        ((_type*)xmalloc((_num), sizeof(_type)))
++  ((_type*)xmalloc((_num), sizeof(_type), 0))
+ #define XCALLOC(_type,_num) 				        \
+-        ((_type*)xcalloc((_num), sizeof (_type)))
++  ((_type*)xcalloc((_num), sizeof (_type), 0))
+ #define CHECKED_XMALLOC(_type,_num) 			        \
+-        ((_type*)checked_xmalloc((_num),sizeof(_type)))
+-#define CHECKED_XCALLOC(_type,_num) 			        \
+-        ((_type*)checked_xcalloc((_num),sizeof(_type)))
++  ((_type*)checked_xmalloc((_num),sizeof(_type),0))
++#define CHECKED_XMALLOC_ADDNULL(_type,_num)                     \
++  ((_type*)checked_xmalloc((_num),sizeof(_type),1))
++#define CHECKED_XCALLOC(_type,_num)         \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),0))
++#define CHECKED_XCALLOC_ADDNULL(_type,_num)     \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),1))
+ #define XFREE(_ptr)						\
+         do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0)
+ 
+--- a/src/attr.c
++++ b/src/attr.c
+@@ -244,7 +244,11 @@
+     attr->type = (type_and_name >> 16);
+     attr->name = ((type_and_name << 16) >> 16);
+     attr->len = geti32(in);
+-    attr->buf = CHECKED_XCALLOC (unsigned char, attr->len);
++    /* Allocate an extra byte for the null terminator,
++       in case the input lacks it,
++       this avoids strdup() being invoked on possibly non-terminated
++       input later (file.c, file_add_attr()). */
++    attr->buf = CHECKED_XCALLOC_ADDNULL(unsigned char, attr->len);
+     
+     (void)getbuf(in, attr->buf, attr->len);
+     
+--- a/src/mapi_attr.c
++++ b/src/mapi_attr.c
+@@ -314,8 +314,10 @@
+ 		}
+ 		else
+ 		{
+-		    v->data.buf = CHECKED_XMALLOC(unsigned char, v->len);
++            /* add space for a null terminator, in case of evil input */
++            v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, v->len);
+ 		    memmove (v->data.buf, buf+idx, v->len);
++            v->data.buf[v->len] = '\0';
+ 		}
+ 
+ 		idx += pad_to_4byte(v->len);
diff -Nru tnef-1.4.12/debian/patches/series tnef-1.4.12/debian/patches/series
--- tnef-1.4.12/debian/patches/series	2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/patches/series	2021-05-14 10:54:30.000000000 +0200
@@ -4,3 +4,4 @@
 fix-regression-1.patch
 fix-regression-2.patch
 CVE-2017-8911.patch
+CVE-2019-18849.patch