
Bug#987246: marked as done (buster-pu: package tnef/1.4.12-1.2)



Your message dated Sat, 19 Jun 2021 10:56:39 +0100
with message-id <5c65c3ad2ac9b1b1f78bf73b1cf073041e619b51.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.10 point release
has caused the Debian Bug report #987246,
regarding buster-pu: package tnef/1.4.12-1.2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987246
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

The attached debdiff for tnef fixes CVE-2019-18849 in Buster.

It is marked as no-dsa by the security team.

The fix was uploaded to Jessie a long time ago and nobody has complained so far.

  Thorsten
diff -Nru tnef-1.4.12/debian/changelog tnef-1.4.12/debian/changelog
--- tnef-1.4.12/debian/changelog	2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/changelog	2021-04-18 10:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+tnef (1.4.12-1.2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-18849 (Closes: #944851)
+    Using emails with a crafted winmail.dat application/ms-tnef attachment
+    might allow to change .ssh/authorized_keys.
+
+ -- Thorsten Alteholz <debian@alteholz.de>  Sun, 18 Apr 2021 10:03:02 +0200
+
 tnef (1.4.12-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442)
diff -Nru tnef-1.4.12/debian/patches/CVE-2019-18849.patch tnef-1.4.12/debian/patches/CVE-2019-18849.patch
--- tnef-1.4.12/debian/patches/CVE-2019-18849.patch	1970-01-01 01:00:00.000000000 +0100
+++ tnef-1.4.12/debian/patches/CVE-2019-18849.patch	2021-04-18 10:03:02.000000000 +0200
@@ -0,0 +1,147 @@
+Index: tnef-1.4.12/src/alloc.c
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.c	2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.c	2021-04-16 09:49:11.063016905 +0200
+@@ -72,13 +72,14 @@
+ 
+ /* attempts to malloc memory, if fails print error and call abort */
+ void*
+-xmalloc (size_t num, size_t size)
++xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
+-    void *ptr = malloc (res);
++    if (res + extra < res)
++        abort();
++    void *ptr = malloc (res + extra);
+     if (!ptr
+         && (size != 0))         /* some libc don't like size == 0 */
+     {
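Review bot: The failure guard kept as context below the new malloc call, `if (!ptr && (size != 0))`, still keys on `size` alone, so with a non-zero `extra` and `size == 0` a failed `malloc (res + extra)` would skip the error branch and hand NULL back to the caller. Testing the actual request, `if (!ptr && (res + extra != 0))`, keeps the zero-byte exemption and covers the new parameter. The header comment should also say what `extra` is, e.g. `/* extra: additional bytes (not elements) added to num*size, overflow-checked */`. The body of xmalloc continues past the end of this hunk, so the error branch itself is not visible here.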
+@@ -90,41 +91,44 @@
+ 
+ /* Allocates memory but only up to a limit */
+ void*
+-checked_xmalloc (size_t num, size_t size)
++checked_xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
++    if (res + extra < res)
++        abort();
+     alloc_limit_assert ("checked_xmalloc", res);
+-    return xmalloc (num, size);
++    return xmalloc (num, size, extra);
+ }
+ 
+ /* xmallocs memory and clears it out */
+ void*
+-xcalloc (size_t num, size_t size)
++xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     void *ptr;
+-    ptr = malloc(res);
++    if (res + extra < res)
++        abort();
++    ptr = malloc(res + extra);
+     if (ptr)
+     {
+-        memset (ptr, '\0', (res));
++        memset (ptr, '\0', (res + extra));
+     }
+     return ptr;
+ }
+ 
+ /* xcallocs memory but only up to a limit */
+ void*
+-checked_xcalloc (size_t num, size_t size)
++checked_xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     alloc_limit_assert ("checked_xcalloc", (res));
+-    return xcalloc (num, size);
++    return xcalloc (num, size, extra);
+ }
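Review bot: Both checked_xmalloc and checked_xcalloc pass `res` to alloc_limit_assert while the allocation that follows is `res + extra` bytes, so the limit check (presumably a comparison against the configured maximum) sees less than what the _ADDNULL callers actually request. Passing the total, `alloc_limit_assert ("checked_xmalloc", res + extra);` and the same for `"checked_xcalloc"`, keeps the check exact. checked_xcalloc would then also need the `if (res + extra < res) abort();` guard that the other three functions received, since it is the only one that never tests the sum itself.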
+Index: tnef-1.4.12/src/alloc.h
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.h	2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.h	2021-04-16 09:49:11.063016905 +0200
+@@ -35,19 +35,23 @@
+ extern void set_alloc_limit (size_t size);
+ extern size_t get_alloc_limit();
+ extern void alloc_limit_assert (char *fn_name, size_t size);
+-extern void* checked_xmalloc (size_t num, size_t size);
+-extern void* xmalloc (size_t num, size_t size);
+-extern void* checked_xcalloc (size_t num, size_t size);
+-extern void* xcalloc (size_t num, size_t size);
++extern void* checked_xmalloc (size_t num, size_t size, size_t extra);
++extern void* xmalloc (size_t num, size_t size, size_t extra);
++extern void* checked_xcalloc (size_t num, size_t size, size_t extra);
++extern void* xcalloc (size_t num, size_t size, size_t extra);
+ 
+ #define XMALLOC(_type,_num)			                \
+-        ((_type*)xmalloc((_num), sizeof(_type)))
++  ((_type*)xmalloc((_num), sizeof(_type), 0))
+ #define XCALLOC(_type,_num) 				        \
+-        ((_type*)xcalloc((_num), sizeof (_type)))
++  ((_type*)xcalloc((_num), sizeof (_type), 0))
+ #define CHECKED_XMALLOC(_type,_num) 			        \
+-        ((_type*)checked_xmalloc((_num),sizeof(_type)))
+-#define CHECKED_XCALLOC(_type,_num) 			        \
+-        ((_type*)checked_xcalloc((_num),sizeof(_type)))
++  ((_type*)checked_xmalloc((_num),sizeof(_type),0))
++#define CHECKED_XMALLOC_ADDNULL(_type,_num) 			        \
++  ((_type*)checked_xmalloc((_num),sizeof(_type),1))
++#define CHECKED_XCALLOC(_type,_num)			\
++  ((_type*)checked_xcalloc((_num),sizeof(_type),0))
++#define CHECKED_XCALLOC_ADDNULL(_type,_num)		\
++  ((_type*)checked_xcalloc((_num),sizeof(_type),1))
+ #define XFREE(_ptr)						\
+         do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0)
+ 
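Review bot: The two new `_ADDNULL` macros are undocumented, and two of their properties are easy to get wrong. The third argument is a byte count, so exactly one byte is added regardless of `sizeof(_type)`, and `CHECKED_XMALLOC_ADDNULL` returns uninitialised memory, so the caller has to store the terminator itself. A comment above them would cover it, e.g. `/* _ADDNULL: reserves 1 extra byte (not one _type element) for a NUL; the XMALLOC variant does not zero it, the XCALLOC variant does */`. Both uses in this patch pass `unsigned char`, where one byte is one element.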
+Index: tnef-1.4.12/src/attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/attr.c	2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/attr.c	2021-04-16 09:49:59.640149076 +0200
+@@ -244,7 +244,11 @@
+     attr->type = (type_and_name >> 16);
+     attr->name = ((type_and_name << 16) >> 16);
+     attr->len = geti32(in);
+-    attr->buf = CHECKED_XCALLOC (unsigned char, attr->len);
++    /* Allocate an extra byte for the null terminator,
++       in case the input lacks it,
++       this avoids strdup() being invoked on possibly non-terminated
++       input later (file.c, file_add_attr()). */
++    attr->buf = CHECKED_XCALLOC_ADDNULL(unsigned char, attr->len);
+     
+     (void)getbuf(in, attr->buf, attr->len);
+     
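Review bot: `attr->buf` is passed to getbuf() right after the allocation without a NULL check, yet xcalloc as patched in src/alloc.c returns NULL when malloc fails rather than aborting, and `attr->len` comes straight from `geti32(in)`, i.e. from the input file. A guard such as `if (!attr->buf) abort();` before the getbuf call would make an oversized length fail cleanly, unless alloc_limit_assert already rules that out in every configuration. The result of getbuf is also discarded with `(void)`, so a truncated file presumably leaves a zero-filled tail while `attr->len` still reports the full length. The enclosing function starts and ends outside this hunk.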
+Index: tnef-1.4.12/src/mapi_attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/mapi_attr.c	2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/mapi_attr.c	2021-04-16 09:51:07.653589451 +0200
+@@ -314,8 +314,11 @@
+ 		}
+ 		else
+ 		{
+-		    v->data.buf = CHECKED_XMALLOC(unsigned char, v->len);
+-		    memmove (v->data.buf, buf+idx, v->len);
++                 /* add space for a null terminator, in case of evil input */
++                    v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, v->len);
++                    memmove (v->data.buf, buf+idx, v->len);
++                    v->data.buf[v->len] = '\0';
++
+ 		}
+ 
+ 		idx += pad_to_4byte(v->len);
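Review bot: The memmove copies `v->len` bytes from `buf+idx`, and nothing visible in this hunk shows `v->len` being checked against the bytes remaining in `buf`. If no such check exists earlier in the function, the added terminator fixes the later string handling but the copy itself can still read past the input; please confirm the bound or add it before the allocation. The added lines are also indented with spaces where the surrounding code uses tabs, and the comment sits one column off, so matching the file's tab indentation would keep the block readable. The enclosing function lies outside the hunk.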
diff -Nru tnef-1.4.12/debian/patches/series tnef-1.4.12/debian/patches/series
--- tnef-1.4.12/debian/patches/series	2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/patches/series	2021-04-18 10:03:02.000000000 +0200
@@ -4,3 +4,5 @@
 fix-regression-1.patch
 fix-regression-2.patch
 CVE-2017-8911.patch
+
+CVE-2019-18849.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.10

Hi,

Each of the updates referenced in these bugs was included in the 10.10
point release today.

Regards,

Adam

--- End Message ---
