[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#991345: unblock: aspell/0.60.8-3

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package aspell

This upload deals with CVE-2019-25051, fixing a buffer overflow. This has
been reported in Debian BTS as severity grave #991307, closed by this
upload. Package is already built for all arches.

000-objstack-assert-that-the-alloc-size-will-fit-within-.patch is borrowed
from upstream (attached along with the debdiff for easier inspection).

Pasting from #991307 for further info:

--- 8< ------------------------------------------------------------------
The following vulnerability was published for aspell.

CVE-2019-25051[0]:
| objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in
| acommon::ObjStack::dup_top (called from acommon::StringMap::add and
| acommon::Config::lookup_list).

https://github.com/google/oss-fuzz-vulns/blob/main/vulns/aspell/OSV-2020-521.yaml
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18462

Patch:
https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-25051
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25051

Please adjust the affected versions in the BTS as needed.
--- 8< ------------------------------------------------------------------

Regards,

unblock aspell/0.60.8-3

diff -Nru aspell-0.60.8/debian/changelog aspell-0.60.8/debian/changelog
--- aspell-0.60.8/debian/changelog	2020-12-28 15:24:45.000000000 +0100
+++ aspell-0.60.8/debian/changelog	2021-07-20 23:42:34.000000000 +0200
@@ -1,3 +1,11 @@
+aspell (0.60.8-3) unstable; urgency=medium
+
+  * 000-objstack-assert-that-the-alloc-size-will-fit-within-.patch:
+    Fix CVE-2019-25051: objstack in GNU Aspell 0.60.8 has a heap-based
+    buffer overflow (Closes: #991307).
+
+ -- Agustin Martin Domingo <agmartin@debian.org>  Tue, 20 Jul 2021 23:42:34 +0200
+
 aspell (0.60.8-2) unstable; urgency=medium
 
   [ Debian Janitor ]
diff -Nru aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch
--- aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch	1970-01-01 01:00:00.000000000 +0100
+++ aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch	2021-07-20 23:37:07.000000000 +0200
@@ -0,0 +1,102 @@
+From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
+From: Kevin Atkinson <kevina@gnu.org>
+Date: Sat, 21 Dec 2019 20:32:47 +0000
+Bug-Debian: https://bugs.debian.org/991307
+Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
+ to prevent a buffer overflow
+
+Bug found using OSS-Fuze.
+-
+https://security-tracker.debian.org/tracker/CVE-2019-25051
+---
+ common/objstack.hpp | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/common/objstack.hpp b/common/objstack.hpp
+index 3997bf7..bd97ccd 100644
+--- a/common/objstack.hpp
++++ b/common/objstack.hpp
+@@ -5,6 +5,7 @@
+ #include "parm_string.hpp"
+ #include <stdlib.h>
+ #include <assert.h>
++#include <stddef.h>
+ 
+ namespace acommon {
+ 
+@@ -26,6 +27,12 @@ class ObjStack
+   byte * temp_end;
+   void setup_chunk();
+   void new_chunk();
++  bool will_overflow(size_t sz) const {
++    return offsetof(Node,data) + sz > chunk_size;
++  }
++  void check_size(size_t sz) {
++    assert(!will_overflow(sz));
++  }
+ 
+   ObjStack(const ObjStack &);
+   void operator=(const ObjStack &);
+@@ -56,7 +63,7 @@ public:
+   void * alloc_bottom(size_t size)  {
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
++    if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
+     return tmp;
+   }
+   // This alloc_bottom will insure that the object is aligned based on the
+@@ -66,7 +73,7 @@ public:
+     align_bottom(align);
+     byte * tmp = bottom;
+     bottom += size;
+-    if (bottom > top) {new_chunk(); goto loop;}
++    if (bottom > top) {check_size(size); new_chunk(); goto loop;}
+     return tmp;
+   }
+   char * dup_bottom(ParmString str) {
+@@ -79,7 +86,7 @@ public:
+   // always be aligned as such.
+   void * alloc_top(size_t size) {
+     top -= size;
+-    if (top < bottom) {new_chunk(); top -= size;}
++    if (top < bottom) {check_size(size); new_chunk(); top -= size;}
+     return top;
+   }
+   // This alloc_top will insure that the object is aligned based on
+@@ -88,7 +95,7 @@ public:
+   {loop:
+     top -= size;
+     align_top(align);
+-    if (top < bottom) {new_chunk(); goto loop;}
++    if (top < bottom) {check_size(size); new_chunk(); goto loop;}
+     return top;
+   }
+   char * dup_top(ParmString str) {
+@@ -117,6 +124,7 @@ public:
+   void * alloc_temp(size_t size) {
+     temp_end = bottom + size;
+     if (temp_end > top) {
++      check_size(size);
+       new_chunk();
+       temp_end = bottom + size;
+     }
+@@ -131,6 +139,7 @@ public:
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+@@ -150,6 +159,7 @@ public:
+     } else {
+       size_t s = temp_end - bottom;
+       byte * p = bottom;
++      check_size(size);
+       new_chunk();
+       memcpy(bottom, p, s);
+       temp_end = bottom + size;
+-- 
+2.32.0
+
diff -Nru aspell-0.60.8/debian/patches/series aspell-0.60.8/debian/patches/series
--- aspell-0.60.8/debian/patches/series	2020-04-29 11:24:37.000000000 +0200
+++ aspell-0.60.8/debian/patches/series	2021-07-20 23:32:13.000000000 +0200
@@ -5,3 +5,4 @@
 07_filter.diff
 08_filters-info-installdir.diff
 09_debian-dictdir.diff
+1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch

From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001
From: Kevin Atkinson <kevina@gnu.org>
Date: Sat, 21 Dec 2019 20:32:47 +0000
Bug-Debian: https://bugs.debian.org/991307
Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk
 to prevent a buffer overflow

Bug found using OSS-Fuze.
-
https://security-tracker.debian.org/tracker/CVE-2019-25051
---
 common/objstack.hpp | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/common/objstack.hpp b/common/objstack.hpp
index 3997bf7..bd97ccd 100644
--- a/common/objstack.hpp
+++ b/common/objstack.hpp
@@ -5,6 +5,7 @@
 #include "parm_string.hpp"
 #include <stdlib.h>
 #include <assert.h>
+#include <stddef.h>
 
 namespace acommon {
 
@@ -26,6 +27,12 @@ class ObjStack
   byte * temp_end;
   void setup_chunk();
   void new_chunk();
+  bool will_overflow(size_t sz) const {
+    return offsetof(Node,data) + sz > chunk_size;
+  }
+  void check_size(size_t sz) {
+    assert(!will_overflow(sz));
+  }
 
   ObjStack(const ObjStack &);
   void operator=(const ObjStack &);
@@ -56,7 +63,7 @@ public:
   void * alloc_bottom(size_t size)  {
     byte * tmp = bottom;
     bottom += size;
-    if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;}
+    if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;}
     return tmp;
   }
   // This alloc_bottom will insure that the object is aligned based on the
@@ -66,7 +73,7 @@ public:
     align_bottom(align);
     byte * tmp = bottom;
     bottom += size;
-    if (bottom > top) {new_chunk(); goto loop;}
+    if (bottom > top) {check_size(size); new_chunk(); goto loop;}
     return tmp;
   }
   char * dup_bottom(ParmString str) {
@@ -79,7 +86,7 @@ public:
   // always be aligned as such.
   void * alloc_top(size_t size) {
     top -= size;
-    if (top < bottom) {new_chunk(); top -= size;}
+    if (top < bottom) {check_size(size); new_chunk(); top -= size;}
     return top;
   }
   // This alloc_top will insure that the object is aligned based on
@@ -88,7 +95,7 @@ public:
   {loop:
     top -= size;
     align_top(align);
-    if (top < bottom) {new_chunk(); goto loop;}
+    if (top < bottom) {check_size(size); new_chunk(); goto loop;}
     return top;
   }
   char * dup_top(ParmString str) {
@@ -117,6 +124,7 @@ public:
   void * alloc_temp(size_t size) {
     temp_end = bottom + size;
     if (temp_end > top) {
+      check_size(size);
       new_chunk();
       temp_end = bottom + size;
     }
@@ -131,6 +139,7 @@ public:
     } else {
       size_t s = temp_end - bottom;
       byte * p = bottom;
+      check_size(size);
       new_chunk();
       memcpy(bottom, p, s);
       temp_end = bottom + size;
@@ -150,6 +159,7 @@ public:
     } else {
       size_t s = temp_end - bottom;
       byte * p = bottom;
+      check_size(size);
       new_chunk();
       memcpy(bottom, p, s);
       temp_end = bottom + size;
-- 
2.32.0

Attachment: signature.asc
Description: PGP signature

Reply to: