
Bug#1034813: unblock: pev/0.81-9
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pev@packages.debian.org, david.polverari@gmail.com
Control: affects -1 + src:pev

Please unblock package pev

[ Reason ]
As per https://udd.debian.org/cgi-bin/key_packages.yaml.cgi, pev is
considered a key package. The version in testing (0.81-8) suffers from
an important bug (#1034725). As such, it will not be removed if the
fixed version doesn't migrate to testing.

[ Impact ]
If pev/0.81-9 does not migrate to testing, bookworm users will likely
install and use an exploitable version of pev at release. If used to
open a maliciously-crafted PE file, it might result in the compromise of
the user's machine. A link to a PoC video demonstrating exploitability of
the bug is available at the closed upstream issue [1].

[1] https://github.com/merces/libpe/issues/35

[ Tests ]
No existing automated or manual tests exercise the affected code.

[ Risks ]
The changes made to the package are trivial. The applied patch
originated from upstream, and its changes are minimal. There is more
risk in not applying the patch than in applying it.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock pev/0.81-9

diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog	2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/changelog	2023-04-22 19:41:47.000000000 +0000
@@ -1,3 +1,17 @@
+pev (0.81-9) unstable; urgency=medium
+
+  [ Debian Janitor ]
+  * Use secure URI in Homepage field.
+  * Update standards version to 4.6.2, no changes needed.
+
+  [ David da Silva Polverari ]
+  * debian/copyright: updated packaging copyright years.
+  * debian/patches/0006-fix-bo-pe_exports.patch: created to fix a buffer
+    overflow vulnerability present on libpe's pe_exports function
+    (CVE-2021-45423). (Closes: #1034725)
+
+ -- David da Silva Polverari <david.polverari@gmail.com>  Sat, 22 Apr 2023 19:41:47 +0000
+
 pev (0.81-8) unstable; urgency=medium
 
   * debian/control: bumped Standards-Version to 4.6.1.
diff -Nru pev-0.81/debian/control pev-0.81/debian/control
--- pev-0.81/debian/control	2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/control	2023-04-22 19:41:47.000000000 +0000
@@ -1,9 +1,9 @@
 Source: pev
 Maintainer: David da Silva Polverari <david.polverari@gmail.com>
-Homepage: http://pev.sourceforge.net
+Homepage: https://pev.sourceforge.net
 Section: utils
 Priority: optional
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Build-Depends: debhelper-compat (= 13), libssl-dev
 Rules-Requires-Root: no
 Vcs-Browser: https://salsa.debian.org/debian/pev
diff -Nru pev-0.81/debian/copyright pev-0.81/debian/copyright
--- pev-0.81/debian/copyright	2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/copyright	2023-04-22 19:41:47.000000000 +0000
@@ -59,7 +59,7 @@
            2016-2021 Petter Reinholdtsen <pere@debian.org>
            2017      Adam Borowski <kilobyte@angband.pl>
            2020      Adrian Bunk <bunk@debian.org>
-           2021-2022 David da Silva Polverari <david.polverari@gmail.com>
+           2021-2023 David da Silva Polverari <david.polverari@gmail.com>
            2021      Jelmer Vernooij <jelmer@debian.org>
 License: BSD-3-Clause
 
diff -Nru pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch	1970-01-01 00:00:00.000000000 +0000
+++ pev-0.81/debian/patches/0006-fix-bo-pe_exports.patch	2023-04-22 19:41:47.000000000 +0000
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco <saullocarvalho@gmail.com>
+Origin: upstream, https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- pev-0.81.orig/lib/libpe/exports.c
++++ pev-0.81/lib/libpe/exports.c
+@@ -130,7 +130,10 @@ pe_exports_t *pe_exports(pe_ctx_t *ctx)
+ 
+ 		const uint32_t entry_name_rva = *entry_name_list;
+ 		const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+-		offsets_to_Names[ordinal] = entry_name_ofs;
++
++        if (ordinal < exp->NumberOfFunctions) {
++            offsets_to_Names[ordinal] = entry_name_ofs;
++        }
+ 	}
+ 
+ 	//
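Review bot: two points on the nested libpe hunk. First, a style one: the added lines `if (ordinal < exp->NumberOfFunctions) {` / `offsets_to_Names[ordinal] = entry_name_ofs;` / `}` are indented with spaces, while the surrounding lines (`const uint32_t entry_name_rva = *entry_name_list;`, the closing `}`) use tabs; re-indent with tabs so the patch matches the file. Second, a logic one: the guard correctly prevents the out-of-bounds write that the Description attributes to the loop iterating over exp->NumberOfNames while offsets_to_Names is sized by exp->NumberOfFunctions, but it does so by silently dropping the entry. A PE whose name table refers to an ordinal at or beyond NumberOfFunctions is malformed, and a caller of pe_exports() currently gets no indication that export names were discarded; consider recording the condition (for example, marking the export table as inconsistent or breaking out of the loop) so a truncated result is distinguishable from a clean one. Since the type of `ordinal` is not visible in the hunk, please also confirm it is an unsigned type at least as wide as exp->NumberOfFunctions, so the comparison cannot be undermined by sign conversion. Carrying this as a DEP-3 patch with Origin and Applied-Upstream both pointing at the upstream commit is fine; the duplication is harmless.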
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- pev-0.81/debian/patches/series	2022-11-07 17:46:55.000000000 +0000
+++ pev-0.81/debian/patches/series	2023-04-22 19:41:47.000000000 +0000
@@ -3,3 +3,4 @@
 0003-makefile-reproducible.patch
 0004-avoid-fixed-path.patch
 0005-fix-ftbs-hurd-kfreebsd.patch
+0006-fix-bo-pe_exports.patch