- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bullseye-pu: package pev/0.81-3+deb11u1
- From: David da Silva Polverari <david.polverari@gmail.com>
- Date: Sat, 22 Apr 2023 22:52:00 -0300
- Message-id: <168221472023.89744.6321369051187994956.reportbug@athena.olympus>
Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: david.polverari@gmail.com
[ Reason ]
A buffer overflow vulnerability exists in Pev 0.81 via the pe_exports
function from exports.c. The array offsets_to_Names is dynamically
allocated on the stack using exp->NumberOfFunctions as its size.
However, the loop uses exp->NumberOfNames to iterate over it and set its
component values. Therefore, the loop code assumes that
exp->NumberOfFunctions is greater than ordinal at each iteration. This
can lead to arbitrary code execution.
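The mismatch described above, as an added example that is not libpe's code: a stand-in export directory sized by NumberOfFunctions is filled by a loop that runs NumberOfNames times, and the bounds check that the upstream patch introduces is applied before each write. The struct layout, the ordinal table and the sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two export directory fields the report names. */
struct export_dir {
    uint32_t NumberOfFunctions;
    uint32_t NumberOfNames;
};

/*
 * offsets_to_Names holds NumberOfFunctions entries, but the name table is
 * walked NumberOfNames times and each entry is stored at its ordinal.  A
 * crafted file can make NumberOfNames larger than NumberOfFunctions, or
 * supply an ordinal beyond the array, so each write is range-checked.
 * Returns the number of entries rejected by the check.
 */
int collect_name_offsets(const struct export_dir *exp,
                         const uint16_t *ordinals,      /* assumed ordinal table */
                         const uint64_t *name_ofs,      /* resolved name offsets */
                         uint64_t *offsets_to_Names)
{
    int skipped = 0;
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint16_t ordinal = ordinals[i];
        if (ordinal < exp->NumberOfFunctions) {   /* the bounds check from the fix */
            offsets_to_Names[ordinal] = name_ofs[i];
        } else {
            skipped++;                             /* would have written out of bounds */
        }
    }
    return skipped;
}

/* Constructed sample: a header claiming 2 functions but 4 names; ordinals
 * 7 and 2 both point past the 2-entry array.  Returns the rejected count,
 * or a negative value if an in-bounds entry was stored incorrectly. */
int run_crafted_sample(void)
{
    const struct export_dir exp = { .NumberOfFunctions = 2, .NumberOfNames = 4 };
    const uint16_t ordinals[4] = { 0, 1, 7, 2 };
    const uint64_t name_ofs[4] = { 0x100, 0x200, 0x300, 0x400 };
    uint64_t *offsets = calloc(exp.NumberOfFunctions, sizeof *offsets);
    if (!offsets) return -1;
    int skipped = collect_name_offsets(&exp, ordinals, name_ofs, offsets);
    if (offsets[0] != 0x100 || offsets[1] != 0x200) skipped = -2;
    free(offsets);
    return skipped;
}

int main(void)
{
    int skipped = run_crafted_sample();
    printf("entries rejected by the bounds check: %d\n", skipped);
    return skipped < 0;
}
```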
[ Impact ]
If the update isn't approved, users of pev in stable might have their
systems compromised by opening a maliciously-crafted PE file.
[ Tests ]
None of the existing autopkgtests fail.
[ Risks ]
The fix is trivial and should not present any risks. Also, the fix was
already applied upstream.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
The only change made to the package was the application of the existing
upstream patch.
[ Other info ]
No other information.
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog
--- pev-0.81/debian/changelog 2021-05-05 12:09:18.000000000 +0000
+++ pev-0.81/debian/changelog 2023-04-22 20:48:00.000000000 +0000
@@ -1,3 +1,12 @@
+pev (0.81-3+deb11u1) bullseye; urgency=medium
+
+ * debian/patches/0002-fix-bo-pe_exports.patch: created to fix a buffer
+ overflow vulnerability present on libpe's pe_exports function from exports.c
+ (CVE-2021-45423). Without this patch, a maliciously-crafted PE file opened
+ by pev utilities can trigger arbitrary code execution. (Closes: #1034725)
+
+ -- David da Silva Polverari <david.polverari@gmail.com> Sat, 22 Apr 2023 20:48:00 +0000
+
pev (0.81-3) unstable; urgency=medium
* QA upload.
diff -Nru pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch
--- pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 1970-01-01 00:00:00.000000000 +0000
+++ pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 2023-04-22 20:48:00.000000000 +0000
@@ -0,0 +1,28 @@
+Description: fix a buffer overflow vulnerability (CVE-2021-45423)
+ A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function
+ from exports.c. The array offsets_to_Names is dynamically allocated on the
+ stack using exp->NumberOfFunctions as its size. However, the loop uses
+ exp->NumberOfNames to iterate over it and set its components value. Therefore,
+ the loop code assumes that exp->NumberOfFunctions is greater than ordinal at
+ each iteration. This can lead to arbitrary code execution.
+Author: Saullo Carvalho Castelo Branco <saullocarvalho@gmail.com>
+Origin: upstream, https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Bug: https://github.com/merces/libpe/issues/35
+Bug-Debian: https://bugs.debian.org/1034725
+Applied-Upstream: https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32
+Last-Update: 2023-04-22
+
+--- a/lib/libpe/exports.c
++++ b/lib/libpe/exports.c
+@@ -130,7 +130,10 @@
+
+ const uint32_t entry_name_rva = *entry_name_list;
+ const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva);
+- offsets_to_Names[ordinal] = entry_name_ofs;
++
++ if (ordinal < exp->NumberOfFunctions) {
++ offsets_to_Names[ordinal] = entry_name_ofs;
++ }
+ }
+
+ //
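Review bot: the guard added at `+ if (ordinal < exp->NumberOfFunctions) {` stops the out-of-bounds write but silently drops the entry, so a file whose NumberOfNames or ordinal table disagrees with NumberOfFunctions is processed as if it were well-formed and the corresponding offsets_to_Names slots keep whatever value they started with. Consider emitting a warning or returning a malformed-input error at that point so callers can tell a crafted export directory from a valid one. The description also notes that offsets_to_Names is allocated on the stack with exp->NumberOfFunctions as its size; that value still comes straight from the file, so a sanity limit on it before the allocation would be a worthwhile follow-up.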
diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series
--- pev-0.81/debian/patches/series 2021-05-05 12:09:18.000000000 +0000
+++ pev-0.81/debian/patches/series 2023-04-22 20:48:00.000000000 +0000
@@ -1 +1,2 @@
0001-widechar-off-by-one.patch
+0002-fix-bo-pe_exports.patch