Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Daniel Baumann <daniel.baum...@progress-linux.org>, 
t...@security.debian.org

  * CVE-2019-15531: Invalid read for malformed DVI files.
    (Closes: #935553)
diff -Nru libextractor-1.8/debian/changelog libextractor-1.8/debian/changelog
--- libextractor-1.8/debian/changelog   2018-12-27 20:45:49.000000000 +0200
+++ libextractor-1.8/debian/changelog   2022-01-23 23:10:06.000000000 +0200
@@ -1,3 +1,11 @@
+libextractor (1:1.8-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-15531: Invalid read for malformed DVI files.
+    (Closes: #935553)
+
+ -- Adrian Bunk <b...@debian.org>  Sun, 23 Jan 2022 23:10:06 +0200
+
 libextractor (1:1.8-2) unstable; urgency=high
 
   * Fix out-of-bounds read vulnerability in common/convert.c (Closes: #917214,
diff -Nru libextractor-1.8/debian/patches/0001-fix-5846.patch 
libextractor-1.8/debian/patches/0001-fix-5846.patch
--- libextractor-1.8/debian/patches/0001-fix-5846.patch 1970-01-01 
02:00:00.000000000 +0200
+++ libextractor-1.8/debian/patches/0001-fix-5846.patch 2022-01-23 
23:09:09.000000000 +0200
@@ -0,0 +1,181 @@
+From aad7a7857b815175e70e2270115a3c8cb0445765 Mon Sep 17 00:00:00 2001
+From: Christian Grothoff <christ...@grothoff.org>
+Date: Fri, 23 Aug 2019 09:35:53 +0200
+Subject: fix #5846
+
+---
+ src/plugins/dvi_extractor.c | 88 +++++++++++++++++++------------------
+ 1 file changed, 45 insertions(+), 43 deletions(-)
+
+diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
+index 268b48c..e3aa450 100644
+--- a/src/plugins/dvi_extractor.c
++++ b/src/plugins/dvi_extractor.c
+@@ -1,6 +1,6 @@
+ /*
+      This file is part of libextractor.
+-     Copyright (C) 2002, 2003, 2004, 2012, 2017 Vidyut Samanta and Christian 
Grothoff
++     Copyright (C) 2002, 2003, 2004, 2012, 2017, 2019 Vidyut Samanta and 
Christian Grothoff
+ 
+      libextractor is free software; you can redistribute it and/or modify
+      it under the terms of the GNU General Public License as published
+@@ -182,6 +182,8 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+   size = ec->get_size (ec->cls);
+   if (size > 16 * 1024 * 1024)
+     return; /* too large */
++  if (klen + 15 > size)
++    return; /* malformed klen */
+   if (NULL == (data = malloc ((size_t) size)))
+     return; /* out of memory */
+   memcpy (data, buf, iret);
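Review bot: The added guard `if (klen + 15 > size)` relies on a bare 15 whose meaning only becomes clear much later, at `memcpy (comment, &data[15], klen)`. I would document it at the check, e.g. `/* preamble comment occupies data[15 .. 15+klen-1]; reject if it runs past the end of the file */`, or give the offset a name that both places use. The declaration and assignment of `klen` are outside this hunk, so whether `klen + 15` can wrap cannot be judged from here. If it is wider than a single byte, testing `size < 15 || klen > size - 15` would avoid the addition. EXTRACTOR_dvi_extract_method starts before and continues after the hunk.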
+@@ -189,16 +191,16 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+   while (off < size)
+     {
+       if (0 >= (iret = ec->read (ec->cls, &buf, 16 * 1024)))
+-      {
+-        free (data);
+-        return;
+-      }
++        {
++          free (data);
++          return;
++        }
+       memcpy (&data[off], buf, iret);
+       off += iret;
+     }
+   pos = size - 1;
+   while ( (223 == data[pos]) &&
+-        (pos > 0) )
++          (pos > 0) )
+     pos--;
+   if ( (2 != data[pos]) ||
+        (pos < 40) )
+@@ -225,9 +227,9 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+         break;
+       if ( (pos + 45 > size) ||
+          (pos + 45 < pos) )
+-      goto CLEANUP;
++        goto CLEANUP;
+       if (data[pos] != 139)     /* expect 'bop' */
+-      goto CLEANUP;
++        goto CLEANUP;
+       pageCount++;
+       opos = pos;
+       pos = getIntAt (&data[opos + 41]);
+@@ -238,24 +240,24 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+     }
+   /* ok, now we believe it's a dvi... */
+   snprintf (pages,
+-          sizeof (pages),
+-          "%u", 
+-          pageCount);
++            sizeof (pages),
++            "%u", 
++            pageCount);
+   if (0 != ec->proc (ec->cls, 
+-                   "dvi",
+-                   EXTRACTOR_METATYPE_PAGE_COUNT,
+-                   EXTRACTOR_METAFORMAT_UTF8,
+-                   "text/plain",
+-                   pages,
+-                   strlen (pages) + 1))
++                     "dvi",
++                     EXTRACTOR_METATYPE_PAGE_COUNT,
++                     EXTRACTOR_METAFORMAT_UTF8,
++                     "text/plain",
++                     pages,
++                     strlen (pages) + 1))
+     goto CLEANUP;
+   if (0 != ec->proc (ec->cls, 
+-                   "dvi",
+-                   EXTRACTOR_METATYPE_MIMETYPE,
+-                   EXTRACTOR_METAFORMAT_UTF8,
+-                   "text/plain",
+-                   "application/x-dvi",
+-                   strlen ("application/x-dvi") + 1))
++                     "dvi",
++                     EXTRACTOR_METATYPE_MIMETYPE,
++                     EXTRACTOR_METAFORMAT_UTF8,
++                     "text/plain",
++                     "application/x-dvi",
++                     strlen ("application/x-dvi") + 1))
+     goto CLEANUP;
+   {
+     char comment[klen + 1];
+@@ -263,18 +265,18 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+     comment[klen] = '\0';
+     memcpy (comment, &data[15], klen);
+     if (0 != ec->proc (ec->cls, 
+-                     "dvi",
+-                     EXTRACTOR_METATYPE_COMMENT,
+-                     EXTRACTOR_METAFORMAT_C_STRING,
+-                     "text/plain",
+-                     comment,
+-                     klen + 1))
++                       "dvi",
++                       EXTRACTOR_METATYPE_COMMENT,
++                       EXTRACTOR_METAFORMAT_C_STRING,
++                       "text/plain",
++                       comment,
++                       klen + 1))
+       goto CLEANUP;
+   }
+   /* try to find PDF/ps special */
+   pos = opos;
+   while ( (size >= 100) &&
+-        (pos < size - 100) )
++          (pos < size - 100) )
+     {
+       switch (data[pos])
+         {
+@@ -284,34 +286,34 @@ EXTRACTOR_dvi_extract_method (struct 
EXTRACTOR_ExtractContext *ec)
+           break;
+         case 239:              /* zzz1 */
+           len = data[pos + 1];
+-          if (pos + 2 + len < size)
+-            if (0 != parseZZZ ((const char *) data, pos + 2, len, ec->proc, 
ec->cls))
+-            goto CLEANUP;
++          if ( (pos + 2 + len < size) &&
++               (0 != parseZZZ ((const char *) data, pos + 2, len, ec->proc, 
ec->cls)) )
++              goto CLEANUP;
+           pos += len + 2;
+           break;
+         case 240:              /* zzz2 */
+           len = getShortAt (&data[pos + 1]);
+-          if (pos + 3 + len < size)
+-            if (0 != parseZZZ ((const char *) data, pos + 3, len, ec->proc, 
ec->cls))
+-            goto CLEANUP;
++          if ( (pos + 3 + len < size) &&
++               (0 != parseZZZ ((const char *) data, pos + 3, len, ec->proc, 
ec->cls)) )
++            goto CLEANUP;
+           pos += len + 3;
+           break;
+         case 241:              /* zzz3, who uses that? */
+           len = (getShortAt (&data[pos + 1])) + 65536 * data[pos + 3];
+-          if (pos + 4 + len < size)
+-            if (0 != parseZZZ ((const char *) data, pos + 4, len, ec->proc, 
ec->cls))
+-            goto CLEANUP;
++          if ( (pos + 4 + len < size) &&
++               (0 != parseZZZ ((const char *) data, pos + 4, len, ec->proc, 
ec->cls)) )
++              goto CLEANUP;
+           pos += len + 4;
+           break;
+         case 242:              /* zzz4, hurray! */
+           len = getIntAt (&data[pos + 1]);
+-          if (pos + 1 + len < size)
+-            if (0 != parseZZZ ((const char *) data, pos + 5, len, ec->proc, 
ec->cls))
+-            goto CLEANUP;
++          if ( (pos + 1 + len < size) &&
++               (0 != parseZZZ ((const char *) data, pos + 5, len, ec->proc, 
ec->cls)) )
++            goto CLEANUP;
+           pos += len + 5;
+           break;
+         default:               /* unsupported opcode, abort scan */
+-        goto CLEANUP;
++          goto CLEANUP;
+         }
+     }
+  CLEANUP:
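Review bot: In the `case 242` (zzz4) branch the bound tested is `pos + 1 + len < size`, but parseZZZ is called with offset `pos + 5`. Assuming parseZZZ reads `len` bytes from that offset, the range can extend past the end of `data`. The other three cases test the same offset they pass (`pos + 2`, `pos + 3`, `pos + 4`), so the condition should read `(pos + 5 + len < size) &&`. `len` is taken directly from file bytes via getIntAt and the types of `pos` and `len` are not visible in the hunk, so the sum may also wrap for a large value. Comparing `len` against the remaining `size - pos - 5` would likely be more robust, and that subtraction cannot underflow here because the loop condition keeps `pos < size - 100`. The function body starts outside the hunk.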
+-- 
+2.20.1
+
diff -Nru libextractor-1.8/debian/patches/series 
libextractor-1.8/debian/patches/series
--- libextractor-1.8/debian/patches/series      2018-12-27 12:24:49.000000000 
+0200
+++ libextractor-1.8/debian/patches/series      2022-01-23 23:09:50.000000000 
+0200
@@ -1,2 +1,3 @@
 CVE-2018-20430.patch
 CVE-2018-20431.patch
+0001-fix-5846.patch
