Re: upload leptonlib

2018-02-23 Thread Salvatore Bonaccorso
Hi Ben,

MITRE did assign the following:

On Thu, Feb 22, 2018 at 05:38:16PM +0100, Ben Hutchings wrote:
> > > 1. #890548
> > 
> > This one has CVE-2018-7186.
> > 
> > > 2. Incomplete fix for #889759 / CVE-2018-3836

CVE-2018-7440

> > > 3. Similar issue to #889759 / CVE-2018-3836, "/" is not filtered so
> > > there is a possibility of path traversal and arbitrary file overwrite

CVE-2018-7442

> > > 4. #885704

CVE-2017-18196

> > > 5. The remaining hardcoded paths in /tmp

CVE-2018-7441

Regards,
Salvatore




Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
On 23/02/18 at 10:08, Jeff Breidenbach wrote:
> >So these files should be also removed from the package in wheezy and jessie?
> 
> Yes.

Sorry if my previous message was maybe too brief.

It is not common to remove a file from the packages of a released Debian
suite. I find it surprising that the fix was to remove the binaries.

It seems that upstream keeps the source code (prog/printtiff.c,
prog/printsplitimage.c, prog/splitimage2pdf.c, prog/printimage.c) and
makes reference to printimage and printsplitimage in README.html. They
are included in CMakeLists.txt, but Debian doesn't rely on CMake to
build the package; it's somewhat confusing.

Was upstream's position also to remove those binaries? Was upstream
unable to provide a patch?

Could you please elaborate more on why removing the mentioned files is
the right thing to do?

Cheers, and thanks for your work,

 -- Santiago




Re: upload leptonlib

2018-02-23 Thread Jeff Breidenbach
> So these files should be also removed from the package in wheezy and
> jessie?

Yes.


Re: upload leptonlib

2018-02-23 Thread Santiago R.R.
Security team: sorry for the lack of context in the message. Please see
https://lists.debian.org/debian-lts/2018/02/msg00054.html and
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=830660

On 22/02/18 at 22:35, Jeff Breidenbach wrote:
>These binaries were removed in #830660.
>>$ strings /usr/bin/printsplitimage | grep ^/tmp/
>>/tmp/split
>>$ strings /usr/bin/splitimage2pdf | grep ^/tmp/
>>/tmp/junk_split_image.ps

So these files should be also removed from the package in wheezy and
jessie?

Cheers,

 -- Santiago




FreeXL 1.0.5 - multiple heap-buffer-overflows

2018-02-23 Thread Sebastiaan Couwenberg
Dear Security & LTS Teams,

FreeXL 1.0.5 was released yesterday; it fixes various heap-buffer-overflows:

- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
  https://bugzilla.redhat.com/show_bug.cgi?id=1547879
- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
  https://bugzilla.redhat.com/show_bug.cgi?id=1547883
- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
  https://bugzilla.redhat.com/show_bug.cgi?id=1547885
- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
  1.0.4
  https://bugzilla.redhat.com/show_bug.cgi?id=1547889
- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
  FreeXL 1.0.4
  https://bugzilla.redhat.com/show_bug.cgi?id=1547892

From the release announcement:

"
 Few more vulnerabilities affecting FreeXL have been recently
 discovered; for more details please check Red Hat Bugzilla
 Bug 1547879

 all reported vulnerabilities are never expected to be encountered
 when reading valid XLS files, and can only affect purposely crafted
 files intended to maliciously trigger some nasty security breach.

 the new patched version (FreeXL-1.0.5) sanes any known security
 issue.

 [1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
 [2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip

 developers and system packagers are warmly invited to quickly
 adopt FreeXL-1.0.5

 note
 
 a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
 and it will be returned when a supposed XLS document contains
 "impossible values" (not compatible with the XLS specifications),
 thus leading to a legitimate suspect of a purposely crafted file.
"

https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion


I've uploaded freexl (1.0.5-1) to unstable yesterday, and I've
backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
& freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
The changes are available in git:

http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy

Are these OK to upload?

Kind Regards,

Bas
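Added illustration, not FreeXL's code and not part of Bas's mail: a bounds-checked reader for a length-prefixed string record of the kind the listed parse_SST / parse_unicode_string overflows concern, written the way the quoted 1.0.5 announcement describes, i.e. a count that exceeds the record is treated as an "impossible value" and reported with a crafted-file error code rather than trusted as a copy length. The record layout, error names and sample records are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

enum { XL_OK = 0, XL_CRAFTED_FILE = -1, XL_BUFFER_TOO_SMALL = -2 };

/* Constructed record layout (stand-in for a BIFF string, not FreeXL's format):
 * 2-byte little-endian character count, 1 flag byte (bit 0 set => UTF-16LE
 * units, clear => 8-bit chars), then the characters. */
#define HDR_LEN 3

/* Copies the string in rec into out as NUL-terminated 8-bit text; returns the
 * character count or a negative XL_* code. The overflow class fixed in FreeXL
 * 1.0.5 comes from using the declared count as a copy length before checking
 * it against the bytes actually present; here that check comes first. */
static int parse_biff_string(const uint8_t *rec, size_t rec_len,
                             char *out, size_t out_len)
{
    if (rec_len < HDR_LEN)                    /* header itself truncated   */
        return XL_CRAFTED_FILE;
    size_t nchars = (size_t)rec[0] | ((size_t)rec[1] << 8);
    int wide = rec[2] & 0x01;
    size_t need = wide ? nchars * 2 : nchars; /* <= 131070, cannot wrap    */
    if (need > rec_len - HDR_LEN)             /* impossible value: crafted */
        return XL_CRAFTED_FILE;
    if (nchars + 1 > out_len)                 /* caller's buffer too small */
        return XL_BUFFER_TOO_SMALL;
    const uint8_t *p = rec + HDR_LEN;
    for (size_t i = 0; i < nchars; i++) {
        if (wide)  /* keep the Latin-1 range of each UTF-16LE unit, else '?' */
            out[i] = p[2 * i + 1] == 0 ? (char)p[2 * i] : '?';
        else
            out[i] = (char)p[i];
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Verdict-only wrapper for triaging a record. */
static int check_record(const uint8_t *rec, size_t rec_len)
{
    char tmp[64];
    return parse_biff_string(rec, rec_len, tmp, sizeof tmp);
}

/* Constructed sample records: two valid, three with impossible lengths. */
static const uint8_t REC_OK8[]   = { 0x05, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t REC_OK16[]  = { 0x02, 0x00, 0x01, 'h', 0, 'i', 0 };
static const uint8_t REC_HUGE[]  = { 0xff, 0xff, 0x00, 'a' };           /* 65535 declared, 1 present */
static const uint8_t REC_WIDE[]  = { 0x03, 0x00, 0x01, 'a', 0, 'b', 0 }; /* 3 wide declared, 4 bytes  */
static const uint8_t REC_SHORT[] = { 0x01, 0x00 };                       /* truncated header          */
```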
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog  2017-09-16 23:26:04.0 +0200
+++ freexl-1.0.0b/debian/changelog  2018-02-23 11:04:45.0 +0100
@@ -1,3 +1,21 @@
+freexl (1.0.0b-1+deb7u5) wheezy-security; urgency=high
+
+  * Add upstream patch to fix various heap-buffer-overflows.
+- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+  https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+  https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+  https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+  1.0.4
+  https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+  FreeXL 1.0.4
+  https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg   Fri, 23 Feb 2018 11:04:45 +0100
+
 freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
 
   * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
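Review bot: the line `+- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST` repeats the function name (carried over from the Bugzilla title); drop the duplicate so the changelog reads cleanly. Also, unlike the deb7u4 entry directly below, which names CVE-2017-2923 & CVE-2017-2924, this entry cites only Red Hat Bugzilla URLs; if CVE ids are assigned for these five issues before the upload, add them to the entry so the security tracker can match the fix, and if none exist yet, say so explicitly in the upload mail.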
diff -Nru freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 
freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch
--- freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 1970-01-01 
01:00:00.0 +0100
+++ freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 2018-02-23 
11:04:45.0 +0100
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 
1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri 
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
 b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY-25 /**<
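Review bot: in the DEP-3 header, the second and third `Origin:` URLs (`+https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0` and the line after it) have no leading space, so they are not valid continuation lines of the `Origin` field and DEP-3 parsers will not attach them to it; indent each with a single space, as the `Description` continuation lines already are. Also, as rendered here the embedded `+--- a/headers/freexl.h` is followed by ` b/headers/freexl.h` with no `+++` marker; if that is not merely a mail-archive rendering artifact, the patch will not apply, so confirm with `quilt push -a` before upload.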