Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: jessie Severity: normal
This update contains four patches which I noticed in upstream's git. They appeared in July, and the last fix (a fix for a fix) was done last week. I have no idea when 0.99.3 will appear, and the changes in the debdiff are the only functional changes in libclamunrar* since 0.99. The fixes look like they address bugs found by afl (or another fuzzer) while throwing .rar files at clamav. Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog --- libclamunrar-0.99/debian/changelog 2016-02-03 22:10:12.000000000 +0100 +++ libclamunrar-0.99/debian/changelog 2016-12-16 21:38:26.000000000 +0100 @@ -1,3 +1,10 @@ +libclamunrar (0.99-0+deb8u2) stable; urgency=medium + + * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band + access. + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Fri, 16 Dec 2016 21:38:26 +0100 + libclamunrar (0.99-0+deb8u1) stable; urgency=medium [ Scott Kitterman ] @@ -10,7 +17,7 @@ * switch from libclamunrar6 to libclamunrar7 * copy clamav's watch file * add pkg-config to dependencies so autoreconf does not break - * don't links against libpcre if available. + * don't link against libpcre if available. -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Wed, 03 Feb 2016 21:52:51 +0100 diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm --- libclamunrar-0.99/debian/.git-dpm 2016-02-03 22:09:03.000000000 +0100 +++ libclamunrar-0.99/debian/.git-dpm 2016-12-16 21:38:26.000000000 +0100 @@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -1256542cf41587e62a048e687097f23cef1511f0 -libclamunrar_0.98.5.orig.tar.xz -6d4a3441e142002ffdaa76ad313bc018985e1999 -304828 +e677e64787390c59bdb925be08113ebf47aed869 +e677e64787390c59bdb925be08113ebf47aed869 +87f93791ab6959fd522bdf0b1211ff0480cff4c7 +87f93791ab6959fd522bdf0b1211ff0480cff4c7 +libclamunrar_0.99.orig.tar.xz +3299e943affefb7a1aea0cada292f1c4ec039aed +311248 diff -Nru libclamunrar-0.99/debian/patches/bb11600.patch libclamunrar-0.99/debian/patches/bb11600.patch --- libclamunrar-0.99/debian/patches/bb11600.patch 1970-01-01 01:00:00.000000000 +0100 +++ libclamunrar-0.99/debian/patches/bb11600.patch 2016-12-16 21:38:26.000000000 +0100 
@@ -0,0 +1,24 @@
+From 5a04072c135be7b49279792401f10d7b4f723ab5 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Tue, 12 Jul 2016 12:36:29 -0400
+Subject: bb11600 - fix out of bounds stack read.
+
+Patch-Name: bb11600.patch
+---
+ libclamunrar/unrar20.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c
+index ecfe40cf32f3..d938c472e1d8 100644
+--- a/libclamunrar/unrar20.c
++++ b/libclamunrar/unrar20.c
+@@ -117,7 +117,8 @@ static int read_tables20(int fd, unpack_data_t *unpack_data)
+ n = (rar_getbits(unpack_data) >> 14) + 3;
+ rar_addbits(unpack_data, 2);
+ while ((n-- > 0) && (i < table_size)) {
+- table[i] = table[i-1];
++ if (i>0)
++ table[i] = table[i-1];
+ i++;
+ }
+ } else {
diff -Nru libclamunrar-0.99/debian/patches/bb11600_pt2.patch libclamunrar-0.99/debian/patches/bb11600_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11600_pt2.patch 1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11600_pt2.patch 2016-12-16 21:38:26.000000000 +0100
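Review bot: The `if (i>0)` guard in read_tables20() removes the `table[i-1]` read at index 0, but the loop still executes `i++` without storing anything in `table[0]`, so that entry keeps whatever it held before. How `table` is initialised is outside the hunk; if it is an uninitialised stack array, the decode tables built from it afterwards would depend on stale stack contents rather than on the archive. A repeat-the-previous-entry code with no previous entry is malformed input, so returning the function's failure value when `i == 0` before entering the loop would be stricter than skipping the copy; failing that, a comment such as `/* i == 0: no previous entry to repeat, table[0] keeps its prior value */` should record the behaviour. The same applies to the identical guard in read_tables() in bb11600_pt2.patch, and both function bodies start and end outside their hunks.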
@@ -0,0 +1,24 @@
+From 6c667e29a8980bef06544bb2c931a18512aaf745 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Tue, 12 Jul 2016 14:31:38 -0400
+Subject: fix possible out of bounds stack read.
+
+Patch-Name: bb11600_pt2.patch
+---
+ libclamunrar/unrar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
+index 456da4d6fef9..40a3d63cbd3e 100644
+--- a/libclamunrar/unrar.c
++++ b/libclamunrar/unrar.c
+@@ -469,7 +469,8 @@ static int read_tables(int fd, unpack_data_t *unpack_data)
+ rar_addbits(unpack_data, 7);
+ }
+ while (n-- > 0 && i < table_size) {
+- table[i] = table[i-1];
++ if (i>0)
++ table[i] = table[i-1];
+ i++;
+ }
+ } else {
diff -Nru libclamunrar-0.99/debian/patches/bb11601.patch libclamunrar-0.99/debian/patches/bb11601.patch
--- libclamunrar-0.99/debian/patches/bb11601.patch 1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11601.patch 2016-12-16 21:38:26.000000000 +0100
@@ -0,0 +1,35 @@
+From df000ca42b250f861af33aaca16595e34975b715 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <smor...@sourcefire.com>
+Date: Wed, 13 Jul 2016 14:27:10 -0400
+Subject: bb11601 - check array boundaries in unrarvm rarvm_getbits().
+
+Patch-Name: bb11601.patch
+---
+ libclamunrar/unrarvm.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 29944cbea82a..1cf5bb629952 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -215,12 +215,15 @@ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+ unsigned int bit_field;
+
+- bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
+- bit_field >>= (8-rarvm_input->in_bit);
++ if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++ bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
++ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
++ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
++ bit_field >>= (8-rarvm_input->in_bit);
+
+- return (bit_field & 0xffff);
++ return (bit_field & 0xffff);
++ }
++ return 0;
+ }
+
+ unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
diff -Nru libclamunrar-0.99/debian/patches/bb11601_pt2.patch libclamunrar-0.99/debian/patches/bb11601_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11601_pt2.patch 1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/bb11601_pt2.patch 2016-12-16 21:38:26.000000000 +0100
@@ -0,0 +1,43 @@
+From e677e64787390c59bdb925be08113ebf47aed869 Mon Sep 17 00:00:00 2001
+From: Steven Morgan <stevm...@cisco.com>
+Date: Wed, 14 Dec 2016 13:29:00 -0500
+Subject: bb11601 - revise buffer limit check due.
+
+Patch-Name: bb11601_pt2.patch
+---
+ libclamunrar/unrarvm.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 1cf5bb629952..102fe2ebf044 100644
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -213,17 +213,20 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+- unsigned int bit_field;
++ unsigned int bit_field = 0;
+
+- if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++ if (rarvm_input->in_addr < rarvm_input->buf_size) {
+ bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+- bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
+- bit_field >>= (8-rarvm_input->in_bit);
+-
+- return (bit_field & 0xffff);
++ if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
++ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
++ if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
++ }
++ }
+ }
+- return 0;
++ bit_field >>= (8-rarvm_input->in_bit);
++
++ return (bit_field & 0xffff);
+ }
+
+ unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
diff -Nru libclamunrar-0.99/debian/patches/series libclamunrar-0.99/debian/patches/series
--- libclamunrar-0.99/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.99/debian/patches/series 2016-12-16 21:38:26.000000000 +0100
@@ -0,0 +1,4 @@
+bb11600.patch
+bb11600_pt2.patch
+bb11601.patch
+bb11601_pt2.patch
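Review bot: In bb11601_pt2.patch, rarvm_getbits() now substitutes zero for every byte at or beyond `buf_size` and returns a normal-looking value, so a caller cannot tell an exhausted input buffer from genuine zero bits. That choice deserves a comment above the first check, for example `/* Bytes at or past buf_size read as 0, so truncated VM code cannot read outside in_buf. */`. Whether the callers stop consuming bits once `in_addr` reaches `buf_size` is not visible in this hunk and is worth confirming, because the function itself never reports end of input. The checks also bound only the upper side of the index; the declarations of `in_addr` and `buf_size` are outside the hunk, so if either is a signed type a negative `in_addr` would still need to be ruled out elsewhere.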