Package: liblouis
Version: 3.0.0-3
Followup-For: Bug #874302
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: Illegal address access in getALine
    - debian/patches/CVE-2017-13738-and-2017-13744.patch: fix possible
      out-of-bounds write in liblouis/compileTranslationTable.c.
    - CVE-2017-13738
    - CVE-2017-13744
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: fix
      buffer overflow parsing malformed table in
      liblouis/compileTranslationTable.c.
    - CVE-2017-13739
    - CVE-2017-13740
    - CVE-2017-13742

Note that for us 41 and 43 were considered as ignored since they seem to be caught just with ASAN.

Thanks for considering the patch.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru liblouis-3.0.0/debian/files liblouis-3.0.0/debian/files --- liblouis-3.0.0/debian/files 1969-12-31 21:00:00.000000000 -0300 +++ liblouis-3.0.0/debian/files 2017-09-04 10:28:23.000000000 -0300 @@ -0,0 +1 @@ +liblouis_3.0.0-3ubuntu1_source.buildinfo libs extra diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch --- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 1969-12-31 21:00:00.000000000 -0300 +++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 2017-08-31 10:59:03.000000000 -0300 @@ -0,0 +1,19 @@ +From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001 +From: Mike Gorse <mgo...@suse.com> +Date: Tue, 29 Aug 2017 16:55:29 -0500 +Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by + multiple newlines + +Fixes CVE-2017-13738 and CVE-2017-13744. +Index: liblouis-3.0.0/liblouis/compileTranslationTable.c +=================================================================== +--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c ++++ liblouis-3.0.0/liblouis/compileTranslationTable.c +@@ -573,6 +573,7 @@ getALine (FileInfo * nested) + if (pch == '\\' && ch == 10) + { + nested->linelen--; ++ pch = ch; + continue; + } + if (ch == 10 || nested->linelen >= MAXSTRING) diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch --- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 1969-12-31 21:00:00.000000000 -0300 +++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 2017-08-31 11:15:15.000000000 -0300 
@@ -0,0 +1,28 @@ +From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001 +From: Mike Gorse <mgo...@suse.com> +Date: Wed, 30 Aug 2017 12:53:02 -0500 +Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed + table + +The subtable's name can theoretically be up to MAXSTRING characters long. +The base name is then copied into a buffer, and the subtable's name is +appended, so we should allocate more than MAXSTRING bytes for the buffer. + +Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742. +--- + liblouis/compileTranslationTable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: liblouis-3.0.0/liblouis/compileTranslationTable.c +=================================================================== +--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c ++++ liblouis-3.0.0/liblouis/compileTranslationTable.c +@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons + + if (table == NULL || table[0] == '\0') + return NULL; +- tableFile = (char *) malloc (MAXSTRING * sizeof(char)); ++ tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2); + + // + // First try to resolve against base diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series --- liblouis-3.0.0/debian/patches/series 1969-12-31 21:00:00.000000000 -0300 +++ liblouis-3.0.0/debian/patches/series 2017-08-31 11:13:38.000000000 -0300 @@ -0,0 +1,2 @@ +CVE-2017-13738-and-2017-13744.patch +CVE-2017-13739-and-2017-13740-and-2017-13742.patch
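
Review bot: debian/files, added by the first hunk, is generated during the package build (its only line names liblouis_3.0.0-3ubuntu1_source.buildinfo) and should not be part of the debdiff. Drop that hunk so the diff carries only the two patches and the debian/patches/series update.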
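
Review bot: in the getALine hunk of CVE-2017-13738-and-2017-13744.patch, `nested->linelen--` still runs with no lower-bound check. The added `pch = ch;` stops the branch from firing again on each following newline, which is the case named in the subject line, but a guard such as `if (nested->linelen > 0)` around the decrement would keep the index non-negative even if this branch is reached some other way. A short comment on why pch is reset before `continue` would also help the next reader, since the line looks redundant without the CVE context.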
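
Review bot: in the resolveSubtable hunk of CVE-2017-13739-and-2017-13740-and-2017-13742.patch, the new size `MAXSTRING * sizeof(char) * 2` is a fixed multiple rather than a bound derived from the data. The commit message says a base name is copied into the buffer and a subtable name of up to MAXSTRING characters is appended, so the required size is the sum of both lengths plus any separator and the terminating NUL. Suggest allocating from the actual lengths or bounding the copy and append explicitly, so the allocation stays correct if either limit changes. The lines shown also have no NULL check between the malloc and the comment that follows it, which is worth confirming in the code below the hunk.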