Hi Salvatore, On 09/13/2017 07:27 PM, Bas Couwenberg wrote: > Should be fixed in the new upstream release: > > https://groups.google.com/forum/m/#!topic/spatialite-users/Wpj62XSzcZY > > I'm not able to work on this until I return from VAC.
I've cherry-picked the changes from 1.0.4 and prepared updates for stretch, jessie & wheezy. The changes are available in git, and the debdiffs are attached. * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy Are these OK to upload? Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog --- freexl-1.0.0b/debian/changelog 2015-11-13 11:39:37.000000000 +0100 +++ freexl-1.0.0b/debian/changelog 2017-09-16 23:26:04.000000000 +0200 @@ -1,3 +1,10 @@ +freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high + + * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. + (closes: #875690, #875691) + + -- Bas Couwenberg <sebas...@debian.org> Sat, 16 Sep 2017 23:26:04 +0200 + freexl (1.0.0b-1+deb7u3) wheezy-security; urgency=high * Add patch to fix regression introduced by afl-vulnerabilitities.patch. diff -Nru freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch --- freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 2017-09-16 23:26:04.000000000 +0200 
@@ -0,0 +1,317 @@ +Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431 + CVE-2017-2923 & CVE-2017-2924 +Author: Alessandro Furieri <a.furi...@lqt.it> +Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 +Bug-Debian: https://bugs.debian.org/875690 + https://bugs.debian.org/875691 + +--- a/src/freexl.c ++++ b/src/freexl.c +@@ -935,6 +935,21 @@ set_sst_value (biff_workbook * workbook, + return FREEXL_OK; + } + ++static size_t ++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl) ++{ ++/* ++/ Sandro 2017-09-07 ++/ secure version of "fread" checking against buffer overflows ++/--------------------------- ++/ expected to fix the issue reported by ++/ Cisco [TALOS-2017-431] ++*/ ++ if ((size * nmemb) > bufsz) ++ return 0; ++ return fread (buf, size, nmemb, fl); ++} ++ + static fat_chain * + alloc_fat_chain (int swap, unsigned short sector_shift, + unsigned int directory_start) +@@ -1377,7 +1392,8 @@ read_fat_sector (FILE * xls, fat_chain * + max_fat = 128; + + /* reading a FAT sector */ +- if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + + for (i_fat = 0; i_fat < max_fat; i_fat++) +@@ -1419,7 +1435,8 @@ read_difat_sectors (FILE * xls, fat_chai + if (fseek (xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a DIFAT sector */ +- if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + blocks++; + if (chain->swap) +@@ -1480,7 +1497,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch + unsigned char *p_buf = buf; + block++; + /* reading a miniFAT sector */ +- if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) != ++ 
chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + for (i_fat = 0; i_fat < max_fat; i_fat++) + { +@@ -1508,7 +1526,7 @@ read_cfbf_header (biff_workbook * workbo + int ret; + unsigned char *p_fat = header.fat_sector_map; + +- if (fread (&header, 1, 512, workbook->xls) != 512) ++ if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512) + { + *err_code = FREEXL_CFBF_READ_ERROR; + return NULL; +@@ -1654,8 +1672,9 @@ read_mini_stream (biff_workbook * workbo + *errcode = FREEXL_CFBF_SEEK_ERROR; + return 0; + } +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (buf), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + { + *errcode = FREEXL_CFBF_READ_ERROR; + return 0; +@@ -1987,7 +2006,7 @@ legacy_emergency_dimension (biff_workboo + /* looping on BIFF records */ + if (!first) + { +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2013,9 +2032,9 @@ legacy_emergency_dimension (biff_workboo + /* INTEGER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2040,9 +2059,9 @@ legacy_emergency_dimension (biff_workboo + /* NUMBER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2065,9 +2084,9 @@ legacy_emergency_dimension (biff_workboo + /* RK 
marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2092,9 +2111,9 @@ legacy_emergency_dimension (biff_workboo + /* LABEL marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2171,7 +2190,7 @@ read_legacy_biff (biff_workbook * workbo + + /* attempting to get the main BOF */ + rewind (workbook->xls); +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2207,7 +2226,7 @@ read_legacy_biff (biff_workbook * workbo + { + /* looping on BIFF records */ + +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2233,9 +2252,9 @@ read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_CODEPAGE) + { + /* CODEPAGE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2251,9 +2270,9 @@ read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_DATEMODE) + { + /* DATEMODE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, 
+- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2285,9 +2304,9 @@ read_legacy_biff (biff_workbook * workbo + int is_date = 0; + int is_datetime = 0; + int is_time = 0; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + if (workbook->biff_version == FREEXL_BIFF_VER_2 +@@ -2353,9 +2372,9 @@ read_legacy_biff (biff_workbook * workbo + /* XF [Extended Format] marker found */ + unsigned char format; + unsigned short s_format; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + switch (workbook->biff_version) + { +@@ -2385,9 +2404,9 @@ read_legacy_biff (biff_workbook * workbo + unsigned int rows; + unsigned short columns; + char *utf8_name; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record + 2, 2); +@@ -2435,9 +2454,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2503,9 +2522,9 @@ read_legacy_biff (biff_workbook * workbo + 
(workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2586,9 +2605,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2688,9 +2707,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -3521,8 +3540,9 @@ read_cfbf_sector (biff_workbook * workbo + long where = (workbook->current_sector + 1) * workbook->fat->sector_size; + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + return FREEXL_OK; + } +@@ -3644,6 +3664,14 @@ read_biff_next_record (biff_workbook * w + if (record_type.value == 0x0000 && record_size.value == 0) + return -1; + ++/* ++/ Sandro 2017-09-07 ++/ fixing a security issue reported by ++/ Cisco [TALOS-2017-430] ++*/ ++ if (record_size.value > sizeof 
(workbook->record)) ++ return -1; ++ + /* saving the current record */ + workbook->record_type = record_type.value; + workbook->record_size = record_size.value; +@@ -3823,8 +3851,9 @@ get_workbook_stream (biff_workbook * wor + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a FAT Directory block [sector] */ +- if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + workbook_start = 0xFFFFFFFF; + for (i_entry = 0; i_entry < max_entries; i_entry++) diff -Nru freexl-1.0.0b/debian/patches/series freexl-1.0.0b/debian/patches/series --- freexl-1.0.0b/debian/patches/series 2015-11-12 22:23:41.000000000 +0100 +++ freexl-1.0.0b/debian/patches/series 2017-09-16 23:26:04.000000000 +0200 @@ -1,3 +1,4 @@ afl-vulnerabilitities.patch 32bit-multiplication-overflow.patch afl-vulnerabilitities-regression.patch +CVE-2017-2923_CVE-2017-2924.patch
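Review bot: In the `read_cfbf_sector` hunk the bound handed to the new wrapper is `sizeof (biff_workbook)`, the size of the workbook struct, not the capacity of the destination `buf`, so this one converted call still does not bound the write against the buffer it fills; every other converted call in the patch passes `sizeof` of the actual destination. `buf` looks like a pointer parameter here (its declaration is outside the inner hunk, and the author did not use `sizeof (buf)` as elsewhere), so the caller has to supply the real capacity, e.g. `read_cfbf_sector (biff_workbook * workbook, unsigned char *buf, size_t bufsz)` and `xls_fread (bufsz, buf, 1, workbook->fat->sector_size, workbook->xls)`. If `buf` is always a fixed array member of the workbook, `sizeof` of that member would be the right bound instead — that is inferred, confirm against the callers. Since this is a cherry-pick of the upstream commit, the correction should be reported upstream rather than carried as a Debian-only delta.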
diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog --- freexl-1.0.0g/debian/changelog 2015-11-13 11:31:45.000000000 +0100 +++ freexl-1.0.0g/debian/changelog 2017-09-16 23:26:04.000000000 +0200 @@ -1,3 +1,10 @@ +freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high + + * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. + (closes: #875690, #875691) + + -- Bas Couwenberg <sebas...@debian.org> Sat, 16 Sep 2017 23:26:04 +0200 + freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high * Add patch to fix regression introduced by afl-vulnerabilitities.patch. diff -Nru freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch --- freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 2017-09-16 23:26:04.000000000 +0200 
@@ -0,0 +1,352 @@ +Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431 + CVE-2017-2923 & CVE-2017-2924 +Author: Alessandro Furieri <a.furi...@lqt.it> +Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 +Bug-Debian: https://bugs.debian.org/875690 + https://bugs.debian.org/875691 + +--- a/src/freexl.c ++++ b/src/freexl.c +@@ -941,6 +941,21 @@ set_sst_value (biff_workbook * workbook, + return FREEXL_OK; + } + ++static size_t ++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl) ++{ ++/* ++/ Sandro 2017-09-07 ++/ secure version of "fread" checking against buffer overflows ++/--------------------------- ++/ expected to fix the issue reported by ++/ Cisco [TALOS-2017-431] ++*/ ++ if ((size * nmemb) > bufsz) ++ return 0; ++ return fread (buf, size, nmemb, fl); ++} ++ + static fat_chain * + alloc_fat_chain (int swap, unsigned short sector_shift, + unsigned int directory_start) +@@ -1383,7 +1398,8 @@ read_fat_sector (FILE * xls, fat_chain * + max_fat = 128; + + /* reading a FAT sector */ +- if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + + for (i_fat = 0; i_fat < max_fat; i_fat++) +@@ -1425,7 +1441,8 @@ read_difat_sectors (FILE * xls, fat_chai + if (fseek (xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a DIFAT sector */ +- if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + blocks++; + if (chain->swap) +@@ -1486,7 +1503,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch + unsigned char *p_buf = buf; + block++; + /* reading a miniFAT sector */ +- if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) != ++ 
chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + for (i_fat = 0; i_fat < max_fat; i_fat++) + { +@@ -1514,7 +1532,7 @@ read_cfbf_header (biff_workbook * workbo + int ret; + unsigned char *p_fat = header.fat_sector_map; + +- if (fread (&header, 1, 512, workbook->xls) != 512) ++ if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512) + { + *err_code = FREEXL_CFBF_READ_ERROR; + return NULL; +@@ -1660,8 +1678,9 @@ read_mini_stream (biff_workbook * workbo + *errcode = FREEXL_CFBF_SEEK_ERROR; + return 0; + } +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (buf), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + { + *errcode = FREEXL_CFBF_READ_ERROR; + return 0; +@@ -1993,7 +2012,7 @@ legacy_emergency_dimension (biff_workboo + /* looping on BIFF records */ + if (!first) + { +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2019,9 +2038,9 @@ legacy_emergency_dimension (biff_workboo + /* INTEGER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2046,9 +2065,9 @@ legacy_emergency_dimension (biff_workboo + /* NUMBER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2073,9 +2092,9 @@ legacy_emergency_dimension (biff_workboo + /* BOOLERR 
marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2098,9 +2117,9 @@ legacy_emergency_dimension (biff_workboo + /* RK marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2125,9 +2144,9 @@ legacy_emergency_dimension (biff_workboo + /* LABEL marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2204,7 +2223,7 @@ read_legacy_biff (biff_workbook * workbo + + /* attempting to get the main BOF */ + rewind (workbook->xls); +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2240,7 +2259,7 @@ read_legacy_biff (biff_workbook * workbo + { + /* looping on BIFF records */ + +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2253,7 +2272,7 @@ read_legacy_biff (biff_workbook * workbo + + if (record_type.value == BIFF_SHEETSOFFSET) + { +-/* unsupported BIFF4W format */ ++ /* unsupported BIFF4W format */ + return 0; + } + +@@ -2266,9 +2285,9 @@ 
read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_CODEPAGE) + { + /* CODEPAGE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2284,9 +2303,9 @@ read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_DATEMODE) + { + /* DATEMODE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2318,9 +2337,9 @@ read_legacy_biff (biff_workbook * workbo + int is_date = 0; + int is_datetime = 0; + int is_time = 0; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + if (workbook->biff_version == FREEXL_BIFF_VER_2 +@@ -2386,9 +2405,9 @@ read_legacy_biff (biff_workbook * workbo + /* XF [Extended Format] marker found */ + unsigned char format; + unsigned short s_format; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + switch (workbook->biff_version) + { +@@ -2418,9 +2437,9 @@ read_legacy_biff (biff_workbook * workbo + unsigned int rows; + unsigned short columns; + char *utf8_name; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ 
record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record + 2, 2); +@@ -2468,9 +2487,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2536,9 +2555,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2615,9 +2634,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2668,9 +2687,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2769,9 +2788,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- 
workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -3636,8 +3655,9 @@ read_cfbf_sector (biff_workbook * workbo + long where = (workbook->current_sector + 1) * workbook->fat->sector_size; + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + return FREEXL_OK; + } +@@ -3759,6 +3779,14 @@ read_biff_next_record (biff_workbook * w + if (record_type.value == 0x0000 && record_size.value == 0) + return -1; + ++/* ++/ Sandro 2017-09-07 ++/ fixing a security issue reported by ++/ Cisco [TALOS-2017-430] ++*/ ++ if (record_size.value > sizeof (workbook->record)) ++ return -1; ++ + /* saving the current record */ + workbook->record_type = record_type.value; + workbook->record_size = record_size.value; +@@ -3938,8 +3966,9 @@ get_workbook_stream (biff_workbook * wor + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a FAT Directory block [sector] */ +- if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + workbook_start = 0xFFFFFFFF; + for (i_entry = 0; i_entry < max_entries; i_entry++) diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series --- freexl-1.0.0g/debian/patches/series 2015-11-12 22:23:41.000000000 +0100 +++ freexl-1.0.0g/debian/patches/series 2017-09-16 23:26:04.000000000 +0200 
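Review bot: `xls_fread` guards with `(size * nmemb) > bufsz`, and that product can wrap for large `size`/`nmemb`, letting an oversized request pass the check; every caller in this patch passes `size == 1`, so it is not reachable here, but a wrapper described as a "secure version of fread" should not depend on that, e.g. `if (size != 0 && nmemb > bufsz / size) return 0;`. Separately, the `read_cfbf_sector` call passes `sizeof (biff_workbook)` — the size of the workbook struct — as the bound rather than the capacity of `buf`, making it the one converted call whose bound is unrelated to its destination; `buf` appears to be a pointer parameter declared outside the hunk, so the caller would need to pass the capacity in. The same patch file is added in the wheezy and stretch debdiffs in this mail, so any correction should land in all three and go upstream.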
@@ -1,3 +1,4 @@ afl-vulnerabilitities.patch 32bit-multiplication-overflow.patch afl-vulnerabilitities-regression.patch +CVE-2017-2923_CVE-2017-2924.patch
diff -Nru freexl-1.0.2/debian/changelog freexl-1.0.2/debian/changelog --- freexl-1.0.2/debian/changelog 2016-05-01 03:11:00.000000000 +0200 +++ freexl-1.0.2/debian/changelog 2017-09-16 23:19:22.000000000 +0200 @@ -1,3 +1,11 @@ +freexl (1.0.2-2+deb9u1) stretch-security; urgency=high + + * Update branch in gbp.conf & Vcs-Git URL. + * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. + (closes: #875690, #875691) + + -- Bas Couwenberg <sebas...@debian.org> Sat, 16 Sep 2017 23:19:22 +0200 + freexl (1.0.2-2) unstable; urgency=medium * Update Vcs-* URLs to use HTTPS. diff -Nru freexl-1.0.2/debian/control freexl-1.0.2/debian/control --- freexl-1.0.2/debian/control 2016-04-15 17:15:12.000000000 +0200 +++ freexl-1.0.2/debian/control 2017-09-16 23:05:24.000000000 +0200 @@ -9,7 +9,7 @@ dh-autoreconf Standards-Version: 3.9.8 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/freexl.git -Vcs-Git: https://anonscm.debian.org/git/pkg-grass/freexl.git +Vcs-Git: https://anonscm.debian.org/git/pkg-grass/freexl.git -b stretch Homepage: https://www.gaia-gis.it/fossil/freexl/ Package: libfreexl-dev diff -Nru freexl-1.0.2/debian/gbp.conf freexl-1.0.2/debian/gbp.conf --- freexl-1.0.2/debian/gbp.conf 2015-11-20 01:03:15.000000000 +0100 +++ freexl-1.0.2/debian/gbp.conf 2017-09-16 23:05:16.000000000 +0200 @@ -6,7 +6,7 @@ # The default name for the Debian branch is "master". # Change it if the name is different (for instance, "debian/unstable"). -debian-branch = master +debian-branch = stretch # git-import-orig uses the following names for the upstream tags. # Change the value if you are not using git-import-orig diff -Nru freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch --- freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 2017-09-16 23:16:52.000000000 +0200 
@@ -0,0 +1,352 @@ +Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431 + CVE-2017-2923 & CVE-2017-2924 +Author: Alessandro Furieri <a.furi...@lqt.it> +Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 +Bug-Debian: https://bugs.debian.org/875690 + https://bugs.debian.org/875691 + +--- a/src/freexl.c ++++ b/src/freexl.c +@@ -951,6 +951,21 @@ set_sst_value (biff_workbook * workbook, + return FREEXL_OK; + } + ++static size_t ++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl) ++{ ++/* ++/ Sandro 2017-09-07 ++/ secure version of "fread" checking against buffer overflows ++/--------------------------- ++/ expected to fix the issue reported by ++/ Cisco [TALOS-2017-431] ++*/ ++ if ((size * nmemb) > bufsz) ++ return 0; ++ return fread (buf, size, nmemb, fl); ++} ++ + static fat_chain * + alloc_fat_chain (int swap, unsigned short sector_shift, + unsigned int directory_start) +@@ -1393,7 +1408,8 @@ read_fat_sector (FILE * xls, fat_chain * + max_fat = 128; + + /* reading a FAT sector */ +- if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + + for (i_fat = 0; i_fat < max_fat; i_fat++) +@@ -1435,7 +1451,8 @@ read_difat_sectors (FILE * xls, fat_chai + if (fseek (xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a DIFAT sector */ +- if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) != ++ chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + blocks++; + if (chain->swap) +@@ -1496,7 +1513,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch + unsigned char *p_buf = buf; + block++; + /* reading a miniFAT sector */ +- if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size) ++ if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) != ++ 
chain->sector_size) + return FREEXL_CFBF_READ_ERROR; + for (i_fat = 0; i_fat < max_fat; i_fat++) + { +@@ -1524,7 +1542,7 @@ read_cfbf_header (biff_workbook * workbo + int ret; + unsigned char *p_fat = header.fat_sector_map; + +- if (fread (&header, 1, 512, workbook->xls) != 512) ++ if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512) + { + *err_code = FREEXL_CFBF_READ_ERROR; + return NULL; +@@ -1670,8 +1688,9 @@ read_mini_stream (biff_workbook * workbo + *errcode = FREEXL_CFBF_SEEK_ERROR; + return 0; + } +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (buf), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + { + *errcode = FREEXL_CFBF_READ_ERROR; + return 0; +@@ -2003,7 +2022,7 @@ legacy_emergency_dimension (biff_workboo + /* looping on BIFF records */ + if (!first) + { +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2029,9 +2048,9 @@ legacy_emergency_dimension (biff_workboo + /* INTEGER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2056,9 +2075,9 @@ legacy_emergency_dimension (biff_workboo + /* NUMBER marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2083,9 +2102,9 @@ legacy_emergency_dimension (biff_workboo + /* BOOLERR 
marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2108,9 +2127,9 @@ legacy_emergency_dimension (biff_workboo + /* RK marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2135,9 +2154,9 @@ legacy_emergency_dimension (biff_workboo + /* LABEL marker found */ + biff_word16 word16; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2214,7 +2233,7 @@ read_legacy_biff (biff_workbook * workbo + + /* attempting to get the main BOF */ + rewind (workbook->xls); +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2250,7 +2269,7 @@ read_legacy_biff (biff_workbook * workbo + { + /* looping on BIFF records */ + +- if (fread (&buf, 1, 4, workbook->xls) != 4) ++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) + return 0; + memcpy (record_type.bytes, buf, 2); + memcpy (record_size.bytes, buf + 2, 2); +@@ -2263,7 +2282,7 @@ read_legacy_biff (biff_workbook * workbo + + if (record_type.value == BIFF_SHEETSOFFSET) + { +-/* unsupported BIFF4W format */ ++ /* unsupported BIFF4W format */ + return 0; + } + +@@ -2276,9 +2295,9 @@ 
read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_CODEPAGE) + { + /* CODEPAGE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2294,9 +2313,9 @@ read_legacy_biff (biff_workbook * workbo + if (record_type.value == BIFF_DATEMODE) + { + /* DATEMODE marker found */ +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + memcpy (word16.bytes, workbook->record, 2); + if (swap) +@@ -2328,9 +2347,9 @@ read_legacy_biff (biff_workbook * workbo + int is_date = 0; + int is_datetime = 0; + int is_time = 0; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + if (workbook->biff_version == FREEXL_BIFF_VER_2 +@@ -2396,9 +2415,9 @@ read_legacy_biff (biff_workbook * workbo + /* XF [Extended Format] marker found */ + unsigned char format; + unsigned short s_format; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + switch (workbook->biff_version) + { +@@ -2428,9 +2447,9 @@ read_legacy_biff (biff_workbook * workbo + unsigned int rows; + unsigned short columns; + char *utf8_name; +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ 
record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record + 2, 2); +@@ -2478,9 +2497,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2546,9 +2565,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2625,9 +2644,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2678,9 +2697,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -2779,9 +2798,9 @@ read_legacy_biff (biff_workbook * workbo + (workbook, swap, record_type.value, record_size.value)) + return 0; + +- if (fread +- (workbook->record, 1, record_size.value, +- 
workbook->xls) != record_size.value) ++ if (xls_fread ++ (sizeof (workbook->record), workbook->record, 1, ++ record_size.value, workbook->xls) != record_size.value) + return 0; + + memcpy (word16.bytes, workbook->record, 2); +@@ -3646,8 +3665,9 @@ read_cfbf_sector (biff_workbook * workbo + long where = (workbook->current_sector + 1) * workbook->fat->sector_size; + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; +- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + return FREEXL_OK; + } +@@ -3769,6 +3789,14 @@ read_biff_next_record (biff_workbook * w + if (record_type.value == 0x0000 && record_size.value == 0) + return -1; + ++/* ++/ Sandro 2017-09-07 ++/ fixing a security issue reported by ++/ Cisco [TALOS-2017-430] ++*/ ++ if (record_size.value > sizeof (workbook->record)) ++ return -1; ++ + /* saving the current record */ + workbook->record_type = record_type.value; + workbook->record_size = record_size.value; +@@ -3948,8 +3976,9 @@ get_workbook_stream (biff_workbook * wor + if (fseek (workbook->xls, where, SEEK_SET) != 0) + return FREEXL_CFBF_SEEK_ERROR; + /* reading a FAT Directory block [sector] */ +- if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) != +- workbook->fat->sector_size) ++ if (xls_fread ++ (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size, ++ workbook->xls) != workbook->fat->sector_size) + return FREEXL_CFBF_READ_ERROR; + workbook_start = 0xFFFFFFFF; + for (i_entry = 0; i_entry < max_entries; i_entry++) diff -Nru freexl-1.0.2/debian/patches/series freexl-1.0.2/debian/patches/series --- freexl-1.0.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.2/debian/patches/series 2017-09-16 23:11:29.000000000 +0200 @@ -0,0 +1 @@ +CVE-2017-2923_CVE-2017-2924.patch
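Review bot: The bound passed to xls_fread in the read_cfbf_sector hunk is `sizeof (biff_workbook)`, the size of the workbook struct, which says nothing about the capacity of `buf`; every other call site passes `sizeof` of the actual destination array, so this one check does not stop an oversized `sector_size` from overrunning the buffer it was added to protect. The declaration of `buf` and read_cfbf_sector's signature are outside the hunk, so I cannot confirm its real capacity from here, but it looks like a pointer parameter (otherwise `sizeof (buf)` would have been used as elsewhere), and the limit should come from the caller: e.g. `static int read_cfbf_sector (biff_workbook * workbook, unsigned char *buf, size_t bufsz)` with `if (xls_fread (bufsz, buf, 1, workbook->fat->sector_size, workbook->xls) != workbook->fat->sector_size)`, each caller passing `sizeof` of the array it hands in. As a smaller point, `xls_fread` computes `size * nmemb` before comparing, which can wrap for large arguments; every current caller passes `size` 1 so it is moot today, but `if (size != 0 && nmemb > bufsz / size) return 0;` is the wrap-free form. A comment on `xls_fread` stating that `bufsz` must be the destination's capacity (a `sizeof`), never a length taken from the file, would make the contract explicit for the next call site.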