Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hello, Several CVEs have been reported against liblouis in Bug#874302. The upstream fixes have been tested for 6 days in Debian unstable and then 5 days in Debian testing. I propose to upload them to stable too, as the attached debdiff shows. Samuel -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog
--- liblouis-3.0.0/debian/changelog 2016-09-14 00:46:35.000000000 +0200
+++ liblouis-3.0.0/debian/changelog 2017-09-25 01:16:30.000000000 +0200
@@ -1,3 +1,14 @@
+liblouis (3.0.0-3+deb9u1) stretch; urgency=medium
+
+ * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch.
+ * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New
+ patch
+ * debian/patches/CVE-2017-13741.patch: New patch.
+ * debian/patches/CVE-2017-13741-2.patch: New patch.
+ * debian/patches/CVE-2017-13743.patch: New patch.
+
+ -- Samuel Thibault <sthiba...@debian.org> Mon, 25 Sep 2017 01:16:30 +0200
+
 liblouis (3.0.0-3) unstable; urgency=medium
 * Upload to unstable.
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgo...@suse.com>
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+ if (pch == '\\' && ch == 10)
+ {
+ nested->linelen--;
++ pch = ch;
+ continue;
+ }
+ if (ch == 10 || nested->linelen >= MAXSTRING)
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 2017-09-25 01:14:10.000000000 +0200
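Review bot: The patch file carries only the upstream From/Date/Subject lines and no DEP-3 `Origin:` or `Bug-Debian:` field, so someone reading the stable package's debian/patches cannot tell from the file itself that this is an upstream cherry-pick tracked in Bug#874302; the same is true of the other four patches in this debdiff. Adding `Origin: upstream, edf8ee00197e5a9b062554bdca00fe1617d257a4` and `Bug-Debian: https://bugs.debian.org/874302` above the upstream headers (the commit id is already in the From line) would give the stable-update reviewer and later maintainers the provenance without touching the code hunk. The code change itself, `pch = ch;` before the `continue`, is consistent with the Subject: it stops a second newline from being treated as another backslash continuation. getALine's loop starts and ends outside the hunk.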
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgo...@suse.com>
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
+
+ if (table == NULL || table[0] == '\0')
+ return NULL;
+- tableFile = (char *) malloc (MAXSTRING * sizeof(char));
++ tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
+
+ //
+ // First try to resolve against base
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch 2017-09-25 01:14:10.000000000 +0200
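Review bot: The new size `MAXSTRING * sizeof(char) * 2` is still a fixed guess that only holds while both the base name and the subtable name stay under MAXSTRING bytes, and the `malloc` result is used without a NULL check anywhere in the hunk even though the function already returns NULL on bad input two lines above. I would add `if (tableFile == NULL) return NULL;` directly after the allocation and a comment such as `/* base name + subtable name, each at most MAXSTRING bytes */` so the factor 2 is not a bare magic number. Whether the concatenation further down (outside the hunk) bounds its writes to this size cannot be seen here; if it uses unbounded `strcpy`/`strcat`, an `snprintf` into the known size would make the bound explicit rather than implied by the allocation. For the stable upload the upstream patch is best kept verbatim, so these are upstream follow-ups. resolveSubtable's body continues outside the hunk.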
@@ -0,0 +1,26 @@
+commit 1e36af516478e6c07fbc919541df226aac911fd7
+Author: Christian Egli <christian.e...@sbs.ch>
+Date: Thu Aug 31 13:41:23 2017 +0200
+
+ Fix a tiny problem in the CVE patches
+
+---
+ liblouis/compileTranslationTable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3814,11 +3814,11 @@ doOpcode:
+ case CTO_Locale:
+ break;
+ case CTO_Undefined:
++ tmp_offset = table->undefined;
+ ok =
+- tmp_offset = table->undefined;
+ compileBrailleIndicator (nested, "undefined character opcode",
+ CTO_Undefined, &tmp_offset);
+- table->undefined = tmp_offset;
++ table->undefined = tmp_offset;
+ break;
+
+ case CTO_Match:
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741.patch liblouis-3.0.0/debian/patches/CVE-2017-13741.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741.patch 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741.patch 2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,269 @@
+commit af5791ea792acc0a9707738001aa1df3daff7a66
+Author: Mike Gorse <mgo...@suse.com>
+Date: Wed Aug 30 15:13:09 2017 -0500
+
+ Fix possible use after free when calling compileBrailleIndicator
+
+ CompileBrailleIndicator calls addRule, which may realloc the table header,
+ so it is unsafe to pass an out parameter under the assumption that the
+ value of table will not change.
+
+ Fixes CVE-2017-13741.
+
+---
+ liblouis/compileTranslationTable.c | 89 +++++++++++++++++++++++++++----------
+ 1 file changed, 67 insertions(+), 22 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3782,6 +3782,7 @@ compileRule (FileInfo * nested)
+ int k, i;
+
+ noback = nofor = 0;
++ TranslationTableOffset tmp_offset;
+ doOpcode:
+ if (!getToken (nested, &token, NULL))
+ return 1; /*blank line */
+@@ -3814,8 +3815,10 @@ doOpcode:
+ break;
+ case CTO_Undefined:
+ ok =
++ tmp_offset = table->undefined;
+ compileBrailleIndicator (nested, "undefined character opcode",
+- CTO_Undefined, &table->undefined);
++ CTO_Undefined, &tmp_offset);
++ table->undefined = tmp_offset;
+ break;
+
+ case CTO_Match:
+@@ -3933,9 +3936,11 @@ doOpcode:
+ }
+
+ case CTO_BegCapsPhrase:
++ tmp_offset = table->emphRules[capsRule][begPhraseOffset];
+ ok =
+ compileBrailleIndicator (nested, "first word capital sign",
+- CTO_BegCapsPhraseRule, &table->emphRules[capsRule][begPhraseOffset]);
++ CTO_BegCapsPhraseRule, &tmp_offset);
++ table->emphRules[capsRule][begPhraseOffset] = tmp_offset;
+ break;
+ case CTO_EndCapsPhrase:
+ switch (compileBeforeAfter(nested)) {
+@@ -3945,9 +3950,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[capsRule][endPhraseBeforeOffset];
+ ok =
+ compileBrailleIndicator (nested, "capital sign before last word",
+- CTO_EndCapsPhraseBeforeRule, &table->emphRules[capsRule][endPhraseBeforeOffset]);
++ CTO_EndCapsPhraseBeforeRule, &tmp_offset);
++ table->emphRules[capsRule][endPhraseBeforeOffset] = tmp_offset;
+ break;
+ case 2: // after
+ if (table->emphRules[capsRule][endPhraseBeforeOffset]) {
+@@ -3955,9 +3962,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[capsRule][endPhraseAfterOffset];
+ ok =
+ compileBrailleIndicator (nested, "capital sign after last word",
+- CTO_EndCapsPhraseAfterRule, &table->emphRules[capsRule][endPhraseAfterOffset]);
++ CTO_EndCapsPhraseAfterRule, &tmp_offset);
++ table->emphRules[capsRule][endPhraseAfterOffset] = tmp_offset;
+ break;
+ default: // error
+ compileError (nested, "Invalid lastword indicator location.");
+@@ -3966,28 +3975,38 @@ doOpcode:
+ }
+ break;
+ case CTO_BegCaps:
++ tmp_offset = table->emphRules[capsRule][begOffset];
+ ok =
+ compileBrailleIndicator (nested, "first letter capital sign",
+- CTO_BegCapsRule, &table->emphRules[capsRule][begOffset]);
++ CTO_BegCapsRule, &tmp_offset);
++ table->emphRules[capsRule][begOffset] = tmp_offset;
+ break;
+ case CTO_EndCaps:
++ tmp_offset = table->emphRules[capsRule][endOffset];
+ ok =
+ compileBrailleIndicator (nested, "last letter capital sign",
+- CTO_EndCapsRule, &table->emphRules[capsRule][endOffset]);
++ CTO_EndCapsRule, &tmp_offset);
++ table->emphRules[capsRule][endOffset] = tmp_offset;
+ break;
+ case CTO_CapsLetter:
++ tmp_offset = table->emphRules[capsRule][letterOffset];
+ ok =
+ compileBrailleIndicator (nested, "single letter capital sign",
+- CTO_CapsLetterRule, &table->emphRules[capsRule][letterOffset]);
++ CTO_CapsLetterRule, &tmp_offset);
++ table->emphRules[capsRule][letterOffset] = tmp_offset;
+ break;
+ case CTO_BegCapsWord:
++ tmp_offset = table->emphRules[capsRule][begWordOffset];
+ ok =
+ compileBrailleIndicator (nested, "capital word", CTO_BegCapsWordRule,
+- &table->emphRules[capsRule][begWordOffset]);
++ &tmp_offset);
++ table->emphRules[capsRule][begWordOffset] = tmp_offset;
+ break;
+ case CTO_EndCapsWord:
++ tmp_offset = table->emphRules[capsRule][endWordOffset];
+ ok = compileBrailleIndicator(nested, "capital word stop",
+- CTO_EndCapsWordRule, &table->emphRules[capsRule][endWordOffset]);
++ CTO_EndCapsWordRule, &tmp_offset);
++ table->emphRules[capsRule][endWordOffset] = tmp_offset;
+ break;
+ case CTO_LenCapsPhrase:
+ ok = table->emphRules[capsRule][lenPhraseOffset] = compileNumber (nested);
+@@ -4112,19 +4131,25 @@ doOpcode:
+ }
+ i++; // in table->emphRules the first index is used for caps
+ if (opcode == CTO_EmphLetter) {
++ tmp_offset = table->emphRules[i][letterOffset];
+ ok = compileBrailleIndicator (nested, "single letter",
+ CTO_Emph1LetterRule + letterOffset + (8 * i),
+- &table->emphRules[i][letterOffset]);
++ &tmp_offset);
++ table->emphRules[i][letterOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmphWord) {
++ tmp_offset = table->emphRules[i][begWordOffset];
+ ok = compileBrailleIndicator (nested, "word",
+ CTO_Emph1LetterRule + begWordOffset + (8 * i),
+- &table->emphRules[i][begWordOffset]);
++ &tmp_offset);
++ table->emphRules[i][begWordOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmphWord) {
++ tmp_offset = table->emphRules[i][endWordOffset];
+ ok = compileBrailleIndicator(nested, "word stop",
+ CTO_Emph1LetterRule + endWordOffset + (8 * i),
+- &table->emphRules[i][endWordOffset]);
++ &tmp_offset);
++ table->emphRules[i][endWordOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmph) {
+ /* fail if both begemph and any of begemphphrase or begemphword are defined */
+@@ -4133,9 +4158,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][begOffset];
+ ok = compileBrailleIndicator (nested, "first letter",
+ CTO_Emph1LetterRule + begOffset + (8 * i),
+- &table->emphRules[i][begOffset]);
++ &tmp_offset);
++ table->emphRules[i][begOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmph) {
+ if (table->emphRules[i][endWordOffset] || table->emphRules[i][endPhraseBeforeOffset] || table->emphRules[i][endPhraseAfterOffset]) {
+@@ -4143,14 +4170,18 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][endOffset];
+ ok = compileBrailleIndicator (nested, "last letter",
+ CTO_Emph1LetterRule + endOffset + (8 * i),
+- &table->emphRules[i][endOffset]);
++ &tmp_offset);
++ table->emphRules[i][endOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmphPhrase) {
++ tmp_offset = table->emphRules[i][begPhraseOffset];
+ ok = compileBrailleIndicator (nested, "first word",
+ CTO_Emph1LetterRule + begPhraseOffset + (8 * i),
+- &table->emphRules[i][begPhraseOffset]);
++ &tmp_offset);
++ table->emphRules[i][begPhraseOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmphPhrase)
+ switch (compileBeforeAfter(nested)) {
+@@ -4160,9 +4191,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][endPhraseBeforeOffset];
+ ok = compileBrailleIndicator (nested, "last word before",
+ CTO_Emph1LetterRule + endPhraseBeforeOffset + (8 * i),
+- &table->emphRules[i][endPhraseBeforeOffset]);
++ &tmp_offset);
++ table->emphRules[i][endPhraseBeforeOffset] = tmp_offset;
+ break;
+ case 2: // after
+ if (table->emphRules[i][endPhraseBeforeOffset]) {
+@@ -4170,9 +4203,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][endPhraseAfterOffset];
+ ok = compileBrailleIndicator (nested, "last word after",
+ CTO_Emph1LetterRule + endPhraseAfterOffset + (8 * i),
+- &table->emphRules[i][endPhraseAfterOffset]);
++ &tmp_offset);
++ table->emphRules[i][endPhraseAfterOffset] = tmp_offset;
+ break;
+ default: // error
+ compileError (nested, "Invalid lastword indicator location.");
+@@ -4186,9 +4221,11 @@ doOpcode:
+ break;
+
+ case CTO_LetterSign:
++ tmp_offset = table->letterSign;
+ ok =
+ compileBrailleIndicator (nested, "letter sign", CTO_LetterRule,
+- &table->letterSign);
++ &tmp_offset);
++ table->letterSign = tmp_offset;
+ break;
+ case CTO_NoLetsignBefore:
+ if (getRuleCharsText (nested, &ruleChars))
+@@ -4232,9 +4269,11 @@ doOpcode:
+ }
+ break;
+ case CTO_NumberSign:
++ tmp_offset = table->numberSign;
+ ok =
+ compileBrailleIndicator (nested, "number sign", CTO_NumberRule,
+- &table->numberSign);
++ &tmp_offset);
++ table->numberSign = tmp_offset;
+ break;
+
+ case CTO_Attribute:
+@@ -4330,8 +4369,10 @@ doOpcode:
+
+ case CTO_NoContractSign:
+
++ tmp_offset = table->noContractSign;
+ ok = compileBrailleIndicator
+- (nested, "no contractions sign", CTO_NoContractRule, &table->noContractSign);
++ (nested, "no contractions sign", CTO_NoContractRule, &tmp_offset);
++ table->noContractSign = tmp_offset;
+ break;
+
+ case CTO_SeqDelimiter:
+@@ -4446,14 +4487,18 @@ doOpcode:
+ break;
+
+ case CTO_BegComp:
++ tmp_offset = table->begComp;
+ ok =
+ compileBrailleIndicator (nested, "begin computer braille",
+- CTO_BegCompRule, &table->begComp);
++ CTO_BegCompRule, &tmp_offset);
++ table->begComp = tmp_offset;
+ break;
+ case CTO_EndComp:
++ tmp_offset = table->endComp;
+ ok =
+ compileBrailleIndicator (nested, "end computer braslle",
+- CTO_EndCompRule, &table->endComp);
++ CTO_EndCompRule, &tmp_offset);
++ table->endComp = tmp_offset;
+ break;
+ case CTO_Syllable:
+ table->syllables = 1;
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13743.patch liblouis-3.0.0/debian/patches/CVE-2017-13743.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13743.patch 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13743.patch 2017-09-25 01:14:10.000000000 +0200
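Review bot: The new declaration `TranslationTableOffset tmp_offset;` in the first inner hunk (@@ -3782) is placed after the statement `noback = nofor = 0;`, a mixed declaration-and-statement that only C99 and later accept, while the function's other locals (`int k, i;`) sit at the top of the block; moving it up next to `int k, i;` keeps compileRule in the same style and language mode as the rest of the file. The save/call/restore triple is then hand-copied about twenty times across the later hunks, and the one slip in the CTO_Undefined case (the `ok =` left dangling above the save, which CVE-2017-13741-2.patch in this same upload corrects) shows how easily a copied instance diverges; a `do { … } while (0)` macro taking the field as an lvalue would make every site mechanical while still re-reading `table` only after the call returns, which is the whole point of the fix. For the stable upload the upstream patch is best kept verbatim, so the macro is an upstream follow-up. compileRule starts before and ends after the hunk.
```c
/* compileBrailleIndicator -> addRule may realloc the table header, so the
 * target field is read before the call and written back through `table`
 * only after it returns; never pass the field's address directly. */
#define COMPILE_INDICATOR(field, name, opcode)                              \
  do {                                                                      \
    tmp_offset = (field);                                                   \
    ok = compileBrailleIndicator (nested, (name), (opcode), &tmp_offset);   \
    (field) = tmp_offset;                                                   \
  } while (0)
/* … unchanged: earlier opcodes … */
case CTO_Undefined:
  COMPILE_INDICATOR (table->undefined, "undefined character opcode", CTO_Undefined);
  break;
/* … unchanged: the remaining indicator cases use the same macro … */
```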
@@ -0,0 +1,46 @@
+commit 98eebd7564595b2403a8573c0725a38519546445
+Author: Christian Egli <christian.e...@sbs.ch>
+Date: Fri Sep 1 15:12:30 2017 +0200
+
+ Guard against buffer overflow in _lou_showString
+
+ I believe this fixes #397 and hence CVE-2017-13743
+
+---
+ liblouis/compileTranslationTable.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -351,7 +351,7 @@ showString (widechar const *chars, int l
+ int charPos;
+ int bufPos = 0;
+ scratchBuf[bufPos++] = '\'';
+- for (charPos = 0; charPos < length; charPos++)
++ for (charPos = 0; charPos < length && bufPos < (MAXSTRING-2); charPos++)
+ {
+ if (chars[charPos] >= 32 && chars[charPos] < 127)
+ scratchBuf[bufPos++] = (char) chars[charPos];
+@@ -388,14 +388,14 @@ showString (widechar const *chars, int l
+ leadingZeros = 0;
+ break;
+ }
+- if ((bufPos + leadingZeros + hexLength + 4) >= sizeof (scratchBuf))
+- break;
+- scratchBuf[bufPos++] = '\\';
+- scratchBuf[bufPos++] = escapeLetter;
+- for (hexPos = 0; hexPos < leadingZeros; hexPos++)
+- scratchBuf[bufPos++] = '0';
+- for (hexPos = 0; hexPos < hexLength; hexPos++)
+- scratchBuf[bufPos++] = hexbuf[hexPos];
++ if ((bufPos + leadingZeros + hexLength + 4) < (MAXSTRING-2)) {
++ scratchBuf[bufPos++] = '\\';
++ scratchBuf[bufPos++] = escapeLetter;
++ for (hexPos = 0; hexPos < leadingZeros; hexPos++)
++ scratchBuf[bufPos++] = '0';
++ for (hexPos = 0; hexPos < hexLength; hexPos++)
++ scratchBuf[bufPos++] = hexbuf[hexPos];
++ }
+ }
+ }
+ scratchBuf[bufPos++] = '\'';
diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/series 2017-09-25 01:14:10.000000000 +0200
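Review bot: Replacing the `break` with a skip in the second inner hunk (@@ -388) changes what a truncated diagnostic looks like: an escape sequence that does not fit is dropped, but the loop continues and later printable characters (one byte each) can still be appended, so the shown string can silently omit characters from its middle instead of ending where the buffer ran out. Keeping the early exit, `} else break;` after the new block, preserves the new loop-condition guard and keeps the output a prefix of the real string, which is what a reader of the error message will assume. The bound `(MAXSTRING-2)` now appears twice as a bare expression; a named constant with a comment stating what the 2 reserves (presumably the closing quote written just after the loop plus a terminator, which cannot be confirmed from the hunk) would make the invariant visible at both sites. showString's body continues outside both hunks.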
@@ -0,0 +1,5 @@
+CVE-2017-13738-and-2017-13744.patch
+CVE-2017-13739-and-2017-13740-and-2017-13742.patch
+CVE-2017-13743.patch
+CVE-2017-13741.patch
+CVE-2017-13741-2.patch