Le 08/06/2018 à 22:24, Adam D. Barratt a écrit :
Control: tags -1 + moreinfo
On Thu, 2017-12-28 at 17:32 +0100, Bertrand Marc wrote:
Would you allow an update of libextractor 1.3-2 in Jessie to fix
several minor security issues?
7 issues skipped by the security teams:
[...]
* CVE-2017-15600 <https://security-tracker.debian.org/tracker/CVE-
2017-15600>: In GNU Libextractor 1.4, there is a NULL Pointer
Dereference in the
EXTRACTOR_nsf_extract_method function of plugins/nsf_extractor.c.
I assume the same issue that Julien raised for the stretch package
applies here.
Regards,
Adam
Indeed. The attached patch would fix the issue.
Regards,
Bertrand
diff -Nru libextractor-1.3/debian/changelog libextractor-1.3/debian/changelog
--- libextractor-1.3/debian/changelog 2014-09-30 22:56:54.000000000 +0200
+++ libextractor-1.3/debian/changelog 2017-12-27 19:01:53.000000000 +0100
@@ -1,3 +1,14 @@
+libextractor (1:1.3-2+deb8u1) jessie; urgency=medium
+
+ * Fix CVE-2017-15266, CVE-2017-15267, CVE-2017-15600, CVE-2017-15601,
+ CVE-2017-15602, CVE-2017-15922 and CVE-2017-17440. Leon Zhao discovered
+ several security vulnerabilities, NULL Pointer Dereferences, heap-based
+ buffer overflows, integer signedness errors and out-of-bounds read that
+ may lead to a denial-of-service (application crash) or have other
+ unspecified impact.
+
+ -- Bertrand Marc <bm...@debian.org> Wed, 27 Dec 2017 19:01:53 +0100
+
libextractor (1:1.3-2) unstable; urgency=medium
* Build-depend on libmagic-dev and libavresample-dev to enable additional
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15266.patch libextractor-1.3/debian/patches/CVE-2017-15266.patch
--- libextractor-1.3/debian/patches/CVE-2017-15266.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15266.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,17 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15266
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html
+Bug-Debian: https://bugs.debian.org/878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2
+--- a/src/plugins/wav_extractor.c
++++ b/src/plugins/wav_extractor.c
+@@ -109,6 +109,8 @@
+ return; /* invalid sample size found in wav file */
+ if (0 == channels)
+ return; /* invalid channels value -- avoid division by 0! */
++ if (0 == sample_rate)
++ return; /* invalid sample_rate */
+ samples = data_len / (channels * (sample_size >> 3));
+
+ snprintf (scratch,
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15267.patch libextractor-1.3/debian/patches/CVE-2017-15267.patch
--- libextractor-1.3/debian/patches/CVE-2017-15267.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15267.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 4 Dec 2017 00:00:15 +0100
+Subject: CVE-2017-15267
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878314
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2
+---
+ src/plugins/flac_extractor.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/plugins/flac_extractor.c
++++ b/src/plugins/flac_extractor.c
+@@ -339,6 +339,8 @@
+ {
+ entry = &vc->comments[count];
+ eq = (const char*) entry->entry;
++ if (NULL == eq)
++ break;
+ len = entry->length;
+ ilen = 0;
+ while ( ('=' != *eq) && ('\0' != *eq) &&
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15600.patch libextractor-1.3/debian/patches/CVE-2017-15600.patch
--- libextractor-1.3/debian/patches/CVE-2017-15600.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15600.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,29 @@
+From: Bertrand Marc <bm...@debian.org>, Markus Koschany <a...@debian.org>
+Subject: CVE-2017-15600
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7
+--- a/src/plugins/nsf_extractor.c
++++ b/src/plugins/nsf_extractor.c
+@@ -152,13 +152,17 @@
+ char nsfversion[32];
+ const struct header *head;
+ void *data;
++ ssize_t ds;
+
+- if (sizeof (struct header) >
+- ec->read (ec->cls,
+- &data,
+- sizeof (struct header)))
++ ds = ec->read (ec->cls,
++ &data,
++ sizeof (struct header));
++ if ( (-1 == ds) ||
++ (sizeof (struct header) > ds) )
+ return;
+ head = data;
++ if (NULL == head)
++ return;
+
+ /* Check "magic" id bytes */
+ if (memcmp (head->magicid, "NESM\x1a", 5))
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15601.patch libextractor-1.3/debian/patches/CVE-2017-15601.patch
--- libextractor-1.3/debian/patches/CVE-2017-15601.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15601.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,25 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15601
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091
+--- a/src/plugins/png_extractor.c
++++ b/src/plugins/png_extractor.c
+@@ -47,6 +47,8 @@
+ {
+ char *tmp;
+
++ if (n + 1 < n)
++ return NULL;
+ if (NULL == (tmp = malloc (n + 1)))
+ return NULL;
+ tmp[n] = '\0';
+@@ -221,6 +223,8 @@
+ compressed = data[pos++];
+ if (compressed && (0 != data[pos++]))
+ return 0; /* bad compression method */
++ if (pos > length)
++ return 0;
+ language = (char *) &data[pos];
+ ret = 0;
+ if ( (stnlen (language, length - pos) > 0) &&
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15602.patch libextractor-1.3/debian/patches/CVE-2017-15602.patch
--- libextractor-1.3/debian/patches/CVE-2017-15602.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15602.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,18 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15602
+
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -374,7 +374,9 @@
+ 8))
+ break;
+ chunksize = nsfeuint (data);
+- off += 8 + chunksize;
++ if (off + chunksize + 8LLU <= off)
++ break; /* protect against looping */
++ off += 8LLU + chunksize;
+ if (0 == memcmp (data + 4, "INFO", 4))
+ ret = info_extract (ec, chunksize);
+ else if (0 == memcmp (data + 4, "auth", 4))
diff -Nru libextractor-1.3/debian/patches/CVE-2017-15922.patch libextractor-1.3/debian/patches/CVE-2017-15922.patch
--- libextractor-1.3/debian/patches/CVE-2017-15922.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-15922.patch 2017-12-26 19:25:34.000000000 +0100
@@ -0,0 +1,45 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-15922
+
+Bug-Debian: https://bugs.debian.org/880016
+Bug-Upstream: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117
+---
+ src/plugins/dvi_extractor.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/dvi_extractor.c b/src/plugins/dvi_extractor.c
+index e4cfa3a..2c9eaa2 100644
+--- a/src/plugins/dvi_extractor.c
++++ b/src/plugins/dvi_extractor.c
+@@ -207,7 +210,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ goto CLEANUP;
+ opos = pos;
+ pos = getIntAt (&data[opos + 1]);
+- if (pos + 25 > size)
++ if ( (pos + 25 > size) ||
++ (pos + 25 < pos) )
+ goto CLEANUP;
+ /* assert pos at 'post' command */
+ if (data[pos] != 248)
+@@ -219,7 +223,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ {
+ if (UINT32_MAX == pos)
+ break;
+- if (pos + 45 > size)
++ if ( (pos + 45 > size) ||
++ (pos + 45 < pos) )
+ goto CLEANUP;
+ if (data[pos] != 139) /* expect 'bop' */
+ goto CLEANUP;
+@@ -268,7 +273,8 @@ EXTRACTOR_dvi_extract_method (struct EXTRACTOR_ExtractContext *ec)
+ }
+ /* try to find PDF/ps special */
+ pos = opos;
+- while (pos < size - 100)
++ while ( (size >= 100) &&
++ (pos < size - 100) )
+ {
+ switch (data[pos])
+ {
+
diff -Nru libextractor-1.3/debian/patches/CVE-2017-17440.patch libextractor-1.3/debian/patches/CVE-2017-17440.patch
--- libextractor-1.3/debian/patches/CVE-2017-17440.patch 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/CVE-2017-17440.patch 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,98 @@
+From: Bertrand Marc <bm...@debian.org>
+Subject: CVE-2017-17440
+
+Bug-Debian: https://bugs.debian.org/883528
+Origin: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e
+--- a/src/plugins/gif_extractor.c
++++ b/src/plugins/gif_extractor.c
+@@ -118,6 +118,8 @@
+ if (GIF_OK !=
+ DGifGetExtension (gif_file, &et, &ext))
+ continue;
++ if (NULL == ext)
++ continue;
+ if (COMMENT_EXT_FUNC_CODE == et)
+ {
+ ec->proc (ec->cls,
+--- a/src/plugins/it_extractor.c
++++ b/src/plugins/it_extractor.c
+@@ -70,7 +70,7 @@
+ char itversion[8];
+ const struct Header *head;
+
+- if (HEADER_SIZE >
++ if ((ssize_t) HEADER_SIZE >
+ ec->read (ec->cls,
+ &data,
+ HEADER_SIZE))
+--- a/src/plugins/nsfe_extractor.c
++++ b/src/plugins/nsfe_extractor.c
+@@ -176,7 +176,7 @@
+
+ if (size < 8)
+ return 0;
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -244,7 +244,7 @@
+ void *data;
+ const char *cdata;
+
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -286,7 +286,7 @@
+
+ if (left < 1)
+ return 0;
+- if (size >
++ if ((ssize_t) size >
+ ec->read (ec->cls,
+ &data,
+ size))
+@@ -343,7 +343,7 @@
+ uint32_t chunksize;
+ int ret;
+
+- if (sizeof (struct header) >
++ if ((ssize_t) sizeof (struct header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct header)))
+--- a/src/plugins/s3m_extractor.c
++++ b/src/plugins/s3m_extractor.c
+@@ -80,7 +80,7 @@
+ struct S3MHeader header;
+ char song_name_NT[29];
+
+- if (sizeof (header) >
++ if ((ssize_t) sizeof (header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (header)))
+--- a/src/plugins/sid_extractor.c
++++ b/src/plugins/sid_extractor.c
+@@ -176,7 +176,7 @@
+ const struct header *head;
+ void *data;
+
+- if (sizeof (struct header) >
++ if ((ssize_t) sizeof (struct header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct header)))
+--- a/src/plugins/xm_extractor.c
++++ b/src/plugins/xm_extractor.c
+@@ -70,7 +70,7 @@
+ char xmversion[8];
+ size_t n;
+
+- if (sizeof (struct Header) >
++ if ((ssize_t) sizeof (struct Header) >
+ ec->read (ec->cls,
+ &data,
+ sizeof (struct Header)))
diff -Nru libextractor-1.3/debian/patches/series libextractor-1.3/debian/patches/series
--- libextractor-1.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libextractor-1.3/debian/patches/series 2017-12-27 19:01:53.000000000 +0100
@@ -0,0 +1,9 @@
+CVE-2017-15266.patch
+CVE-2017-15267.patch
+CVE-2017-15600.patch
+CVE-2017-15601.patch
+CVE-2017-15602.patch
+CVE-2017-15922.patch
+CVE-2017-17440.patch
+
+