Package: release.debian.org
Severity: important
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: david.polver...@gmail.com
[ Reason ]
A buffer overflow vulnerability exists in Pev 0.81 via the pe_exports function from exports.c. The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size. However, the loop uses exp->NumberOfNames to iterate over it and set its components' values. Therefore, the loop code assumes that exp->NumberOfFunctions is greater than ordinal at each iteration. This can lead to arbitrary code execution.

[ Impact ]
If the update isn't approved, users of pev in stable might have their systems compromised by opening a maliciously-crafted PE file.

[ Tests ]
None of the existing autopkgtests fail.

[ Risks ]
The fix is trivial and should not present any risks. Also, the fix was already applied upstream.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
The only change made to the package was the application of the existing upstream patch.

[ Other info ]
No other information.
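The mismatch described under [ Reason ], as an added example that is not part of this bug report and is not libpe's code: a slot array sized by NumberOfFunctions is filled by a loop that runs NumberOfNames times and indexes by the ordinal read from the ordinal table, so an ordinal at or beyond NumberOfFunctions writes out of bounds. The export_dir_t and walk_result_t types, the field names, MAX_EXPORT_SLOTS and the two sample tables are constructed for this demo; unpatched_oob_writes() only counts the indexes the unpatched loop would write through, and walk_names_checked() shows the hardened form, which bounds-checks every ordinal (the check the patch adds), caps the allocation instead of trusting a file-controlled size, and reports a malformed table instead of silently skipping it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified view of the export directory fields pe_exports walks. The field
 * and table names mirror IMAGE_EXPORT_DIRECTORY but are assumptions for this
 * demo, not libpe's own structures. */
typedef struct {
    uint32_t NumberOfFunctions;   /* size of AddressOfFunctions (and of libpe's VLA) */
    uint32_t NumberOfNames;       /* entries in AddressOfNames / AddressOfNameOrdinals */
    const uint32_t *name_rvas;    /* AddressOfNames table, NumberOfNames entries */
    const uint16_t *ordinals;     /* AddressOfNameOrdinals table, NumberOfNames entries */
} export_dir_t;

typedef struct {
    bool   ok;        /* false when the table was rejected as malformed */
    size_t mapped;    /* name entries written into the per-function slot array */
    size_t rejected;  /* name entries whose ordinal was outside NumberOfFunctions */
} walk_result_t;

/* PE ordinals are 16-bit, so no well-formed export table needs more slots than
 * this. The cap is an addition for the demo: it also stops a huge
 * NumberOfFunctions from sizing an allocation, which the bounds check alone
 * does not address. */
#define MAX_EXPORT_SLOTS 65536u

/* Count the iterations in which the unpatched loop would write past the end
 * of offsets_to_Names[NumberOfFunctions]. Only indexes are checked; nothing is
 * written, so this is safe to run on hostile input. */
size_t unpatched_oob_writes(const export_dir_t *exp)
{
    size_t oob = 0;
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint16_t ordinal = exp->ordinals[i];
        if (ordinal >= exp->NumberOfFunctions)
            oob++;
    }
    return oob;
}

/* Hardened walk: heap buffer capped by MAX_EXPORT_SLOTS, every ordinal bounds
 * checked before use, and an out-of-range ordinal reported (ok == false)
 * rather than silently skipped, so the caller can refuse the file. */
walk_result_t walk_names_checked(const export_dir_t *exp)
{
    walk_result_t r = { .ok = false, .mapped = 0, .rejected = 0 };
    if (exp->NumberOfFunctions > MAX_EXPORT_SLOTS || exp->NumberOfNames > MAX_EXPORT_SLOTS)
        return r;
    uint32_t *offsets_to_names = calloc(exp->NumberOfFunctions + 1, sizeof *offsets_to_names);
    if (!offsets_to_names)
        return r;
    for (uint32_t i = 0; i < exp->NumberOfNames; i++) {
        uint16_t ordinal = exp->ordinals[i];
        if (ordinal >= exp->NumberOfFunctions) {   /* the check the patch adds */
            r.rejected++;
            continue;
        }
        offsets_to_names[ordinal] = exp->name_rvas[i];
        r.mapped++;
    }
    free(offsets_to_names);
    r.ok = (r.rejected == 0);
    return r;
}

/* Constructed sample tables (not taken from any real PE file). */
static const uint32_t sample_name_rvas[] = { 0x3000, 0x3010, 0x3020 };
static const uint16_t benign_ordinals[]  = { 0, 1, 2 };
static const uint16_t crafted_ordinals[] = { 0, 1, 7 };   /* 7 >= NumberOfFunctions */

const export_dir_t *benign_exports(void)
{
    static const export_dir_t e = { 3, 3, sample_name_rvas, benign_ordinals };
    return &e;
}

/* NumberOfNames (3) exceeds NumberOfFunctions (2) and one ordinal points past
 * the function table: the shape the [ Reason ] paragraph describes. */
const export_dir_t *crafted_exports(void)
{
    static const export_dir_t e = { 2, 3, sample_name_rvas, crafted_ordinals };
    return &e;
}

int main(void)
{
    const export_dir_t *tables[] = { benign_exports(), crafted_exports() };
    for (size_t t = 0; t < 2; t++) {
        walk_result_t r = walk_names_checked(tables[t]);
        printf("table %zu: unpatched OOB writes=%zu, checked ok=%d mapped=%zu rejected=%zu\n",
               t, unpatched_oob_writes(tables[t]), r.ok, r.mapped, r.rejected);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c` and run it: the benign table maps all three names with no rejected entries, while the crafted table shows one write the unpatched loop would have made past the end of the two-slot array, and walk_names_checked() flags the table as malformed instead of skipping that entry quietly.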
diff -Nru pev-0.81/debian/changelog pev-0.81/debian/changelog --- pev-0.81/debian/changelog 2021-05-05 12:09:18.000000000 +0000 +++ pev-0.81/debian/changelog 2023-04-22 20:48:00.000000000 +0000 @@ -1,3 +1,12 @@ +pev (0.81-3+deb11u1) bullseye; urgency=medium + + * debian/patches/0002-fix-bo-pe_exports.patch: created to fix a buffer + overflow vulnerability present on libpe's pe_exports function from exports.c + (CVE-2021-45423). Without this patch, a maliciously-crafted PE file opened + by pev utilities can trigger arbitrary code execution. (Closes: #1034725) + + -- David da Silva Polverari <david.polver...@gmail.com> Sat, 22 Apr 2023 20:48:00 +0000 + pev (0.81-3) unstable; urgency=medium * QA upload. diff -Nru pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch --- pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 1970-01-01 00:00:00.000000000 +0000 +++ pev-0.81/debian/patches/0002-fix-bo-pe_exports.patch 2023-04-22 20:48:00.000000000 +0000 
@@ -0,0 +1,28 @@ +Description: fix a buffer overflow vulnerability (CVE-2021-45423) + A Buffer Overflow vulnerability exists in Pev 0.81 via the pe_exports function + from exports.c. The array offsets_to_Names is dynamically allocated on the + stack using exp->NumberOfFunctions as its size. However, the loop uses + exp->NumberOfNames to iterate over it and set its components value. Therefore, + the loop code assumes that exp->NumberOfFunctions is greater than ordinal at + each iteration. This can lead to arbitrary code execution. +Author: Saullo Carvalho Castelo Branco <saullocarva...@gmail.com> +Origin: upstream, https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32 +Bug: https://github.com/merces/libpe/issues/35 +Bug-Debian: https://bugs.debian.org/1034725 +Applied-Upstream: https://github.com/merces/libpe/commit/5f44724e8fcdebf8a6b9fd009543c9dcfae4ea32 +Last-Update: 2023-04-22 + +--- a/lib/libpe/exports.c ++++ b/lib/libpe/exports.c +@@ -130,7 +130,10 @@ + + const uint32_t entry_name_rva = *entry_name_list; + const uint64_t entry_name_ofs = pe_rva2ofs(ctx, entry_name_rva); +- offsets_to_Names[ordinal] = entry_name_ofs; ++ ++ if (ordinal < exp->NumberOfFunctions) { ++ offsets_to_Names[ordinal] = entry_name_ofs; ++ } + } + + // diff -Nru pev-0.81/debian/patches/series pev-0.81/debian/patches/series --- pev-0.81/debian/patches/series 2021-05-05 12:09:18.000000000 +0000 +++ pev-0.81/debian/patches/series 2023-04-22 20:48:00.000000000 +0000 @@ -1 +1,2 @@ 0001-widechar-off-by-one.patch +0002-fix-bo-pe_exports.patch
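Review bot: the `if (ordinal < exp->NumberOfFunctions)` guard in the exports.c hunk stops the out-of-bounds write, but it silently drops the name entry instead of telling the caller that the export table is inconsistent (NumberOfNames walking past NumberOfFunctions is exactly the malformed input described above), so consider setting an error or emitting a warning in the else branch rather than just skipping, so pev's tools can report the file as malformed. Separately, the patch description still says offsets_to_Names is allocated on the stack with exp->NumberOfFunctions as its size; that size remains file-controlled and unvalidated after this hunk, so a sanity cap on NumberOfFunctions (PE ordinals are 16-bit) before the array is created would be worth a follow-up even though it is outside the scope of this CVE fix.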