Hi,

I've prepared an NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.

The proposed debdiffs are attached.

Cheers,
Giuseppe.
diff -u libmodplug-0.7/src/libmodplug/stdafx.h 
libmodplug-0.7/src/libmodplug/stdafx.h
--- libmodplug-0.7/src/libmodplug/stdafx.h
+++ libmodplug-0.7/src/libmodplug/stdafx.h
@@ -22,44 +22,42 @@
 inline void ProcessPlugins(int n) {}
 
 #else
-
+#if defined(HAVE_CONFIG_H) && !defined(CONFIG_H_INCLUDED)
+# include "config.h"
+# define CONFIG_H_INCLUDED 1
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 
-typedef signed char CHAR;
-typedef unsigned char UCHAR;
-typedef unsigned char* PUCHAR;
-typedef unsigned short USHORT;
-#if defined(__x86_64__)
-typedef unsigned int ULONG;
-typedef unsigned int UINT;
-typedef unsigned int DWORD;
-typedef int LONG;
-typedef long LONGLONG;
-typedef int * LPLONG;
-typedef unsigned int * LPDWORD;
-#else
-typedef unsigned long ULONG;
-typedef unsigned long UINT;
-typedef unsigned long DWORD;
-typedef long LONG;
-typedef long long LONGLONG;
-typedef long * LPLONG;
-typedef unsigned long * LPDWORD;
-#endif
-typedef unsigned short WORD;
-typedef unsigned char BYTE;
-typedef unsigned char * LPBYTE;
+typedef int8_t CHAR;
+typedef uint8_t UCHAR;
+typedef uint8_t* PUCHAR;
+typedef uint16_t USHORT;
+typedef uint32_t ULONG;
+typedef uint32_t UINT;
+typedef uint32_t DWORD;
+typedef int32_t LONG;
+typedef int64_t LONGLONG;
+typedef int32_t* LPLONG;
+typedef uint32_t* LPDWORD;
+typedef uint16_t WORD;
+typedef uint8_t BYTE;
+typedef uint8_t* LPBYTE;
 typedef bool BOOL;
-typedef char * LPSTR;
-typedef void *  LPVOID;
-typedef unsigned short * LPWORD;
-typedef const char * LPCSTR;
-typedef void * PVOID;
+typedef char* LPSTR;
+typedef void* LPVOID;
+typedef uint16_t* LPWORD;
+typedef const char* LPCSTR;
+typedef void* PVOID;
 typedef void VOID;
 
-
 inline LONG MulDiv (long a, long b, long c)
 {
   // if (!c) return 0;
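Review bot: The new typedefs (`typedef int8_t CHAR;` through `typedef uint8_t* LPBYTE;`) require `<stdint.h>` unconditionally, yet the header is only included under `HAVE_STDINT_H`, which is itself only known once config.h has been pulled in under `HAVE_CONFIG_H`; a translation unit that includes stdafx.h without those defines gets undeclared uint8_t/uint32_t. Since `<stdint.h>` is standard C99, an `#else` branch with `# include <stdint.h>` (or simply an unconditional include) would keep the header self-contained. Separately, LONG is now int32_t while `MulDiv (long a, long b, long c)` just below still takes `long`, so on LP64 targets the arithmetic happens in 64 bits and is narrowed in the return; worth confirming no caller relied on the previous `long` result there. MulDiv's body continues past the end of the hunk.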
diff -u libmodplug-0.7/debian/changelog libmodplug-0.7/debian/changelog
--- libmodplug-0.7/debian/changelog
+++ libmodplug-0.7/debian/changelog
@@ -1,3 +1,11 @@
+libmodplug (1:0.7-5.3) oldstable-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+    (Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it>  Sat, 02 May 2009 18:16:49 +0200
+
 libmodplug (1:0.7-5.2) unstable; urgency=medium
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- libmodplug-0.7.orig/src/load_med.cpp
+++ libmodplug-0.7/src/load_med.cpp
@@ -692,21 +692,24 @@
                        }
                }
                // Song Comments
-               UINT annotxt = bswapBE32(pmex->annotxt);
-               UINT annolen = bswapBE32(pmex->annolen);
-               if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+               uint32_t annotxt = bswapBE32(pmex->annotxt);
+               uint32_t annolen = bswapBE32(pmex->annolen);
+               if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // 
overflow checks.
+                               && (annotxt+annolen <= dwMemLength))
                {
                        m_lpszSongComments = new char[annolen+1];
                        memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
                        m_lpszSongComments[annolen] = 0;
                }
                // Song Name
-               UINT songname = bswapBE32(pmex->songname);
-               UINT songnamelen = bswapBE32(pmex->songnamelen);
-               if ((songname) && (songnamelen) && (songname+songnamelen <= 
dwMemLength))
+               uint32_t songname = bswapBE32(pmex->songname);
+               uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+               if ((songname) && (songnamelen) && (songname+songnamelen > 
songname)
+                               && (songname+songnamelen <= dwMemLength))
                {
                        if (songnamelen > 31) songnamelen = 31;
                        memcpy(m_szNames[0], lpStream+songname, songnamelen);
+                       m_szNames[0][31] = '\0';
                }
                // Sample Names
                DWORD smpinfoex = bswapBE32(pmex->iinfo);
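Review bot: The added `m_szNames[0][31] = '\0';` terminates at a fixed index regardless of how many bytes the memcpy copied, so when songnamelen is shorter than 31 the bytes between songnamelen and 31 keep whatever m_szNames[0] held before, and whether that buffer is zero-initialised is not visible here. Writing `m_szNames[0][songnamelen] = '\0';` after the memcpy terminates at the real length and, because the line above caps songnamelen at 31, still lands inside the 32-byte field. The `// overflow checks.` comment reads better placed before the `if` it explains rather than as a trailing fragment on a wrapped condition. The same points apply to the identical hunk in the libmodplug-0.8.4 load_med.cpp diff further down. ReadMed's body begins and ends outside the hunk.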
@@ -716,14 +719,18 @@
                        UINT ientries = bswapBE16(pmex->i_ext_entries);
                        UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
 
-                       if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + 
ientries*ientrysz < dwMemLength))
+                       if ((iinfoptr) && (ientrysz < 256) && 
+                        (ientries*ientrysz < dwMemLength) && 
+                        (iinfoptr < dwMemLength - (ientries*ientrysz)))
                        {
                                LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
                                UINT maxnamelen = ientrysz;
+                               // copy a max of 32 bytes.
                                if (maxnamelen > 32) maxnamelen = 32;
                                for (UINT i=0; i<ientries; i++) if (i < 
m_nSamples)
                                {
                                        lstrcpyn(m_szNames[i+1], psznames + 
i*ientrysz, maxnamelen);
+                                       m_szNames[i+1][31] = '\0';
                                }
                        }
                }
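Review bot: The new `m_szNames[i+1][31] = '\0';` hard-codes the same field width that `if (maxnamelen > 32)` assumes, so a later change to the array size would leave the terminator inside the name or past its end; `m_szNames[i+1][sizeof(m_szNames[i+1]) - 1] = '\0';` ties it to the declaration, assuming m_szNames is a two-dimensional char array as the indexing suggests. The rewritten bound `(ientries*ientrysz < dwMemLength) && (iinfoptr < dwMemLength - (ientries*ientrysz))` is sound only because ientrysz is already checked below 256 and ientries comes from a 16-bit read, so the product cannot wrap; a one-line comment such as `// ientries*ientrysz < 2^24, cannot overflow` would save the next reader from re-deriving it. The same hunk recurs in the 0.8.4 load_med.cpp diff.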
@@ -754,6 +761,7 @@
                                        if ((trknameofs) && (trknameofs + 
trknamelen < dwMemLength))
                                        {
                                                lstrcpyn(ChnSettings[i].szName, 
(LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
+                                               
ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
                                        }
                                }
                        }
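Review bot: The condition `(trknameofs + trknamelen < dwMemLength)` is left without the wrap-around guard that the two earlier hunks in this file add, so a trknamelen that makes the sum wrap still passes; adding `(trknameofs + trknamelen > trknameofs) &&` here would make the three checks consistent (the operand types are declared outside the hunk). The copy also takes MAX_CHANNELNAME bytes from lpStream+trknameofs rather than trknamelen, so if lstrcpyn behaves like strncpy it can read past the checked range when the name sits near the end of the buffer; bounding the copy by the smaller of trknamelen and MAX_CHANNELNAME-1 keeps the read inside the validated span. The same applies to the matching hunk in the 0.8.4 load_med.cpp diff. The enclosing loop and function lie outside the hunk.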
diff -u libmodplug-0.8.4/debian/changelog libmodplug-0.8.4/debian/changelog
--- libmodplug-0.8.4/debian/changelog
+++ libmodplug-0.8.4/debian/changelog
@@ -1,3 +1,13 @@
+libmodplug (1:0.8.4-1+lenny1) stable-security; urgency=high
+
+  * Non-maintainer upload.
+  * Fixed "PATinst()" Buffer Overflow Vulnerability in src/load_pat.c
+    (Closes: #526084)
+  * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+    (Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it>  Sat, 02 May 2009 17:28:07 +0200
+
 libmodplug (1:0.8.4-1) unstable; urgency=low
 
   * New upstream version (closes: #458792)
only in patch2:
unchanged:
--- libmodplug-0.8.4.orig/src/load_pat.cpp
+++ libmodplug-0.8.4/src/load_pat.cpp
@@ -1144,7 +1144,7 @@
                hw.envelope_offset[3] = 0;
                hw.envelope_offset[4] = 0;
                hw.envelope_offset[5] = 0;
-               strncpy(hw.reserved, midipat[gm-1], 36);
+               strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));
                pat_setpat_inst(&hw, d, smp);
        }
        if( hw.reserved[0] )
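Review bot: `strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));` no longer overruns the field, but strncpy does not NUL-terminate when the source is at least sizeof(hw.reserved) long, and the following `if( hw.reserved[0] )` suggests the field is read as a string afterwards. Adding `hw.reserved[sizeof(hw.reserved) - 1] = '\0';` after the copy (or using snprintf) closes that gap. This assumes hw.reserved is an array member; if it were a pointer, sizeof would yield the pointer size and the bound would be wrong. PATinst's body starts before the hunk.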
only in patch2:
unchanged:
--- libmodplug-0.8.4.orig/src/load_med.cpp
+++ libmodplug-0.8.4/src/load_med.cpp
@@ -692,21 +692,24 @@
                        }
                }
                // Song Comments
-               UINT annotxt = bswapBE32(pmex->annotxt);
-               UINT annolen = bswapBE32(pmex->annolen);
-               if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+               uint32_t annotxt = bswapBE32(pmex->annotxt);
+               uint32_t annolen = bswapBE32(pmex->annolen);
+               if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // 
overflow checks.
+                               && (annotxt+annolen <= dwMemLength))
                {
                        m_lpszSongComments = new char[annolen+1];
                        memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
                        m_lpszSongComments[annolen] = 0;
                }
                // Song Name
-               UINT songname = bswapBE32(pmex->songname);
-               UINT songnamelen = bswapBE32(pmex->songnamelen);
-               if ((songname) && (songnamelen) && (songname+songnamelen <= 
dwMemLength))
+               uint32_t songname = bswapBE32(pmex->songname);
+               uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+               if ((songname) && (songnamelen) && (songname+songnamelen > 
songname)
+                               && (songname+songnamelen <= dwMemLength))
                {
                        if (songnamelen > 31) songnamelen = 31;
                        memcpy(m_szNames[0], lpStream+songname, songnamelen);
+                       m_szNames[0][31] = '\0';
                }
                // Sample Names
                DWORD smpinfoex = bswapBE32(pmex->iinfo);
@@ -716,14 +719,18 @@
                        UINT ientries = bswapBE16(pmex->i_ext_entries);
                        UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
 
-                       if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + 
ientries*ientrysz < dwMemLength))
+                       if ((iinfoptr) && (ientrysz < 256) && 
+                        (ientries*ientrysz < dwMemLength) && 
+                        (iinfoptr < dwMemLength - (ientries*ientrysz)))
                        {
                                LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
                                UINT maxnamelen = ientrysz;
+                               // copy a max of 32 bytes.
                                if (maxnamelen > 32) maxnamelen = 32;
                                for (UINT i=0; i<ientries; i++) if (i < 
m_nSamples)
                                {
                                        lstrcpyn(m_szNames[i+1], psznames + 
i*ientrysz, maxnamelen);
+                                       m_szNames[i+1][31] = '\0';
                                }
                        }
                }
@@ -754,6 +761,7 @@
                                        if ((trknameofs) && (trknameofs + 
trknamelen < dwMemLength))
                                        {
                                                lstrcpyn(ChnSettings[i].szName, 
(LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
+                                               
ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
                                        }
                                }
                        }

Attachment: signature.asc
Description: OpenPGP digital signature
