Hi, I've prepared an NMU to fix CVE-2009-1438 and SA34927 in stable and oldstable.
The proposed debdiffs are attached. Cheers, Giuseppe.
diff -u libmodplug-0.7/src/libmodplug/stdafx.h libmodplug-0.7/src/libmodplug/stdafx.h
--- libmodplug-0.7/src/libmodplug/stdafx.h
+++ libmodplug-0.7/src/libmodplug/stdafx.h
@@ -22,44 +22,42 @@
 inline void ProcessPlugins(int n) {}
 #else
-
+#if defined(HAVE_CONFIG_H) && !defined(CONFIG_H_INCLUDED)
+# include "config.h"
+# define CONFIG_H_INCLUDED 1
+#endif
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
-typedef signed char CHAR;
-typedef unsigned char UCHAR;
-typedef unsigned char* PUCHAR;
-typedef unsigned short USHORT;
-#if defined(__x86_64__)
-typedef unsigned int ULONG;
-typedef unsigned int UINT;
-typedef unsigned int DWORD;
-typedef int LONG;
-typedef long LONGLONG;
-typedef int * LPLONG;
-typedef unsigned int * LPDWORD;
-#else
-typedef unsigned long ULONG;
-typedef unsigned long UINT;
-typedef unsigned long DWORD;
-typedef long LONG;
-typedef long long LONGLONG;
-typedef long * LPLONG;
-typedef unsigned long * LPDWORD;
-#endif
-typedef unsigned short WORD;
-typedef unsigned char BYTE;
-typedef unsigned char * LPBYTE;
+typedef int8_t CHAR;
+typedef uint8_t UCHAR;
+typedef uint8_t* PUCHAR;
+typedef uint16_t USHORT;
+typedef uint32_t ULONG;
+typedef uint32_t UINT;
+typedef uint32_t DWORD;
+typedef int32_t LONG;
+typedef int64_t LONGLONG;
+typedef int32_t* LPLONG;
+typedef uint32_t* LPDWORD;
+typedef uint16_t WORD;
+typedef uint8_t BYTE;
+typedef uint8_t* LPBYTE;
 typedef bool BOOL;
-typedef char * LPSTR;
-typedef void * LPVOID;
-typedef unsigned short * LPWORD;
-typedef const char * LPCSTR;
-typedef void * PVOID;
+typedef char* LPSTR;
+typedef void* LPVOID;
+typedef uint16_t* LPWORD;
+typedef const char* LPCSTR;
+typedef void* PVOID;
 typedef void VOID;
-
 inline LONG MulDiv (long a, long b, long c)
 {
 // if (!c) return 0;
diff -u libmodplug-0.7/debian/changelog libmodplug-0.7/debian/changelog
--- libmodplug-0.7/debian/changelog
+++ libmodplug-0.7/debian/changelog
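Review bot: The new typedefs use `int8_t`/`uint32_t`/`int64_t` unconditionally, but the headers that provide them are only included when config.h defines HAVE_INTTYPES_H or HAVE_STDINT_H, and config.h itself is only read under HAVE_CONFIG_H, so a build missing either define fails at the first typedef with an unhelpful error. A fallback on the HAVE_STDINT_H block, `#else` / `# include <stdint.h>` (or an `#error` naming the missing header), makes the requirement explicit. Separately, LONG is now int32_t on every target while `MulDiv` still takes `long` arguments, so on 64-bit builds its result is truncated to 32 bits; this matches the previous x86_64 branch rather than being a regression, but a comment on MulDiv saying so would help, and MulDiv's body continues outside the hunk.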
@@ -1,3 +1,11 @@
+libmodplug (1:0.7-5.3) oldstable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+ (Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it> Sat, 02 May 2009 18:16:49 +0200
+
 libmodplug (1:0.7-5.2) unstable; urgency=medium
 * Non-maintainer upload.
only in patch2: unchanged:
--- libmodplug-0.7.orig/src/load_med.cpp
+++ libmodplug-0.7/src/load_med.cpp
@@ -692,21 +692,24 @@
 }
 }
 // Song Comments
- UINT annotxt = bswapBE32(pmex->annotxt);
- UINT annolen = bswapBE32(pmex->annolen);
- if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+ uint32_t annotxt = bswapBE32(pmex->annotxt);
+ uint32_t annolen = bswapBE32(pmex->annolen);
+ if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // overflow checks.
+ && (annotxt+annolen <= dwMemLength))
 {
 m_lpszSongComments = new char[annolen+1];
 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
 m_lpszSongComments[annolen] = 0;
 }
 // Song Name
- UINT songname = bswapBE32(pmex->songname);
- UINT songnamelen = bswapBE32(pmex->songnamelen);
- if ((songname) && (songnamelen) && (songname+songnamelen <= dwMemLength))
+ uint32_t songname = bswapBE32(pmex->songname);
+ uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+ if ((songname) && (songnamelen) && (songname+songnamelen > songname)
+ && (songname+songnamelen <= dwMemLength))
 {
 if (songnamelen > 31) songnamelen = 31;
 memcpy(m_szNames[0], lpStream+songname, songnamelen);
+ m_szNames[0][31] = '\0';
 }
 // Sample Names
 DWORD smpinfoex = bswapBE32(pmex->iinfo);
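Review bot: The added `m_szNames[0][31] = '\0';` in the Song Name block only yields a correctly terminated name if bytes songnamelen..30 of the buffer are already zero, because the memcpy writes at most the clamped songnamelen bytes and nothing in between is touched; whether m_szNames is cleared before ReadMed reaches this point is not visible here. Placing the terminator directly after the copied bytes, `m_szNames[0][songnamelen] = '\0';`, is exact since songnamelen is clamped to 31 on the line above. The same pattern applies to `m_szNames[i+1][31] = '\0';` in the following sample-name hunk, where lstrcpyn copies maxnamelen (possibly fewer than 32) bytes and `m_szNames[i+1][maxnamelen < 32 ? maxnamelen : 31] = '\0';` would be the exact form, and to the identical hunks in the 0.8.4 debdiff. ReadMed begins and ends outside this hunk.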
@@ -716,14 +719,18 @@
 UINT ientries = bswapBE16(pmex->i_ext_entries);
 UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
- if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + ientries*ientrysz < dwMemLength))
+ if ((iinfoptr) && (ientrysz < 256) &&
+ (ientries*ientrysz < dwMemLength) &&
+ (iinfoptr < dwMemLength - (ientries*ientrysz)))
 {
 LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
 UINT maxnamelen = ientrysz;
+ // copy a max of 32 bytes.
 if (maxnamelen > 32) maxnamelen = 32;
 for (UINT i=0; i<ientries; i++) if (i < m_nSamples)
 {
 lstrcpyn(m_szNames[i+1], psznames + i*ientrysz, maxnamelen);
+ m_szNames[i+1][31] = '\0';
 }
 }
 }
@@ -754,6 +761,7 @@
 if ((trknameofs) && (trknameofs + trknamelen < dwMemLength))
 {
 lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
+ ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
 }
 }
 }
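Review bot: In the track-name hunk (`@@ -754,6 +761,7 @@`) the new terminator on `ChnSettings[i].szName` fixes termination but not the read: the guard bounds `trknameofs + trknamelen` against dwMemLength, while the copy reads up to MAX_CHANNELNAME bytes from `lpStream+trknameofs`, so a small trknamelen near the end of the buffer still lets lstrcpyn (which appears to be a strncpy alias in this tree, given that a terminator had to be added) read past dwMemLength when no NUL occurs earlier. Bounding the copy by trknamelen closes it: `UINT n = (trknamelen < MAX_CHANNELNAME) ? trknamelen : MAX_CHANNELNAME - 1;` then `lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), n);` and `ChnSettings[i].szName[n] = '\0';`. This guard also lacks the wraparound test the annotxt and songname checks gained earlier in the function (`trknameofs + trknamelen > trknameofs`); the declarations of trknameofs and trknamelen are outside the hunk, as is the enclosing loop. The matching hunk in the 0.8.4 debdiff has the same shape.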
diff -u libmodplug-0.8.4/debian/changelog libmodplug-0.8.4/debian/changelog
--- libmodplug-0.8.4/debian/changelog
+++ libmodplug-0.8.4/debian/changelog
@@ -1,3 +1,13 @@
+libmodplug (1:0.8.4-1+lenny1) stable-security; urgency=high
+
+ * Non-maintainer upload.
+ * Fixed "PATinst()" Buffer Overflow Vulnerability in src/load_pat.c
+ (Closes: #526084)
+ * Fixed "CSoundFile::ReadMed()" Integer Overflow in src/load_med.cp
+ (Closes: #526657) (CVE-2009-1438)
+
+ -- Giuseppe Iuculano <giuse...@iuculano.it> Sat, 02 May 2009 17:28:07 +0200
+
 libmodplug (1:0.8.4-1) unstable; urgency=low
 * New upstream version (closes: #458792)
only in patch2: unchanged:
--- libmodplug-0.8.4.orig/src/load_pat.cpp
+++ libmodplug-0.8.4/src/load_pat.cpp
@@ -1144,7 +1144,7 @@
 hw.envelope_offset[3] = 0;
 hw.envelope_offset[4] = 0;
 hw.envelope_offset[5] = 0;
- strncpy(hw.reserved, midipat[gm-1], 36);
+ strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));
 pat_setpat_inst(&hw, d, smp);
 }
 if( hw.reserved[0] )
only in patch2: unchanged:
--- libmodplug-0.8.4.orig/src/load_med.cpp
+++ libmodplug-0.8.4/src/load_med.cpp
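Review bot: `strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));` stops the write overflow but leaves hw.reserved unterminated whenever the source is at least sizeof(hw.reserved) bytes long, and the next visible line reads `hw.reserved[0]` as the start of a string; if any later consumer treats the field as a C string, the over-read moves from the write to the read. Adding `hw.reserved[sizeof(hw.reserved) - 1] = '\0';` after the copy, or replacing it with `snprintf(hw.reserved, sizeof(hw.reserved), "%s", midipat[gm-1]);`, keeps the field always terminated. Whether `gm-1` is a valid index into midipat is decided outside the hunk, and the enclosing function begins and ends outside it.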
@@ -692,21 +692,24 @@
 }
 }
 // Song Comments
- UINT annotxt = bswapBE32(pmex->annotxt);
- UINT annolen = bswapBE32(pmex->annolen);
- if ((annotxt) && (annolen) && (annotxt+annolen <= dwMemLength))
+ uint32_t annotxt = bswapBE32(pmex->annotxt);
+ uint32_t annolen = bswapBE32(pmex->annolen);
+ if ((annotxt) && (annolen) && (annotxt + annolen > annotxt) // overflow checks.
+ && (annotxt+annolen <= dwMemLength))
 {
 m_lpszSongComments = new char[annolen+1];
 memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
 m_lpszSongComments[annolen] = 0;
 }
 // Song Name
- UINT songname = bswapBE32(pmex->songname);
- UINT songnamelen = bswapBE32(pmex->songnamelen);
- if ((songname) && (songnamelen) && (songname+songnamelen <= dwMemLength))
+ uint32_t songname = bswapBE32(pmex->songname);
+ uint32_t songnamelen = bswapBE32(pmex->songnamelen);
+ if ((songname) && (songnamelen) && (songname+songnamelen > songname)
+ && (songname+songnamelen <= dwMemLength))
 {
 if (songnamelen > 31) songnamelen = 31;
 memcpy(m_szNames[0], lpStream+songname, songnamelen);
+ m_szNames[0][31] = '\0';
 }
 // Sample Names
 DWORD smpinfoex = bswapBE32(pmex->iinfo);
@@ -716,14 +719,18 @@
 UINT ientries = bswapBE16(pmex->i_ext_entries);
 UINT ientrysz = bswapBE16(pmex->i_ext_entrsz);
- if ((iinfoptr) && (ientrysz < 256) && (iinfoptr + ientries*ientrysz < dwMemLength))
+ if ((iinfoptr) && (ientrysz < 256) &&
+ (ientries*ientrysz < dwMemLength) &&
+ (iinfoptr < dwMemLength - (ientries*ientrysz)))
 {
 LPCSTR psznames = (LPCSTR)(lpStream + iinfoptr);
 UINT maxnamelen = ientrysz;
+ // copy a max of 32 bytes.
 if (maxnamelen > 32) maxnamelen = 32;
 for (UINT i=0; i<ientries; i++) if (i < m_nSamples)
 {
 lstrcpyn(m_szNames[i+1], psznames + i*ientrysz, maxnamelen);
+ m_szNames[i+1][31] = '\0';
 }
 }
 }
@@ -754,6 +761,7 @@
 if ((trknameofs) && (trknameofs + trknamelen < dwMemLength))
 {
 lstrcpyn(ChnSettings[i].szName, (LPCSTR)(lpStream+trknameofs), MAX_CHANNELNAME);
+ ChnSettings[i].szName[MAX_CHANNELNAME-1] = '\0';
 }
 }
 }
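Review bot: This copy of the load_med.cpp change introduces `uint32_t` into the 0.8.4 tree, but unlike the 0.7 debdiff no stdafx.h change accompanies it, so it relies on <stdint.h> (or <inttypes.h>) already being included by 0.8.4's headers; that is not visible here and is worth confirming, since otherwise the build stops at these two declarations. The termination and bounds points raised on the 0.7 load_med hunks apply unchanged here, as the three hunks are textually identical.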