Source: r-base
Version: 3.1.1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.3.3-1
Hi,

the following vulnerability was published for r-base.

CVE-2016-8714[0]:
| An exploitable buffer overflow vulnerability exists in the
| LoadEncoding functionality of the R programming language version
| 3.3.0. A specially crafted R script can cause a buffer overflow
| resulting in a memory corruption. An attacker can send a malicious R
| script to trigger this vulnerability.

The relevant changes seem to be the following, but I might be mistaken.
(btw, is there a VCS repository for r-base or does upstream not share
development VCS?)

----cut---------cut---------cut---------cut---------cut---------cut-----
--- r-base-3.3.2/src/library/grDevices/src/devPS.c 2016-01-05 00:15:05.000000000 +0100 +++ r-base-3.3.3/src/library/grDevices/src/devPS.c 2017-01-17 00:15:12.000000000 +0100 @@ -412,10 +412,10 @@ /* check for incomplete encoding file */ if(!state->p) return 1; while (isspace((int)* state->p)) state->p++; - if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; } + if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { state->p = NULL; continue; } state->p0 = state->p; while (!isspace((int)*state->p)) state->p++; - if (state->p != '\0') *state->p++ = '\0'; + if (*state->p != '\0') *state->p++ = '\0'; if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0); break; }
@@ -513,13 +513,15 @@ if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0; } if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */ - strcpy(encname, buf+1); + strncpy(encname, buf+1, 99); + encname[99] = '\0'; if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname); else enccode[0] = '\0'; if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */ for(i = 0; i < 256; i++) { if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; } - strcpy(encnames[i].cname, buf+1); + strncpy(encnames[i].cname, buf+1, 39); + encnames[i].cname[39] = '\0'; strcat(enccode, " /"); strcat(enccode, encnames[i].cname); if(i%8 == 7) strcat(enccode, "\n"); }
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the CVE
(Common Vulnerabilities & Exposures) id in your changelog entry.

Can you please also make sure with the release team that the fix can
enter stretch?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
[1] http://www.talosintelligence.com/reports/TALOS-2016-0227/

Regards,
Salvatore
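Review bot: the token scan in the first hunk (@@ -412,10 +412,10 @@), `while (!isspace((int)*state->p)) state->p++;`, is still unbounded after this change: isspace('\0') is false, so a final token with no trailing newline or whitespace walks past the terminator, and the corrected `if (*state->p != '\0') *state->p++ = '\0';` only helps when the loop happens to stop on the terminator. Suggest `while (*state->p && !isspace((int)*state->p)) state->p++;` so NUL is a stop condition. The two corrected comparisons themselves are right: `state->p == '\0'` compared the pointer against a null pointer constant, so the end-of-buffer check could never fire. The closing `strcpy(dest, state->p0)` still copies a token of unchecked length into `dest`; the size of the caller's `buf` is not visible in this hunk, so either a bounded copy or a comment stating the size contract would make that safe by inspection.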
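Review bot: in the second hunk (@@ -513,13 +513,15 @@) the `strcat(enccode, " /"); strcat(enccode, encnames[i].cname);` pair inside the loop remains unbounded even though the copies into `encname` and `encnames[i].cname` are now limited. The preceding `snprintf(enccode, 5000, "/%s [\n", encname)` shows `enccode` is treated as 5000 bytes, but 256 entries of up to 39 characters plus the " /" prefix and the periodic "\n" can total roughly 10.5 KB, so an encoding file with long glyph names can still overflow `enccode`; suggest tracking the remaining length and appending with snprintf/strncat against it, or failing the load when the buffer would be exceeded. The literals 99 and 39 should also be written in terms of the destination sizes (e.g. `sizeof(encname) - 1` and `sizeof(encnames[i].cname) - 1` if those are arrays) so the bound cannot drift from the declaration.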