Your message dated Wed, 15 Mar 2017 16:56:59 -0500
with message-id <22729.47275.565037.6...@max.eddelbuettel.com>
and subject line Re: Bug#857466: r-base: CVE-2016-8714: R: Buffer overflow in 
the LoadEncoding functionality
has caused the Debian Bug report #857466,
regarding r-base: CVE-2016-8714: R: Buffer overflow in the LoadEncoding 
functionality
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857466: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857466
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: r-base
Version: 3.1.1-1
Severity: grave
Tags: patch security upstream fixed-upstream
Justification: user security hole
Control: fixed -1 3.3.3-1 

Hi,

the following vulnerability was published for r-base.

CVE-2016-8714[0]:
| An exploitable buffer overflow vulnerability exists in the
| LoadEncoding functionality of the R programming language version
| 3.3.0. A specially crafted R script can cause a buffer overflow
| resulting in a memory corruption. An attacker can send a malicious R
| script to trigger this vulnerability.

The relevant changes seem to be the following, but I might be mistaken. (btw,
is there a VCS repository for r-base or does upstream not share development
VCS?)

----cut---------cut---------cut---------cut---------cut---------cut-----
--- r-base-3.3.2/src/library/grDevices/src/devPS.c      2016-01-05 
00:15:05.000000000 +0100
+++ r-base-3.3.3/src/library/grDevices/src/devPS.c      2017-01-17 
00:15:12.000000000 +0100
@@ -412,10 +412,10 @@
        /* check for incomplete encoding file */
        if(!state->p) return 1;
        while (isspace((int)* state->p)) state->p++;
-       if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { 
state->p = NULL; continue; }
+       if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { 
state->p = NULL; continue; }
        state->p0 = state->p;
        while (!isspace((int)*state->p)) state->p++;
-       if (state->p != '\0') *state->p++ = '\0';
+       if (*state->p != '\0') *state->p++ = '\0';
        if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
        break;
     }
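Review bot: the `while (!isspace((int)*state->p)) state->p++;` loop in this hunk has no terminator check, so a token that ends the buffer without trailing whitespace walks past the `'\0'`; because `isspace('\0')` is false, the following `if (*state->p != '\0')` can never be what stops it. Suggest `while (*state->p && !isspace((unsigned char)*state->p)) state->p++;` (the `unsigned char` cast also keeps `isspace` defined for bytes above 0x7f). The corrected `*state->p == '\0'` test fixes the old pointer-versus-character comparison, but `strcpy(dest, state->p0)` remains unbounded, so this hunk is only safe if the caller's `dest` is at least as large as the line buffer `state->p0` points into; otherwise copy with an explicit length or reject over-long tokens.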
@@ -513,13 +513,15 @@
        if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
     }
     if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
-    strcpy(encname, buf+1);
+    strncpy(encname, buf+1, 99); 
+    encname[99] = '\0';
     if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
     else enccode[0] = '\0';
     if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
     for(i = 0; i < 256; i++) {
        if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
-       strcpy(encnames[i].cname, buf+1);
+       strncpy(encnames[i].cname, buf+1, 39);
+       encnames[i].cname[39] = '\0';
        strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
        if(i%8 == 7) strcat(enccode, "\n");
     }
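Review bot: bounding the copies into `encname` and `encnames[i].cname` does not bound the `strcat(enccode, " /"); strcat(enccode, encnames[i].cname);` that follows, and `enccode` is sized by `snprintf(enccode, 5000, ...)`: 256 entries of up to 2 + 39 bytes, plus 32 newlines and an up-to-103-byte header, come to over 10,600 bytes, more than twice the buffer. Either check each name against the remaining space before the `strcat`, or build `enccode` with `snprintf` against the remaining length. Also, the literals 99 and 39 duplicate the buffer sizes; `sizeof(encname) - 1` and `sizeof(encnames[i].cname) - 1` would keep them in sync, and `strncpy` silently truncates an over-long name instead of rejecting the file, which should at least be a deliberate choice rather than a side effect.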
----cut---------cut---------cut---------cut---------cut---------cut-----

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Can you as well please make sure with the release team that the fix might enter
for stretch?

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-8714
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
[1] http://www.talosintelligence.com/reports/TALOS-2016-0227/

Regards,
Salvatore

--- End Message ---
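The overflow described in the report above (unbounded copies of encoding-file tokens into fixed-size fields), as an added example that is neither part of the bug report nor R's own code. It models the "/Name [ /g0 ... /g255 ]" file shape the patched parser expects, with a NUL-guarded tokenizer and a copy that rejects over-long names instead of truncating them, and it computes the worst-case size the patched strcat loop can produce. The field sizes 100/40 (mirroring the 99/39 limits in the patch), the 5000-byte enccode size taken from the patch, the function names and the sample input are all assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed field sizes, matching the 99/39 limits the patch writes; 5000 is
 * the enccode size from snprintf(enccode, 5000, ...) in the patched code. */
#define ENCNAME_MAX 100
#define CNAME_MAX   40
#define ENCCODE_SZ  5000
#define NGLYPHS     256

struct enc_names { char cname[CNAME_MAX]; };

/* Next whitespace-delimited token in *cursor, skipping '%' comments and
 * NUL-terminating it in place; NULL at end of input.  Stops at '\0'. */
static char *next_token(char **cursor)
{
    char *p = *cursor, *start;
    for (;;) {
        while (*p && isspace((unsigned char)*p)) p++;
        if (*p == '\0') { *cursor = p; return NULL; }
        if (*p != '%') break;
        while (*p && *p != '\n') p++;      /* skip comment to end of line */
    }
    start = p;
    while (*p && !isspace((unsigned char)*p)) p++;
    if (*p) *p++ = '\0';
    *cursor = p;
    return start;
}

/* Copy a "/name" token (minus the '/') into dst[dstsz].  strcpy here is the
 * vulnerable pattern; strncpy truncates; this rejects so the file fails closed. */
static int copy_name(char *dst, size_t dstsz, const char *tok)
{
    size_t n;
    if (tok[0] != '/') return -1;
    n = strlen(tok + 1);
    if (n >= dstsz) return -1;
    memcpy(dst, tok + 1, n + 1);
    return 0;
}

/* Parse "/Name [ /g0 ... /g255 ]" from text (modified in place).
 * Returns NGLYPHS on success, -1 on a malformed or over-long entry. */
int load_encoding(char *text, char *encname, size_t encname_sz,
                  struct enc_names names[NGLYPHS])
{
    char *cur = text, *tok;
    int i;
    if (!(tok = next_token(&cur)) || copy_name(encname, encname_sz, tok)) return -1;
    if (!(tok = next_token(&cur)) || strcmp(tok, "[") != 0) return -1;
    for (i = 0; i < NGLYPHS; i++) {
        if (!(tok = next_token(&cur))) return -1;
        if (copy_name(names[i].cname, sizeof names[i].cname, tok)) return -1;
    }
    if (!(tok = next_token(&cur)) || strcmp(tok, "]") != 0) return -1;
    return NGLYPHS;
}

/* Worst case the patched strcat loop can write into enccode: "/" + 99-char
 * name + " [\n", 256 x (" /" + 39 chars), a newline every 8 entries, NUL. */
size_t enccode_bytes_needed(void)
{
    return 1 + (ENCNAME_MAX - 1) + 3
         + NGLYPHS * (2 + (CNAME_MAX - 1))
         + NGLYPHS / 8 + 1;
}

/* Constructed encoding file whose 256 glyph names all have length namelen. */
static int build_input(char *out, size_t outsz, size_t namelen)
{
    size_t off, k;
    int i;
    if (outsz < 64 + NGLYPHS * (namelen + 2)) return -1;
    off = (size_t)snprintf(out, outsz, "/TestEncoding [\n%% constructed sample\n");
    for (i = 0; i < NGLYPHS; i++) {
        out[off++] = '/';
        for (k = 0; k < namelen; k++) out[off++] = (char)('a' + i % 26);
        out[off++] = (i % 8 == 7) ? '\n' : ' ';
    }
    snprintf(out + off, outsz - off, "]\n");
    return 0;
}

/* Parse a constructed file with glyph names of the given length. */
int demo_parse(size_t namelen)
{
    static char text[20000];
    char encname[ENCNAME_MAX];
    struct enc_names names[NGLYPHS];
    if (build_input(text, sizeof text, namelen)) return -2;
    return load_encoding(text, encname, sizeof encname, names);
}

int main(void)
{
    printf("39-char names: %d (256 = all read)\n", demo_parse(39));
    printf("40-char names: %d (-1 = rejected)\n", demo_parse(40));
    printf("enccode needs up to %zu bytes, buffer is %d\n",
           enccode_bytes_needed(), ENCCODE_SZ);
    return 0;
}
```

A 39-character name fills the 40-byte field exactly and is accepted; a 40-character one is rejected rather than truncated or overflowed. The size computation shows why bounding the individual names is not enough on its own: a file that stays within every per-name limit still needs more than twice the 5000-byte enccode buffer.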
--- Begin Message ---
Sorry, didn't catch this earlier as I was in Europe ... and my server was
down.  Been catching up since -- but this has been addressed and @security
will now prepare the post.

On 11 March 2017 at 17:56, Salvatore Bonaccorso wrote:
| Source: r-base
| Version: 3.1.1-1
| Severity: grave
| Tags: patch security upstream fixed-upstream
| Justification: user security hole
| Control: fixed -1 3.3.3-1 
| 
| Hi,
| 
| the following vulnerability was published for r-base.
| 
| CVE-2016-8714[0]:
| | An exploitable buffer overflow vulnerability exists in the
| | LoadEncoding functionality of the R programming language version
| | 3.3.0. A specially crafted R script can cause a buffer overflow
| | resulting in a memory corruption. An attacker can send a malicious R
| | script to trigger this vulnerability.
| 
| The relevant changes seem to be the following, but I might be mistaken. (btw,
| is there a VCS repository for r-base or does upstream not share development
| VCS?)

They do at svn.r-project.org  -- but that isn't browsable -- and the
community has a mirror here https://github.com/wch/r-source


| ----cut---------cut---------cut---------cut---------cut---------cut-----
| --- r-base-3.3.2/src/library/grDevices/src/devPS.c      2016-01-05 
00:15:05.000000000 +0100
| +++ r-base-3.3.3/src/library/grDevices/src/devPS.c      2017-01-17 
00:15:12.000000000 +0100
| @@ -412,10 +412,10 @@
|         /* check for incomplete encoding file */
|         if(!state->p) return 1;
|         while (isspace((int)* state->p)) state->p++;
| -       if (state->p == '\0' || *state->p == '%'|| *state->p == '\n') { 
state->p = NULL; continue; }
| +       if (*state->p == '\0' || *state->p == '%'|| *state->p == '\n') { 
state->p = NULL; continue; }
|         state->p0 = state->p;
|         while (!isspace((int)*state->p)) state->p++;
| -       if (state->p != '\0') *state->p++ = '\0';
| +       if (*state->p != '\0') *state->p++ = '\0';
|         if(c == 45) strcpy(dest, "/minus"); else strcpy(dest, state->p0);
|         break;
|      }
| @@ -513,13 +513,15 @@
|         if (!(fp = R_fopen(R_ExpandFileName(buf), "r"))) return 0;
|      }
|      if (GetNextItem(fp, buf, -1, &state)) return 0; /* encoding name */
| -    strcpy(encname, buf+1);
| +    strncpy(encname, buf+1, 99); 
| +    encname[99] = '\0';
|      if (!isPDF) snprintf(enccode, 5000, "/%s [\n", encname);
|      else enccode[0] = '\0';
|      if (GetNextItem(fp, buf, 0, &state)) { fclose(fp); return 0;} /* [ */
|      for(i = 0; i < 256; i++) {
|         if (GetNextItem(fp, buf, i, &state)) { fclose(fp); return 0; }
| -       strcpy(encnames[i].cname, buf+1);
| +       strncpy(encnames[i].cname, buf+1, 39);
| +       encnames[i].cname[39] = '\0';
|         strcat(enccode, " /"); strcat(enccode, encnames[i].cname);
|         if(i%8 == 7) strcat(enccode, "\n");
|      }
| ----cut---------cut---------cut---------cut---------cut---------cut-----
| 
| If you fix the vulnerability please also make sure to include the
| CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

I did.
 
| Can you as well please make sure with the release team that the fix might enter
| for stretch?

How would I do that?  Suggest current upstream 3.3.3 to be passed down, or
prepare a 'testing-security' upload?

Dirk

| 
| For further information see:
| 
| [0] https://security-tracker.debian.org/tracker/CVE-2016-8714
|     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8714
| [1] http://www.talosintelligence.com/reports/TALOS-2016-0227/
| 
| Regards,
| Salvatore

-- 
http://dirk.eddelbuettel.com | @eddelbuettel | e...@debian.org

--- End Message ---
