Hi all,

On Thu 16 Jul 2015 20:41:43 CEST, Ben Hutchings wrote:
PS: A member of the LTS team might start working on this update at any point in time. You can verify whether someone is registered on this update in this file: https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Attached you find a .debdiff for fuseiso in unstable adding two patches to fuseiso, that hopefully fix the reported issues [1,2].
Under [1,2] Florian Weimer from Red Hat offers two ISO images that reproduce the observed issues. I am still waiting for Florian Weimer to get back to me about those ISO images (one ISO arrived here in a corrupt state, the other ISO I have only just asked for).
I have tested my changes to the code with respect to potential breakage; ISO images mount well here with the changes applied. But the real test will happen once I have the reproducer ISO images at hand.
Greets,
Mike

[1] https://bugzilla.redhat.com/show_bug.cgi?id=862211
[2] https://bugzilla.redhat.com/show_bug.cgi?id=861358

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
diff -Nru fuseiso-20070708/debian/changelog fuseiso-20070708/debian/changelog --- fuseiso-20070708/debian/changelog 2014-10-02 02:55:59.000000000 +0200 +++ fuseiso-20070708/debian/changelog 2015-10-01 10:34:35.000000000 +0200 @@ -1,3 +1,16 @@ +fuseiso (20070708-3.2) unstable; urgency=medium + + * Non-maintainer upload. + * debian/patches (Closes: #779047): + + Add 02-prevent-buffer-overflow.patch. Prevent stack-based buffer overflow + when concatenating strings to an absolute path names. Prevention is done + by checking that the result we stay under the maximum path lenght as given + by the platforms PATH_MAX constant. + + Add 03-prevent-integer-overflow.patch. Prevent integer overflow in ZISO + code. Bail out if a ZF block size > 2^17 is to be read. + + -- Mike Gabriel <sunwea...@debian.org> Thu, 01 Oct 2015 10:34:33 +0200 + fuseiso (20070708-3.1) unstable; urgency=medium * Non-maintainer upload. diff -Nru fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch --- fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ fuseiso-20070708/debian/patches/02-prevent-buffer-overflow.patch 2015-10-01 10:27:16.000000000 +0200 
@@ -0,0 +1,35 @@ +Description: Prevent stack-based buffer overflow on too-long path names +Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de> + +--- a/src/isofs.c ++++ b/src/isofs.c +@@ -1532,13 +1532,23 @@ + if(path[1] != '\0') { // not root dir + strcat(absolute_entry, "/"); + }; +- strcat(absolute_entry, entry); +- if(g_hash_table_lookup(lookup_table, absolute_entry)) { +- // already in lookup cache ++ ++ if(strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1) { ++ strcat(absolute_entry, entry); ++ if(g_hash_table_lookup(lookup_table, absolute_entry)) { ++ // already in lookup cache ++ isofs_free_inode(inode); ++ } else { ++ g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode); ++ }; ++ } ++ else { ++ printf("readdir: absolute path name for entry '%s' exceeding PATH_MAX (%d)\n", entry, PATH_MAX); + isofs_free_inode(inode); +- } else { +- g_hash_table_insert(lookup_table, g_strdup(absolute_entry), inode); +- }; ++ free(buf); ++ free(entry); ++ return -EIO; ++ } + + free(entry); + diff -Nru fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch --- fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ fuseiso-20070708/debian/patches/03-prevent-integer-overflow.patch 2015-10-01 10:31:11.000000000 +0200 
@@ -0,0 +1,16 @@ +Description: Prevent integer overflow in ZISO code +Author: Mike Gabriel <mike.gabr...@das-netzwerkteam.de> + +--- a/src/isofs.c ++++ b/src/isofs.c +@@ -1618,6 +1618,10 @@ + }; + + static int isofs_real_read_zf(isofs_inode *inode, char *out_buf, size_t size, off_t offset) { ++ if( inode->zf_block_shift > 17 ) { ++ fprintf(stderr, "isofs_real_read_zf: can't handle ZF block size of 2^%d\n", inode->zf_block_shift); ++ return -EIO; ++ } + int zf_block_size = 1 << inode->zf_block_shift; + int zf_start = offset / zf_block_size; + int zf_end = (offset + size) / zf_block_size; diff -Nru fuseiso-20070708/debian/patches/series fuseiso-20070708/debian/patches/series --- fuseiso-20070708/debian/patches/series 2012-12-25 08:47:27.000000000 +0100 +++ fuseiso-20070708/debian/patches/series 2015-10-01 06:19:42.000000000 +0200 @@ -1,2 +1,4 @@ 00-support_large_iso.patch 01-fix_typo.patch +02-prevent-buffer-overflow.patch +03-prevent-integer-overflow.patch
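Review bot: the 02-prevent-buffer-overflow.patch bullet in the new 20070708-3.2 changelog entry has several wording slips that will end up in the archive permanently: "to an absolute path names", "checking that the result we stay under", "lenght" and "platforms PATH_MAX". Suggest something like "Prevent stack-based buffer overflow when concatenating strings to an absolute path name, by checking that the result stays under the maximum path length given by the platform's PATH_MAX constant."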
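Review bot: in 02-prevent-buffer-overflow.patch the new length test sits after the unchecked `strcat(absolute_entry, "/");` shown in the context lines, so the separator is still appended before anything verifies there is room for it, and the hunk does not show how `absolute_entry` was filled from `path` or how large it is. The check `strlen(absolute_entry) + strlen(entry) <= PATH_MAX-1` is only sound if the buffer is at least PATH_MAX bytes and the earlier copy was itself bounded. Suggest computing the full length (path, optional "/", entry, terminating NUL) before the first write into `absolute_entry` and comparing it against the buffer's actual size. Two smaller points in the else branch: the message goes to stdout via `printf` while 03-prevent-integer-overflow.patch uses `fprintf(stderr, ...)`, and `return -EIO` fails the whole directory listing for a single over-long entry, so it is worth stating in the patch description whether that is intended rather than skipping the entry, and confirming that `buf` and `entry` are the only allocations live at that point.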
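Review bot: in 03-prevent-integer-overflow.patch the guard at the top of `isofs_real_read_zf` only bounds `inode->zf_block_shift` from above; there is no lower bound, and the context lines that follow still narrow `offset / zf_block_size` and `(offset + size) / zf_block_size` into `int zf_start` and `int zf_end`, where `offset` is `off_t` and `size` is `size_t`. With a small shift value from the image and a large offset, those quotients can exceed what an `int` holds, which is the class of problem the patch description names. Suggest rejecting values outside the range zisofs actually uses (block sizes of 2^15 to 2^17), and either validating `offset + size` against the file size before dividing or making `zf_start`/`zf_end` a wider type. The type of `zf_block_shift` is not visible here; if it is signed, a negative value would also reach `1 << inode->zf_block_shift`, and the `%d` in the new message should match whatever the field's type is.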