Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

The Fuzzing Project found two issues in the exfat-utils package and the security team asked me to fix them via a stable update.

exfat-utils (0.9.7-2+deb7u1) wheezy; urgency=medium

  * Add d/patches/check-sector-and-cluster-size. Fix for
    https://github.com/relan/exfat/issues/5 found and reported by
    The Fuzzing Project.
  * Add d/patches/detect-infinite-loop. Fix for
    https://github.com/relan/exfat/issues/6 found and reported by
    The Fuzzing Project.

 -- Sven Hoexter <hoex...@debian.org>  Thu, 29 Oct 2015 12:37:48 +0100

-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

diff -u exfat-utils-0.9.7/debian/gbp.conf exfat-utils-0.9.7/debian/gbp.conf --- exfat-utils-0.9.7/debian/gbp.conf +++ exfat-utils-0.9.7/debian/gbp.conf @@ -2,0 +3 @@ +debian-branch = wheezy-updates diff -u exfat-utils-0.9.7/debian/changelog exfat-utils-0.9.7/debian/changelog --- exfat-utils-0.9.7/debian/changelog +++ exfat-utils-0.9.7/debian/changelog @@ -1,3 +1,14 @@ +exfat-utils (0.9.7-2+deb7u1) wheezy; urgency=medium + + * Add d/patches/check-sector-and-cluster-size. Fix for + https://github.com/relan/exfat/issues/5 found and reported by + The Fuzzing Project. + * Add d/patches/detect-infinite-loop. Fix for + https://github.com/relan/exfat/issues/6 found and reported by + The Fuzzing Project. + + -- Sven Hoexter <hoex...@debian.org> Thu, 29 Oct 2015 12:37:48 +0100 + exfat-utils (0.9.7-2) unstable; urgency=low * Move manual link creation from debian/rules to debian/links diff -u exfat-utils-0.9.7/debian/patches/series exfat-utils-0.9.7/debian/patches/series --- exfat-utils-0.9.7/debian/patches/series +++ exfat-utils-0.9.7/debian/patches/series @@ -2,0 +3,2 @@ +check-sector-and-cluster-size +detect-infinite-loop only in patch2: unchanged: --- exfat-utils-0.9.7.orig/debian/patches/check-sector-and-cluster-size +++ exfat-utils-0.9.7/debian/patches/check-sector-and-cluster-size 
@@ -0,0 +1,49 @@ +Patch for https://github.com/relan/exfat/issues/5 +See also: +https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html +Index: exfat-utils/libexfat/mount.c +=================================================================== +--- exfat-utils.orig/libexfat/mount.c ++++ exfat-utils/libexfat/mount.c +@@ -172,6 +172,24 @@ int exfat_mount(struct exfat* ef, const + exfat_error("exFAT file system is not found"); + return -EIO; + } ++ /* sector cannot be smaller than 512 bytes */ ++ if (ef->sb->sector_bits < 9) ++ { ++ exfat_close(ef->dev); ++ exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits); ++ free(ef->sb); ++ return -EIO; ++ } ++ /* officially exFAT supports cluster size up to 32 MB */ ++ if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25) ++ { ++ exfat_close(ef->dev); ++ exfat_error("too big cluster size: 2^(%hhd+%hhd)", ++ ef->sb->sector_bits, ef->sb->spc_bits); ++ free(ef->sb); ++ return -EIO; ++ } ++ + if (ef->sb->version.major != 1 || ef->sb->version.minor != 0) + { + exfat_close(ef->dev); +@@ -187,16 +205,6 @@ int exfat_mount(struct exfat* ef, const + exfat_error("unsupported FAT count: %hhu", ef->sb->fat_count); + return -EIO; + } +- /* officially exFAT supports cluster size up to 32 MB */ +- if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25) +- { +- exfat_close(ef->dev); +- free(ef->sb); +- exfat_error("too big cluster size: 2^%d", +- (int) ef->sb->sector_bits + (int) ef->sb->spc_bits); +- return -EIO; +- } +- + ef->zero_cluster = malloc(CLUSTER_SIZE(*ef->sb)); + if (ef->zero_cluster == NULL) + { only in patch2: unchanged: --- exfat-utils-0.9.7.orig/debian/patches/detect-infinite-loop +++ exfat-utils-0.9.7/debian/patches/detect-infinite-loop 
@@ -0,0 +1,48 @@ +Patch for https://github.com/relan/exfat/issues/6 +See also: +https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html +Index: exfat-utils/libexfat/mount.c +=================================================================== +--- exfat-utils.orig/libexfat/mount.c ++++ exfat-utils/libexfat/mount.c +@@ -27,17 +27,32 @@ + + static uint64_t rootdir_size(const struct exfat* ef) + { +- uint64_t clusters = 0; ++ uint32_t clusters = 0; ++ uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count); + cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster); + +- while (!CLUSTER_INVALID(rootdir_cluster)) +- { +- clusters++; +- /* root directory cannot be contiguous because there is no flag +- to indicate this */ +- rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster); ++ /* Iterate all clusters of the root directory to calculate its size. ++ It can't be contiguous because there is no flag to indicate this. */ ++ do ++ { ++ if (clusters == clusters_max) /* infinite loop detected */ ++ { ++ exfat_error("root directory cannot occupy all %d clusters", ++ clusters); ++ return 0; ++ } ++ if (CLUSTER_INVALID(rootdir_cluster)) ++ { ++ exfat_error("bad cluster %#x while reading root directory", ++ rootdir_cluster); ++ return 0; ++ } ++ rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster); ++ clusters++; + } +- return clusters * CLUSTER_SIZE(*ef->sb); ++ while (rootdir_cluster != EXFAT_CLUSTER_END); ++ ++ return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb); + } + + static const char* get_option(const char* options, const char* option_name)
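
Review bot: in debian/patches/check-sector-and-cluster-size, both new exfat_error() calls print sector_bits and spc_bits with %hhd, while the fat_count message a few lines further down in the same function uses %hhu. If these superblock fields are unsigned bytes like fat_count, a crafted value of 128 or more shows up as a negative exponent in the "too big cluster size: 2^(%hhd+%hhd)" message, which makes the log misleading when triaging a malformed image; use %hhu in both format strings. The patch header also carries only the issue and blog URLs; an Origin line naming the upstream commit would let the release team compare the backport against upstream.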
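
Review bot: in debian/patches/detect-infinite-loop, rootdir_size() now returns 0 on both error paths, but the patch has no hunk for its caller, so nothing visible here turns that 0 into a mount failure. Please confirm that exfat_mount() treats a zero root directory size as an error and releases its resources before returning, or add that check to this patch. Separately, clusters is now uint32_t but is printed with %d in "root directory cannot occupy all %d clusters"; %u matches the type.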