Bug#875690: Fixed in FreeXL 1.0.4

2017-09-16 Thread Sebastiaan Couwenberg
Hi Salvatore,

On 09/13/2017 07:27 PM, Bas Couwenberg wrote:
> Should be fixed in the new upstream release:
> 
> https://groups.google.com/forum/m/#!topic/spatialite-users/Wpj62XSzcZY
> 
> I'm not able to work on this until I return from VAC.

I've cherry-picked the changes from 1.0.4 and prepared updates for
stretch, jessie & wheezy. The changes are available in git, and the
debdiffs are attached.

 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy

Are these OK to upload?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog  2015-11-13 11:39:37.0 +0100
+++ freexl-1.0.0b/debian/changelog  2017-09-16 23:26:04.0 +0200
@@ -1,3 +1,10 @@
+freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
+
+  * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+(closes: #875690, #875691)
+
+ -- Bas Couwenberg   Sat, 16 Sep 2017 23:26:04 +0200
+
 freexl (1.0.0b-1+deb7u3) wheezy-security; urgency=high
 
   * Add patch to fix regression introduced by afl-vulnerabilitities.patch.
diff -Nru freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch 
freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
--- freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch  
1970-01-01 01:00:00.0 +0100
+++ freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch  
2017-09-16 23:26:04.0 +0200
@@ -0,0 +1,317 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri 
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+https://bugs.debian.org/875691
+
+--- a/src/freexl.c
 b/src/freexl.c
+@@ -935,6 +935,21 @@ set_sst_value (biff_workbook * workbook,
+ return FREEXL_OK;
+ }
+ 
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/* 
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows 
++/---
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++if ((size * nmemb) > bufsz)
++  return 0;
++return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+unsigned int directory_start)
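Review bot: the guard `if ((size * nmemb) > bufsz)` in xls_fread can itself overflow when size and nmemb are both large, wrapping to a small product that passes the check; every visible caller passes size = 1, so it is harmless here, but a division-form test (`size != 0 && nmemb > bufsz / size`) would make the helper safe for any future call site. Returning 0 for an oversized request is also indistinguishable from a genuine short read or EOF, so callers end up reporting FREEXL_CFBF_READ_ERROR for what is really a malformed sector size; a distinct error path would help when triaging fuzzer crashes. Minor: the comment credits only TALOS-2017-431, while the patch Description claims TALOS-2017-430 as well, so whatever addresses 430 is not in this hunk.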
+@@ -1377,7 +1392,8 @@ read_fat_sector (FILE * xls, fat_chain *
+   max_fat = 128;
+ 
+ /* reading a FAT sector */
+-if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++  chain->sector_size)
+   return FREEXL_CFBF_READ_ERROR;
+ 
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
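Review bot: `sizeof (buf)` only bounds anything if `buf` in read_fat_sector is a fixed-size local array; on a pointer it evaluates to 4 or 8 and every FAT read would be rejected. The declaration is outside the visible context, so confirm it. Beyond that, chain->sector_size derives from the file-controlled sector_shift handed to alloc_fat_chain (signature visible above), so rejecting an oversized value at read time is correct but late; validating sector_shift when the header is parsed (the CFBF format defines only 9 and 12) would stop a malformed value before the FAT chain is allocated at all, and would also make `max_fat = 128` consistent with the sector size by construction.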
+@@ -1419,7 +1435,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ if (fseek (xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a DIFAT sector */
+-if (fread (, 1, chain->sector_size, xls) != chain->sector_size)
++if (xls_fread (sizeof (difat), , 1, chain->sector_size, xls) !=
++chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ blocks++;
+ if (chain->swap)
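Review bot: the second argument to xls_fread reads as empty in this listing (`xls_fread (sizeof (difat), , 1, chain->sector_size, xls)`), and the same `, ,` appears in the original fread call above it; the address-of operand has evidently been lost in the archive rendering (likely `&difat`), so anyone applying from this mail should take the patch from the git branches linked in the cover mail rather than this text. Same caveat as the FAT hunk: `sizeof (difat)` is only a bound if `difat` is a local array.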
+@@ -1480,7 +1497,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ unsigned char *p_buf = buf;
+ block++;
+ /* reading a miniFAT sector */
+-if (fread (, 1, chain->sector_size, xls) != chain->sector_size)
++if (xls_fread (sizeof (buf), , 1, chain->sector_size, xls) !=
++chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
+   {
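Review bot: `unsigned char *p_buf = buf;` in the context confirms `buf` is a local array here, so `sizeof (buf)` is a real bound for the read. The loop that follows, `for (i_fat = 0; i_fat < max_fat; i_fat++)`, still walks buf through p_buf with a bound computed from sector_size rather than from sizeof (buf); the read check now guarantees sector_size <= sizeof (buf), but consider also clamping max_fat to sizeof (buf) / 4 so the two cannot drift apart if either is changed later.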
+@@ -1508,7 +1526,7 @@ read_cfbf_header (biff_workbook * workbo
+ int ret;
+ unsigned char *p_fat = header.fat_sector_map;
+ 
+-if (fread (, 1, 512, workbook->xls) != 512)
++if (xls_fread (sizeof (header), , 1, 512, workbook->xls) != 512)
+   {
+ *err_code = FREEXL_CFBF_READ_ERROR;
+ return NULL;
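Review bot: passing `sizeof (header)` with a fixed count of 512 only establishes that the struct is at least 512 bytes; it does not verify that the struct maps exactly onto the 512-byte CFBF header, and `unsigned char *p_fat = header.fat_sector_map;` shows the code relies on that layout. If the struct carries padding or is larger than 512, the check passes while fields are misread; a compile-time assertion that sizeof (header) == 512 would make the assumption explicit. The empty argument `, ,` here is the same rendering loss noted for the DIFAT hunk.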
+@@ -1654,8 +1672,9 @@ read_mini_stream (biff_workbook * workbo
+   *errcode = FREEXL_CFBF_SEEK_ERROR;
+   return 0;
+   }
+-if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-workbook->fat->sector_size)
++if (xls_fread
++(sizeof (buf), buf, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+   {
+   *errcode = FREEXL_CFBF_READ_ERROR;
+   return 0;
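Review bot: this is the fifth call site repeating the same `xls_fread (sizeof (buf), buf, 1, sector_size, fp) != sector_size` pattern, each time mapping a refused read onto FREEXL_CFBF_READ_ERROR. A wrapper that takes the destination array and the expected count and returns the FREEXL status directly would remove the duplication, the awkward three-line call formatting, and the risk that a future call site forgets the sizeof argument or passes a pointer instead of an array.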
+@@ -1987,7 +2006,7 @@ legacy_emergency_dimension (biff_workboo
+ /* looping on BIFF records */
+ if (!first)
+ 

Bug#875690: Fixed in FreeXL 1.0.4

2017-09-13 Thread Bas Couwenberg
Control: tags -1 fixed-upstream

Should be fixed in the new upstream release:

https://groups.google.com/forum/m/#!topic/spatialite-users/Wpj62XSzcZY

I'm not able to work on this until I return from VAC.

Kind Regards,

Bas