Bug#880630: jessie-pu: package liblouis/2.5.3-3

Samuel Thibault sthibault at debian.org
Fri Nov 3 00:54:32 UTC 2017 

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Hello,

Bug#880621 reports that Jessie is affected by CVE-2014-8184.  I'm
proposing to upload there the RedHat fix plus a fix for that fix (it
didn't actually take care of issues in the strncpy call). Debdiff is
attached.

Samuel

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog
--- liblouis-2.5.3/debian/changelog	2014-06-24 23:33:27.000000000 +0200
+++ liblouis-2.5.3/debian/changelog	2017-11-03 01:14:02.000000000 +0100
@@ -1,3 +1,10 @@
+liblouis (2.5.3-3+deb8u1) jessie; urgency=medium
+
+  * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621).
+  * Fix RedHat's patch.
+
+ -- Samuel Thibault <sthibault at debian.org>  Fri, 03 Nov 2017 01:14:02 +0100
+
 liblouis (2.5.3-3) unstable; urgency=low
 
   [ Samuel Thibault ]
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 liblouis-2.5.3/debian/patches/CVE-2014-8184
--- liblouis-2.5.3/debian/patches/CVE-2014-8184	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184	2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,99 @@
+https://github.com/liblouis/liblouis/issues/425
+https://bugzilla.redhat.com/show_bug.cgi?id=1492701
+https://access.redhat.com/errata/RHSA-2017:3111
+
+From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001
+From: Raphael Sanchez Prudencio <rsprudencio at redhat.com>
+Date: Mon, 18 Sep 2017 18:44:31 +0200
+Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable().
+
+Fixes CVE-2014-8184.
+---
+ liblouis/compileTranslationTable.c | 35 +++++++++++------------------------
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c
+index ec4963f0..25c0208f 100644
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4502,8 +4502,7 @@ findTable (const char *tableName)
+   char trialPath[MAXSTRING];
+   if (tableName == NULL || tableName[0] == 0)
+     return NULL;
+-  strcpy (trialPath, tablePath);
+-  strcat (trialPath, tableName);
++  snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+     return tableFile;
+   pathEnd[0] = DIR_SEP;
+@@ -4522,18 +4521,15 @@ findTable (const char *tableName)
+ 	    break;
+ 	if (k == listLength || k == 0)
+ 	  {			/* Only one file */
+-	    strcpy (trialPath, pathList);
+-	    strcat (trialPath, pathEnd);
+-	    strcat (trialPath, tableName);
++	    snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName);
+ 	    if ((tableFile = fopen (trialPath, "rb")))
+ 	      break;
+ 	  }
+ 	else
+ 	  {			/* Compile a list of files */
+-	    strncpy (trialPath, pathList, k);
+-	    trialPath[k] = 0;
+-	    strcat (trialPath, pathEnd);
+-	    strcat (trialPath, tableName);
++	    char path[MAXSTRING];
++	    strncpy (path, pathList, k);
++	    snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ 	    currentListPos = k + 1;
+ 	    if ((tableFile = fopen (trialPath, "rb")))
+ 	      break;
+@@ -4542,11 +4538,8 @@ findTable (const char *tableName)
+ 		for (k = currentListPos; k < listLength; k++)
+ 		  if (pathList[k] == ',')
+ 		    break;
+-		strncpy (trialPath,
+-			 &pathList[currentListPos], k - currentListPos);
+-		trialPath[k - currentListPos] = 0;
+-		strcat (trialPath, pathEnd);
+-		strcat (trialPath, tableName);
++		strncpy (path, &pathList[currentListPos], k - currentListPos);
++		snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ 		if ((tableFile = fopen (trialPath, "rb")))
+ 		  currentListPos = k + 1;
+ 		break;
+@@ -4564,26 +4557,20 @@ findTable (const char *tableName)
+   pathList = lou_getDataPath ();
+   if (pathList)
+     {
+-      strcpy (trialPath, pathList);
+-      strcat (trialPath, pathEnd);
+ #ifdef _WIN32
+-      strcat (trialPath, "liblouis\\tables\\");
++      snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s", pathList, pathEnd, tableName);
+ #else
+-      strcat (trialPath, "liblouis/tables/");
++      snprintf (trialPath, MAXSTRING-1, "%s%sliblouis/tables/%s", pathList, pathEnd, tableName);
+ #endif
+-      strcat (trialPath, tableName);
+       if ((tableFile = fopen (trialPath, "rb")))
+ 	return tableFile;
+     }
+   /* See if table on installed or program path. */
+ #ifdef _WIN32
+-  strcpy (trialPath, lou_getProgramPath ());
+-  strcat (trialPath, "\\share\\liblouss\\tables\\");
++  snprintf (trialPath, MAXSTRING-1, "%s\\share\\liblouss\\tables\\%s", lou_getProgramPath(), tableName);
+ #else
+-  strcpy (trialPath, TABLESDIR);
+-  strcat (trialPath, pathEnd);
++  snprintf (trialPath, MAXSTRING-1, "%s%s%s", TABLESDIR, pathEnd, tableName);
+ #endif
+-  strcat (trialPath, tableName);
+   if ((tableFile = fopen (trialPath, "rb")))
+     return tableFile;
+   return NULL;
+-- 
+2.13.5
+
diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184-fix liblouis-2.5.3/debian/patches/CVE-2014-8184-fix
--- liblouis-2.5.3/debian/patches/CVE-2014-8184-fix	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/CVE-2014-8184-fix	2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,33 @@
+The RedHat CVE-2014-8184 patch did not fix the potential buffer overruns
+and missing trailing \0 from the strncpy call.
+---
+ liblouis/compileTranslationTable.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -4534,6 +4534,8 @@ findTable (const char *tableName)
+ 	int listLength;
+ 	int currentListPos = 0;
+ 	listLength = strlen (pathList);
++	if (listLength >= MAXSTRING)
++	  listLength = MAXSTRING-1;
+ 	for (k = 0; k < listLength; k++)
+ 	  if (pathList[k] == ',')
+ 	    break;
+@@ -4547,6 +4549,7 @@ findTable (const char *tableName)
+ 	  {			/* Compile a list of files */
+ 	    char path[MAXSTRING];
+ 	    strncpy (path, pathList, k);
++	    path[k] = 0;
+ 	    snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ 	    currentListPos = k + 1;
+ 	    if ((tableFile = fopen (trialPath, "rb")))
+@@ -4557,6 +4560,7 @@ findTable (const char *tableName)
+ 		  if (pathList[k] == ',')
+ 		    break;
+ 		strncpy (path, &pathList[currentListPos], k - currentListPos);
++		path[k - currentListPos] = 0;
+ 		snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName);
+ 		if ((tableFile = fopen (trialPath, "rb")))
+ 		  currentListPos = k + 1;
diff -Nru liblouis-2.5.3/debian/patches/series liblouis-2.5.3/debian/patches/series
--- liblouis-2.5.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ liblouis-2.5.3/debian/patches/series	2017-11-03 01:14:02.000000000 +0100
@@ -0,0 +1,2 @@
+CVE-2014-8184
+CVE-2014-8184-fix

More information about the Pkg-a11y-devel mailing list