[Pkg-clamav-devel] Bug#774522: wheezy-pu: clamav/0.98.5+dfsg-0+deb7u2

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sat Jan 3 22:30:11 UTC 2015


Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org at packages.debian.org
Usertags: pu

Dear release team:

I'd like to update the clamav package in Wheezy with the following change:
|    * Add "libmspack-qtmd-fix-frame_end-overflow" to avoid endless-loop on
|     special crafted quantum compressed cab files. Patch suggested by Andreas
|     Cadhalpus (Closes: #773318).

There was the same change to libmspack in #773041. We have the same
libmspack in clamav since 0.98.5~rc1+dfsg-1, which is now in s-p-u/
w-updates. We wanted to use the same library in stable and sid/jessie, so
now we need to update the libmspack copy since it is not in Wheezy.

Attaching debdiff with git-dpm changes.

Sebastian
-------------- next part --------------
diff -Nru clamav-0.98.5+dfsg/debian/.git-dpm clamav-0.98.5+dfsg/debian/.git-dpm
--- clamav-0.98.5+dfsg/debian/.git-dpm	2014-11-21 14:22:13.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/.git-dpm	2015-01-03 22:44:52.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e084728afa6d6b031edd8ebe6bcb5f2dfc3a91dc
-e084728afa6d6b031edd8ebe6bcb5f2dfc3a91dc
+a0449d2079c4ba5822e6567ad7094c10108f16cd
+a0449d2079c4ba5822e6567ad7094c10108f16cd
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 14c3d5ca803fd6baa5ab413e87ca6d6bb2e26a3d
 clamav_0.98.5+dfsg.orig.tar.xz
diff -Nru clamav-0.98.5+dfsg/debian/changelog clamav-0.98.5+dfsg/debian/changelog
--- clamav-0.98.5+dfsg/debian/changelog	2014-11-21 15:05:24.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/changelog	2015-01-03 22:44:52.000000000 +0100
@@ -1,3 +1,12 @@
+clamav (0.98.5+dfsg-0+deb7u2) stable; urgency=medium
+
+  [ Sebastian Andrzej Siewior ]
+  * Add "libmspack-qtmd-fix-frame_end-overflow" to avoid endless-loop on
+    special crafted quantum compressed cab files. Patch suggested by Andreas
+    Cadhalpus (Closes: #773318).
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 03 Jan 2015 22:43:46 +0100
+
 clamav (0.98.5+dfsg-0+deb7u1) stable; urgency=medium
 
   [ Sebastian Andrzej Siewior ]
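Review bot: the suggester's name in the new changelog entry ("Patch suggested by Andreas Cadhalpus") does not match the patch header, which carries "Suggested-as-patch: Andreas Cadhalpun <andreas.cadhalpun at googlemail.com>"; the changelog should use the same spelling. The entry text also reads better as "to avoid an endless loop on specially crafted Quantum-compressed .cab files", and since this is a stable update for a crafted-input hang, naming the libmspack-side bug (#773041, mentioned in the cover mail) next to #773318 would let the two fixes be cross-referenced from the changelog alone.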
diff -Nru clamav-0.98.5+dfsg/debian/patches/0018-libmspack-qtmd-fix-frame_end-overflow.patch clamav-0.98.5+dfsg/debian/patches/0018-libmspack-qtmd-fix-frame_end-overflow.patch
--- clamav-0.98.5+dfsg/debian/patches/0018-libmspack-qtmd-fix-frame_end-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/0018-libmspack-qtmd-fix-frame_end-overflow.patch	2015-01-03 22:44:52.000000000 +0100
@@ -0,0 +1,62 @@
+From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+Date: Tue, 23 Dec 2014 21:20:43 +0100
+Subject: libmspack: qtmd: fix frame_end overflow
+
+Debian bts #773041, #772891 contains a report of a .cab file which
+causes an endless loop.
+Eric Sharkey diagnosed the problem as frame_end is 32bit and overflows
+and the result the loop makes no progress.
+The problem seems that after the overflow, window_posn is larger than
+frame_end and therefore we never enter the loop to make progress. But we
+still have out_bytes >0 so we don't leave the outer loop either.
+
+Andreas Cadhalpun suggested to instead makeing frame_end 64bit, we could
+avoid the overflow by reordering the code the following way:
+
+original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
+| frame_end = window_posn + out_bytes;
+| if ((window_posn + frame_todo) < frame_end) {
+|         frame_end = window_posn + frame_todo;
+| }
+
+replace frame_end in "if" with its content (and move the first frame_end
+into the else path)
+| if ((window_posn + frame_todo) < (window_posn + out_bytes))
+|         frame_end = window_posn + frame_todo;
+| else
+|         frame_end = window_posn + out_bytes;
+
+remove window_posn from "if" since it is the same both times.
+| if (frame_todo <  out_bytes)
+|         frame_end = window_posn + frame_todo;
+| else
+|         frame_end = window_posn + out_bytes;
+
+Andreas added:
+|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.
+
+Suggested-as-patch: Andreas Cadhalpun <andreas.cadhalpun at googlemail.com>
+[sebastian at breakpoint: added patch description]
+Signed-off-by: Sebastian Andrzej Siewior <sebastian at breakpoint.cc>
+---
+ libclamav/libmspack-0.4alpha/mspack/qtmd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/libclamav/libmspack-0.4alpha/mspack/qtmd.c b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
+index 12b27f5608c4..e584aef8e576 100644
+--- a/libclamav/libmspack-0.4alpha/mspack/qtmd.c
++++ b/libclamav/libmspack-0.4alpha/mspack/qtmd.c
+@@ -296,9 +296,10 @@ int qtmd_decompress(struct qtmd_stream *qtm, off_t out_bytes) {
+ 
+     /* decode more, up to the number of bytes needed, the frame boundary,
+      * or the window boundary, whichever comes first */
+-    frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+-    if ((window_posn + frame_todo) < frame_end) {
++    if (frame_todo < (out_bytes - (qtm->o_end - qtm->o_ptr))) {
+       frame_end = window_posn + frame_todo;
++    } else {
++      frame_end = window_posn + (out_bytes - (qtm->o_end - qtm->o_ptr));
+     }
+     if (frame_end > qtm->window_size) {
+       frame_end = qtm->window_size;
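Review bot: the subexpression `(out_bytes - (qtm->o_end - qtm->o_ptr))` is now evaluated twice, once in the rewritten condition and once in the new else branch; hoisting it into a local of type off_t, e.g. `off_t todo = out_bytes - (qtm->o_end - qtm->o_ptr);` followed by `if (frame_todo < todo)`, removes the duplication and makes visible that the comparison is performed at off_t width, which is the whole point of the fix. The else branch still stores `window_posn + (...)` into 32-bit frame_end, but it is only reached when that difference is at most frame_todo (at most QTM_FRAME_SIZE = 32768 per the description), so the overflow cannot recur there; a one-line comment above the `if` stating this would spare the next reader re-deriving it. The patch lacks DEP-3 fields (Bug-Debian: https://bugs.debian.org/773318, and a Forwarded: line saying whether upstream libmspack received the same change), which Debian's patch tooling expects. Minor typos in the description: "contains" should be "contain" (two bug numbers), "makeing" should be "making", and "suggested to instead makeing frame_end 64bit, we could avoid" reads as "suggested that, instead of making frame_end 64-bit, we could avoid".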
diff -Nru clamav-0.98.5+dfsg/debian/patches/series clamav-0.98.5+dfsg/debian/patches/series
--- clamav-0.98.5+dfsg/debian/patches/series	2014-11-21 14:22:13.000000000 +0100
+++ clamav-0.98.5+dfsg/debian/patches/series	2015-01-03 22:44:52.000000000 +0100
@@ -15,3 +15,4 @@
 0015-clamav-milter-add-additinal-SMFIF_-flags-before-invo.patch
 0016-Bump-.so-version-number.patch
 0017-llvm-don-t-use-system-libs.patch
+0018-libmspack-qtmd-fix-frame_end-overflow.patch
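
The arithmetic behind the hang, as an added illustration that is not part of the bug report, the debdiff or libmspack itself: the two functions below reproduce the frame_end computation before and after the patch with the types the patch description implies (frame_end, window_posn and frame_todo 32-bit unsigned, out_bytes an off_t taken as 64-bit), with `pending` standing in for `(out_bytes - (qtm->o_end - qtm->o_ptr))`. The window position, window size and pending byte count are constructed values, chosen so that `window_posn + pending` wraps just past 2^32.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed, following the patch description: frame_end, window_posn and
 * frame_todo are 32-bit unsigned, out_bytes is off_t (64-bit here).
 * "pending" stands in for (out_bytes - (qtm->o_end - qtm->o_ptr)) and is
 * positive, as it is inside the while (out_bytes > 0) loop. */
#define QTM_FRAME_SIZE 32768

/* Before the patch: window_posn + pending is stored into 32-bit frame_end
 * and wraps for a large pending count; the clamp that follows compares
 * against the wrapped value and never pulls frame_end back to
 * window_posn + frame_todo. */
static uint32_t frame_end_before(uint32_t window_posn, uint32_t frame_todo,
                                 int64_t pending, uint32_t window_size)
{
    uint32_t frame_end = (uint32_t)(window_posn + pending); /* truncates */
    if ((window_posn + frame_todo) < frame_end)
        frame_end = window_posn + frame_todo;
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

/* After the patch: decide at 64-bit width which of the two bounds is the
 * smaller one, and only add that one to window_posn. frame_todo is at most
 * QTM_FRAME_SIZE, so whichever branch runs, the sum stays far below 2^32. */
static uint32_t frame_end_after(uint32_t window_posn, uint32_t frame_todo,
                                int64_t pending, uint32_t window_size)
{
    uint32_t frame_end;
    if (frame_todo < pending)                          /* int64 comparison */
        frame_end = window_posn + frame_todo;
    else
        frame_end = window_posn + (uint32_t)pending;   /* pending <= frame_todo */
    if (frame_end > window_size)
        frame_end = window_size;
    return frame_end;
}

/* The decoder's inner loop only produces bytes while window_posn < frame_end.
 * With frame_end <= window_posn nothing is produced, out_bytes never shrinks
 * and the outer loop spins forever: the reported endless loop. */
static int makes_progress(uint32_t window_posn, uint32_t frame_end)
{
    return window_posn < frame_end;
}

int main(void)
{
    /* Constructed values: 4 KiB already in a 2 MiB window, and a pending
     * count chosen so that window_posn + pending == 2^32 + 16. */
    const uint32_t window_posn = 4096, window_size = 0x200000;
    const int64_t pending = (INT64_C(1) << 32) - 4096 + 16;
    uint32_t before = frame_end_before(window_posn, QTM_FRAME_SIZE, pending, window_size);
    uint32_t after  = frame_end_after(window_posn, QTM_FRAME_SIZE, pending, window_size);

    printf("before: frame_end=%u progress=%d\n", before, makes_progress(window_posn, before));
    printf("after:  frame_end=%u progress=%d\n", after, makes_progress(window_posn, after));
    return 0;
}
```

With the constructed input the unpatched computation yields frame_end = 16, below window_posn, so no progress is possible; the patched computation yields window_posn + 32768 and decoding proceeds. For ordinary pending counts (smaller than, or modestly larger than, one frame) both versions agree, including when the window-size clamp applies.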

