[freexl] 01/01: Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691)
Bas Couwenberg
sebastic at debian.org
Sat Sep 16 21:55:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
sebastic pushed a commit to branch jessie
in repository freexl.
commit 356ece3ba2597fa79e434f5a40e4918dafc2ba4d
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Sat Sep 16 23:19:16 2017 +0200
Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691)
---
debian/changelog | 7 +
debian/patches/CVE-2017-2923_CVE-2017-2924.patch | 352 +++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 360 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3677a93..07745f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high
+
+ * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+ (closes: #875690, #875691)
+
+ -- Bas Couwenberg <sebastic at debian.org> Sat, 16 Sep 2017 23:26:04 +0200
+
freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high
* Add patch to fix regression introduced by afl-vulnerabilitities.patch.
diff --git a/debian/patches/CVE-2017-2923_CVE-2017-2924.patch b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
new file mode 100644
index 0000000..97cc3b8
--- /dev/null
+++ b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
@@ -0,0 +1,352 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+ https://bugs.debian.org/875691
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -941,6 +941,21 @@ set_sst_value (biff_workbook * workbook,
+ return FREEXL_OK;
+ }
+
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/*
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows
++/---------------------------
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++ if ((size * nmemb) > bufsz)
++ return 0;
++ return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+ unsigned int directory_start)
+@@ -1383,7 +1398,8 @@ read_fat_sector (FILE * xls, fat_chain *
+ max_fat = 128;
+
+ /* reading a FAT sector */
+- if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
+@@ -1425,7 +1441,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ if (fseek (xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a DIFAT sector */
+- if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ blocks++;
+ if (chain->swap)
+@@ -1486,7 +1503,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ unsigned char *p_buf = buf;
+ block++;
+ /* reading a miniFAT sector */
+- if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
+ {
+@@ -1514,7 +1532,7 @@ read_cfbf_header (biff_workbook * workbo
+ int ret;
+ unsigned char *p_fat = header.fat_sector_map;
+
+- if (fread (&header, 1, 512, workbook->xls) != 512)
++ if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512)
+ {
+ *err_code = FREEXL_CFBF_READ_ERROR;
+ return NULL;
+@@ -1660,8 +1678,9 @@ read_mini_stream (biff_workbook * workbo
+ *errcode = FREEXL_CFBF_SEEK_ERROR;
+ return 0;
+ }
+- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (buf), buf, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ {
+ *errcode = FREEXL_CFBF_READ_ERROR;
+ return 0;
+@@ -1993,7 +2012,7 @@ legacy_emergency_dimension (biff_workboo
+ /* looping on BIFF records */
+ if (!first)
+ {
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2019,9 +2038,9 @@ legacy_emergency_dimension (biff_workboo
+ /* INTEGER marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2046,9 +2065,9 @@ legacy_emergency_dimension (biff_workboo
+ /* NUMBER marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2073,9 +2092,9 @@ legacy_emergency_dimension (biff_workboo
+ /* BOOLERR marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2098,9 +2117,9 @@ legacy_emergency_dimension (biff_workboo
+ /* RK marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2125,9 +2144,9 @@ legacy_emergency_dimension (biff_workboo
+ /* LABEL marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2204,7 +2223,7 @@ read_legacy_biff (biff_workbook * workbo
+
+ /* attempting to get the main BOF */
+ rewind (workbook->xls);
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2240,7 +2259,7 @@ read_legacy_biff (biff_workbook * workbo
+ {
+ /* looping on BIFF records */
+
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2253,7 +2272,7 @@ read_legacy_biff (biff_workbook * workbo
+
+ if (record_type.value == BIFF_SHEETSOFFSET)
+ {
+-/* unsupported BIFF4W format */
++ /* unsupported BIFF4W format */
+ return 0;
+ }
+
+@@ -2266,9 +2285,9 @@ read_legacy_biff (biff_workbook * workbo
+ if (record_type.value == BIFF_CODEPAGE)
+ {
+ /* CODEPAGE marker found */
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ memcpy (word16.bytes, workbook->record, 2);
+ if (swap)
+@@ -2284,9 +2303,9 @@ read_legacy_biff (biff_workbook * workbo
+ if (record_type.value == BIFF_DATEMODE)
+ {
+ /* DATEMODE marker found */
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ memcpy (word16.bytes, workbook->record, 2);
+ if (swap)
+@@ -2318,9 +2337,9 @@ read_legacy_biff (biff_workbook * workbo
+ int is_date = 0;
+ int is_datetime = 0;
+ int is_time = 0;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ if (workbook->biff_version == FREEXL_BIFF_VER_2
+@@ -2386,9 +2405,9 @@ read_legacy_biff (biff_workbook * workbo
+ /* XF [Extended Format] marker found */
+ unsigned char format;
+ unsigned short s_format;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ switch (workbook->biff_version)
+ {
+@@ -2418,9 +2437,9 @@ read_legacy_biff (biff_workbook * workbo
+ unsigned int rows;
+ unsigned short columns;
+ char *utf8_name;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record + 2, 2);
+@@ -2468,9 +2487,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2536,9 +2555,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2615,9 +2634,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2668,9 +2687,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2769,9 +2788,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -3636,8 +3655,9 @@ read_cfbf_sector (biff_workbook * workbo
+ long where = (workbook->current_sector + 1) * workbook->fat->sector_size;
+ if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ return FREEXL_OK;
+ }
+@@ -3759,6 +3779,14 @@ read_biff_next_record (biff_workbook * w
+ if (record_type.value == 0x0000 && record_size.value == 0)
+ return -1;
+
++/*
++/ Sandro 2017-09-07
++/ fixing a security issue reported by
++/ Cisco [TALOS-2017-430]
++*/
++ if (record_size.value > sizeof (workbook->record))
++ return -1;
++
+ /* saving the current record */
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+@@ -3938,8 +3966,9 @@ get_workbook_stream (biff_workbook * wor
+ if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a FAT Directory block [sector] */
+- if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ workbook_start = 0xFFFFFFFF;
+ for (i_entry = 0; i_entry < max_entries; i_entry++)
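Review bot: In the `read_cfbf_sector` change of the embedded patch, the bound passed to `xls_fread` is `sizeof (biff_workbook)`, the size of the whole workbook struct, not the capacity of the destination `buf`, so the check can still accept a `sector_size` larger than the buffer being written. `buf`'s declaration is outside the hunk, so the right bound has to be confirmed there, for example by having the caller pass the buffer's capacity. The other call sites pass `sizeof (buf)`, `sizeof (difat)` or `sizeof (dir_block)`, which is only a real bound where those names are arrays and not pointer parameters, and the visible lines do not show that either. In `xls_fread` itself `size * nmemb` can wrap for large arguments; every call here passes `size == 1`, but a division-based guard keeps the helper safe for later callers: `if (size != 0 && nmemb > bufsz / size) return 0;`. The helper's comment should also state that `bufsz` must be the destination's capacity in bytes and that a rejected read returns 0, which the callers' length comparison then reports as a read error.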
diff --git a/debian/patches/series b/debian/patches/series
index d6cf717..c920916 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
afl-vulnerabilitities.patch
32bit-multiplication-overflow.patch
afl-vulnerabilitities-regression.patch
+CVE-2017-2923_CVE-2017-2924.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/freexl.git