[freexl] 02/03: Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691)
Bas Couwenberg
sebastic at debian.org
Sat Sep 16 21:55:39 UTC 2017
This is an automated email from the git hooks/post-receive script.
sebastic pushed a commit to branch stretch
in repository freexl.
commit 509a783cfa6dfcdd289c2bcd4d0940ddfda647c1
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Sat Sep 16 23:19:16 2017 +0200
Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924. (closes: #875690, #875691)
---
debian/changelog | 2 +
debian/patches/CVE-2017-2923_CVE-2017-2924.patch | 352 +++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 355 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 503889b..421fea7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
freexl (1.0.2-3) UNRELEASED; urgency=medium
* Update branch in gbp.conf & Vcs-Git URL.
+ * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+ (closes: #875690, #875691)
-- Bas Couwenberg <sebastic at debian.org> Sat, 16 Sep 2017 23:05:37 +0200
diff --git a/debian/patches/CVE-2017-2923_CVE-2017-2924.patch b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
new file mode 100644
index 0000000..096d2e9
--- /dev/null
+++ b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
@@ -0,0 +1,352 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+ https://bugs.debian.org/875691
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -951,6 +951,21 @@ set_sst_value (biff_workbook * workbook,
+ return FREEXL_OK;
+ }
+
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/*
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows
++/---------------------------
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++ if ((size * nmemb) > bufsz)
++ return 0;
++ return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+ unsigned int directory_start)
+@@ -1393,7 +1408,8 @@ read_fat_sector (FILE * xls, fat_chain *
+ max_fat = 128;
+
+ /* reading a FAT sector */
+- if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
+@@ -1435,7 +1451,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ if (fseek (xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a DIFAT sector */
+- if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ blocks++;
+ if (chain->swap)
+@@ -1496,7 +1513,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ unsigned char *p_buf = buf;
+ block++;
+ /* reading a miniFAT sector */
+- if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size)
++ if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) !=
++ chain->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ for (i_fat = 0; i_fat < max_fat; i_fat++)
+ {
+@@ -1524,7 +1542,7 @@ read_cfbf_header (biff_workbook * workbo
+ int ret;
+ unsigned char *p_fat = header.fat_sector_map;
+
+- if (fread (&header, 1, 512, workbook->xls) != 512)
++ if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512)
+ {
+ *err_code = FREEXL_CFBF_READ_ERROR;
+ return NULL;
+@@ -1670,8 +1688,9 @@ read_mini_stream (biff_workbook * workbo
+ *errcode = FREEXL_CFBF_SEEK_ERROR;
+ return 0;
+ }
+- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (buf), buf, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ {
+ *errcode = FREEXL_CFBF_READ_ERROR;
+ return 0;
+@@ -2003,7 +2022,7 @@ legacy_emergency_dimension (biff_workboo
+ /* looping on BIFF records */
+ if (!first)
+ {
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2029,9 +2048,9 @@ legacy_emergency_dimension (biff_workboo
+ /* INTEGER marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2056,9 +2075,9 @@ legacy_emergency_dimension (biff_workboo
+ /* NUMBER marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2083,9 +2102,9 @@ legacy_emergency_dimension (biff_workboo
+ /* BOOLERR marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2108,9 +2127,9 @@ legacy_emergency_dimension (biff_workboo
+ /* RK marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2135,9 +2154,9 @@ legacy_emergency_dimension (biff_workboo
+ /* LABEL marker found */
+ biff_word16 word16;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2214,7 +2233,7 @@ read_legacy_biff (biff_workbook * workbo
+
+ /* attempting to get the main BOF */
+ rewind (workbook->xls);
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2250,7 +2269,7 @@ read_legacy_biff (biff_workbook * workbo
+ {
+ /* looping on BIFF records */
+
+- if (fread (&buf, 1, 4, workbook->xls) != 4)
++ if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ return 0;
+ memcpy (record_type.bytes, buf, 2);
+ memcpy (record_size.bytes, buf + 2, 2);
+@@ -2263,7 +2282,7 @@ read_legacy_biff (biff_workbook * workbo
+
+ if (record_type.value == BIFF_SHEETSOFFSET)
+ {
+-/* unsupported BIFF4W format */
++ /* unsupported BIFF4W format */
+ return 0;
+ }
+
+@@ -2276,9 +2295,9 @@ read_legacy_biff (biff_workbook * workbo
+ if (record_type.value == BIFF_CODEPAGE)
+ {
+ /* CODEPAGE marker found */
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ memcpy (word16.bytes, workbook->record, 2);
+ if (swap)
+@@ -2294,9 +2313,9 @@ read_legacy_biff (biff_workbook * workbo
+ if (record_type.value == BIFF_DATEMODE)
+ {
+ /* DATEMODE marker found */
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ memcpy (word16.bytes, workbook->record, 2);
+ if (swap)
+@@ -2328,9 +2347,9 @@ read_legacy_biff (biff_workbook * workbo
+ int is_date = 0;
+ int is_datetime = 0;
+ int is_time = 0;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ if (workbook->biff_version == FREEXL_BIFF_VER_2
+@@ -2396,9 +2415,9 @@ read_legacy_biff (biff_workbook * workbo
+ /* XF [Extended Format] marker found */
+ unsigned char format;
+ unsigned short s_format;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+ switch (workbook->biff_version)
+ {
+@@ -2428,9 +2447,9 @@ read_legacy_biff (biff_workbook * workbo
+ unsigned int rows;
+ unsigned short columns;
+ char *utf8_name;
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record + 2, 2);
+@@ -2478,9 +2497,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2546,9 +2565,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2625,9 +2644,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2678,9 +2697,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -2779,9 +2798,9 @@ read_legacy_biff (biff_workbook * workbo
+ (workbook, swap, record_type.value, record_size.value))
+ return 0;
+
+- if (fread
+- (workbook->record, 1, record_size.value,
+- workbook->xls) != record_size.value)
++ if (xls_fread
++ (sizeof (workbook->record), workbook->record, 1,
++ record_size.value, workbook->xls) != record_size.value)
+ return 0;
+
+ memcpy (word16.bytes, workbook->record, 2);
+@@ -3646,8 +3665,9 @@ read_cfbf_sector (biff_workbook * workbo
+ long where = (workbook->current_sector + 1) * workbook->fat->sector_size;
+ if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+- if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ return FREEXL_OK;
+ }
+@@ -3769,6 +3789,14 @@ read_biff_next_record (biff_workbook * w
+ if (record_type.value == 0x0000 && record_size.value == 0)
+ return -1;
+
++/*
++/ Sandro 2017-09-07
++/ fixing a security issue reported by
++/ Cisco [TALOS-2017-430]
++*/
++ if (record_size.value > sizeof (workbook->record))
++ return -1;
++
+ /* saving the current record */
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+@@ -3948,8 +3976,9 @@ get_workbook_stream (biff_workbook * wor
+ if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a FAT Directory block [sector] */
+- if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) !=
+- workbook->fat->sector_size)
++ if (xls_fread
++ (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size,
++ workbook->xls) != workbook->fat->sector_size)
+ return FREEXL_CFBF_READ_ERROR;
+ workbook_start = 0xFFFFFFFF;
+ for (i_entry = 0; i_entry < max_entries; i_entry++)
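Review bot: In the nested `read_cfbf_sector` hunk the bound handed to `xls_fread` is `sizeof (biff_workbook)`, the size of the whole workbook struct rather than of the memory `buf` points to, so that check does not limit the read to the destination buffer. `buf` is declared outside the hunk; if it is a pointer into a buffer owned by the workbook, the value to pass is that buffer's remaining capacity, for example supplied by the caller as an extra argument. The other call sites depend on `sizeof (buf)`, `sizeof (difat)`, `sizeof (dir_block)` and `sizeof (workbook->record)` being applied to arrays and not pointers, which these hunks do not show and is worth confirming. In `xls_fread` itself the product `size * nmemb` can wrap around `size_t`; `if (size != 0 && nmemb > bufsz / size) return 0;` makes the helper safe for any arguments. The new guard in `read_biff_next_record` returns -1, the same value as the all-zero header case just above it, so if -1 means a normal end of stream an oversized record would be treated as EOF instead of being reported as a malformed file.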
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..e3c3d30
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-2923_CVE-2017-2924.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/freexl.git