Bug#875690: Fixed in FreeXL 1.0.4

Sebastiaan Couwenberg sebastic at xs4all.nl
Sat Sep 16 22:01:53 UTC 2017


Hi Salvatore,

On 09/13/2017 07:27 PM, Bas Couwenberg wrote:
> Should be fixed in the new upstream release:
> 
> https://groups.google.com/forum/m/#!topic/spatialite-users/Wpj62XSzcZY
> 
> I'm not able to work on this until I return from VAC.

I've cherry-picked the changes from 1.0.4 and prepared updates for
stretch, jessie & wheezy. The changes are available in git, and the
debdiffs are attached.

 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
 * https://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy

Are these OK to upload?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1
-------------- next part --------------
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog	2015-11-13 11:39:37.000000000 +0100
+++ freexl-1.0.0b/debian/changelog	2017-09-16 23:26:04.000000000 +0200
@@ -1,3 +1,10 @@
+freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
+
+  * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+    (closes: #875690, #875691)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Sat, 16 Sep 2017 23:26:04 +0200
+
 freexl (1.0.0b-1+deb7u3) wheezy-security; urgency=high
 
   * Add patch to fix regression introduced by afl-vulnerabilitities.patch.
diff -Nru freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
--- freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0b/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	2017-09-16 23:26:04.000000000 +0200
@@ -0,0 +1,317 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+            https://bugs.debian.org/875691
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -935,6 +935,21 @@ set_sst_value (biff_workbook * workbook,
+     return FREEXL_OK;
+ }
+ 
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/* 
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows 
++/---------------------------
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++    if ((size * nmemb) > bufsz)
++	return 0;
++    return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+ 		 unsigned int directory_start)
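Review bot: The bound check in `xls_fread` computes `size * nmemb` before comparing it with `bufsz`, so a product that wraps around `size_t` would pass the check. Every call site visible in this patch passes `size` as 1, so this is hardening rather than a live defect. A division-based test avoids the wrap: `if (size != 0 && nmemb > bufsz / size) return 0;`. The helper's comment could also state that a return of 0 covers both a request larger than the buffer and a read that returned nothing, since callers only compare the result with the requested count. The same helper is added unchanged in the jessie and stretch copies of the patch further down.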
+@@ -1377,7 +1392,8 @@ read_fat_sector (FILE * xls, fat_chain *
+ 	max_fat = 128;
+ 
+ /* reading a FAT sector */
+-    if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++    if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++	chain->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+ 
+     for (i_fat = 0; i_fat < max_fat; i_fat++)
+@@ -1419,7 +1435,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ 	  if (fseek (xls, where, SEEK_SET) != 0)
+ 	      return FREEXL_CFBF_SEEK_ERROR;
+ 	  /* reading a DIFAT sector */
+-	  if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  blocks++;
+ 	  if (chain->swap)
+@@ -1480,7 +1497,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ 	  unsigned char *p_buf = buf;
+ 	  block++;
+ 	  /* reading a miniFAT sector */
+-	  if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  for (i_fat = 0; i_fat < max_fat; i_fat++)
+ 	    {
+@@ -1508,7 +1526,7 @@ read_cfbf_header (biff_workbook * workbo
+     int ret;
+     unsigned char *p_fat = header.fat_sector_map;
+ 
+-    if (fread (&header, 1, 512, workbook->xls) != 512)
++    if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512)
+       {
+ 	  *err_code = FREEXL_CFBF_READ_ERROR;
+ 	  return NULL;
+@@ -1654,8 +1672,9 @@ read_mini_stream (biff_workbook * workbo
+ 		*errcode = FREEXL_CFBF_SEEK_ERROR;
+ 		return 0;
+ 	    }
+-	  if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	      workbook->fat->sector_size)
++	  if (xls_fread
++	      (sizeof (buf), buf, 1, workbook->fat->sector_size,
++	       workbook->xls) != workbook->fat->sector_size)
+ 	    {
+ 		*errcode = FREEXL_CFBF_READ_ERROR;
+ 		return 0;
+@@ -1987,7 +2006,7 @@ legacy_emergency_dimension (biff_workboo
+ 	  /* looping on BIFF records */
+ 	  if (!first)
+ 	    {
+-		if (fread (&buf, 1, 4, workbook->xls) != 4)
++		if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 		    return 0;
+ 		memcpy (record_type.bytes, buf, 2);
+ 		memcpy (record_size.bytes, buf + 2, 2);
+@@ -2013,9 +2032,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* INTEGER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2040,9 +2059,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* NUMBER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2065,9 +2084,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* RK marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2092,9 +2111,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* LABEL marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2171,7 +2190,7 @@ read_legacy_biff (biff_workbook * workbo
+ 
+ /* attempting to get the main BOF */
+     rewind (workbook->xls);
+-    if (fread (&buf, 1, 4, workbook->xls) != 4)
++    if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	return 0;
+     memcpy (record_type.bytes, buf, 2);
+     memcpy (record_size.bytes, buf + 2, 2);
+@@ -2207,7 +2226,7 @@ read_legacy_biff (biff_workbook * workbo
+       {
+ 	  /* looping on BIFF records */
+ 
+-	  if (fread (&buf, 1, 4, workbook->xls) != 4)
++	  if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	      return 0;
+ 	  memcpy (record_type.bytes, buf, 2);
+ 	  memcpy (record_size.bytes, buf + 2, 2);
+@@ -2233,9 +2252,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_CODEPAGE)
+ 	    {
+ 		/* CODEPAGE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2251,9 +2270,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_DATEMODE)
+ 	    {
+ 		/* DATEMODE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2285,9 +2304,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		int is_date = 0;
+ 		int is_datetime = 0;
+ 		int is_time = 0;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		if (workbook->biff_version == FREEXL_BIFF_VER_2
+@@ -2353,9 +2372,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		/* XF [Extended Format] marker found */
+ 		unsigned char format;
+ 		unsigned short s_format;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		switch (workbook->biff_version)
+ 		  {
+@@ -2385,9 +2404,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		unsigned int rows;
+ 		unsigned short columns;
+ 		char *utf8_name;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record + 2, 2);
+@@ -2435,9 +2454,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2503,9 +2522,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2586,9 +2605,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2688,9 +2707,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -3521,8 +3540,9 @@ read_cfbf_sector (biff_workbook * workbo
+     long where = (workbook->current_sector + 1) * workbook->fat->sector_size;
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+-    if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (biff_workbook), buf, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     return FREEXL_OK;
+ }
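Review bot: In `read_cfbf_sector` the new call passes `sizeof (biff_workbook)` as the buffer size, which is the size of the whole workbook struct rather than of the memory `buf` points to, so the check does not bound the read to the destination. `buf` appears to be a parameter whose declaration is outside the hunk, and `sizeof (buf)` would then give only the pointer size. The real capacity therefore has to be passed in by the caller or taken from the field `buf` points into, which needs confirming against the callers. As written, the guard here is looser than at the other call sites, which take `sizeof` of the destination itself. The jessie copy of the patch carries the same line, and the stretch copy, cut off on this page, presumably does too.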
+@@ -3644,6 +3664,14 @@ read_biff_next_record (biff_workbook * w
+     if (record_type.value == 0x0000 && record_size.value == 0)
+ 	return -1;
+ 
++/*
++/ Sandro 2017-09-07
++/ fixing a security issue reported by
++/ Cisco [TALOS-2017-430]
++*/
++    if (record_size.value > sizeof (workbook->record))
++	return -1;
++
+ /* saving the current record */
+     workbook->record_type = record_type.value;
+     workbook->record_size = record_size.value;
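Review bot: The new size check in `read_biff_next_record` returns -1, the same value the lines just above return for the all-zero record, so the caller cannot tell an oversized record length from that marker. If callers treat -1 as a normal end of stream (they are outside this hunk, so this is an inference), a malformed file would stop parsing silently instead of being reported as an error. Consider returning the function's error value on this path, or at least documenting the choice with a comment such as `/* oversized record: reported as -1, same as the 0x0000/0 marker */`. The function body starts and ends outside the hunk, and the jessie copy of the patch has the same addition.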
+@@ -3823,8 +3851,9 @@ get_workbook_stream (biff_workbook * wor
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a FAT Directory block [sector] */
+-    if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (dir_block), dir_block, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     workbook_start = 0xFFFFFFFF;
+     for (i_entry = 0; i_entry < max_entries; i_entry++)
diff -Nru freexl-1.0.0b/debian/patches/series freexl-1.0.0b/debian/patches/series
--- freexl-1.0.0b/debian/patches/series	2015-11-12 22:23:41.000000000 +0100
+++ freexl-1.0.0b/debian/patches/series	2017-09-16 23:26:04.000000000 +0200
@@ -1,3 +1,4 @@
 afl-vulnerabilitities.patch
 32bit-multiplication-overflow.patch
 afl-vulnerabilitities-regression.patch
+CVE-2017-2923_CVE-2017-2924.patch
-------------- next part --------------
diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
--- freexl-1.0.0g/debian/changelog	2015-11-13 11:31:45.000000000 +0100
+++ freexl-1.0.0g/debian/changelog	2017-09-16 23:26:04.000000000 +0200
@@ -1,3 +1,10 @@
+freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high
+
+  * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+    (closes: #875690, #875691)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Sat, 16 Sep 2017 23:26:04 +0200
+
 freexl (1.0.0g-1+deb8u3) jessie-security; urgency=high
 
   * Add patch to fix regression introduced by afl-vulnerabilitities.patch.
diff -Nru freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
--- freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0g/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	2017-09-16 23:26:04.000000000 +0200
@@ -0,0 +1,352 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+            https://bugs.debian.org/875691
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -941,6 +941,21 @@ set_sst_value (biff_workbook * workbook,
+     return FREEXL_OK;
+ }
+ 
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/* 
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows 
++/---------------------------
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++    if ((size * nmemb) > bufsz)
++	return 0;
++    return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+ 		 unsigned int directory_start)
+@@ -1383,7 +1398,8 @@ read_fat_sector (FILE * xls, fat_chain *
+ 	max_fat = 128;
+ 
+ /* reading a FAT sector */
+-    if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++    if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++	chain->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+ 
+     for (i_fat = 0; i_fat < max_fat; i_fat++)
+@@ -1425,7 +1441,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ 	  if (fseek (xls, where, SEEK_SET) != 0)
+ 	      return FREEXL_CFBF_SEEK_ERROR;
+ 	  /* reading a DIFAT sector */
+-	  if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  blocks++;
+ 	  if (chain->swap)
+@@ -1486,7 +1503,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ 	  unsigned char *p_buf = buf;
+ 	  block++;
+ 	  /* reading a miniFAT sector */
+-	  if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  for (i_fat = 0; i_fat < max_fat; i_fat++)
+ 	    {
+@@ -1514,7 +1532,7 @@ read_cfbf_header (biff_workbook * workbo
+     int ret;
+     unsigned char *p_fat = header.fat_sector_map;
+ 
+-    if (fread (&header, 1, 512, workbook->xls) != 512)
++    if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512)
+       {
+ 	  *err_code = FREEXL_CFBF_READ_ERROR;
+ 	  return NULL;
+@@ -1660,8 +1678,9 @@ read_mini_stream (biff_workbook * workbo
+ 		*errcode = FREEXL_CFBF_SEEK_ERROR;
+ 		return 0;
+ 	    }
+-	  if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	      workbook->fat->sector_size)
++	  if (xls_fread
++	      (sizeof (buf), buf, 1, workbook->fat->sector_size,
++	       workbook->xls) != workbook->fat->sector_size)
+ 	    {
+ 		*errcode = FREEXL_CFBF_READ_ERROR;
+ 		return 0;
+@@ -1993,7 +2012,7 @@ legacy_emergency_dimension (biff_workboo
+ 	  /* looping on BIFF records */
+ 	  if (!first)
+ 	    {
+-		if (fread (&buf, 1, 4, workbook->xls) != 4)
++		if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 		    return 0;
+ 		memcpy (record_type.bytes, buf, 2);
+ 		memcpy (record_size.bytes, buf + 2, 2);
+@@ -2019,9 +2038,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* INTEGER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2046,9 +2065,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* NUMBER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2073,9 +2092,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* BOOLERR marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2098,9 +2117,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* RK marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2125,9 +2144,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* LABEL marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2204,7 +2223,7 @@ read_legacy_biff (biff_workbook * workbo
+ 
+ /* attempting to get the main BOF */
+     rewind (workbook->xls);
+-    if (fread (&buf, 1, 4, workbook->xls) != 4)
++    if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	return 0;
+     memcpy (record_type.bytes, buf, 2);
+     memcpy (record_size.bytes, buf + 2, 2);
+@@ -2240,7 +2259,7 @@ read_legacy_biff (biff_workbook * workbo
+       {
+ 	  /* looping on BIFF records */
+ 
+-	  if (fread (&buf, 1, 4, workbook->xls) != 4)
++	  if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	      return 0;
+ 	  memcpy (record_type.bytes, buf, 2);
+ 	  memcpy (record_size.bytes, buf + 2, 2);
+@@ -2253,7 +2272,7 @@ read_legacy_biff (biff_workbook * workbo
+ 
+ 	  if (record_type.value == BIFF_SHEETSOFFSET)
+ 	    {
+-/* unsupported BIFF4W format */
++		/* unsupported BIFF4W format */
+ 		return 0;
+ 	    }
+ 
+@@ -2266,9 +2285,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_CODEPAGE)
+ 	    {
+ 		/* CODEPAGE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2284,9 +2303,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_DATEMODE)
+ 	    {
+ 		/* DATEMODE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2318,9 +2337,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		int is_date = 0;
+ 		int is_datetime = 0;
+ 		int is_time = 0;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		if (workbook->biff_version == FREEXL_BIFF_VER_2
+@@ -2386,9 +2405,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		/* XF [Extended Format] marker found */
+ 		unsigned char format;
+ 		unsigned short s_format;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		switch (workbook->biff_version)
+ 		  {
+@@ -2418,9 +2437,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		unsigned int rows;
+ 		unsigned short columns;
+ 		char *utf8_name;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record + 2, 2);
+@@ -2468,9 +2487,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2536,9 +2555,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2615,9 +2634,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2668,9 +2687,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2769,9 +2788,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -3636,8 +3655,9 @@ read_cfbf_sector (biff_workbook * workbo
+     long where = (workbook->current_sector + 1) * workbook->fat->sector_size;
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+-    if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (biff_workbook), buf, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     return FREEXL_OK;
+ }
+@@ -3759,6 +3779,14 @@ read_biff_next_record (biff_workbook * w
+     if (record_type.value == 0x0000 && record_size.value == 0)
+ 	return -1;
+ 
++/*
++/ Sandro 2017-09-07
++/ fixing a security issue reported by
++/ Cisco [TALOS-2017-430]
++*/
++    if (record_size.value > sizeof (workbook->record))
++	return -1;
++
+ /* saving the current record */
+     workbook->record_type = record_type.value;
+     workbook->record_size = record_size.value;
+@@ -3938,8 +3966,9 @@ get_workbook_stream (biff_workbook * wor
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a FAT Directory block [sector] */
+-    if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (dir_block), dir_block, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     workbook_start = 0xFFFFFFFF;
+     for (i_entry = 0; i_entry < max_entries; i_entry++)
diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series
--- freexl-1.0.0g/debian/patches/series	2015-11-12 22:23:41.000000000 +0100
+++ freexl-1.0.0g/debian/patches/series	2017-09-16 23:26:04.000000000 +0200
@@ -1,3 +1,4 @@
 afl-vulnerabilitities.patch
 32bit-multiplication-overflow.patch
 afl-vulnerabilitities-regression.patch
+CVE-2017-2923_CVE-2017-2924.patch
-------------- next part --------------
diff -Nru freexl-1.0.2/debian/changelog freexl-1.0.2/debian/changelog
--- freexl-1.0.2/debian/changelog	2016-05-01 03:11:00.000000000 +0200
+++ freexl-1.0.2/debian/changelog	2017-09-16 23:19:22.000000000 +0200
@@ -1,3 +1,11 @@
+freexl (1.0.2-2+deb9u1) stretch-security; urgency=high
+
+  * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
+    (closes: #875690, #875691)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Sat, 16 Sep 2017 23:19:22 +0200
+
 freexl (1.0.2-2) unstable; urgency=medium
 
   * Update Vcs-* URLs to use HTTPS.
diff -Nru freexl-1.0.2/debian/control freexl-1.0.2/debian/control
--- freexl-1.0.2/debian/control	2016-04-15 17:15:12.000000000 +0200
+++ freexl-1.0.2/debian/control	2017-09-16 23:05:24.000000000 +0200
@@ -9,7 +9,7 @@
                dh-autoreconf
 Standards-Version: 3.9.8
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-grass/freexl.git
-Vcs-Git: https://anonscm.debian.org/git/pkg-grass/freexl.git
+Vcs-Git: https://anonscm.debian.org/git/pkg-grass/freexl.git -b stretch
 Homepage: https://www.gaia-gis.it/fossil/freexl/
 
 Package: libfreexl-dev
diff -Nru freexl-1.0.2/debian/gbp.conf freexl-1.0.2/debian/gbp.conf
--- freexl-1.0.2/debian/gbp.conf	2015-11-20 01:03:15.000000000 +0100
+++ freexl-1.0.2/debian/gbp.conf	2017-09-16 23:05:16.000000000 +0200
@@ -6,7 +6,7 @@
 
 # The default name for the Debian branch is "master".
 # Change it if the name is different (for instance, "debian/unstable").
-debian-branch = master
+debian-branch = stretch
 
 # git-import-orig uses the following names for the upstream tags.
 # Change the value if you are not using git-import-orig
diff -Nru freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch
--- freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.2/debian/patches/CVE-2017-2923_CVE-2017-2924.patch	2017-09-16 23:16:52.000000000 +0200
@@ -0,0 +1,352 @@
+Description: fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431
+ CVE-2017-2923 & CVE-2017-2924
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8
+Bug-Debian: https://bugs.debian.org/875690
+            https://bugs.debian.org/875691
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -951,6 +951,21 @@ set_sst_value (biff_workbook * workbook,
+     return FREEXL_OK;
+ }
+ 
++static size_t
++xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl)
++{
++/* 
++/ Sandro 2017-09-07
++/ secure version of "fread" checking against buffer overflows 
++/---------------------------
++/ expected to fix the issue reported by
++/ Cisco [TALOS-2017-431]
++*/
++    if ((size * nmemb) > bufsz)
++	return 0;
++    return fread (buf, size, nmemb, fl);
++}
++
+ static fat_chain *
+ alloc_fat_chain (int swap, unsigned short sector_shift,
+ 		 unsigned int directory_start)
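Review bot: The guard in `xls_fread` computes `size * nmemb` in `size_t`, so a large enough pair wraps around and passes the `> bufsz` test. Every call visible in this patch passes `size` 1, so the wrap is latent, but the helper is introduced as the checked replacement for `fread` and should not depend on that. A division-based test avoids it: `if (size != 0 && nmemb > bufsz / size) return 0;`. The header comment should also say that `bufsz` is the capacity of `buf` in bytes (callers must pass `sizeof` of an array, not of a pointer) and that a refused read returns 0, which callers cannot tell apart from a failed read.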
+@@ -1393,7 +1408,8 @@ read_fat_sector (FILE * xls, fat_chain *
+ 	max_fat = 128;
+ 
+ /* reading a FAT sector */
+-    if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size)
++    if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) !=
++	chain->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+ 
+     for (i_fat = 0; i_fat < max_fat; i_fat++)
+@@ -1435,7 +1451,8 @@ read_difat_sectors (FILE * xls, fat_chai
+ 	  if (fseek (xls, where, SEEK_SET) != 0)
+ 	      return FREEXL_CFBF_SEEK_ERROR;
+ 	  /* reading a DIFAT sector */
+-	  if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  blocks++;
+ 	  if (chain->swap)
+@@ -1496,7 +1513,8 @@ read_miniFAT_sectors (FILE * xls, fat_ch
+ 	  unsigned char *p_buf = buf;
+ 	  block++;
+ 	  /* reading a miniFAT sector */
+-	  if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size)
++	  if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) !=
++	      chain->sector_size)
+ 	      return FREEXL_CFBF_READ_ERROR;
+ 	  for (i_fat = 0; i_fat < max_fat; i_fat++)
+ 	    {
+@@ -1524,7 +1542,7 @@ read_cfbf_header (biff_workbook * workbo
+     int ret;
+     unsigned char *p_fat = header.fat_sector_map;
+ 
+-    if (fread (&header, 1, 512, workbook->xls) != 512)
++    if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512)
+       {
+ 	  *err_code = FREEXL_CFBF_READ_ERROR;
+ 	  return NULL;
+@@ -1670,8 +1688,9 @@ read_mini_stream (biff_workbook * workbo
+ 		*errcode = FREEXL_CFBF_SEEK_ERROR;
+ 		return 0;
+ 	    }
+-	  if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	      workbook->fat->sector_size)
++	  if (xls_fread
++	      (sizeof (buf), buf, 1, workbook->fat->sector_size,
++	       workbook->xls) != workbook->fat->sector_size)
+ 	    {
+ 		*errcode = FREEXL_CFBF_READ_ERROR;
+ 		return 0;
+@@ -2003,7 +2022,7 @@ legacy_emergency_dimension (biff_workboo
+ 	  /* looping on BIFF records */
+ 	  if (!first)
+ 	    {
+-		if (fread (&buf, 1, 4, workbook->xls) != 4)
++		if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 		    return 0;
+ 		memcpy (record_type.bytes, buf, 2);
+ 		memcpy (record_size.bytes, buf + 2, 2);
+@@ -2029,9 +2048,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* INTEGER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
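Review bot: The new call bounds `record_size.value` from above only, and the `memcpy` that follows in this hunk still takes 2 bytes from `workbook->record` whatever length the record declared. With a declared length of 0 or 1 the read succeeds and the parser consumes bytes that this read did not fill, unless a minimum length is enforced outside the hunk. A lower bound before the copy, sized to the fields the branch parses, would close that, e.g. `if (record_size.value < 2) return 0;`. The NUMBER, BOOLERR, RK and LABEL hunks of this function and the CODEPAGE and DATEMODE hunks of `read_legacy_biff` have the same shape; the function body starts and ends outside the hunk.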
+@@ -2056,9 +2075,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* NUMBER marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2083,9 +2102,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* BOOLERR marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2108,9 +2127,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* RK marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2135,9 +2154,9 @@ legacy_emergency_dimension (biff_workboo
+ 		/* LABEL marker found */
+ 		biff_word16 word16;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2214,7 +2233,7 @@ read_legacy_biff (biff_workbook * workbo
+ 
+ /* attempting to get the main BOF */
+     rewind (workbook->xls);
+-    if (fread (&buf, 1, 4, workbook->xls) != 4)
++    if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	return 0;
+     memcpy (record_type.bytes, buf, 2);
+     memcpy (record_size.bytes, buf + 2, 2);
+@@ -2250,7 +2269,7 @@ read_legacy_biff (biff_workbook * workbo
+       {
+ 	  /* looping on BIFF records */
+ 
+-	  if (fread (&buf, 1, 4, workbook->xls) != 4)
++	  if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4)
+ 	      return 0;
+ 	  memcpy (record_type.bytes, buf, 2);
+ 	  memcpy (record_size.bytes, buf + 2, 2);
+@@ -2263,7 +2282,7 @@ read_legacy_biff (biff_workbook * workbo
+ 
+ 	  if (record_type.value == BIFF_SHEETSOFFSET)
+ 	    {
+-/* unsupported BIFF4W format */
++		/* unsupported BIFF4W format */
+ 		return 0;
+ 	    }
+ 
+@@ -2276,9 +2295,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_CODEPAGE)
+ 	    {
+ 		/* CODEPAGE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2294,9 +2313,9 @@ read_legacy_biff (biff_workbook * workbo
+ 	  if (record_type.value == BIFF_DATEMODE)
+ 	    {
+ 		/* DATEMODE marker found */
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		memcpy (word16.bytes, workbook->record, 2);
+ 		if (swap)
+@@ -2328,9 +2347,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		int is_date = 0;
+ 		int is_datetime = 0;
+ 		int is_time = 0;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		if (workbook->biff_version == FREEXL_BIFF_VER_2
+@@ -2396,9 +2415,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		/* XF [Extended Format] marker found */
+ 		unsigned char format;
+ 		unsigned short s_format;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 		switch (workbook->biff_version)
+ 		  {
+@@ -2428,9 +2447,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		unsigned int rows;
+ 		unsigned short columns;
+ 		char *utf8_name;
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record + 2, 2);
+@@ -2478,9 +2497,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2546,9 +2565,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2625,9 +2644,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2678,9 +2697,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -2779,9 +2798,9 @@ read_legacy_biff (biff_workbook * workbo
+ 		    (workbook, swap, record_type.value, record_size.value))
+ 		    return 0;
+ 
+-		if (fread
+-		    (workbook->record, 1, record_size.value,
+-		     workbook->xls) != record_size.value)
++		if (xls_fread
++		    (sizeof (workbook->record), workbook->record, 1,
++		     record_size.value, workbook->xls) != record_size.value)
+ 		    return 0;
+ 
+ 		memcpy (word16.bytes, workbook->record, 2);
+@@ -3646,8 +3665,9 @@ read_cfbf_sector (biff_workbook * workbo
+     long where = (workbook->current_sector + 1) * workbook->fat->sector_size;
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+-    if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (biff_workbook), buf, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     return FREEXL_OK;
+ }
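Review bot: The capacity passed to `xls_fread` in `read_cfbf_sector` is `sizeof (biff_workbook)`, the size of the whole workbook structure, not the size of the memory `buf` points to, so the check does not bound the write into `buf`. `buf` is used as a plain pointer in this call and its declaration is outside the hunk (the signature is truncated in the hunk header), so its real capacity is presumably known only to the caller; if it is smaller than the structure, a `sector_size` between the two values still overruns it. The destination capacity should reach the check, for instance as an extra parameter: `xls_fread (bufsz, buf, 1, workbook->fat->sector_size, workbook->xls)`. Alternatively `workbook->fat->sector_size` could be validated once against the sector buffer size where the header is parsed.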
+@@ -3769,6 +3789,14 @@ read_biff_next_record (biff_workbook * w
+     if (record_type.value == 0x0000 && record_size.value == 0)
+ 	return -1;
+ 
++/*
++/ Sandro 2017-09-07
++/ fixing a security issue reported by
++/ Cisco [TALOS-2017-430]
++*/
++    if (record_size.value > sizeof (workbook->record))
++	return -1;
++
+ /* saving the current record */
+     workbook->record_type = record_type.value;
+     workbook->record_size = record_size.value;
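Review bot: The added size check returns -1, the same value the check just above it returns for a record of type 0x0000 and size 0, so a caller cannot tell an oversized, malformed record from that case. What -1 means to callers is not visible in this hunk; if it is treated as a normal end of the stream, a truncated or malformed file would be accepted as a shorter valid workbook instead of being rejected. Returning the function's error value here would make the rejection explicit. If -1 is intended, the comment should say so, e.g. `/ an oversized record is reported like end-of-stream (-1); the caller stops reading`. The function body starts and ends outside the hunk.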
+@@ -3948,8 +3976,9 @@ get_workbook_stream (biff_workbook * wor
+     if (fseek (workbook->xls, where, SEEK_SET) != 0)
+ 	return FREEXL_CFBF_SEEK_ERROR;
+ /* reading a FAT Directory block [sector] */
+-    if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) !=
+-	workbook->fat->sector_size)
++    if (xls_fread
++	(sizeof (dir_block), dir_block, 1, workbook->fat->sector_size,
++	 workbook->xls) != workbook->fat->sector_size)
+ 	return FREEXL_CFBF_READ_ERROR;
+     workbook_start = 0xFFFFFFFF;
+     for (i_entry = 0; i_entry < max_entries; i_entry++)
diff -Nru freexl-1.0.2/debian/patches/series freexl-1.0.2/debian/patches/series
--- freexl-1.0.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.2/debian/patches/series	2017-09-16 23:11:29.000000000 +0200
@@ -0,0 +1 @@
+CVE-2017-2923_CVE-2017-2924.patch

