[freexl] 01/02: Add upstream patch to fix various heap-buffer-overflows.

Bas Couwenberg sebastic at debian.org
Fri Feb 23 10:28:25 UTC 2018 

This is an automated email from the git hooks/post-receive script.

sebastic pushed a commit to branch jessie
in repository freexl.

commit e5b6913315f8ec5b7a90e4f8687a33484bf471a3
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date:   Fri Feb 23 10:57:09 2018 +0100

    Add upstream patch to fix various heap-buffer-overflows.
    
    - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547879
    - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
      https://bugzilla.redhat.com/show_bug.cgi?id=1547883
    - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547885
    - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547889
    - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
      https://bugzilla.redhat.com/show_bug.cgi?id=1547892
---
 debian/changelog                          |  18 +++++
 debian/patches/security-fixes-1.0.5.patch | 122 ++++++++++++++++++++++++++++++
 debian/patches/series                     |   1 +
 3 files changed, 141 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 07745f5..0206647 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+freexl (1.0.0g-1+deb8u5) UNRELEASED; urgency=medium
+
+  * Add upstream patch to fix various heap-buffer-overflows.
+    - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+      https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+    - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+      https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+    - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+      https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+    - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+      1.0.4
+      https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+    - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+      FreeXL 1.0.4
+      https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg <sebastic at debian.org>  Fri, 23 Feb 2018 10:55:00 +0100
+
 freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high
 
   * Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
diff --git a/debian/patches/security-fixes-1.0.5.patch b/debian/patches/security-fixes-1.0.5.patch
new file mode 100644
index 0000000..41cb7e7
--- /dev/null
+++ b/debian/patches/security-fixes-1.0.5.patch
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+        https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+        https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
++++ b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY	-25 /**< The MiniFAT stream 
+                                                      contains an invalid entry.
+                                                      Possibly a corrupt file. */
++#define FREEXL_CRAFTED_FILE			-26 /**< A severely corrupted file
++                                                 (may be purposely crafted for 
++                                                 malicious purposes) has been 
++                                                 detected. */
++
+ 
+     /**
+      Container for a cell value
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1098,6 +1098,11 @@ allocate_cells (biff_workbook * workbook
+ 	return FREEXL_INSUFFICIENT_MEMORY;
+ 
+ /* allocating the cell values array */
++    if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
++      {
++	  workbook->active_sheet->cell_values = NULL;
++	  return FREEXL_OK;
++      }
+     workbook->active_sheet->cell_values =
+ 	malloc (sizeof (biff_cell_value) *
+ 		(workbook->active_sheet->rows *
+@@ -1788,6 +1793,12 @@ parse_SST (biff_workbook * workbook, int
+ 		      unsigned int i;
+ 		      for (i = 0; i < len; i++)
+ 			{
++			    if (p_string - workbook->record >=
++				workbook->record_size)
++			      {
++				  /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
++				  return FREEXL_CRAFTED_FILE;
++			      }
+ 			    *(utf16_buf + (utf16_off * 2) + (i * 2)) =
+ 				*p_string;
+ 			    p_string++;
+@@ -1888,6 +1899,11 @@ parse_SST (biff_workbook * workbook, int
+ 		return FREEXL_OK;
+ 	    }
+ 
++	  if (len <= 0)
++	    {
++		/* zero length - it's a preasumable crafted file intended to crash FreeXL */
++		return FREEXL_CRAFTED_FILE;
++	    }
+ 	  if (!parse_unicode_string
+ 	      (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
+ 	      return FREEXL_INVALID_CHARACTER;
+@@ -3041,6 +3057,11 @@ parse_biff_record (biff_workbook * workb
+ 	  if (swap)
+ 	      swap32 (&offset);
+ 	  len = workbook->record[6];
++	  if (len <= 0)
++	    {
++		/* zero length - it's a preasumable crafted file intended to crash FreeXL */
++		return FREEXL_CRAFTED_FILE;
++	    }
+ 	  if (workbook->biff_version == FREEXL_BIFF_VER_5)
+ 	    {
+ 		/* BIFF5: codepage text */
+@@ -3200,6 +3221,11 @@ parse_biff_record (biff_workbook * workb
+ 		get_unicode_params (p_string, swap, &start_offset, &utf16,
+ 				    &extra_skip);
+ 		p_string += start_offset;
++		if (len <= 0)
++		  {
++		      /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++		      return FREEXL_CRAFTED_FILE;
++		  }
+ 		if (!parse_unicode_string
+ 		    (workbook->utf16_converter, len, utf16, p_string,
+ 		     &utf8_string))
+@@ -3594,6 +3620,11 @@ parse_biff_record (biff_workbook * workb
+ 		get_unicode_params (p_string, swap, &start_offset, &utf16,
+ 				    &extra_skip);
+ 		p_string += start_offset;
++		if (len <= 0)
++		  {
++		      /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++		      return FREEXL_CRAFTED_FILE;
++		  }
+ 		if (!parse_unicode_string
+ 		    (workbook->utf16_converter, len, utf16, p_string,
+ 		     &utf8_string))
+@@ -3876,6 +3907,9 @@ read_mini_biff_next_record (biff_workboo
+     workbook->record_type = record_type.value;
+     workbook->record_size = record_size.value;
+ 
++    if (workbook->record_size >= 8192)
++	return 0;		/* malformed or crafted file */
++
+     if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+         (int) workbook->size)
+         return 0;		/* unexpected EOF */
diff --git a/debian/patches/series b/debian/patches/series
index c920916..91b6eaa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ afl-vulnerabilitities.patch
 32bit-multiplication-overflow.patch
 afl-vulnerabilitities-regression.patch
 CVE-2017-2923_CVE-2017-2924.patch
+security-fixes-1.0.5.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-grass/freexl.git

More information about the Pkg-grass-devel mailing list