[Git][debian-gis-team/freexl][wheezy] 2 commits: Add upstream patch to fix various heap-buffer-overflows.
Bas Couwenberg
gitlab at salsa.debian.org
Fri Feb 23 10:28:43 UTC 2018
Bas Couwenberg pushed to branch wheezy at Debian GIS Project / freexl
Commits:
03821798 by Bas Couwenberg at 2018-02-23T11:19:05+01:00
Add upstream patch to fix various heap-buffer-overflows.
- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547879
- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
https://bugzilla.redhat.com/show_bug.cgi?id=1547883
- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547885
- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547889
- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547892
- - - - -
367d36f2 by Bas Couwenberg at 2018-02-23T11:19:05+01:00
Set distribution to wheezy-security.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/security-fixes-1.0.5.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+freexl (1.0.0b-1+deb7u5) wheezy-security; urgency=high
+
+ * Add upstream patch to fix various heap-buffer-overflows.
+ - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+ 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+ FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg <sebastic at debian.org> Fri, 23 Feb 2018 11:04:45 +0100
+
freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
* Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
=====================================
debian/patches/security-fixes-1.0.5.patch
=====================================
--- /dev/null
+++ b/debian/patches/security-fixes-1.0.5.patch
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri <a.furieri at lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
++++ b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY -25 /**< The MiniFAT stream
+ contains an invalid entry.
+ Possibly a corrupt file. */
++#define FREEXL_CRAFTED_FILE -26 /**< A severely corrupted file
++ (may be purposely crafted for
++ malicious purposes) has been
++ detected. */
++
+
+ /**
+ Container for a cell value
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1092,6 +1092,11 @@ allocate_cells (biff_workbook * workbook
+ return FREEXL_INSUFFICIENT_MEMORY;
+
+ /* allocating the cell values array */
++ if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
++ {
++ workbook->active_sheet->cell_values = NULL;
++ return FREEXL_OK;
++ }
+ workbook->active_sheet->cell_values =
+ malloc (sizeof (biff_cell_value) *
+ (workbook->active_sheet->rows *
+@@ -1782,6 +1787,12 @@ parse_SST (biff_workbook * workbook, int
+ unsigned int i;
+ for (i = 0; i < len; i++)
+ {
++ if (p_string - workbook->record >=
++ workbook->record_size)
++ {
++ /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ *(utf16_buf + (utf16_off * 2) + (i * 2)) =
+ *p_string;
+ p_string++;
+@@ -1882,6 +1893,11 @@ parse_SST (biff_workbook * workbook, int
+ return FREEXL_OK;
+ }
+
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
+ return FREEXL_INVALID_CHARACTER;
+@@ -2960,6 +2976,11 @@ parse_biff_record (biff_workbook * workb
+ if (swap)
+ swap32 (&offset);
+ len = workbook->record[6];
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (workbook->biff_version == FREEXL_BIFF_VER_5)
+ {
+ /* BIFF5: codepage text */
+@@ -3119,6 +3140,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3479,6 +3505,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3761,6 +3792,9 @@ read_mini_biff_next_record (biff_workboo
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+
++ if (workbook->record_size >= 8192)
++ return 0; /* malformed or crafted file */
++
+ if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+ (int) workbook->size)
+ return 0; /* unexpected EOF */
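Review bot: The new guard in allocate_cells (first src/freexl.c hunk) tests the product `rows * columns <= 0` rather than the two factors, so if those fields are signed ints an overflowing product is undefined behaviour and a wrapped-but-positive result passes the check and undersizes the `malloc (sizeof (biff_cell_value) * (rows * columns ...))` that follows. Checking the factors first, `if (rows <= 0 || columns <= 0)`, and then `if (rows > INT_MAX / columns)` before multiplying would close that; the field types are not visible here and the earlier 32bit-multiplication-overflow.patch in the series may already cover the malloc, so please confirm against the header. In read_mini_biff_next_record the added bound `if (workbook->record_size >= 8192)` is a bare magic number; if it mirrors the size of the `workbook->record` buffer it should be a named constant or `sizeof` expression shared with that allocation so the two cannot drift, and the same bound presumably belongs in the non-mini record reader if it does not already have one. The repeated comment text `it's a preasumable crafted file` should read `presumably`. allocate_cells, parse_SST, parse_biff_record and read_mini_biff_next_record all begin and end outside their hunks.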
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ afl-vulnerabilitities.patch
32bit-multiplication-overflow.patch
afl-vulnerabilitities-regression.patch
CVE-2017-2923_CVE-2017-2924.patch
+security-fixes-1.0.5.patch