Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package unrtf

It fixes two security holes reported in #772811, CVE-2014-9274 and CVE-2014-9275. Additionally, it fixes an access to already freed memory (these two patches, 0004 and 0005 have to go together). debdiff attached.

unblock unrtf/0.21.5-2

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru unrtf-0.21.5/debian/changelog unrtf-0.21.5/debian/changelog --- unrtf-0.21.5/debian/changelog 2013-11-30 12:30:28.000000000 +0100 +++ unrtf-0.21.5/debian/changelog 2014-12-22 20:20:50.000000000 +0100 @@ -1,3 +1,14 @@ +unrtf (0.21.5-2) unstable; urgency=medium + + * Security fixes, closes: #772811 + - Fix CVE-2014-9274: check that accesses to color table stay within bounds + - Fix CVE-2014-9275: various crashes + * possible security fixes: + - Fix Invalid read of size 4 in attr_get_param + - attr_get_param(): Silence a warning message again + + -- Willi Mann <wi...@debian.org> Mon, 22 Dec 2014 20:20:33 +0100 + unrtf (0.21.5-1) unstable; urgency=low * Imported Upstream version 0.21.5 diff -Nru unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch --- unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/0001-check-that-accesses-to-color-table-stay-within-bound.patch 2014-12-21 22:04:20.000000000 +0100 
@@ -0,0 +1,55 @@ +From: Jean-Francois Dockes <j...@recoll.org> +Date: Sun, 21 Dec 2014 10:08:26 +0100 +Subject: check that accesses to color table stay within bounds, + esp that the color number is positive. This fixes {\cb-999} crashing + unrtf + +This fixes CVE-2014-9274, according to http://www.openwall.com/lists/oss-security/2014/12/04/15 + +Origin: https://bitbucket.org/medoc/unrtf-int/commits/b0cef89a170a66bc48f8dd288ce562ea8ca91f7a/raw/ +Bug-Debian: http://bugs.debian.org/772811 +--- + src/convert.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/src/convert.c b/src/convert.c +index e563473..96bf438 100644 +--- a/src/convert.c ++++ b/src/convert.c +@@ -868,6 +868,9 @@ process_color_table (Word *w) + r=g=b=0; + + while(w) { ++ if (total_colors >= MAX_COLORS) { ++ break; ++ } + char *s = word_string (w); + + if (!strncmp("\\red",s,4)) { +@@ -921,7 +924,7 @@ static int + cmd_cf (Word *w, int align, char has_param, int num) { + char str[40]; + +- if (!has_param || num>=total_colors) { ++ if (!has_param || num < 0 || num>=total_colors) { + warning_handler ("font color change attempted is invalid"); + } + else +@@ -948,7 +951,7 @@ static int + cmd_cb (Word *w, int align, char has_param, int num) { + char str[40]; + +- if (!has_param || num>=total_colors) { ++ if (!has_param || num < 0 || num>=total_colors) { + warning_handler ("font color change attempted is invalid"); + } + else +@@ -1153,7 +1156,7 @@ cmd_highlight (Word *w, int align, char has_param, int num) + { + char str[40]; + +- if (!has_param || num>=total_colors) { ++ if (!has_param || num < 0 || num>=total_colors) { + warning_handler ("font background color change attempted is invalid"); + } + else diff -Nru unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch --- 
unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch 2014-12-21 22:04:20.000000000 +0100 @@ -0,0 +1,29 @@ +From: Jean-Francois Dockes <j...@recoll.org> +Date: Sun, 21 Dec 2014 10:47:03 +0100 +Subject: Need to process word chars as unsigned. Else char with hi bit set + can crash program + +Partially fixes CVE-2014-9275, according to +https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html + +Origin: https://bitbucket.org/medoc/unrtf-int/commits/1df886f2e65f7c512a6217588ae8d94d4bcbc63d/raw/ +Bug-Debian: http://bugs.debian.org/772811 +--- + src/hash.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/hash.c b/src/hash.c +index b886d1e..67c6a25 100644 +--- a/src/hash.c ++++ b/src/hash.c +@@ -133,8 +133,8 @@ hashitem_new (char *str) + + hi->str = my_strdup(str); + +- i = *str; +- if (i=='\\') i=str[1]; ++ i = (unsigned char)*str; ++ if (i=='\\') i=(unsigned char)str[1]; + i <<= 24; + hi->value = i | (hash_value++ & 0xffffff); + hi->next = NULL; diff -Nru unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch --- unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch 2014-12-21 22:04:20.000000000 +0100 
@@ -0,0 +1,128 @@ +From: Jean-Francois Dockes <j...@recoll.org> +Date: Sun, 21 Dec 2014 10:51:47 +0100 +Subject: Fix a number of possible crashes caused by a bad format causing + word_string() to return NULL + +Second fix for CVE-2014-9275, according to +https://lists.gnu.org/archive/html/bug-unrtf/2014-12/msg00001.html + +Origin: https://bitbucket.org/medoc/unrtf-int/commits/3c7ff3f888de0f0d957fe67b6bd4bec9c0d475f3/raw/ +Bug-Debian: http://bugs.debian.org/772811 +--- + src/convert.c | 28 +++++++++++++++++----------- + 1 file changed, 17 insertions(+), 11 deletions(-) + +diff --git a/src/convert.c b/src/convert.c +index 96bf438..bd84398 100644 +--- a/src/convert.c ++++ b/src/convert.c +@@ -278,6 +278,8 @@ word_dump_date (Word *w) + CHECK_PARAM_NOT_NULL(w); + while (w) { + char *s = word_string (w); ++ if (!s) ++ return; + if (*s == '\\') { + ++s; + if (!strncmp (s, "yr", 2) && isdigit(s[2])) { +@@ -524,6 +526,8 @@ process_font_table (Word *w) + + if ((w2 = w->child)) { + tmp = word_string(w2); ++ if (!tmp) ++ break; + if (!strncmp("\\f", tmp, 2)) { + num = atoi(&tmp[2]); + name[0] = 0; +@@ -704,7 +708,8 @@ process_info_group (Word *w) + char *s; + + s = word_string(child); +- ++ if (!s) ++ return; + if (!inline_mode) { + if (!strcmp("\\title", s)) { + +@@ -712,11 +717,11 @@ process_info_group (Word *w) + w2=child->next; + while (w2) { + char *s2 = word_string(w2); +- if (s2[0] != '\\') ++ if (s2 && s2[0] != '\\') + { + print_with_special_exprs (s2); + } +- else ++ else if (s2) + { + if (s2[1] == '\'') + { +@@ -735,7 +740,7 @@ process_info_group (Word *w) + w2=child->next; + while (w2) { + char *s2 = word_string(w2); +- if (s2[0] != '\\') ++ if (s2 && s2[0] != '\\') + printf("%s,", s2); + w2 = w2->next; + } +@@ -746,7 +751,7 @@ process_info_group (Word *w) + w2=child->next; + while (w2) { + char *s2 = word_string(w2); +- if (s2[0] != '\\') ++ if (s2 && s2[0] != '\\') + printf("%s", s2); + w2 = w2->next; + } +@@ -758,7 +763,7 @@ process_info_group (Word *w) + 
w2=child->next; + while (w2) { + char *s2 = word_string(w2); +- if (s2[0] != '\\') ++ if (s2 && s2[0] != '\\') + printf("%s", s2); + w2 = w2->next; + } +@@ -868,11 +873,10 @@ process_color_table (Word *w) + r=g=b=0; + + while(w) { +- if (total_colors >= MAX_COLORS) { ++ char *s = word_string (w); ++ if (s == 0 || total_colors >= MAX_COLORS) { + break; + } +- char *s = word_string (w); +- + if (!strncmp("\\red",s,4)) { + r = atoi(&s[4]); + while(r>255) r>>=8; +@@ -1010,6 +1014,8 @@ cmd_field (Word *w, int align, char has_param, int num) { + char *s; + + s = word_string(child); ++ if (!s) ++ return FALSE; + #if 1 /* daved experimenting with fldrslt */ + if(!strcmp("\\fldrslt", s)) + return FALSE; +@@ -1033,7 +1039,7 @@ cmd_field (Word *w, int align, char has_param, int num) { + if (s && !strcmp(s, "SYMBOL") ) + { + w4=w3->next; +- while(w4 && !strcmp(word_string(w4), " ")) ++ while(w4 && word_string(w4) && !strcmp(word_string(w4), " ")) + w4 = w4->next; + s4 = word_string(w4); + if (s4) +@@ -1061,7 +1067,7 @@ cmd_field (Word *w, int align, char has_param, int num) { + Word *w4; + char *s4; + w4=w3->next; +- while (w4 && !strcmp(" ", word_string(w4))) ++ while (w4 && word_string(w4) && !strcmp(" ", word_string(w4))) + w4=w4->next; + if (w4) { + s4=word_string(w4); diff -Nru unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch --- unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/0004-attrstack_drop-Properly-drop-the-last-stack-element.patch 2014-12-21 22:04:20.000000000 +0100 
@@ -0,0 +1,37 @@ +From: Fabian Keil <f...@fabiankeil.de> +Date: Thu, 4 Dec 2014 18:15:29 +0100 +Subject: attrstack_drop(): Properly drop the last stack element + +Previously stack_of_stacks_top would point to free'd memory, +resulting in: + +==38960== Invalid read of size 4 +==38960== at 0x402853: attr_get_param (attr.c:355) +==38960== by 0x40818A: word_print_core (convert.c:3412) +==38960== by 0x406DBC: word_print (convert.c:3451) +==38960== by 0x40CA27: main (main.c:267) +==38960== Address 0x1e065e0 is 90,000 bytes inside a block of size 90,016 free'd +==38960== at 0x1068498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) +==38960== by 0x40CBD3: my_free (malloc.c:91) +==38960== by 0x402E8C: attrstack_drop (attr.c:582) +==38960== by 0x40812F: word_print_core (convert.c:3403) +==38960== by 0x406DBC: word_print (convert.c:3451) +==38960== by 0x40CA27: main (main.c:267) +==38960== +--- + src/attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/attr.c b/src/attr.c +index bc19b6c..2c2552b 100644 +--- a/src/attr.c ++++ b/src/attr.c +@@ -571,7 +571,7 @@ attrstack_drop () + while(prev_stack && prev_stack->next && prev_stack->next != stack) + prev_stack = prev_stack->next; + +- if (prev_stack) { ++ if (prev_stack && (prev_stack != stack_of_stacks_top)) { + stack_of_stacks_top = prev_stack; + prev_stack->next = NULL; + } else { diff -Nru unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch --- unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/0005-attr_get_param-Silence-a-warning-message-again.patch 2014-12-21 22:04:20.000000000 +0100 
@@ -0,0 +1,32 @@ +From: Fabian Keil <f...@fabiankeil.de> +Date: Thu, 4 Dec 2014 18:20:12 +0100 +Subject: attr_get_param(): Silence a warning message again + +attr_get_param(ATTR_ENCODING) is always called once without a stack +being available, but previously the use-after-free prevented the +warning. +--- + src/attr.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/attr.c b/src/attr.c +index 2c2552b..0337fd0 100644 +--- a/src/attr.c ++++ b/src/attr.c +@@ -348,8 +348,14 @@ attr_get_param(int attr) + int i; + AttrStack *stack = stack_of_stacks_top; + if (!stack) { +- warning_handler("No stack to get attribute from"); +- return; ++ if (attr != ATTR_ENCODING) { ++ /* ++ * attr_get_param(ATTR_ENCODING) is always called ++ * called once without a stack being available. ++ */ ++ warning_handler("No stack to get attribute from"); ++ } ++ return NULL; + } + + i=stack->tos; diff -Nru unrtf-0.21.5/debian/patches/series unrtf-0.21.5/debian/patches/series --- unrtf-0.21.5/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ unrtf-0.21.5/debian/patches/series 2014-12-21 22:04:20.000000000 +0100 @@ -0,0 +1,5 @@ +0001-check-that-accesses-to-color-table-stay-within-bound.patch +0002-Need-to-process-word-chars-as-unsigned.-Else-char-wi.patch +0003-Fix-a-number-of-possible-crashes-caused-by-a-bad-for.patch +0004-attrstack_drop-Properly-drop-the-last-stack-element.patch +0005-attr_get_param-Silence-a-warning-message-again.patch
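Review bot: the changelog hunk files patch 0004 under "possible security fixes", but its own description (valgrind "Invalid read of size 4" in attr_get_param on memory freed by attrstack_drop) is a use-after-free, so it belongs next to the CVE entries, and the changelog should record what the cover text says: 0004 and 0005 have to ship together, since 0005 only silences the warning that 0004's fix exposes.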
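Review bot: in the 0001 process_color_table hunk the new `if (total_colors >= MAX_COLORS) { break; }` is placed before `char *s = word_string (w);`, a declaration after a statement that is not valid C89; patch 0003 later reorders these lines, but 0001 on its own should put the check after the declaration. The `break` also drops any colours beyond MAX_COLORS silently; a warning_handler call, as cmd_cf does for a bad index, would make the truncation visible.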
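Review bot: the cmd_cf, cmd_cb and cmd_highlight hunks copy the same test `if (!has_param || num < 0 || num>=total_colors)` into three places; a small helper (e.g. `static int color_index_ok(char has_param, int num)`) would keep them in sync the next time the bounds change. The check itself is right: the added `num < 0` is what rejects the `{\cb-999}` case named in the patch subject.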
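Review bot: in the hashitem_new hunk, `i = (unsigned char)*str;` stops the sign extension, but `i <<= 24;` two lines later still shifts a value of up to 255 into bit 31; if `i` is a signed int (its declaration is outside the hunk) that is signed overflow for any byte >= 0x80, so the cast fixes the symptom and not the shift. Declaring `i` as an unsigned type, matching the `& 0xffffff` mask on `hash_value`, removes the undefined behaviour.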
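Review bot: the word_dump_date hunk's `if (!s) return;` and the process_font_table hunk's `if (!tmp) break;` bail out silently when word_string() returns NULL, so a malformed date or font table now yields truncated output with no diagnostic; a warning_handler call at each of these exits, in the style of the colour-table commands, would tell the user the input was rejected rather than parsed.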
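Review bot: the 0003 process_color_table hunk rewrites the lines patch 0001 added (moving `char *s = word_string (w);` above the check and folding `s == 0` into it), so the two patches are order-dependent; that is fine with the series file, but a line in the 0003 header saying it depends on 0001 would save the next person a failed apply, and `!s` would match the other NULL tests this patch introduces instead of `s == 0`.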
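Review bot: in the second cmd_field hunk, `while (w4 && word_string(w4) && !strcmp(" ", word_string(w4)))` now exits with w4 non-NULL when word_string(w4) is NULL, and the following `if (w4) { s4=word_string(w4);` then holds a NULL s4; the first cmd_field hunk guards the same pattern with `if (s4)`, but here that test is outside the hunk, so confirm s4 is checked before it is dereferenced.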
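Review bot: the attrstack_drop hunk's `prev_stack != stack_of_stacks_top` fixes the one-element case (the search loop stops on the element about to be freed), but the reason only lives in the commit message; a comment at the condition, and comparing against `stack` rather than the global, would make the intent self-evident. The else branch is outside the hunk and must set stack_of_stacks_top to NULL for the valgrind trace in the header to be resolved.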
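Review bot: the new comment in the attr_get_param hunk reads "is always called / called once", duplicating "called" across the line break. Special-casing ATTR_ENCODING inside attr_get_param also hides the warning rather than addressing the caller that asks for an attribute before any stack exists; naming that call site in the comment would let a later cleanup remove the special case.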