[Petter Reinholdtsen] > I will. But the comment below seems to indicate that the update in > Wheezy was incomplete?
Looking at the code, I am quite sure the Wheezy fix missed the change in <URL: https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7 >. Who should be notified about this? > I'll prepare a new patch and package. OK to push it to the collab-maint > git repo before upload, or should I wait until it is accepted? Attached is a new patch with -1 changed to +1 as instructed by the above commit. -- Happy hacking Petter Reinholdtsen
diff --git a/debian/changelog b/debian/changelog
index 4f1e009..db765aa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+dosfstools (3.0.27-1+deb8u1) unstable; urgency=medium
+
+ * Non-maintainer upload to fix security issue.
+ * Added d/gbp.conf to document git branch used for Jessie updates.
+ * [CVE-2015-8872] Invalid memory read in fsck.vfat
+ * [CVE-2016-4804] Heap overflow in function read_fat()
+
+ -- Petter Reinholdtsen <p...@debian.org> Mon, 13 Jun 2016 08:17:24 +0200
+
 dosfstools (3.0.27-1) unstable; urgency=medium
 
 * New upstream version 3.0.27
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..3926a07
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,3 @@
+[DEFAULT]
+debian-branch = debian/jessie
+pristine-tar = True
diff --git a/debian/patches/CVE-2015-8872.diff b/debian/patches/CVE-2015-8872.diff
new file mode 100644
index 0000000..8709cc4
--- /dev/null
+++ b/debian/patches/CVE-2015-8872.diff
@@ -0,0 +1,33 @@
+Description: Fix CVE-2015-8872 using patches from upstream.
+
+ The patch is based on file used to update the CVE in Wheezy. It
+ contained the fix in
+ https://github.com/dosfstools/dosfstools/commit/39ce90fe75661ed8842551cd44ea7fec278a60a1
+ Then the dosfstools maintainer noticed the patch in
+ https://github.com/dosfstools/dosfstools/commit/07908124838afcc99c577d1d3e84cef2dbd39cb7
+ was missing. It is included here (off by one error, fixed by using
+ +1 instead of -1.
+
+ See also https://bugs.debian.org/827160 .
+
+Index: dosfstools-collab/src/fat.c
+===================================================================
+--- dosfstools-collab.orig/src/fat.c 2016-06-13 08:07:44.669688617 +0200
++++ dosfstools-collab/src/fat.c 2016-06-13 08:07:44.665688587 +0200
+@@ -197,10 +197,12 @@
+ data[1] = new >> 4;
+ } else {
+ FAT_ENTRY subseqEntry;
+- get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++ if (cluster != fs->clusters + 1)
++ get_fat(&subseqEntry, fs->fat, cluster + 1, fs);
++ else
++ subseqEntry.value = 0;
+ data[0] = new & 0xff;
+- data[1] = (new >> 8) | (cluster == fs->clusters - 1 ? 0 :
+- (0xff & subseqEntry.value) << 4);
++ data[1] = (new >> 8) | ((0xff & subseqEntry.value) << 4);
+ }
+ size = 2;
+ break;
+ 
diff --git a/debian/patches/CVE-2016-4804.diff b/debian/patches/CVE-2016-4804.diff
new file mode 100644
index 0000000..d28174c
--- /dev/null
+++ b/debian/patches/CVE-2016-4804.diff
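Review bot: The new guard `if (cluster != fs->clusters + 1)` tests exact equality, so it only skips the out-of-range `get_fat(&subseqEntry, fs->fat, cluster + 1, fs)` for the last cluster itself; a `cluster` value above that bound would still reach the call, and `if (cluster >= fs->clusters + 1)` is the more defensive form unless every caller is known to range-check first. The DEP-3 header explains the change only as "using +1 instead of -1"; the reason a future reader needs is that FAT data clusters are numbered from 2, so the highest valid cluster number is `fs->clusters + 1`, and the sentence is also missing its closing parenthesis. The `See also https://bugs.debian.org/827160 .` line would be better expressed as a `Bug-Debian:` field, with an `Origin:` field naming the two upstream commits, so patch-tracking tools can pick them up. The enclosing function and switch statement start and end outside the hunk.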
@@ -0,0 +1,64 @@
+https://github.com/dosfstools/dosfstools/commit/e8eff147e9da1185f9afd5b25948153a3b97cf52
+
+Index: dosfstools-collab/src/boot.c
+===================================================================
+--- dosfstools-collab.orig/src/boot.c 2016-06-13 07:59:10.337694024 +0200
++++ dosfstools-collab/src/boot.c 2016-06-13 08:00:46.290436480 +0200
+@@ -101,8 +101,8 @@
+ (unsigned long long)fs->fat_start,
+ (unsigned long long)fs->fat_start / lss);
+ printf("%10d FATs, %d bit entries\n", b->fats, fs->fat_bits);
+- printf("%10d bytes per FAT (= %u sectors)\n", fs->fat_size,
+- fs->fat_size / lss);
++ printf("%10lld bytes per FAT (= %llu sectors)\n", (long long)fs->fat_size,
++ (long long)fs->fat_size / lss);
+ if (!fs->root_cluster) {
+ printf("Root directory starts at byte %llu (sector %llu)\n",
+ (unsigned long long)fs->root_start,
+@@ -326,7 +326,7 @@
+ struct boot_sector b;
+ unsigned total_sectors;
+ unsigned short logical_sector_size, sectors;
+- unsigned fat_length;
++ off_t fat_length;
+ loff_t data_size;
+ 
+ fs_read(0, sizeof(b), &b);
+@@ -354,8 +354,12 @@
+ /* Can't access last odd sector anyway, so round down */
+ fs_test((loff_t) ((total_sectors & ~1) - 1) * (loff_t) logical_sector_size,
+ logical_sector_size);
++
+ fat_length = le16toh(b.fat_length) ?
+ le16toh(b.fat_length) : le32toh(b.fat32_length);
++ if (!fat_length)
++ die("FAT size is zero.");
++
+ fs->fat_start = (loff_t) le16toh(b.reserved) * logical_sector_size;
+ fs->root_start = ((loff_t) le16toh(b.reserved) + b.fats * fat_length) *
+ logical_sector_size;
+@@ -363,7 +367,11 @@
+ fs->data_start = fs->root_start + ROUND_TO_MULTIPLE(fs->root_entries <<
+ MSDOS_DIR_BITS,
+ logical_sector_size);
++
+ data_size = (loff_t) total_sectors *logical_sector_size - fs->data_start;
++ if (data_size < fs->cluster_size)
++ die("Filesystem has no space for any data clusters");
++
+ fs->clusters = data_size / fs->cluster_size;
+ fs->root_cluster = 0; /* indicates standard, pre-FAT32 root dir */
+ fs->fsinfo_start = 0; /* no FSINFO structure */
+diff --git a/src/fsck.fat.h b/src/fsck.fat.h
+index e5ade5b..639b569 100644
+--- a/src/fsck.fat.h
++++ b/src/fsck.fat.h
+@@ -158,7 +158,7 @@ typedef struct {
+ typedef struct {
+ int nfats;
+ loff_t fat_start;
+- unsigned int fat_size; /* unit is bytes */
++ off_t fat_size; /* unit is bytes */
+ unsigned int fat_bits; /* size of a FAT entry */
+ unsigned int eff_fat_bits; /* # of used bits in a FAT entry */
+ uint32_t root_cluster; /* 0 for old-style root dir */
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..014ae4e
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2016-4804.diff
+CVE-2015-8872.diff
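Review bot: In the rewritten `printf("%10lld bytes per FAT (= %llu sectors)\n", ...)` the second conversion is `%llu` but its argument `(long long)fs->fat_size / lss` is a signed `long long`, a specifier/argument mismatch that `-Wformat` reports and that the C standard leaves undefined; either change the conversion to `%lld` or cast the way the neighbouring `fs->fat_start` lines do, `(unsigned long long)fs->fat_size / lss`. The two added `die()` checks are the substance of the fix and look right: a zero `fat_length` would previously have produced an empty FAT, and a negative or sub-cluster `data_size` would presumably have left `fs->clusters` zero or wrapped, which is what the heap overflow in read_fat() named in the changelog exploits. The boot.c part of the patch uses `Index:`/timestamp headers while the fsck.fat.h part uses `diff --git` headers; both appear to apply at -p1, but one header style per patch file is easier to refresh with quilt. The enclosing functions start and end outside the hunks.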