Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hello, Bug#880621 reports that Jessie is affected by CVE-2014-8184. I'm proposing to upload there the RedHat fix plus a fix for that fix (it didn't actually take care of issues in the strncpy call). Debdiff is attached. Samuel -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500, 'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
diff -Nru liblouis-2.5.3/debian/changelog liblouis-2.5.3/debian/changelog --- liblouis-2.5.3/debian/changelog 2014-06-24 23:33:27.000000000 +0200 +++ liblouis-2.5.3/debian/changelog 2017-11-03 01:14:02.000000000 +0100 @@ -1,3 +1,10 @@ +liblouis (2.5.3-3+deb8u1) jessie; urgency=medium + + * Apply RedHat's patch to fix CVE-2014-8184 (Closes: Bug#880621). + * Fix RedHat's patch. + + -- Samuel Thibault <sthiba...@debian.org> Fri, 03 Nov 2017 01:14:02 +0100 + liblouis (2.5.3-3) unstable; urgency=low [ Samuel Thibault ] diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184 liblouis-2.5.3/debian/patches/CVE-2014-8184 --- liblouis-2.5.3/debian/patches/CVE-2014-8184 1970-01-01 01:00:00.000000000 +0100 +++ liblouis-2.5.3/debian/patches/CVE-2014-8184 2017-11-03 01:14:02.000000000 +0100 
@@ -0,0 +1,99 @@ +https://github.com/liblouis/liblouis/issues/425 +https://bugzilla.redhat.com/show_bug.cgi?id=1492701 +https://access.redhat.com/errata/RHSA-2017:3111 + +From 2fe2b279994e3ed70bae461e284702cc1c7d4665 Mon Sep 17 00:00:00 2001 +From: Raphael Sanchez Prudencio <rspruden...@redhat.com> +Date: Mon, 18 Sep 2017 18:44:31 +0200 +Subject: [PATCH 5/7] Fix multiple stack-based buffer overflows in findTable(). + +Fixes CVE-2014-8184. +--- + liblouis/compileTranslationTable.c | 35 +++++++++++------------------------ + 1 file changed, 11 insertions(+), 24 deletions(-) + +diff --git a/liblouis/compileTranslationTable.c b/liblouis/compileTranslationTable.c +index ec4963f0..25c0208f 100644 +--- a/liblouis/compileTranslationTable.c ++++ b/liblouis/compileTranslationTable.c +@@ -4502,8 +4502,7 @@ findTable (const char *tableName) + char trialPath[MAXSTRING]; + if (tableName == NULL || tableName[0] == 0) + return NULL; +- strcpy (trialPath, tablePath); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s", tablePath, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + return tableFile; + pathEnd[0] = DIR_SEP; +@@ -4522,18 +4521,15 @@ findTable (const char *tableName) + break; + if (k == listLength || k == 0) + { /* Only one file */ +- strcpy (trialPath, pathList); +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", pathList, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + break; + } + else + { /* Compile a list of files */ +- strncpy (trialPath, pathList, k); +- trialPath[k] = 0; +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ char path[MAXSTRING]; ++ strncpy (path, pathList, k); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + currentListPos = k + 1; + if ((tableFile = fopen (trialPath, "rb"))) + break; +@@ -4542,11 +4538,8 @@ findTable (const char *tableName) + for (k = currentListPos; k < listLength; k++) + 
if (pathList[k] == ',') + break; +- strncpy (trialPath, +- &pathList[currentListPos], k - currentListPos); +- trialPath[k - currentListPos] = 0; +- strcat (trialPath, pathEnd); +- strcat (trialPath, tableName); ++ strncpy (path, &pathList[currentListPos], k - currentListPos); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + currentListPos = k + 1; + break; +@@ -4564,26 +4557,20 @@ findTable (const char *tableName) + pathList = lou_getDataPath (); + if (pathList) + { +- strcpy (trialPath, pathList); +- strcat (trialPath, pathEnd); + #ifdef _WIN32 +- strcat (trialPath, "liblouis\\tables\\"); ++ snprintf (trialPath, MAXSTRING-1, "%s%sliblouis\\tables\\%s", pathList, pathEnd, tableName); + #else +- strcat (trialPath, "liblouis/tables/"); ++ snprintf (trialPath, MAXSTRING-1, "%s%sliblouis/tables/%s", pathList, pathEnd, tableName); + #endif +- strcat (trialPath, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + return tableFile; + } + /* See if table on installed or program path. */ + #ifdef _WIN32 +- strcpy (trialPath, lou_getProgramPath ()); +- strcat (trialPath, "\\share\\liblouss\\tables\\"); ++ snprintf (trialPath, MAXSTRING-1, "%s\\share\\liblouss\\tables\\%s", lou_getProgramPath(), tableName); + #else +- strcpy (trialPath, TABLESDIR); +- strcat (trialPath, pathEnd); ++ snprintf (trialPath, MAXSTRING-1, "%s%s%s", TABLESDIR, pathEnd, tableName); + #endif +- strcat (trialPath, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + return tableFile; + return NULL; +-- +2.13.5 + diff -Nru liblouis-2.5.3/debian/patches/CVE-2014-8184-fix liblouis-2.5.3/debian/patches/CVE-2014-8184-fix --- liblouis-2.5.3/debian/patches/CVE-2014-8184-fix 1970-01-01 01:00:00.000000000 +0100 +++ liblouis-2.5.3/debian/patches/CVE-2014-8184-fix 2017-11-03 01:14:02.000000000 +0100 
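Review bot: Every new `snprintf (trialPath, MAXSTRING-1, ...)` call in findTable() discards its return value, so a name that does not fit is silently truncated and the shortened path is still handed to `fopen`, which can open a different file from the one requested. Keeping the result and guarding the open would close that, e.g. `n = snprintf (trialPath, sizeof trialPath, "%s%s", tablePath, tableName);` followed by `if (n >= 0 && (size_t) n < sizeof trialPath && (tableFile = fopen (trialPath, "rb")))`; `sizeof trialPath` is also the idiomatic bound, since snprintf already reserves room for the terminator. The Windows branch keeps the `\\share\\liblouss\\tables\\` spelling from the removed line, which looks like a typo for `liblouis` and is worth confirming. findTable() begins before the first inner hunk and its closing brace is not shown.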
@@ -0,0 +1,33 @@ +The RedHat CVE-2014-8184 patch did not fix the potential buffer overruns +and missing trailing \0 from the strncpy call. +--- + liblouis/compileTranslationTable.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/liblouis/compileTranslationTable.c ++++ b/liblouis/compileTranslationTable.c +@@ -4534,6 +4534,8 @@ findTable (const char *tableName) + int listLength; + int currentListPos = 0; + listLength = strlen (pathList); ++ if (listLength >= MAXSTRING) ++ listLength = MAXSTRING-1; + for (k = 0; k < listLength; k++) + if (pathList[k] == ',') + break; +@@ -4547,6 +4549,7 @@ findTable (const char *tableName) + { /* Compile a list of files */ + char path[MAXSTRING]; + strncpy (path, pathList, k); ++ path[k] = 0; + snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + currentListPos = k + 1; + if ((tableFile = fopen (trialPath, "rb"))) +@@ -4557,6 +4560,7 @@ findTable (const char *tableName) + if (pathList[k] == ',') + break; + strncpy (path, &pathList[currentListPos], k - currentListPos); ++ path[k - currentListPos] = 0; + snprintf (trialPath, MAXSTRING-1, "%s%s%s", path, pathEnd, tableName); + if ((tableFile = fopen (trialPath, "rb"))) + currentListPos = k + 1; diff -Nru liblouis-2.5.3/debian/patches/series liblouis-2.5.3/debian/patches/series --- liblouis-2.5.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ liblouis-2.5.3/debian/patches/series 2017-11-03 01:14:02.000000000 +0100 @@ -0,0 +1,2 @@ +CVE-2014-8184 +CVE-2014-8184-fix
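Review bot: Clamping `listLength` to `MAXSTRING-1` keeps both `strncpy` copies and the added terminators inside `path[]`, but it does so by cutting the search list at a byte offset: an entry that straddles that offset is tried as a shortened directory name, and anything after it is ignored without notice. Bounding each entry instead keeps the copy safe without changing which directories are searched, e.g. skipping the entry when `k - currentListPos >= MAXSTRING` (and when `k >= MAXSTRING` for the first one). If the clamp stays, the two terminator writes deserve a comment such as `/* in bounds: listLength was clamped to MAXSTRING-1 above */`, since their safety depends on a line in a different hunk. findTable() starts and ends outside the hunks shown.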