Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

The attached debdiff for tnef fixes CVE-2019-18849 in Buster.

It is marked as no-dsa by the security team.

The fix was uploaded to Jessie a long time ago and nobody has complained so far.

  Thorsten
diff -Nru tnef-1.4.12/debian/changelog tnef-1.4.12/debian/changelog
--- tnef-1.4.12/debian/changelog        2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/changelog        2021-04-18 10:03:02.000000000 +0200
@@ -1,3 +1,12 @@
+tnef (1.4.12-1.2+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-18849 (Closes: #944851)
+    Using emails with a crafted winmail.dat application/ms-tnef attachment
+    might allow to change .ssh/authorized_keys.
+
+ -- Thorsten Alteholz <deb...@alteholz.de>  Sun, 18 Apr 2021 10:03:02 +0200
+
 tnef (1.4.12-1.2) unstable; urgency=medium
 
   * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442)
diff -Nru tnef-1.4.12/debian/patches/CVE-2019-18849.patch tnef-1.4.12/debian/patches/CVE-2019-18849.patch
--- tnef-1.4.12/debian/patches/CVE-2019-18849.patch     1970-01-01 01:00:00.000000000 +0100
+++ tnef-1.4.12/debian/patches/CVE-2019-18849.patch     2021-04-18 10:03:02.000000000 +0200
@@ -0,0 +1,147 @@
+Index: tnef-1.4.12/src/alloc.c
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.c       2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.c    2021-04-16 09:49:11.063016905 +0200
+@@ -72,13 +72,14 @@
+ 
+ /* attempts to malloc memory, if fails print error and call abort */
+ void*
+-xmalloc (size_t num, size_t size)
++xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
+-    void *ptr = malloc (res);
++    if (res + extra < res)
++        abort();
++    void *ptr = malloc (res + extra);
+     if (!ptr
+         && (size != 0))         /* some libc don't like size == 0 */
+     {
+@@ -90,41 +91,44 @@
+ 
+ /* Allocates memory but only up to a limit */
+ void*
+-checked_xmalloc (size_t num, size_t size)
++checked_xmalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+-
++    if (res + extra < res)
++        abort();
+     alloc_limit_assert ("checked_xmalloc", res);
+-    return xmalloc (num, size);
++    return xmalloc (num, size, extra);
+ }
+ 
+ /* xmallocs memory and clears it out */
+ void*
+-xcalloc (size_t num, size_t size)
++xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     void *ptr;
+-    ptr = malloc(res);
++    if (res + extra < res)
++        abort();
++    ptr = malloc(res + extra);
+     if (ptr)
+     {
+-        memset (ptr, '\0', (res));
++        memset (ptr, '\0', (res + extra));
+     }
+     return ptr;
+ }
+ 
+ /* xcallocs memory but only up to a limit */
+ void*
+-checked_xcalloc (size_t num, size_t size)
++checked_xcalloc (size_t num, size_t size, size_t extra)
+ {
+     size_t res;
+     if (check_mul_overflow(num, size, &res))
+         abort();
+ 
+     alloc_limit_assert ("checked_xcalloc", (res));
+-    return xcalloc (num, size);
++    return xcalloc (num, size, extra);
+ }
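Review bot: In checked_xmalloc and checked_xcalloc the limit check still receives `res`, so the size compared against the allocation limit is smaller than the `res + extra` that xmalloc and xcalloc actually request. Passing the full size, `alloc_limit_assert ("checked_xmalloc", res + extra);` and likewise for `"checked_xcalloc"`, keeps the limit and the allocation in agreement. checked_xcalloc also lacks the `if (res + extra < res) abort();` wrap check that checked_xmalloc gained; xcalloc repeats it before allocating, so this is a consistency gap today, but the check has to come first once `res + extra` is handed to the limit assert. A one-line comment on each function saying that `extra` is a byte count added after the `num * size` multiplication would document the new parameter.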
+Index: tnef-1.4.12/src/alloc.h
+===================================================================
+--- tnef-1.4.12.orig/src/alloc.h       2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/alloc.h    2021-04-16 09:49:11.063016905 +0200
+@@ -35,19 +35,23 @@
+ extern void set_alloc_limit (size_t size);
+ extern size_t get_alloc_limit();
+ extern void alloc_limit_assert (char *fn_name, size_t size);
+-extern void* checked_xmalloc (size_t num, size_t size);
+-extern void* xmalloc (size_t num, size_t size);
+-extern void* checked_xcalloc (size_t num, size_t size);
+-extern void* xcalloc (size_t num, size_t size);
++extern void* checked_xmalloc (size_t num, size_t size, size_t extra);
++extern void* xmalloc (size_t num, size_t size, size_t extra);
++extern void* checked_xcalloc (size_t num, size_t size, size_t extra);
++extern void* xcalloc (size_t num, size_t size, size_t extra);
+ 
+ #define XMALLOC(_type,_num)                                   \
+-        ((_type*)xmalloc((_num), sizeof(_type)))
++  ((_type*)xmalloc((_num), sizeof(_type), 0))
+ #define XCALLOC(_type,_num)                                   \
+-        ((_type*)xcalloc((_num), sizeof (_type)))
++  ((_type*)xcalloc((_num), sizeof (_type), 0))
+ #define CHECKED_XMALLOC(_type,_num)                           \
+-        ((_type*)checked_xmalloc((_num),sizeof(_type)))
+-#define CHECKED_XCALLOC(_type,_num)                           \
+-        ((_type*)checked_xcalloc((_num),sizeof(_type)))
++  ((_type*)checked_xmalloc((_num),sizeof(_type),0))
++#define CHECKED_XMALLOC_ADDNULL(_type,_num)                           \
++  ((_type*)checked_xmalloc((_num),sizeof(_type),1))
++#define CHECKED_XCALLOC(_type,_num)                   \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),0))
++#define CHECKED_XCALLOC_ADDNULL(_type,_num)           \
++  ((_type*)checked_xcalloc((_num),sizeof(_type),1))
+ #define XFREE(_ptr)                                           \
+         do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0)
+ 
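Review bot: The two `_ADDNULL` macros pass a literal `1` as `extra`, which the allocator treats as one byte rather than one element of `_type`, so the name promises a terminator that is only guaranteed for byte-sized types. Both call sites in this patch use `unsigned char` and are correct, but a later use with a wider element type would get a terminator that is too short. Passing the element size instead, `((_type*)checked_xmalloc((_num),sizeof(_type),sizeof(_type)))` and the same for the calloc variant, or adding a comment that restricts the macros to byte buffers, would remove the trap.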
+Index: tnef-1.4.12/src/attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/attr.c        2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/attr.c     2021-04-16 09:49:59.640149076 +0200
+@@ -244,7 +244,11 @@
+     attr->type = (type_and_name >> 16);
+     attr->name = ((type_and_name << 16) >> 16);
+     attr->len = geti32(in);
+-    attr->buf = CHECKED_XCALLOC (unsigned char, attr->len);
++    /* Allocate an extra byte for the null terminator,
++       in case the input lacks it,
++       this avoids strdup() being invoked on possibly non-terminated
++       input later (file.c, file_add_attr()). */
++    attr->buf = CHECKED_XCALLOC_ADDNULL(unsigned char, attr->len);
+     
+     (void)getbuf(in, attr->buf, attr->len);
+     
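Review bot: `attr->buf` is passed to getbuf() without a NULL check, although xcalloc as patched here returns NULL when malloc fails instead of aborting the way xmalloc does. `attr->len` comes straight from `geti32(in)`, so the allocation size is input-controlled; unless alloc_limit_assert (not visible on this page) guarantees the request can always be satisfied, a guard such as `if (!attr->buf) abort();` before the getbuf() call would make the failure path explicit. The terminator at `attr->buf[attr->len]` also exists only because the calloc variant zero-fills the buffer, which the new comment could state so that nobody later swaps in the malloc variant. The enclosing function starts and ends outside the hunk.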
+Index: tnef-1.4.12/src/mapi_attr.c
+===================================================================
+--- tnef-1.4.12.orig/src/mapi_attr.c   2021-04-16 09:49:11.067016999 +0200
++++ tnef-1.4.12/src/mapi_attr.c        2021-04-16 09:51:07.653589451 +0200
+@@ -314,8 +314,11 @@
+               }
+               else
+               {
+-                  v->data.buf = CHECKED_XMALLOC(unsigned char, v->len);
+-                  memmove (v->data.buf, buf+idx, v->len);
++                 /* add space for a null terminator, in case of evil input */
++                    v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, v->len);
++                    memmove (v->data.buf, buf+idx, v->len);
++                    v->data.buf[v->len] = '\0';
++
+               }
+ 
+               idx += pad_to_4byte(v->len);
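Review bot: The copy `memmove (v->data.buf, buf+idx, v->len);` reads `v->len` bytes from the input buffer, and nothing in this hunk shows that `idx + v->len` has been checked against that buffer's length. The added terminator bounds later string handling of the copy, but it does not bound this read from the source. If the enclosing function, which starts outside the hunk, does not already validate the length, a check is needed before the allocation, for example `if (v->len > buf_len - idx) abort();`, where `buf_len` is a placeholder for whatever variable holds the size of `buf` there.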
diff -Nru tnef-1.4.12/debian/patches/series tnef-1.4.12/debian/patches/series
--- tnef-1.4.12/debian/patches/series   2017-05-29 15:03:02.000000000 +0200
+++ tnef-1.4.12/debian/patches/series   2021-04-18 10:03:02.000000000 +0200
@@ -4,3 +4,5 @@
 fix-regression-1.patch
 fix-regression-2.patch
 CVE-2017-8911.patch
+
+CVE-2019-18849.patch
