I've actually NMUed xloadimage twice, since after the first NMU for CAN-2005-0638 I got a patch to also fix CAN-2005-0639. The attached diff is the combined patch for both NMUs.
-- see shy jo
Only in xloadimage-4.1: .zio.c.swp
Only in old/xloadimage-4.1/: Makefile
diff -ur old/xloadimage-4.1/debian/changelog xloadimage-4.1/debian/changelog
--- old/xloadimage-4.1/debian/changelog 2005-03-18 15:24:03.000000000 -0500
+++ xloadimage-4.1/debian/changelog 2005-03-18 15:21:47.000000000 -0500
@@ -1,3 +1,21 @@
+xloadimage (4.1-14.2) unstable; urgency=HIGH
+
+ * NMU
+ * Apply patch from Debian security team to fix integer overflows in new.c
+ (CAN-2005-0639).
+
+ -- Joey Hess <[EMAIL PROTECTED]> Fri, 18 Mar 2005 15:19:53 -0500
+
+xloadimage (4.1-14.1) unstable; urgency=HIGH
+
+ * NMU
+ * Apply patch from bug #298926 to fix shell metacharacters vulnerability
+ that could be used to execute arbitrary commands by using shell
+ metachaacters in filenames for compressed images. (CAN-2005-0638)
+ Closes: #298926
+
+ -- Joey Hess <[EMAIL PROTECTED]> Wed, 16 Mar 2005 18:24:55 -0500
+
 xloadimage (4.1-14) unstable; urgency=low
 * debian/control (Build-Depends): s/libtiff3g-dev/libtiff4-dev/.
Only in old/xloadimage-4.1/jpeg: testorig.jpg
diff -ur old/xloadimage-4.1/new.c xloadimage-4.1/new.c
--- old/xloadimage-4.1/new.c 1993-10-28 13:24:14.000000000 -0400
+++ xloadimage-4.1/new.c 2005-03-18 15:18:20.000000000 -0500
@@ -63,6 +63,18 @@
 }
+static unsigned int ovmul(unsigned int a, unsigned int b)
+{
+ unsigned int r;
+
+ r = a * b;
+ if (r / a != b) {
+ memoryExhausted();
+ }
+
+ return r;
+}
+
 void goodImage(image, func)
 Image *image;
 char *func;
@@ -128,7 +140,7 @@
 image->height= height;
 image->depth= 1;
 linelen= (width / 8) + (width % 8 ? 1 : 0); /* thanx [EMAIL PROTECTED] */
- image->data= (unsigned char *)lcalloc(linelen * height);
+ image->data= (unsigned char *)lcalloc(ovmul(linelen, height));
 return(image);
 }
@@ -149,7 +161,7 @@
 image->height= height;
 image->depth= depth;
 image->pixlen= pixlen;
- image->data= (unsigned char *)lmalloc(width * height * pixlen);
+ image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), pixlen));
 return(image);
 }
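Review bot: `ovmul` in the new.c hunk at @@ -63 divides by `a` with no guard for zero, so a file whose width (and hence `linelen`) or height is 0 reaches `r / a` with a == 0, which is undefined behaviour and typically a SIGFPE; the overflow guard then becomes a crash on a zero-dimension image. A zero operand cannot overflow, so the check should read `if (a != 0 && r / a != b) {`. The test is otherwise sound for `unsigned int`, but the later hunks hand the product to `lcalloc`/`lmalloc`, whose parameter types are not visible here, so the guard only covers the `unsigned int` product. A one-line header comment would help, e.g. `/* a*b, calling memoryExhausted() instead of returning a wrapped product. */`.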
@@ -165,6 +177,7 @@
 image->height= height;
 image->depth= 24;
 image->pixlen= 3;
+ image->data= (unsigned char *)lmalloc(ovmul(ovmul(width, height), 3));
 image->data= (unsigned char *)lmalloc(width * height * 3);
 return(image);
 }
diff -ur old/xloadimage-4.1/zio.c xloadimage-4.1/zio.c
--- old/xloadimage-4.1/zio.c 1993-10-28 13:10:02.000000000 -0400
+++ xloadimage-4.1/zio.c 2005-03-16 18:23:52.000000000 -0500
@@ -210,9 +210,30 @@
 if ((strlen(name) > strlen(filter->extension)) &&
 !strcmp(filter->extension, name + (strlen(name) - strlen(filter->extension)))) {
- debug(("Filtering image through '%s'\n", filter->filter));
- zf->type= ZPIPE;
- sprintf(buf, "%s %s", filter->filter, name);
+ char *fname, *t, *s;
+
+ /* meta-char protection from xli.
+ *
+ * protect in single quotes, replacing single quotes
+ * with '"'"', so worst-case expansion is 5x
+ */
+
+ s = fname = (char *) lmalloc(1 + (5 * strlen(name)) + 1 + 1);
+ *s++ = '\'';
+ for (t = name; *t; ++t) {
+ if ('\'' == *t) {
+ /* 'foo'bar' -> 'foo'"'"'bar' */
+ strcpy(s, "'\"'\"'");
+ s += strlen(s);
+ } else {
+ *s++ = *t;
+ }
+ }
+ strcpy (s, "'");
+ debug(("Filtering image through '%s'\n", filter->filter));
+ zf->type= ZPIPE;
+ sprintf(buf, "%s %s", filter->filter, fname);
+ lfree (fname);
 if (! (zf->stream= popen(buf, "r"))) {
 lfree((byte *)zf->filename);
 zf->filename= NULL;
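Review bot: In the new.c hunk at @@ -165 the added overflow-checked allocation is immediately overwritten by the original `image->data= (unsigned char *)lmalloc(width * height * 3);`, which this hunk keeps as a context line instead of removing it as the @@ -128 and @@ -149 hunks do. The checked buffer is leaked on every call, and `image->data` still ends up sized by the unchecked product; whether a wrapped product is still rejected depends on `memoryExhausted()` never returning, which is not visible in this diff. The old `lmalloc(width * height * 3)` line should be a `-` line so the `ovmul` allocation is the one that survives. The enclosing function starts outside the hunk.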
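Review bot: The quoting in the zio.c hunk at @@ -210 can grow `name` to 5*strlen(name)+3 bytes, yet the command line is still assembled with `sprintf(buf, "%s %s", filter->filter, fname)` into `buf`, whose declaration and size lie outside the hunk; a long or quote-heavy filename that fit `buf` before this change can now overrun it. If `buf` is a fixed array, replace the call with `snprintf(buf, sizeof buf, "%s %s", filter->filter, fname)` and skip the `popen` when the return value is negative or `>= sizeof buf`; otherwise size `buf` from `strlen(filter->filter) + strlen(fname) + 2` inside this block. The quoting itself is correct: each `'` becomes `'"'"'`, and `1 + 5*len + 1 + 1` covers the two outer quotes and the terminator. A comment such as `/* fname is at most 5*strlen(name)+3 bytes; buf must be sized for it */` above the `sprintf` would record the new requirement. The enclosing function starts outside the hunk.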