Attached please find the patches we're using for the update of the package in woody.
Please: update the package in sid; mention the corresponding CVE ids in the changelog; tell me the version number of the fixed package; use priority=high; there is no need to upload into sarge directly, except if the version in sid is not meant to go into testing. Regards, Joey -- The only stupid question is the unasked one. Please always Cc me when replying to me on the lists.
diff -u xli-1.17.0/debian/changelog xli-1.17.0/debian/changelog --- xli-1.17.0/debian/changelog +++ xli-1.17.0/debian/changelog @@ -1,3 +1,14 @@ +xli (1.17.0-11woody1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Applied patch from DSA 069 to fix buffer overflow in faces decoder + [faces.c, CAN-2001-0775] + + -- Martin Schulze <[EMAIL PROTECTED]> Fri, 18 Mar 2005 12:46:39 +0100 + xli (1.17.0-11) unstable; urgency=low * xli.1: eliminate mention of xsetbg and xview since they are not only in patch2: unchanged: --- xli-1.17.0.orig/faces.c +++ xli-1.17.0/faces.c @@ -54,9 +54,15 @@ if (! strcmp(buf, "\n")) break; if (!strncmp(buf, "FirstName:", 10)) - strcpy(fname, buf + 11); + { + strncpy(fname, buf + 11, BUFSIZ - 1); + fname[BUFSIZ - 1] = '\0'; + } else if (!strncmp(buf, "LastName:", 9)) - strcpy(lname, buf + 10); + { + strncpy(lname, buf + 10, BUFSIZ - 1); + lname[BUFSIZ - 1] = '\0'; + } else if (!strncmp(buf, "Image:", 6)) { if (sscanf(buf + 7, "%d%d%d", &iw, &ih, &id) != 3) { fprintf(stderr,"facesLoad: %s - Bad image\n", name); @@ -117,7 +123,7 @@ znocache(zf); image= newRGBImage(w, h, d); fname[strlen(fname) - 1]= ' '; - strcat(fname, lname); + strncat(fname, lname, BUFSIZ - strlen(fname) -1); fname[strlen(fname) - 1]= '\0'; image->title= dupString(fname);
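Review bot: The new bound `BUFSIZ - 1` presumes that `fname` and `lname` are BUFSIZ-byte arrays, but their declarations are outside this hunk, so the truncation is only correct if that presumption holds; if they are local arrays, `strncpy(fname, buf + 11, sizeof fname - 1);` ties the bound to the declaration and survives a later resize. The source offset is still unchecked: the tag match covers 10 bytes, and when a line is exactly `FirstName:` with no separator or newline, `buf + 11` starts one past the terminator before the copy reads it. A guard such as `if (strlen(buf) > 10)` ahead of each copy would close that, and a one-line comment stating that the arrays are BUFSIZ bytes would explain the repeated constant. The enclosing read loop begins outside the hunk.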
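Review bot: After the bounded `strncat` on the changed line, the following context line `fname[strlen(fname) - 1]= '\0';` still assumes the last byte is the newline carried over from `lname`; when the concatenation is truncated that newline is gone and a real character of the title is dropped instead. Stripping the newline at the point `lname` is read (for example `lname[strcspn(lname, "\n")] = '\0';` after the copy) and dropping the final `'\0'` assignment removes the dependence on that trailing byte. The `BUFSIZ - strlen(fname) - 1` arithmetic is only safe because the earlier hunk already caps `fname` at BUFSIZ - 1 bytes; a short comment naming that invariant next to the call would help the next reader. The function around this hunk starts and ends outside it.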
diff -u xli-1.17.0/debian/changelog xli-1.17.0/debian/changelog --- xli-1.17.0/debian/changelog +++ xli-1.17.0/debian/changelog @@ -1,3 +1,14 @@ +xli (1.17.0-11woody1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Backported upstream patch to add quoting protection to filenames when + uncompressing files [zio.c, CAN-2005-0638] + + -- Martin Schulze <[EMAIL PROTECTED]> Fri, 18 Mar 2005 12:46:39 +0100 + xli (1.17.0-11) unstable; urgency=low * xli.1: eliminate mention of xsetbg and xview since they are not only in patch2: unchanged: --- xli-1.17.0.orig/zio.c +++ xli-1.17.0/zio.c @@ -340,8 +340,9 @@ boolean _zopen(ZFILE *zf) { - char buf[BUFSIZ]; + char cmd[BUFSIZ]; char *name = zf->filename; + char *buf, *s, *t; char uuibuf[UULEN], uudest[UULEN], uudummy[UULEN]; int uumode, uutry = UUSTARTLEN; @@ -370,15 +371,41 @@ #ifdef HAVE_GUNZIP else if ((strlen(name) > 3 && !strcasecmp(".gz", name + (strlen(name) - 3))) || (strlen(name) > 2 && !strcasecmp(".Z", name + (strlen(name) - 2)))) { - sprintf(buf, "gunzip -c %s", name); + sprintf(cmd, "gunzip -c "); #else /* #else its a unix compressed file, so use uncompress */ else if ((strlen(name) > (unsigned) 2) && !strcmp(".Z", name + (strlen(name) - 2))) { - sprintf(buf, "uncompress -c %s", name); + sprintf(cmd, "uncompress -c "); #endif + + /* protect in single quotes, replacing single quotes + * with '"'"', so worst-case expansion is 5x + */ + buf = (char *) lmalloc(strlen(cmd) + 1 + 5 * strlen(name) + 1 + 1); + + if (buf == NULL) + return (FALSE); + + strcpy(buf, cmd); + s = buf + strlen(buf); + *s++ = '\''; + + for (t = name; *t; ++t) { + if ('\'' == *t) { + strcpy(s, "'\"'\"'"); + s += strlen(s); + } else { + *s++ = *t; + } + } + *s++ = '\''; + *s = '\0'; + zf->type = ZPIPE; if (!(zf->stream = popen(buf, "r"))) { + lfree(buf); return (FALSE); } + lfree(buf); } #endif
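Review bot: Renaming the array to `cmd` and reusing the name `buf` for an uninitialized `char *` is risky in a function of this size: any other path of `_zopen` that wrote into the old `buf` array now writes through an indeterminate pointer, and this hunk does not show the rest of the function to rule that out. A compile with `-Wall -Wuninitialized`, or a grep for `buf` within `_zopen`, should confirm that the later hunk is the only user; `char *buf = NULL, *s, *t;` at least makes a stray use fail loudly rather than silently. `_zopen` continues well past this hunk.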
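Review bot: Single-quoting neutralises shell metacharacters, but the name is still handed to `gunzip`/`uncompress` as a positional argument, so a filename beginning with `-` is parsed as an option rather than a file; writing the prefix as `sprintf(cmd, "gunzip -c -- ");` ends option parsing where the tool supports `--` (GNU gzip does; the `uncompress` branch needs checking separately). The `if (buf == NULL) return (FALSE);` check is only meaningful if `lmalloc` can return NULL — if it aborts on failure like an xmalloc-style wrapper, the branch is dead code. Longer term the shell is avoidable altogether: building an argv and running the decompressor with `pipe` + `fork` + `execvp` removes the quoting question instead of answering it, which is worth a TODO comment above the quoting loop. The enclosing `else if` block and `_zopen` itself begin before this hunk.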
diff -u xli-1.17.0/debian/changelog xli-1.17.0/debian/changelog --- xli-1.17.0/debian/changelog +++ xli-1.17.0/debian/changelog @@ -1,3 +1,14 @@ +xli (1.17.0-11woody1) stable-security; urgency=high + + * Non-maintainer upload by the Security Team + * Applied upstream patch to fix integer overflows [new.c, CAN-2005-0639] + + -- Martin Schulze <[EMAIL PROTECTED]> Fri, 18 Mar 2005 12:46:39 +0100 + xli (1.17.0-11) unstable; urgency=low * xli.1: eliminate mention of xsetbg and xview since they are not only in patch2: unchanged: --- xli-1.17.0.orig/new.c +++ xli-1.17.0/new.c @@ -104,6 +104,18 @@ lfree((byte *) rgb->blue); } +static unsigned int ovmul(unsigned int a, unsigned int b) +{ + unsigned int r; + + r = a * b; + if (r / a != b) { + memoryExhausted(); + } + + return r; +} + static Image *newImage(unsigned width, unsigned height) { Image *image; @@ -133,7 +145,7 @@ image->rgb.used = 2; image->depth = 1; linelen = ((width + 7) / 8); - image->data = (unsigned char *) lcalloc(linelen * height); + image->data = (unsigned char *) lcalloc(ovmul(linelen, height)); return image; } @@ -157,7 +169,8 @@ newRGBMapData(&(image->rgb), numcolors); image->depth = depth; image->pixlen = pixlen; - image->data = (unsigned char *) lmalloc(width * height * pixlen); + image->data = + (unsigned char *) lmalloc(ovmul(ovmul(width, height), pixlen)); return image; } @@ -172,7 +185,8 @@ image->rgb.used = image->rgb.size = 0; image->depth = 24; image->pixlen = 3; - image->data = (unsigned char *) lmalloc(width * height * 3); + image->data = + (unsigned char *) lmalloc(ovmul(ovmul(width, height), 3)); return image; }
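Review bot: `ovmul` divides by `a` to detect wrap-around, so a zero first operand is undefined behaviour (division by zero) rather than a harmless zero product; the guard should read `if (a != 0 && r / a != b) {`. A zero width or height is plausible input at all three call sites in the later hunks (`ovmul(linelen, height)`, `ovmul(ovmul(width, height), pixlen)` and `ovmul(ovmul(width, height), 3)`), so the one fix covers them. The helper also deserves a header comment, e.g. `/* a * b, or memoryExhausted() if the product does not fit in unsigned int */`, and since the result feeds `lmalloc`/`lcalloc`, confirm their size parameter is at least as wide as `unsigned int` so the checked product is not narrowed again at the call.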
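Review bot: The checked multiply on the changed line does not cover the context line above it, `linelen = ((width + 7) / 8);`, where `width + 7` can still wrap for a width within 7 of `UINT_MAX` and produce a `linelen` of 0 before `ovmul` ever runs. A range check before the division, `if (width > UINT_MAX - 7) memoryExhausted();`, closes that gap with the same failure mode the commit already uses. The header of the function this hunk belongs to is outside the hunk, so only the 1-bit setup identifies it.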