Florian Ernst wrote:
> On Thu, Jun 02, 2005 at 07:57:06PM +0200, Martin Schulze wrote:
> > I've looked at the patch you've provided and I must say that I believe
> > that it is utterly broken with regards to the "integer overflow".  I
> > don't think that I've discovered a single integer overflow that's
> > been prevented.   Attached is what was left over after the investigation.
> > [...]
> > Please correct me if I'm wrong.
> > Please run a diff against the interdiff between the stable
> > package and the "fixed" packages.

Below please find the real patch and ensure it is applied to the
version in unstable as well (or a similar patch).  This one was
even missing from your patchset so I'm not sure if you've got it
already.  If not, please tell me which version in sid will fix
the problem and let me know if the version for sarge should go
via security or proposed-updates/sid - and which version if you
take care of it.

Regards,

        Joey

-- 
Those who don't understand Unix are condemned to reinvent it, poorly.

Please always Cc to me when replying to me on the lists.
diff -u ht-0.5.0/debian/changelog ht-0.5.0/debian/changelog
--- ht-0.5.0/debian/changelog
+++ ht-0.5.0/debian/changelog
@@ -1,3 +1,13 @@
+ht (0.5.0-1woody1) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team
+  * Added two integer overflow precautions in the ELF parser [htelfshs.cc,
+    CAN-2005-1545]
+
+ -- Martin Schulze <[EMAIL PROTECTED]>  Sat,  4 Jun 2005 18:46:18 +0200
+
 ht (0.5.0-1) unstable; urgency=low
 
   * New upstream version.
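Review bot: the entry text "Added two integer overflow precautions" leaves out a behaviour change that the htelfshs.cc hunks make in the same condition: a section header count of 0 now also returns NULL. Suggest naming that in the changelog line so the security upload documents every case in which the ELF section header view is refused.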
only in patch2:
unchanged:
--- ht-0.5.0.orig/htelfshs.cc
+++ ht-0.5.0/htelfshs.cc
@@ -26,6 +26,7 @@
 #include "formats.h"
 
 #include <stdlib.h>
+#include <limits.h>
 
 ht_mask_ptable elfsectionheader32[]=
 {
@@ -115,6 +116,10 @@
 
                v->insertsub(m);
 
+               if (elf_shared->sheaders.count == 0
+                   || (elf_shared->sheaders.count >= INT_MAX / sizeof 
*elf_shared->shnames))
+                       return NULL;
+
                elf_shared->shnames = (char**)malloc(elf_shared->sheaders.count 
* sizeof *elf_shared->shnames);
                FILEOFS 
so=elf_shared->sheaders.sheaders32[elf_shared->header32.e_shstrndx].sh_offset;
                for (UINT i=0; i<elf_shared->sheaders.count; i++) {
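Review bot: in the context line right after the malloc, sheaders32[elf_shared->header32.e_shstrndx] is still indexed with a header field that the new condition never compares against sheaders.count, so an oversized count is rejected but an out-of-range e_shstrndx is not. Suggest extending the guard with "|| elf_shared->header32.e_shstrndx >= elf_shared->sheaders.count". The visible lines also show no NULL check on the malloc result before the for loop starts; add one next to the new guard.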
@@ -154,6 +159,10 @@
 
                v->insertsub(m);
 
+               if (elf_shared->sheaders.count == 0
+                   || (elf_shared->sheaders.count >= INT_MAX / sizeof 
*elf_shared->shnames))
+                       return NULL;
+
                elf_shared->shnames=(char**)malloc(elf_shared->sheaders.count * 
sizeof *elf_shared->shnames);
 /* FIXME: 64-bit */
                FILEOFS 
so=elf_shared->sheaders.sheaders64[elf_shared->header64.e_shstrndx].sh_offset.lo;
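Review bot: the return NULL in this guard sits after v->insertsub(m), and nothing in the hunk releases v or m on that path, so please confirm the caller cleans them up, or move the count check above the point where they are built. The condition is a verbatim copy of the one in the 32-bit branch; a small shared helper would keep the two from drifting apart. Since count * sizeof *elf_shared->shnames is a size_t multiplication, a one-line comment explaining why INT_MAX rather than the size_t maximum is the bound would help the next reader. As in the 32-bit branch, header64.e_shstrndx is used as an index without being checked against sheaders.count.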
