On Sat, Jun 04, 2005 at 07:04:42PM +0200, Martin Schulze wrote:
> Below please find the real patch and ensure it is applied to the
> version in unstable as well (or a similar patch). This one was
> even missing from your patchset so I'm not sure if you've got it
> already. If not, please tell me which version in sid will fix
> the problem and let me know if the version for sarge should go
> via security or proposed-updates/sid - and which version if you
> take care of it.

Thanks a lot, I have applied your patch in ht_0.8.0-3 which I uploaded at around midnight UTC. katie started processing it, but the archive was already closed, so it looks like I have to check again later.

All in all I have to say I felt very nicely treated despite my apparent lack of appropriate action. Thanks for first giving me the benefit of doubt before hitting me with a cluebat. Please continue applying this courtesy, it was much appreciated.

Nonetheless this all made me think hard, and sadly I had to realize I'm not quite up to the task (yet?), so it's better to hand over the package into more knowledgeable hands: RFA just sent. Until this happens, I'll try to sort out all the remaining issues, of course, so please keep me in line. This paragraph is just so you know what you are up to.

Cheers,
Flo

PS: debdiff between ht_0.8.0-2 (in Sarge / Sid) and ht_0.8.0-3 attached

diff -u ht-0.8.0/debian/changelog ht-0.8.0/debian/changelog --- ht-0.8.0/debian/changelog +++ ht-0.8.0/debian/changelog @@ -1,3 +1,11 @@ +ht (0.8.0-3) unstable; urgency=high + + * Urgency high due to security fix + * Added two integer overflow precautions in the ELF parser [htelfshs.cc, + CAN-2005-1545], thanks to Martin 'Joey' Schulze and the Security Team! + + -- Florian Ernst <[EMAIL PROTECTED]> Sun, 05 Jun 2005 01:52:24 +0200 + ht (0.8.0-2) unstable; urgency=high * Urgency high due to security fix only in patch2: unchanged: --- ht-0.8.0.orig/htelfshs.cc +++ ht-0.8.0/htelfshs.cc @@ -25,6 +25,7 @@ #include "httag.h" #include "formats.h" #include "snprintf.h" +#include <limits.h> static ht_mask_ptable elfsectionheader32[]= { @@ -115,6 +116,10 @@ v->insertsub(m); + if (elf_shared->sheaders.count == 0 + || (elf_shared->sheaders.count >= INT_MAX / sizeof *elf_shared->shnames)) + return NULL; + elf_shared->shnames = (char**)malloc(elf_shared->sheaders.count * sizeof *elf_shared->shnames); FILEOFS so=elf_shared->sheaders.sheaders32[elf_shared->header32.e_shstrndx].sh_offset; for (UINT i=0; i<elf_shared->sheaders.count; i++) { @@ -155,6 +160,10 @@ v->insertsub(m); + if (elf_shared->sheaders.count == 0 + || (elf_shared->sheaders.count >= INT_MAX / sizeof *elf_shared->shnames)) + return NULL; + elf_shared->shnames=(char**)malloc(elf_shared->sheaders.count * sizeof *elf_shared->shnames); /* FIXME: 64-bit */ FILEOFS so=elf_shared->sheaders.sheaders64[elf_shared->header64.e_shstrndx].sh_offset.lo;
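
Review bot: In the @@ -115,6 +116,10 @@ hunk of htelfshs.cc, the new `return NULL;` sits after `v->insertsub(m);`, so the view `v` has already been built when the function bails out, and nothing in the visible lines releases it. Either move the count check ahead of the view construction or free `v` before returning. No NULL check on the `malloc()` result assigned to `elf_shared->shnames` is visible before the loop that follows; add one on the same early-exit path. A one-line comment explaining why the bound is `INT_MAX / sizeof *elf_shared->shnames` would also help the next reader.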
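
Review bot: In the @@ -155,6 +160,10 @@ hunk, the added condition bounds the allocation size, but the line after the `malloc()` still indexes `sheaders64` with `header64.e_shstrndx`, and no comparison of that index against `sheaders.count` is visible. The same holds for `sheaders32[elf_shared->header32.e_shstrndx]` in the previous hunk. Suggest extending the condition to reject the file when `e_shstrndx >= elf_shared->sheaders.count`. Since the four added lines are identical in both hunks, a small shared helper would keep the 32-bit and 64-bit paths from drifting apart.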