Control: tags -1 + patch

Hi,

I have prepared packages for squeeze and wheezy based on attached debdiff for the older versions. Attached debdiff is for unstable.

Regards,
Salvatore
diff -Nru torque-2.4.16+dfsg/debian/changelog torque-2.4.16+dfsg/debian/changelog --- torque-2.4.16+dfsg/debian/changelog 2013-11-12 22:14:05.000000000 +0100 +++ torque-2.4.16+dfsg/debian/changelog 2014-05-21 20:56:41.000000000 +0200 @@ -1,3 +1,13 @@ +torque (2.4.16+dfsg-1.4) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Add CVE-2014-0749.patch patch. + CVE-2014-0749: Fix stack-based buffer overflow vulnerability which can + be exploited in order to remotely execute code from an unauthenticated + perspective. (Closes: #748827) + + -- Salvatore Bonaccorso <car...@debian.org> Wed, 21 May 2014 20:56:21 +0200 + torque (2.4.16+dfsg-1.3) unstable; urgency=high * Non-maintainer upload by the Security Team. diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch --- torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch 1970-01-01 01:00:00.000000000 +0100 +++ torque-2.4.16+dfsg/debian/patches/CVE-2014-0749.patch 2014-05-21 20:56:41.000000000 +0200 
@@ -0,0 +1,40 @@ +Description: Fix stack-based buffer overflow in disrsi_.c + CVE-2014-0749: The file disrsi_.c fails to ensure that the length of + count (which is read from the request packet) is less than dis_umaxd + prior to being used in a later memcpy(). As a result a specially + crafted request can smuggle through a count value which is later + decremented and becomes the ct value in a memcpy() made from within + tcp_gets(): + . + memcpy((char *)str, tp->tdis_leadp, ct); + . + This failure to validate count allows control over the size of the + memcpy() to be leveraged and as a result control over the amount of + data read from the remainder of the packet. If this value is large the + memcpy() will overwrite the stack and so can be leveraged in order to + gain control over the execution of the program. +Origin: upstream, https://github.com/adaptivecomputing/torque/commit/3ed749263abe3d69fa3626d142a5789dcb5a5684 +Bug: https://github.com/adaptivecomputing/torque/pull/171 +Bug-Debian: https://bugs.debian.org/748827 +Forwarded: not-needed +Author: David Beer <db...@adaptivecomputing.com> +Last-Update: 2014-05-21 + +--- a/src/lib/Libdis/disrsi_.c ++++ b/src/lib/Libdis/disrsi_.c +@@ -112,6 +112,15 @@ int disrsi_( + if (dis_umaxd == 0) + disiui_(); + ++ if (count >= dis_umaxd) ++ { ++ if (count > dis_umaxd) ++ goto overflow; ++ ++ if (memcmp(scratch, dis_umax, dis_umaxd) > 0) ++ goto overflow; ++ } ++ + switch (c = (*dis_getc)(stream)) + { + diff -Nru torque-2.4.16+dfsg/debian/patches/series torque-2.4.16+dfsg/debian/patches/series --- torque-2.4.16+dfsg/debian/patches/series 2013-11-12 22:14:05.000000000 +0100 +++ torque-2.4.16+dfsg/debian/patches/series 2014-05-21 20:56:41.000000000 +0200 @@ -7,3 +7,4 @@ CVE-2013-4319.patch fix-FTBFS-on-kfreebsd.patch CVE-2013-4495.patch +CVE-2014-0749.patch
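Review bot: in the disrsi_.c hunk carried inside debian/patches/CVE-2014-0749.patch, the added test "memcmp(scratch, dis_umax, dis_umaxd) > 0" sits before "switch (c = (*dis_getc)(stream))", and nothing in the visible lines shows scratch being filled with the digits belonging to this count before that point. If scratch is only written later in the function, the equal-length case (count == dis_umaxd) is compared against stale or empty data, and only the "count > dis_umaxd" branch does real work at this position. Please confirm where scratch is populated relative to this check, or state in the patch description that the equal-length comparison is enforced elsewhere. The description also says count must be "less than dis_umaxd", while the code accepts count == dis_umaxd when the memcmp passes, so the wording should be brought in line with the check.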