Control: tags -1 pending

Hi,

On Fri, 26 May 2017 18:18:59 +0200 Emilio Pozuelo Monfort <po...@debian.org> wrote:
> Control: tags -1 patch
>
> Hi,
>
> On Mon, 01 May 2017 16:14:08 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> > Source: rzip
> > Version: 2.1-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> >
> > Hi,
> >
> > the following vulnerability was published for rzip, filed with RC
> > severity due to the heap overflow write, but no further investigation
> > done so far.
> >
> > CVE-2017-8364[0]:
> > | The read_buf function in stream.c in rzip 2.1 allows remote attackers
> > | to cause a denial of service (heap-based buffer overflow and
> > | application crash) or possibly have unspecified other impact via a
> > | crafted archive.
>
> openSUSE applied the attached patch, taken from the openSUSE leap 42.2
> package [1].

I have verified the patch works fine (by testing with an asan build).

I have uploaded the attached debdiff to DELAYED/5. Let me know if I should
delay it further.

Cheers,
Emilio
diff -Nru rzip-2.1/debian/changelog rzip-2.1/debian/changelog --- rzip-2.1/debian/changelog 2016-12-07 18:44:06.000000000 +0100 +++ rzip-2.1/debian/changelog 2017-05-26 18:40:30.000000000 +0200 @@ -1,3 +1,12 @@ +rzip (2.1-4.1) unstable; urgency=medium + + * Non-maintainer upload. + * 80-CVE-2017-8364-fill-buffer.patch: fix heap buffer overflow write by + allocating a properly sized buffer. Patch taken from openSUSE. + (CVE-2017-8364). Closes: 861614. + + -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 26 May 2017 18:40:30 +0200 + rzip (2.1-4) unstable; urgency=medium * New maintainer. Thanks to all previous people that have helped diff -Nru rzip-2.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch rzip-2.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch --- rzip-2.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch 1970-01-01 01:00:00.000000000 +0100 +++ rzip-2.1/debian/patches/80-CVE-2017-8364-fill-buffer.patch 2017-05-26 18:39:09.000000000 +0200 
@@ -0,0 +1,35 @@ +Patch taken from the OpenSUSE leap 42.2 package + +Index: rzip-2.1/stream.c +=================================================================== +--- rzip-2.1.orig/stream.c ++++ rzip-2.1/stream.c +@@ -147,16 +147,16 @@ static int write_u32(int f, u32 v) + return 0; + } + +-static int read_buf(int f, uchar *p, int len) ++static int read_buf(int f, uchar *p, unsigned int len) + { + int ret; + ret = read(f, p, len); + if (ret == -1) { +- err_msg("Read of length %d failed - %s\n", len, strerror(errno)); ++ err_msg("Read of length %u failed - %s\n", len, strerror(errno)); + return -1; + } + if (ret != len) { +- err_msg("Partial read!? asked for %d bytes but got %d\n", len, ret); ++ err_msg("Partial read!? asked for %u bytes but got %d\n", len, ret); + return -1; + } + return 0; +@@ -399,7 +399,7 @@ static int fill_buffer(struct stream_inf + if (sinfo->s[stream].buf) { + free(sinfo->s[stream].buf); + } +- sinfo->s[stream].buf = malloc(u_len); ++ sinfo->s[stream].buf = malloc(c_len > u_len ? c_len : u_len); + if (!sinfo->s[stream].buf) { + return -1; + } diff -Nru rzip-2.1/debian/patches/series rzip-2.1/debian/patches/series --- rzip-2.1/debian/patches/series 2016-03-07 22:36:29.000000000 +0100 +++ rzip-2.1/debian/patches/series 2017-05-26 18:40:30.000000000 +0200 @@ -5,3 +5,4 @@ 50_fhs.patch 60_fix_manpage.patch 70_hardeningflags.patch +80-CVE-2017-8364-fill-buffer.patch
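Review bot: In the debian/changelog hunk, `Closes: 861614` is accepted by dpkg-parsechangelog (the `#` is optional in its closes regex), but the form used almost everywhere else in the archive is `Closes: #861614`; consider switching to it so the entry matches what readers and bug-scanning scripts expect.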
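Review bot: In the `read_buf` hunk of stream.c, widening `len` to `unsigned int` only changes the parameter type and the `%d` to `%u` format specifiers; it introduces no bound on `len`, and `ret` stays `int`, so `ret != len` now compares a signed value with an unsigned one (safe here only because the `ret == -1` case returns before that comparison). The overflow itself is addressed by the `fill_buffer` allocation change, so a short comment in the patch stating that this hunk is a type/format cleanup rather than the fix would save the next reader from looking for a bounds check that is not there.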
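Review bot: In the `fill_buffer` hunk, `malloc(c_len > u_len ? c_len : u_len)` sizes the stream buffer to the larger of the compressed and uncompressed lengths, which is the "properly sized buffer" the changelog describes as the fix for the heap overflow write; the visible context shows no upper bound on either length, so a corrupt header can still request a very large allocation, although the existing `if (!sinfo->s[stream].buf) { return -1; }` does handle malloc failure cleanly. Separately, the new 80-CVE-2017-8364-fill-buffer.patch file carries only the free-text line `Patch taken from the OpenSUSE leap 42.2 package` and no DEP-3 headers; please add at least `Description:`, `Origin:` and `Bug-Debian: https://bugs.debian.org/861614` so the provenance and the CVE reference are machine-readable.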