Control: tags 1084056 + patch Control: tags 1084056 + pending
Dear Dmitry, I've prepared an NMU for libgsf (versioned as 1.14.52-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru libgsf-1.14.52/debian/changelog libgsf-1.14.52/debian/changelog --- libgsf-1.14.52/debian/changelog 2024-05-02 10:06:47.000000000 +0200 +++ libgsf-1.14.52/debian/changelog 2024-10-05 15:02:44.000000000 +0200 @@ -1,3 +1,11 @@ +libgsf (1.14.52-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * OLE2: Fix allocation problems (CVE-2024-42415, CVE-2024-36474) + (Closes: #1084056) + + -- Salvatore Bonaccorso <car...@debian.org> Sat, 05 Oct 2024 15:02:44 +0200 + libgsf (1.14.52-1) unstable; urgency=medium * New upstream release. diff -Nru libgsf-1.14.52/debian/patches/OLE2-Fix-allocation-problems.patch libgsf-1.14.52/debian/patches/OLE2-Fix-allocation-problems.patch --- libgsf-1.14.52/debian/patches/OLE2-Fix-allocation-problems.patch 1970-01-01 01:00:00.000000000 +0100 +++ libgsf-1.14.52/debian/patches/OLE2-Fix-allocation-problems.patch 2024-10-05 15:02:26.000000000 +0200 @@ -0,0 +1,112 @@ +From: Morten Welinder <te...@gnome.org> +Date: Mon, 30 Sep 2024 20:47:29 -0400 +Subject: OLE2: Fix allocation problems. +Origin: https://gitlab.gnome.org/GNOME/libgsf/-/commit/06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0 +Bug: https://gitlab.gnome.org/GNOME/libgsf/-/issues/34 +Bug-Debian: https://bugs.debian.org/1084056 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-42415 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-36474 + +--- + ChangeLog | 9 +++++++++ + NEWS | 1 + + gsf/gsf-infile-msole.c | 27 +++++++++++++++++---------- + 3 files changed, 27 insertions(+), 10 deletions(-) + +diff --git a/gsf/gsf-infile-msole.c b/gsf/gsf-infile-msole.c +index e0a1cc52252b..b1f1c229712a 100644 +--- a/gsf/gsf-infile-msole.c ++++ b/gsf/gsf-infile-msole.c +@@ -302,7 +302,7 @@ datetime_from_filetime (guint64 ft) + * parent is optional. */ + static MSOleDirent * + ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent, +- guint8 *seen_before) ++ GByteArray *seen_before) + { + MSOleDirent *dirent; + guint32 block, next, prev, child, size; +@@ -315,12 +315,13 @@ ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent, + return NULL; + + g_return_val_if_fail (entry <= G_MAXUINT / DIRENT_SIZE, NULL); ++ g_return_val_if_fail (entry < seen_before->len, NULL); + + block = OLE_BIG_BLOCK (entry * DIRENT_SIZE, ole); + g_return_val_if_fail (block < ole->bat.num_blocks, NULL); + +- g_return_val_if_fail (!seen_before[entry], NULL); +- seen_before[entry] = TRUE; ++ g_return_val_if_fail (!seen_before->data[entry], NULL); ++ seen_before->data[entry] = TRUE; + + data = ole_get_block (ole, ole->bat.block [block], NULL); + if (data == NULL) +@@ -494,13 +495,14 @@ ole_init_info (GsfInfileMSOle *ole, GError **err) + { + static guint8 const signature[] = + { 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 }; +- guint8 *seen_before; ++ GByteArray *seen_before; + guint8 const *header, *tmp; + guint32 *metabat = NULL; + MSOleInfo *info; + guint32 bb_shift, sb_shift, num_bat, num_sbat, num_metabat, threshold, last, dirent_start; + guint32 metabat_block, *ptr; + gboolean fail; ++ size_t num_blocks, isize; + + /* check the header */ + if (gsf_input_seek (ole->input, 0, G_SEEK_SET) || +@@ -536,8 +538,9 @@ ole_init_info (GsfInfileMSOle *ole, GError **err) + * 2) It makes no sense to have a block larger than 2^31 for now. + * Maybe relax this later, but not much. + */ ++ isize = gsf_input_size (ole->input); + if (6 > bb_shift || bb_shift >= 31 || sb_shift > bb_shift || +- (gsf_input_size (ole->input) >> bb_shift) < 1) { ++ (isize >> bb_shift) < 1) { + if (err != NULL) + *err = g_error_new (gsf_input_error_id (), 0, + _("Unreasonable block sizes")); +@@ -557,7 +560,7 @@ ole_init_info (GsfInfileMSOle *ole, GError **err) + info->threshold = threshold; + info->sbat_start = GSF_LE_GET_GUINT32 (header + OLE_HEADER_SBAT_START); + info->num_sbat = num_sbat; +- info->max_block = (gsf_input_size (ole->input) - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size; ++ info->max_block = (isize - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size; + info->sb_file = NULL; + + if (info->num_sbat == 0 && +@@ -566,9 +569,11 @@ ole_init_info (GsfInfileMSOle *ole, GError **err) + g_warning ("There are not supposed to be any blocks in the small block allocation table, yet there is a link to some. Ignoring it."); + } + ++ num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE); ++ + /* very rough heuristic, just in case */ +- if (num_bat < info->max_block && info->num_sbat < info->max_block) { +- info->bb.bat.num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE); ++ if (num_bat < info->max_block && info->num_sbat < info->max_block && num_blocks < G_MAXINT) { ++ info->bb.bat.num_blocks = num_blocks; + info->bb.bat.block = g_new0 (guint32, info->bb.bat.num_blocks); + + metabat = g_try_new (guint32, MAX (info->bb.size, OLE_HEADER_SIZE)); +@@ -648,10 +653,12 @@ ole_init_info (GsfInfileMSOle *ole, GError **err) + } + + /* Read the directory */ +- seen_before = g_malloc0 ((ole->bat.num_blocks << info->bb.shift) * DIRENT_SIZE + 1); ++ seen_before = g_byte_array_new (); ++ g_byte_array_set_size (seen_before, ((size_t)(ole->bat.num_blocks) << info->bb.shift) / DIRENT_SIZE + 1); ++ memset (seen_before->data, 0, seen_before->len); + ole->dirent = info->root_dir = + ole_dirent_new (ole, 0, NULL, seen_before); +- g_free (seen_before); ++ g_byte_array_unref (seen_before); + if (ole->dirent == NULL) { + if (err != NULL) + *err = g_error_new (gsf_input_error_id (), 0, +-- +2.45.2 + diff -Nru libgsf-1.14.52/debian/patches/series libgsf-1.14.52/debian/patches/series --- libgsf-1.14.52/debian/patches/series 2018-04-29 05:49:09.000000000 +0200 +++ libgsf-1.14.52/debian/patches/series 2024-10-05 15:01:29.000000000 +0200 @@ -0,0 +1 @@ +OLE2-Fix-allocation-problems.patch
