Date:      Thu, 5 Mar 2015 22:56:33 +0000 (UTC)
From:      Rodrigo Osorio <rodrigo@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject:   svn commit: r380566 - in branches/2015Q1/archivers/unace: . files
Message-ID:  <201503052256.t25MuXLa033900@svn.freebsd.org>

Author: rodrigo
Date: Thu Mar  5 22:56:33 2015
New Revision: 380566
URL: https://svnweb.freebsd.org/changeset/ports/380566
QAT: https://qat.redports.org/buildarchive/r380566/

Log:
  MFH: r380498
  
  Add a patch to fix buffer overrun (CVE-2015-2063)
  Bump port revision
  Take the port maintainership
  
  PR:		198314
  Submitted by:	rodrigo
  Obtained from:	debian
  Security:	CVE-2015-2063
  Approved by:	ports-secteam

Added:
  branches/2015Q1/archivers/unace/files/patch-CVE-2015-2063
     - copied unchanged from r380498, head/archivers/unace/files/patch-CVE-2015-2063
Modified:
  branches/2015Q1/archivers/unace/Makefile
Directory Properties:
  branches/2015Q1/   (props changed)

Modified: branches/2015Q1/archivers/unace/Makefile
==============================================================================
--- branches/2015Q1/archivers/unace/Makefile	Thu Mar  5 22:52:30 2015	(r380565)
+++ branches/2015Q1/archivers/unace/Makefile	Thu Mar  5 22:56:33 2015	(r380566)
@@ -3,12 +3,12 @@
 
 PORTNAME=	unace
 PORTVERSION=	1.2b
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	archivers
 MASTER_SITES=	${MASTER_SITE_SUNSITE}
 MASTER_SITE_SUBDIR=	utils/compress
 
-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	rodrigo@FreeBSD.org
 COMMENT=	Extract, view & test ACE archives
 
 MAKE_JOBS_UNSAFE=	yes

Copied: branches/2015Q1/archivers/unace/files/patch-CVE-2015-2063 (from r380498, head/archivers/unace/files/patch-CVE-2015-2063)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ branches/2015Q1/archivers/unace/files/patch-CVE-2015-2063	Thu Mar  5 22:56:33 2015	(r380566, copy of r380498, head/archivers/unace/files/patch-CVE-2015-2063)
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover <guillem@debian.org>
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- unace.c
++++ unace.c
+@@ -113,6 +113,7 @@ INT  read_header(INT print_err)
+ {
+    USHORT rd,
+         head_size,
++        need_size,
+         crc_ok;
+    LONG crc;
+    UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT  read_header(INT print_err)
+ #endif
+                                         // read size_headrdb bytes into 
+    head_size = head.HEAD_SIZE;          // header structure 
++   need_size = 3;
++   if (need_size > head.HEAD_SIZE)
++      return 0;
+    rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+    if (read(archan, readbuf, rd) < rd)
+       return 0;
+@@ -147,7 +151,12 @@ INT  read_header(INT print_err)
+    head.HEAD_FLAGS=BUFP2WORD(tp);
+ 
+    if (head.HEAD_FLAGS & ACE_ADDSIZE)
++   {
++      need_size += 4;
++      if (need_size > head.HEAD_SIZE)
++         return 0;
+       skipsize = head.ADDSIZE = BUF2LONG(tp);   // get ADDSIZE
++   }
+    else
+       skipsize = 0;
+ 
+@@ -158,6 +167,9 @@ INT  read_header(INT print_err)
+    switch (head.HEAD_TYPE)              // specific buffer to head conversion
+    {
+       case MAIN_BLK:
++         need_size += 24;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+          mhead.VER_MOD=*tp++;
+          mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT  read_header(INT print_err)
+          mhead.RES2   =BUFP2WORD(tp);
+          mhead.RES    =BUFP2LONG(tp);
+          mhead.AV_SIZE=*tp++;
+-         memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++         if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++             mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(mhead.AV, tp, mhead.AV_SIZE);
+          break;
+       case FILE_BLK:
++         need_size += 28;
++         if (need_size > head.HEAD_SIZE)
++            return 0;
+          fhead.PSIZE     =BUFP2LONG(tp);
+          fhead.SIZE      =BUFP2LONG(tp);
+          fhead.FTIME     =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT  read_header(INT print_err)
+          fhead.TECH.PARM =BUFP2WORD(tp);
+          fhead.RESERVED  =BUFP2WORD(tp);
+          fhead.FNAME_SIZE=BUFP2WORD(tp);
+-         memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++         if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++             fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++            return 0;
++         memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+          break;
+ //    default: (REC_BLK and future things): 
+ //              do nothing 'cause isn't needed for extraction
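Review bot: The new bounds checks in read_header compare need_size with head.HEAD_SIZE, but readbuf was filled with only rd bytes, and rd is capped at size_headrdb whenever HEAD_SIZE is larger. A header declaring a HEAD_SIZE above size_headrdb can therefore pass every check while tp and the two memcpy sources reach bytes that this read() call did not fill; bounding against rd instead would close that, e.g. `if (need_size > rd) return 0;` and `mhead.AV_SIZE + need_size > rd` / `fhead.FNAME_SIZE + need_size > rd`. The FNAME test uses `>` against `sizeof(fhead.FNAME)`, so a name that fills the array exactly leaves no room for a terminator; if later code treats FNAME as a C string (not visible here), `>=` would be the safer bound. read_header begins and ends outside these hunks, so the size of readbuf relative to size_headrdb should be confirmed against the full file.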


