From owner-svn-ports-head@FreeBSD.ORG Thu Mar 5 14:31:10 2015 Return-Path: Delivered-To: svn-ports-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CBBDB923; Thu, 5 Mar 2015 14:31:10 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id B5885F58; Thu, 5 Mar 2015 14:31:10 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t25EVAZr082615; Thu, 5 Mar 2015 14:31:10 GMT (envelope-from rodrigo@FreeBSD.org) Received: (from rodrigo@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t25EVAI6082613; Thu, 5 Mar 2015 14:31:10 GMT (envelope-from rodrigo@FreeBSD.org) Message-Id: <201503051431.t25EVAI6082613@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: rodrigo set sender to rodrigo@FreeBSD.org using -f 
From: Rodrigo Osorio Date: Thu, 5 Mar 2015 14:31:10 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r380498 - in head/archivers/unace: . files X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-head@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the ports tree for head List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Mar 2015 14:31:10 -0000 Author: rodrigo Date: Thu Mar 5 14:31:09 2015 New Revision: 380498 URL: https://svnweb.freebsd.org/changeset/ports/380498 QAT: https://qat.redports.org/buildarchive/r380498/ Log: Add a patch to fix buffer overrun (CVE-2015-2063) Bump port revision Take the port maintenership PR: 198314 Submitted by: rodrigo Obtained from: debian MFH: 2015Q1 Security: CVE-2015-2063 Added: head/archivers/unace/files/patch-CVE-2015-2063 (contents, props changed) Modified: head/archivers/unace/Makefile Modified: head/archivers/unace/Makefile ============================================================================== --- head/archivers/unace/Makefile Thu Mar 5 14:22:53 2015 (r380497) +++ head/archivers/unace/Makefile Thu Mar 5 14:31:09 2015 (r380498) @@ -3,12 +3,12 @@ PORTNAME= unace PORTVERSION= 1.2b -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= archivers MASTER_SITES= ${MASTER_SITE_SUNSITE} MASTER_SITE_SUBDIR= utils/compress -MAINTAINER= ports@FreeBSD.org +MAINTAINER= rodrigo@FreeBSD.org COMMENT= Extract, view & test ACE archives MAKE_JOBS_UNSAFE= yes Added: head/archivers/unace/files/patch-CVE-2015-2063 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/archivers/unace/files/patch-CVE-2015-2063 Thu Mar 5 14:31:09 2015 (r380498) 
@@ -0,0 +1,88 @@
+Description: Fixes a buffer overflow when reading bogus file headers
+ The header parser was not checking if it had read enough data when trying
+ to parse the header from memory, causing it to accept files with headers
+ smaller than expected.
+ .
+ Fixes CVE-2015-2063.
+Author: Guillem Jover
+Origin: vendor
+Bug-Debian: https://bugs.debian.org/775003
+Forwarded: no
+Last-Update: 2015-02-24
+
+---
+ unace.c | 25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- unace.c
++++ unace.c
+@@ -113,6 +113,7 @@ INT read_header(INT print_err)
+ {
+ USHORT rd,
+ head_size,
++ need_size,
+ crc_ok;
+ LONG crc;
+ UCHAR *tp=readbuf;
+@@ -128,6 +129,9 @@ INT read_header(INT print_err)
+ #endif
+ // read size_headrdb bytes into
+ head_size = head.HEAD_SIZE; // header structure
++ need_size = 3;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ rd = (head_size > size_headrdb) ? size_headrdb : head_size;
+ if (read(archan, readbuf, rd) < rd)
+ return 0;
+@@ -147,7 +151,12 @@ INT read_header(INT print_err)
+ head.HEAD_FLAGS=BUFP2WORD(tp);
+
+ if (head.HEAD_FLAGS & ACE_ADDSIZE)
++ {
++ need_size += 4;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ skipsize = head.ADDSIZE = BUF2LONG(tp); // get ADDSIZE
++ }
+ else
+ skipsize = 0;
+
+@@ -158,6 +167,9 @@ INT read_header(INT print_err)
+ switch (head.HEAD_TYPE) // specific buffer to head conversion
+ {
+ case MAIN_BLK:
++ need_size += 24;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ memcpy(mhead.ACESIGN, tp, acesign_len); tp+=acesign_len;
+ mhead.VER_MOD=*tp++;
+ mhead.VER_CR =*tp++;
+@@ -168,9 +180,15 @@ INT read_header(INT print_err)
+ mhead.RES2 =BUFP2WORD(tp);
+ mhead.RES =BUFP2LONG(tp);
+ mhead.AV_SIZE=*tp++;
+- memcpy(mhead.AV, tp, rd-(USHORT)(tp-readbuf));
++ if (mhead.AV_SIZE > sizeof(mhead.AV) ||
++ mhead.AV_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(mhead.AV, tp, mhead.AV_SIZE);
+ break;
+ case FILE_BLK:
++ need_size += 28;
++ if (need_size > head.HEAD_SIZE)
++ return 0;
+ fhead.PSIZE =BUFP2LONG(tp);
+ fhead.SIZE =BUFP2LONG(tp);
+ fhead.FTIME =BUFP2LONG(tp);
+@@ -181,7 +199,10 @@ INT read_header(INT print_err)
+ fhead.TECH.PARM =BUFP2WORD(tp);
+ fhead.RESERVED =BUFP2WORD(tp);
+ fhead.FNAME_SIZE=BUFP2WORD(tp);
+- memcpy(fhead.FNAME, tp, rd-(USHORT)(tp-readbuf));
++ if (fhead.FNAME_SIZE > sizeof(fhead.FNAME) ||
++ fhead.FNAME_SIZE + need_size > head.HEAD_SIZE)
++ return 0;
++ memcpy(fhead.FNAME, tp, fhead.FNAME_SIZE);
+ break;
+ // default: (REC_BLK and future things):
+ // do nothing 'cause isn't needed for extraction
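Review bot: The new length checks compare `need_size` (and the `AV_SIZE`/`FNAME_SIZE` sums) against `head.HEAD_SIZE`, but `readbuf` only holds `rd` bytes, and `rd = (head_size > size_headrdb) ? size_headrdb : head_size;` shows that `rd` can be smaller than `HEAD_SIZE`. For a header that declares more than `size_headrdb` bytes, the checks in the nested hunks at `@@ -168,9 +180,15 @@` and `@@ -181,7 +199,10 @@` could therefore pass while the `memcpy` source runs past the data actually read; whether that is reachable depends on how `size_headrdb` relates to `sizeof(fhead.FNAME)` and `sizeof(mhead.AV)`, which the patch does not show. Bounding every post-read check by `rd` instead closes the gap, e.g. `fhead.FNAME_SIZE + need_size > rd` and `mhead.AV_SIZE + need_size > rd`. The `fhead.FNAME_SIZE > sizeof(fhead.FNAME)` test also admits a name that fills the array exactly, so if later code writes a terminator at index `FNAME_SIZE` the comparison would need to be `>=`. `read_header` starts and ends outside these hunks, so that later use cannot be confirmed from the patch alone.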