Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: haavard_aa...@yahoo.no
Added patch to fix CVE-2019-18849, bug #944851. The patch is identical to that applied in jessie, but I also controlled it against the upstream commit, to make sure nothing had changed and everything is included. [ Reason ] Fix: CVE-2019-18849 and bug: #944851 In tnef before 1.4.18, an attacker may be able to write to the victim's .ssh/authorized_keys file via an e-mail message with a crafted winmail.dat application/ms-tnef attachment, because of a heap-based buffer over-read involving strdup. [ Impact ] [ Tests ] None, but the original patch is from upstream. This exact patch has also been included in jessie since late 2019 [ Risks ] I consider the risk to be small since the code has been implemented by upstream and has been included in jessie. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] The changes is to prevent the possibility of not terminating strings with strdup() Regards, Håvard
diff -Nru tnef-1.4.12/debian/changelog tnef-1.4.12/debian/changelog --- tnef-1.4.12/debian/changelog 2017-05-29 15:03:02.000000000 +0200 +++ tnef-1.4.12/debian/changelog 2021-05-14 11:14:22.000000000 +0200 @@ -1,3 +1,15 @@ +tnef (1.4.12-1.2+deb10u1) buster; urgency=medium + + * Non-maintainer upload. + * CVE-2019-18849 + In tnef before 1.4.18, an attacker may be able to write to the + victim's .ssh/authorized_keys file via an e-mail message with a + crafted winmail.dat application/ms-tnef attachment, because of + a heap-based buffer over-read involving strdup. + Closes: #944851 + + -- Håvard Flaget Aasen <haavard_aa...@yahoo.no> Fri, 14 May 2021 11:14:22 +0200 + tnef (1.4.12-1.2) unstable; urgency=medium * Non-maintainer upload by the Wheezy LTS Team. (Closes: #862442) diff -Nru tnef-1.4.12/debian/patches/CVE-2019-18849.patch tnef-1.4.12/debian/patches/CVE-2019-18849.patch --- tnef-1.4.12/debian/patches/CVE-2019-18849.patch 1970-01-01 01:00:00.000000000 +0100 +++ tnef-1.4.12/debian/patches/CVE-2019-18849.patch 2021-05-14 11:11:07.000000000 +0200 @@ -0,0 +1,146 @@ +Description: This patch fixes CVE-2019-18849. + Fix strdup() on possibly unterminated string. +Author: Paul Dreik +Author: Utkarsh Gupta <guptautkarsh2...@gmail.com> +Origin: https://github.com/verdammelt/tnef/pull/40 +Bug-Debian: https://bugs.debian.org/944851 +Reviewed-by: Håvard Flaget Aasen <haavard_aa...@yahoo.no> +Last-Update: 2021-05-14 + +--- a/src/alloc.c ++++ b/src/alloc.c +@@ -72,13 +72,14 @@ + + /* attempts to malloc memory, if fails print error and call abort */ + void* +-xmalloc (size_t num, size_t size) ++xmalloc (size_t num, size_t size, size_t extra) + { + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); +- +- void *ptr = malloc (res); ++ if (res + extra < res) ++ abort(); ++ void *ptr = malloc (res + extra); + if (!ptr + && (size != 0)) /* some libc don't like size == 0 */ + { +@@ -90,41 +91,44 @@ + + /* Allocates memory but only up to a limit */ + void* +-checked_xmalloc (size_t num, size_t size) ++checked_xmalloc (size_t num, size_t size, size_t extra) + { + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); +- ++ if (res + extra < res) ++ abort(); + alloc_limit_assert ("checked_xmalloc", res); +- return xmalloc (num, size); ++ return xmalloc (num, size, extra); + } + + /* xmallocs memory and clears it out */ + void* +-xcalloc (size_t num, size_t size) ++xcalloc (size_t num, size_t size, size_t extra) + { + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + void *ptr; +- ptr = malloc(res); ++ if (res + extra < res) ++ abort(); ++ ptr = malloc(res + extra); + if (ptr) + { +- memset (ptr, '\0', (res)); ++ memset (ptr, '\0', (res + extra)); + } + return ptr; + } + + /* xcallocs memory but only up to a limit */ + void* +-checked_xcalloc (size_t num, size_t size) ++checked_xcalloc (size_t num, size_t size, size_t extra) + { + size_t res; + if (check_mul_overflow(num, size, &res)) + abort(); + + alloc_limit_assert ("checked_xcalloc", (res)); +- return xcalloc (num, size); ++ return xcalloc (num, size, extra); + } +--- a/src/alloc.h ++++ b/src/alloc.h +@@ -35,19 +35,23 @@ + extern void set_alloc_limit (size_t size); + extern size_t get_alloc_limit(); + extern void alloc_limit_assert (char *fn_name, size_t size); +-extern void* checked_xmalloc (size_t num, size_t size); +-extern void* xmalloc (size_t num, size_t size); +-extern void* checked_xcalloc (size_t num, size_t size); +-extern void* xcalloc (size_t num, size_t size); ++extern void* checked_xmalloc (size_t num, size_t size, size_t extra); ++extern void* xmalloc (size_t num, size_t size, size_t extra); ++extern void* checked_xcalloc (size_t num, size_t size, size_t extra); ++extern void* xcalloc (size_t num, size_t size, size_t extra); + + #define XMALLOC(_type,_num) \ +- ((_type*)xmalloc((_num), sizeof(_type))) ++ ((_type*)xmalloc((_num), sizeof(_type), 0)) + #define XCALLOC(_type,_num) \ +- ((_type*)xcalloc((_num), sizeof (_type))) ++ ((_type*)xcalloc((_num), sizeof (_type), 0)) + #define CHECKED_XMALLOC(_type,_num) \ +- ((_type*)checked_xmalloc((_num),sizeof(_type))) +-#define CHECKED_XCALLOC(_type,_num) \ +- ((_type*)checked_xcalloc((_num),sizeof(_type))) ++ ((_type*)checked_xmalloc((_num),sizeof(_type),0)) ++#define CHECKED_XMALLOC_ADDNULL(_type,_num) \ ++ ((_type*)checked_xmalloc((_num),sizeof(_type),1)) ++#define CHECKED_XCALLOC(_type,_num) \ ++ ((_type*)checked_xcalloc((_num),sizeof(_type),0)) ++#define CHECKED_XCALLOC_ADDNULL(_type,_num) \ ++ ((_type*)checked_xcalloc((_num),sizeof(_type),1)) + #define XFREE(_ptr) \ + do { if (_ptr) { free (_ptr); _ptr = 0; } } while (0) + +--- a/src/attr.c ++++ b/src/attr.c +@@ -244,7 +244,11 @@ + attr->type = (type_and_name >> 16); + attr->name = ((type_and_name << 16) >> 16); + attr->len = geti32(in); +- attr->buf = CHECKED_XCALLOC (unsigned char, attr->len); ++ /* Allocate an extra byte for the null terminator, ++ in case the input lacks it, ++ this avoids strdup() being invoked on possibly non-terminated ++ input later (file.c, file_add_attr()). */ ++ attr->buf = CHECKED_XCALLOC_ADDNULL(unsigned char, attr->len); + + (void)getbuf(in, attr->buf, attr->len); + +--- a/src/mapi_attr.c ++++ b/src/mapi_attr.c +@@ -314,8 +314,10 @@ + } + else + { +- v->data.buf = CHECKED_XMALLOC(unsigned char, v->len); ++ /* add space for a null terminator, in case of evil input */ ++ v->data.buf = CHECKED_XMALLOC_ADDNULL(unsigned char, v->len); + memmove (v->data.buf, buf+idx, v->len); ++ v->data.buf[v->len] = '\0'; + } + + idx += pad_to_4byte(v->len); diff -Nru tnef-1.4.12/debian/patches/series tnef-1.4.12/debian/patches/series --- tnef-1.4.12/debian/patches/series 2017-05-29 15:03:02.000000000 +0200 +++ tnef-1.4.12/debian/patches/series 2021-05-14 10:54:30.000000000 +0200 @@ -4,3 +4,4 @@ fix-regression-1.patch fix-regression-2.patch CVE-2017-8911.patch +CVE-2019-18849.patch
