tags 684078 + patch
tags 684078 + pending
thanks

Dear maintainer,

I've prepared an NMU for wv2 (versioned as 0.4.2.dfsg.1-9.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Willi Resetarits + Stubnblues: alanech fia dii

diff -Nru wv2-0.4.2.dfsg.1/debian/changelog wv2-0.4.2.dfsg.1/debian/changelog --- wv2-0.4.2.dfsg.1/debian/changelog 2012-03-25 06:15:20.000000000 +0200 +++ wv2-0.4.2.dfsg.1/debian/changelog 2012-08-26 15:21:08.000000000 +0200 @@ -1,3 +1,12 @@ +wv2 (0.4.2.dfsg.1-9.1) unstable; urgency=low + + * Non-maintainer upload. + * [SECURITY] Fix "Buffer overflow": + add patch buffer-overflow.patch, taken from calligra git. + (Closes: #684078) + + -- gregor herrmann <[email protected]> Sun, 26 Aug 2012 15:20:51 +0200 + wv2 (0.4.2.dfsg.1-9) unstable; urgency=low * Apply hardening to CFLAGS too (patch from Simon Ruderich in private mail). diff -Nru wv2-0.4.2.dfsg.1/debian/patches/buffer-overflow.patch wv2-0.4.2.dfsg.1/debian/patches/buffer-overflow.patch --- wv2-0.4.2.dfsg.1/debian/patches/buffer-overflow.patch 1970-01-01 01:00:00.000000000 +0100 +++ wv2-0.4.2.dfsg.1/debian/patches/buffer-overflow.patch 2012-08-26 15:22:03.000000000 +0200 
@@ -0,0 +1,25 @@ +Description: Make sure not to write behind the allocated memory + Validate the input data to not write behind the allocated memory. This + fixes a buffer overflow found by Charlie Miller. +Origin: https://projects.kde.org/projects/calligra/repository/revisions/8652ab672eaaa145dfb3782f5011de58aa4cc046 +Author: Thorsten Zachmann +Comment: change to original patch: + s/endl/std::endl/ +Bug-Debian: http://bugs.debian.org/684078 +Reviewed-by: gregor herrmann <[email protected]> +Last-Update: 2012-08-26 + +--- a/src/styles.cpp ++++ b/src/styles.cpp +@@ -188,6 +188,11 @@ bool STD::read( U16 baseSize, U16 totalS + #ifdef WV2_DEBUG_STYLESHEET + wvlog << "cbUPX: " << cbUPX << std::endl; + #endif ++ // do not overflow the allocated buffer grupx ++ if (offset + cbUPX > grupxLen) { ++ wvlog << "====> Error: grupx would overflow!" << std::endl; ++ return false; ++ } + for ( U16 j = 0; j < cbUPX; ++j ) { + grupx[ offset + j ] = stream->readU8(); // read the whole UPX + #ifdef WV2_DEBUG_STYLESHEET diff -Nru wv2-0.4.2.dfsg.1/debian/patches/series wv2-0.4.2.dfsg.1/debian/patches/series --- wv2-0.4.2.dfsg.1/debian/patches/series 2012-03-25 06:11:21.000000000 +0200 +++ wv2-0.4.2.dfsg.1/debian/patches/series 2012-08-26 14:49:44.000000000 +0200 @@ -4,3 +4,4 @@ avoid-writing-after-structures.patch fix-nan-and-inf-for-mips.patch glib-2.32-compat.patch +buffer-overflow.patch
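Review bot: The debian/changelog entry sets urgency=low on an upload it marks [SECURITY]; because urgency determines how long the package waits before migrating to testing, a buffer overflow fix would normally carry urgency=medium or high. The entry text Fix "Buffer overflow" also does not say where the overflow is; naming STD::read in src/styles.cpp, the function the patch touches, would make the entry useful to someone searching the changelog later.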
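Review bot: In the src/styles.cpp hunk of buffer-overflow.patch, the new check `if (offset + cbUPX > grupxLen)` depends on the types of offset and grupxLen, and neither declaration is visible in the context lines. If both operands of the addition are 16-bit types the sum is promoted to int and cannot wrap, but that should be confirmed against the full source and stated in the patch description, since a wrapped sum would let the comparison pass and the loop below would still write past grupx. It is also not visible whether grupx is released after the early `return false`, or whether callers of STD::read stop using the partially read style when it returns false; both are worth checking before the upload leaves DELAYED.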

