Control: tags -1 patch

Hi,

Upstream has released two patches to address the issue. I have verified
that they work by testing against the provided PoC files. They are
attached to the upstream bug reports, for example here:

https://github.com/extramaster/bchunk/issues/3

Please find attached the debdiff against the version in Sid. I have
already released a security update for Wheezy and could also get in
contact with the security team to do the same for Jessie and Stretch.

Please note that CVE-2017-15954 was also fixed with these two patches.

Regards,

Markus
diff -Nru bchunk-1.2.0/debian/changelog bchunk-1.2.0/debian/changelog
--- bchunk-1.2.0/debian/changelog       2012-03-27 08:44:45.000000000 +0200
+++ bchunk-1.2.0/debian/changelog       2017-11-02 15:59:38.000000000 +0100
@@ -1,3 +1,13 @@
+bchunk (1.2.0-12.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-15953, CVE-2017-15954 and CVE-2017-15955.
+    bchunk was vulnerable to a heap-based buffer overflow with an resultant
+    invalid free when processing a malformed CUE (.cue) file that may lead to
+    the execution of arbitrary code or a application crash.
+
+ -- Markus Koschany <a...@debian.org>  Thu, 02 Nov 2017 15:59:38 +0100
+
 bchunk (1.2.0-12) unstable; urgency=low
 
   * New maintainer. (Closes: #540585)
diff -Nru bchunk-1.2.0/debian/patches/CVE-2017-15953.patch 
bchunk-1.2.0/debian/patches/CVE-2017-15953.patch
--- bchunk-1.2.0/debian/patches/CVE-2017-15953.patch    1970-01-01 
01:00:00.000000000 +0100
+++ bchunk-1.2.0/debian/patches/CVE-2017-15953.patch    2017-11-02 
15:59:38.000000000 +0100
@@ -0,0 +1,36 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 2 Nov 2017 15:52:01 +0100
+Subject: CVE-2017-15953
+
+Bug-Debian: https://bugs.debian.org/880116
+Origin: 
https://github.com/rydnr/nixpkgs/blob/5643fd19cf46ae516c69b625cd09f5a6a8774b6f/pkgs/tools/cd-dvd/bchunk/CVE-2017-15953.patch
+---
+ bchunk.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/bchunk.c b/bchunk.c
+index 48c694b..733cfd1 100644
+--- a/bchunk.c
++++ b/bchunk.c
+@@ -18,6 +18,7 @@
+   *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+   */
+ 
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -271,11 +272,10 @@ int writetrack(FILE *bf, struct track_t *track, char 
*bname)
+       int16_t i;
+       float fl;
+       
+-      if (!(fname = malloc(strlen(bname) + 8))) {
+-              fprintf(stderr, "main(): malloc() failed, out of memory\n");
++      if (asprintf(&fname, "%s%2.2d.%s", bname, track->num, track->extension) 
== -1) {
++              fprintf(stderr, "writetrack(): asprintf() failed, out of 
memory\n");
+               exit(4);
+       }
+-      sprintf(fname, "%s%2.2d.%s", bname, track->num, track->extension);
+       
+       printf("%2d: %s ", track->num, fname);
+       
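Review bot: The patch header carries only `Subject: CVE-2017-15953` and no DEP-3 `Description:` line, so a reader of debian/patches has to reconstruct from the hunk why the change is needed; the same applies to CVE-2017-15955.patch. I would add `Description: writetrack(): build the output filename with asprintf() instead of malloc(strlen(bname) + 8) + sprintf(); the fixed size only allowed for a two-digit track number and an extension of at most four characters, so a longer extension or wider number overflowed the heap buffer.` asprintf() is a glibc/BSD extension rather than C or POSIX, which is why `_GNU_SOURCE` is defined before the first include; that is fine for Debian's glibc targets but deserves a one-line comment next to the define. writetrack() continues outside the hunk, so I cannot confirm where fname is released.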
diff -Nru bchunk-1.2.0/debian/patches/CVE-2017-15955.patch 
bchunk-1.2.0/debian/patches/CVE-2017-15955.patch
--- bchunk-1.2.0/debian/patches/CVE-2017-15955.patch    1970-01-01 
01:00:00.000000000 +0100
+++ bchunk-1.2.0/debian/patches/CVE-2017-15955.patch    2017-11-02 
15:59:38.000000000 +0100
@@ -0,0 +1,44 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 2 Nov 2017 15:54:51 +0100
+Subject: CVE-2017-15955
+
+Bug-Debian: https://bugs.debian.org/880116
+Origin: 
https://github.com/rydnr/nixpkgs/blob/5643fd19cf46ae516c69b625cd09f5a6a8774b6f/pkgs/tools/cd-dvd/bchunk/CVE-2017-15955.patch
+---
+ bchunk.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/bchunk.c b/bchunk.c
+index 733cfd1..60d3000 100644
+--- a/bchunk.c
++++ b/bchunk.c
+@@ -426,12 +426,12 @@ int main(int argc, char **argv)
+                       printf("\nTrack ");
+                       if (!(p = strchr(p, ' '))) {
+                               fprintf(stderr, "... ouch, no space after 
TRACK.\n");
+-                              continue;
++                              exit(3);
+                       }
+                       p++;
+                       if (!(t = strchr(p, ' '))) {
+                               fprintf(stderr, "... ouch, no space after track 
number.\n");
+-                              continue;
++                              exit(3);
+                       }
+                       *t = '\0';
+                       
+@@ -460,12 +460,12 @@ int main(int argc, char **argv)
+               } else if ((p = strstr(s, "INDEX"))) {
+                       if (!(p = strchr(p, ' '))) {
+                               printf("... ouch, no space after INDEX.\n");
+-                              continue;
++                              exit(3);
+                       }
+                       p++;
+                       if (!(t = strchr(p, ' '))) {
+                               printf("... ouch, no space after index 
number.\n");
+-                              continue;
++                              exit(3);
+                       }
+                       *t = '\0';
+                       t++;
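Review bot: The two INDEX error paths (`printf("... ouch, no space after INDEX.\n")` and `printf("... ouch, no space after index number.\n")`) now terminate the program with `exit(3)` yet still report on stdout, while the TRACK branch above reports the same class of error via `fprintf(stderr, ...)`; I would switch both to `fprintf(stderr, ...)` so the diagnostic is not lost when stdout is redirected and the two branches match. In the TRACK branch `printf("\nTrack ")` has already been emitted before the exit, so the last stdout line is left unterminated; a `fputc('\n', stdout);` before `exit(3);` would keep the listing clean. main() begins and ends outside the hunk, so I cannot see what open handles or allocations are left to exit()'s cleanup.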
diff -Nru bchunk-1.2.0/debian/patches/series bchunk-1.2.0/debian/patches/series
--- bchunk-1.2.0/debian/patches/series  2012-03-11 06:27:44.000000000 +0100
+++ bchunk-1.2.0/debian/patches/series  2017-11-02 15:59:38.000000000 +0100
@@ -1,2 +1,4 @@
 01-track-size.patch
 02-clarify-formats-in-help.patch
+CVE-2017-15953.patch
+CVE-2017-15955.patch

Attachment: signature.asc
Description: OpenPGP digital signature
