Dear Security Team,

The patch to fix multiple vulnerabilities identified by American Fuzzy Lop reported in #781228 caused a regression as reported in the GDAL issue tracker:

https://trac.osgeo.org/gdal/ticket/6200

The change to fix this regression was included in freexl (1.0.1-1~exp1), but not in the security updates for jessie (1.0.0g-1+deb8u1) & wheezy (1.0.0b-1+deb7u1).

I've prepared updates to fix this regression for jessie & wheezy, see the attached debdiffs.

Are these regression fixes appropriate for upload to {wheezy,jessie}-security or should they be uploaded to proposed-updates instead?

Kind Regards,

Bas

--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog --- freexl-1.0.0b/debian/changelog 2015-07-19 12:21:54.000000000 +0200 +++ freexl-1.0.0b/debian/changelog 2015-11-12 22:24:56.000000000 +0100 @@ -1,3 +1,9 @@ +freexl (1.0.0b-1+deb7u3) UNRELEASED; urgency=medium + + * Add patch to fix regression introduced by afl-vulnerabilitities.patch. + + -- Bas Couwenberg <[email protected]> Thu, 12 Nov 2015 22:04:49 +0100 + freexl (1.0.0b-1+deb7u2) wheezy-security; urgency=high * Add patch to fix 32 bit multiplication overflow. diff -Nru freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch --- freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.0b/debian/patches/afl-vulnerabilitities-regression.patch 2015-11-12 22:25:21.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Fix regression introduced by afl-vulnerabilitities.patch. + Initially reported as a bug in GDAL and traced to FreeXL, see: + https://trac.osgeo.org/gdal/ticket/6200 +Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=61618ce51a9b0c15&v2=4f9408c216ead322&sbs=1 +Author: Alessandro Furieri <[email protected]> +Bug-Debian: https://bugs.debian.org/781228 + +--- a/src/freexl.c ++++ b/src/freexl.c +@@ -3655,7 +3655,7 @@ read_biff_next_record (biff_workbook * w + unsigned int already_done; + unsigned int chunk = + workbook->sector_end - (workbook->p_in - workbook->sector_buf); +- if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf)) ++ if (workbook->sector_end < (workbook->p_in - workbook->sector_buf)) + return -1; + memcpy (workbook->record, workbook->p_in, chunk); + workbook->p_in += chunk; diff -Nru freexl-1.0.0b/debian/patches/series freexl-1.0.0b/debian/patches/series --- freexl-1.0.0b/debian/patches/series 2015-07-19 12:10:15.000000000 +0200 +++ freexl-1.0.0b/debian/patches/series 2015-11-12 22:23:41.000000000 +0100 
@@ -1,2 +1,3 @@ afl-vulnerabilitities.patch 32bit-multiplication-overflow.patch +afl-vulnerabilitities-regression.patch
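Review bot: the new debian/changelog stanza in the wheezy debdiff still says "UNRELEASED; urgency=medium", while the cover letter asks for an upload to wheezy-security and the stanza directly below it (1.0.0b-1+deb7u2) went to wheezy-security with urgency=high; set the distribution to the actual target (wheezy-security, or wheezy-proposed-updates if the security team prefers that route) and consider matching the urgency before uploading. On the src/freexl.c hunk in afl-vulnerabilitities-regression.patch, relaxing `<=` to `<` in read_biff_next_record makes the case `sector_end == (p_in - sector_buf)` legal again: `chunk` is then 0, the `memcpy` of zero bytes is well-defined and `p_in` is left unchanged, which is precisely the case the earlier AFL hardening rejected and thereby broke GDAL. The hunk ends right after `workbook->p_in += chunk;` and does not show how `already_done` and the move to the next sector are handled when nothing was copied, so it is worth confirming in the surrounding code that a zero-length chunk advances to the next sector rather than re-entering the loop with the same pointer. Minor: the DEP-3 `Bug-Debian:` field points at #781228, the original AFL report rather than a bug for the regression itself; if a Debian bug is filed for the regression, it should be listed here as well.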
diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog --- freexl-1.0.0g/debian/changelog 2015-07-19 13:45:38.000000000 +0200 +++ freexl-1.0.0g/debian/changelog 2015-11-12 22:10:04.000000000 +0100 @@ -1,3 +1,9 @@ +freexl (1.0.0g-1+deb8u3) UNRELEASED; urgency=medium + + * Add patch to fix regression introduced by afl-vulnerabilitities.patch. + + -- Bas Couwenberg <[email protected]> Thu, 12 Nov 2015 22:04:49 +0100 + freexl (1.0.0g-1+deb8u2) jessie-security; urgency=high * Add patch to fix 32 bit multiplication overflow. diff -Nru freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch --- freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 1970-01-01 01:00:00.000000000 +0100 +++ freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 2015-11-12 21:59:43.000000000 +0100 @@ -0,0 +1,18 @@ +Description: Fix regression introduced by afl-vulnerabilitities.patch. + Initially reported as a bug in GDAL and traced to FreeXL, see: + https://trac.osgeo.org/gdal/ticket/6200 +Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=61618ce51a9b0c15&v2=4f9408c216ead322&sbs=1 +Author: Alessandro Furieri <[email protected]> +Bug-Debian: https://bugs.debian.org/781228 + +--- a/src/freexl.c ++++ b/src/freexl.c +@@ -3770,7 +3770,7 @@ read_biff_next_record (biff_workbook * w + unsigned int already_done; + unsigned int chunk = + workbook->sector_end - (workbook->p_in - workbook->sector_buf); +- if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf)) ++ if (workbook->sector_end < (workbook->p_in - workbook->sector_buf)) + return -1; + memcpy (workbook->record, workbook->p_in, chunk); + workbook->p_in += chunk; diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series --- freexl-1.0.0g/debian/patches/series 2015-07-19 13:45:38.000000000 +0200 +++ freexl-1.0.0g/debian/patches/series 2015-11-12 21:51:03.000000000 +0100 
@@ -1,2 +1,3 @@ afl-vulnerabilitities.patch 32bit-multiplication-overflow.patch +afl-vulnerabilitities-regression.patch
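Review bot: the jessie debdiff has the same changelog issue as the wheezy one: the new stanza is "UNRELEASED; urgency=medium" while the 1.0.0g-1+deb8u2 stanza below it was uploaded to jessie-security with urgency=high, so set the distribution to jessie-security (or jessie-proposed-updates) and align the urgency before upload. The src/freexl.c hunk is the identical one-character change to read_biff_next_record at a different offset (@@ -3770 instead of @@ -3655), so the same check applies: with `<` the equal case now produces `chunk == 0` and a zero-byte `memcpy`, and the hunk does not show how the code after `already_done` proceeds when nothing was copied; verify once in the full function that this path advances to the next sector. The misspelt patch name afl-vulnerabilitities-regression.patch is consistent with the existing afl-vulnerabilitities.patch entry in debian/patches/series, so leaving it as-is in a stable update is reasonable.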
