Bug#866517: marked as done (jessie-pu: package unrar-nonfree/1:5.2.7-0.1+deb8u1)

[Debian Bug Tracking System]

Your message dated Sat, 22 Jul 2017 13:18:56 +0100
with message-id <1500725936.14212.4.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 8.9 fixes
has caused the Debian Bug report #866517,
regarding jessie-pu: package unrar-nonfree/1:5.2.7-0.1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866517
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I'd like to fix CVE-2012-6706 in jessie, see #865461 for details.
debdiff is attached.

The same request for stretch is at #866516

Cheers,
Felix

diff -Nru unrar-nonfree-5.2.7/debian/changelog 
unrar-nonfree-5.2.7/debian/changelog
--- unrar-nonfree-5.2.7/debian/changelog        2015-03-27 22:54:31.000000000 
+0100
+++ unrar-nonfree-5.2.7/debian/changelog        2017-06-22 20:47:18.000000000 
+0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.2.7-0.1+deb8u1) jessie; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+    - Backported from 5.5.5
+    - CVE-2012-6706
+    - Closes #865461
+
+ -- Felix Geyer <fge...@debian.org>  Thu, 22 Jun 2017 20:47:18 +0200
+
 unrar-nonfree (1:5.2.7-0.1) unstable; urgency=high
 
   * Non-maintainer upload.
diff -Nru unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706 
unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706    1970-01-01 
01:00:00.000000000 +0100
+++ unrar-nonfree-5.2.7/debian/patches/CVE-2012-6706    2017-06-22 
20:46:24.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+       {
+         int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || 
(uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+           break;
+ 
+         // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         const int Channels=3;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || 
DataSize<3 || Width>DataSize || PosR>2)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+@@ -1029,7 +1029,7 @@
+         int DataSize=R[4],Channels=R[0];
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || 
Channels==0)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -7,6 +7,12 @@
+ // Maximum number of filters per entire data block.
+ #define MAX_UNPACK_FILTERS       8192
+ 
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS      1024
++
+ // Maximum number of filters per entire data block for RAR3 unpack.
+ #define MAX3_FILTERS             1024
+ 
diff -Nru unrar-nonfree-5.2.7/debian/patches/series 
unrar-nonfree-5.2.7/debian/patches/series
--- unrar-nonfree-5.2.7/debian/patches/series   2013-08-15 16:56:10.000000000 
+0200
+++ unrar-nonfree-5.2.7/debian/patches/series   2017-06-22 20:46:33.000000000 
+0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706

--- End Message ---

--- Begin Message ---

Version: 8.9

Hi,

These bugs all relate for updates which were included in today's jessie
point release.

Regards,

Adam

--- End Message ---