Bug#866516: marked as done (stretch-pu: package unrar-nonfree/1:5.3.2-1+deb9u1)

Sat, 22 Jul 2017 05:28:19 -0700 

Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #866516,
regarding stretch-pu: package unrar-nonfree/1:5.3.2-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
866516: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866516
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,

I'd like to fix CVE-2012-6706 in stretch, see #865461 for details.
debdiff is attached.

Cheers,
Felix

diff -Nru unrar-nonfree-5.3.2/debian/changelog 
unrar-nonfree-5.3.2/debian/changelog
--- unrar-nonfree-5.3.2/debian/changelog        2015-08-10 14:58:20.000000000 
+0200
+++ unrar-nonfree-5.3.2/debian/changelog        2017-06-28 00:10:20.000000000 
+0200
@@ -1,3 +1,12 @@
+unrar-nonfree (1:5.3.2-1+deb9u1) stretch; urgency=medium
+
+  * Add bound checks for VMSF_DELTA, VMSF_RGB and VMSF_AUDIO paramters.
+    - Backported from 5.5.5
+    - CVE-2012-6706
+    - Closes #865461
+
+ -- Felix Geyer <fge...@debian.org>  Wed, 28 Jun 2017 00:10:20 +0200
+
 unrar-nonfree (1:5.3.2-1) unstable; urgency=medium
 
   * New upstream release (Closes: #759586)
diff -Nru unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706 
unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706
--- unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706    1970-01-01 
01:00:00.000000000 +0100
+++ unrar-nonfree-5.3.2/debian/patches/CVE-2012-6706    2017-06-22 
20:25:06.000000000 +0200
@@ -0,0 +1,44 @@
+--- unrar-nonfree-5.3.2.org/rarvm.cpp
++++ unrar-nonfree-5.3.2/rarvm.cpp
+@@ -965,7 +965,7 @@
+       {
+         int DataSize=R[4],Channels=R[0],SrcPos=0,Border=DataSize*2;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || 
(uint)Channels>MAX3_UNPACK_CHANNELS || Channels==0)
+           break;
+ 
+         // Bytes from same channels are grouped to continual data blocks,
+@@ -984,7 +984,7 @@
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         const int Channels=3;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || Width<0 || PosR<0 || 
DataSize<3 || Width>DataSize || PosR>2)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+@@ -1029,7 +1029,7 @@
+         int DataSize=R[4],Channels=R[0];
+         byte *SrcData=Mem,*DestData=SrcData+DataSize;
+         SET_VALUE(false,&Mem[VM_GLOBALMEMADDR+0x20],DataSize);
+-        if ((uint)DataSize>=VM_GLOBALMEMADDR/2)
++        if ((uint)DataSize>=VM_GLOBALMEMADDR/2 || (uint)Channels>128 || 
Channels==0)
+           break;
+         for (int CurChannel=0;CurChannel<Channels;CurChannel++)
+         {
+--- unrar-nonfree-5.3.2.orig/unpack.hpp
++++ unrar-nonfree-5.3.2/unpack.hpp
+@@ -13,6 +13,12 @@
+ // from two data blocks.
+ #define MAX3_UNPACK_FILTERS      8192
+ 
++// Limit maximum number of channels in RAR3 delta filter to some reasonable
++// value to prevent too slow processing of corrupt archives with invalid
++// channels number. Must be equal or larger than v3_MAX_FILTER_CHANNELS.
++// No need to provide it for RAR5, which uses only 5 bits to store channels.
++#define MAX3_UNPACK_CHANNELS      1024
++
+ // Write data in 4 MB or smaller blocks. Must not exceed PACK_MAX_WRITE,
+ // so we keep number of buffered filter in unpacker reasonable.
+ #define UNPACK_MAX_WRITE     0x400000
diff -Nru unrar-nonfree-5.3.2/debian/patches/series 
unrar-nonfree-5.3.2/debian/patches/series
--- unrar-nonfree-5.3.2/debian/patches/series   2013-08-15 16:56:10.000000000 
+0200
+++ unrar-nonfree-5.3.2/debian/patches/series   2017-06-22 20:20:22.000000000 
+0200
@@ -1 +1,2 @@
 fix-buildflags
+CVE-2012-6706

--- End Message ---
--- Begin Message --- 
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---

Reply via email to