Your message dated Sat, 22 Jul 2017 13:17:18 +0100
with message-id <1500725838.14212.3.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 9.1 p-u fixes
has caused the Debian Bug report #868459,
regarding stretch-pu: package libquicktime/2:1.2.4-10+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
868459: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868459
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hi,
some minor security fixes for libquicktime, identical to what's
already in unstable and also tested with reverse deps on stretch.

If it's too late for 9.1, 9.2 is also just fine.

Cheers,
        Moritz

diff -Nru libquicktime-1.2.4/debian/changelog 
libquicktime-1.2.4/debian/changelog
--- libquicktime-1.2.4/debian/changelog 2017-02-27 23:15:35.000000000 +0100
+++ libquicktime-1.2.4/debian/changelog 2017-07-13 18:31:44.000000000 +0200
@@ -1,3 +1,10 @@
+libquicktime (2:1.2.4-10+deb9u1) stretch; urgency=medium
+
+  * Fix CVE-2017-9122 to CVE-2017-9128, patch from 1.2.4-11 in unstable
+    (Closes: #864664)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Thu, 13 Jul 2017 20:29:10 +0200
+
 libquicktime (2:1.2.4-10) unstable; urgency=medium
 
   * Fix integer overflow in the quicktime_read_pascal function (CVE-2016-2399)
diff -Nru libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch 
libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch
--- libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch 1970-01-01 
01:00:00.000000000 +0100
+++ libquicktime-1.2.4/debian/patches/CVE-2017-9122_et_al.patch 2017-07-13 
18:28:48.000000000 +0200
@@ -0,0 +1,151 @@
+From: Burkhard Plaum <pl...@ipf.uni-stuttgart.de>
+Origin: 
https://sourceforge.net/p/libquicktime/mailman/libquicktime-devel/?viewmonth=201706
+
+Hi,
+
+I committed some (mostly trivial) updates to CVS. The following CVE's
+are fixed and/or no longer reproducible:
+
+CVE-2017-9122
+CVE-2017-9123
+CVE-2017-9124
+CVE-2017-9125
+CVE-2017-9126
+CVE-2017-9127
+CVE-2017-9128
+
+I was a bit surprised that one simple sanity check fixes a whole bunch of 
files.
+
+So it could be, that the problems are still there, but better hidden since the
+critical code isn't executed anymore with the sample files I got.
+
+If someone encounters more crashes, feel free to report them.
+
+Burkhard
+
+--- a/include/lqt_funcprotos.h
++++ b/include/lqt_funcprotos.h
+@@ -1345,9 +1345,9 @@ int quicktime_write_int32_le(quicktime_t
+ int quicktime_write_char32(quicktime_t *file, char *string);
+ float quicktime_read_fixed16(quicktime_t *file);
+ int quicktime_write_fixed16(quicktime_t *file, float number);
+-unsigned long quicktime_read_uint32(quicktime_t *file);
+-long quicktime_read_int32(quicktime_t *file);
+-long quicktime_read_int32_le(quicktime_t *file);
++uint32_t quicktime_read_uint32(quicktime_t *file);
++int32_t quicktime_read_int32(quicktime_t *file);
++int32_t quicktime_read_int32_le(quicktime_t *file);
+ int64_t quicktime_read_int64(quicktime_t *file);
+ int64_t quicktime_read_int64_le(quicktime_t *file);
+ long quicktime_read_int24(quicktime_t *file);
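Review bot: With `int32_t` as the return type of `quicktime_read_int32` and `quicktime_read_int32_le`, a field whose top bit is set now comes back negative on LP64 builds, where the old `long` return gave a large positive value. The call sites are not part of this patch, so any that use the result as a length, count or index should be checked for a `< 0` guard. `quicktime_read_int24` on the last context line keeps `long`; a short comment above the three changed prototypes, such as `/* fixed-width readers: range matches the on-disk field on every ABI */`, would record why they differ.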
+--- a/src/atom.c
++++ b/src/atom.c
+@@ -131,6 +131,9 @@ int quicktime_atom_read_header(quicktime
+                       atom->size = read_size64(header);
+                       atom->end = atom->start + atom->size;
+               }
++/* Avoid broken files */
++        if(atom->end > file->total_length)
++          result = 1;
+       }
+ 
+ 
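Review bot: The new `atom->end > file->total_length` test only rejects atoms that run past the end of the file. `atom->end` is computed two lines above as `atom->start + atom->size` from a 64-bit size taken from the file, so a negative or wrapping size can leave `end` at or below `start` and still pass. Assuming these fields are signed 64-bit (their declarations are outside the hunk), a guard that avoids the addition is safer: `if(atom->size < 0 || atom->size > file->total_length - atom->start) result = 1;`. It is also worth confirming that `total_length` is populated before the first header is read. The enclosing function starts and ends outside the hunk.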
+--- a/src/lqt_quicktime.c
++++ b/src/lqt_quicktime.c
+@@ -1788,8 +1788,8 @@ int quicktime_read_info(quicktime_t *fil
+                 quicktime_set_position(file, start_position);
+                 free(temp);
+ 
+-                quicktime_read_moov(file, &file->moov, &leaf_atom);
+-                got_header = 1;
++                if(!quicktime_read_moov(file, &file->moov, &leaf_atom))
++                  got_header = 1;
+                 }
+               else
+                 quicktime_atom_skip(file, &leaf_atom);
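Review bot: When `quicktime_read_moov` fails here, nothing moves the file position to the end of `leaf_atom`, so the surrounding code (outside the hunk, presumably a loop over top-level atoms) would keep reading atom headers from wherever the failed parse stopped inside the moov payload. The `else` branch already calls `quicktime_atom_skip(file, &leaf_atom)`; the failure path should either do the same or stop parsing. If the enclosing construct is a loop where leaving it means giving up, that could be `if(quicktime_read_moov(file, &file->moov, &leaf_atom)) break;` followed by `got_header = 1;`. A log line on the failure path would help whoever triages a rejected file.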
+--- a/src/moov.c
++++ b/src/moov.c
+@@ -218,7 +218,8 @@ int quicktime_read_moov(quicktime_t *fil
+               if(quicktime_atom_is(&leaf_atom, "trak"))
+               {
+                       quicktime_trak_t *trak = quicktime_add_trak(file);
+-                      quicktime_read_trak(file, trak, &leaf_atom);
++                      if(quicktime_read_trak(file, trak, &leaf_atom))
++                          return 1;
+               }
+               else
+               if(quicktime_atom_is(&leaf_atom, "udta"))
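Review bot: The early `return 1` leaves the track that `quicktime_add_trak` just registered in the moov structure, half-parsed. Whether the caller tears `file->moov` down after a non-zero return is not visible here; if it does not, later code walking the track list would meet a trak lacking the tables that the new check in trak.c requires. Either undo the add before returning or state the contract on the return, e.g. `/* caller must discard moov on error */`. The result of `quicktime_add_trak` is also passed on without a NULL check.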
+--- a/src/trak.c
++++ b/src/trak.c
+@@ -269,6 +269,14 @@ int quicktime_read_trak(quicktime_t *fil
+     else quicktime_atom_skip(file, &leaf_atom);
+     } while(quicktime_position(file) < trak_atom->end);
+ 
++  /* Do some sanity checks to prevent later crashes */
++  if(trak->mdia.minf.is_video || trak->mdia.minf.is_video)
++    {
++    if(!trak->mdia.minf.stbl.stsc.table ||
++       !trak->mdia.minf.stbl.stco.table)
++      return 1;
++    }
++
+ #if 1 
+   if(trak->mdia.minf.is_video &&
+      quicktime_match_32(trak->mdia.minf.stbl.stsd.table[0].format, "drac"))
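Review bot: Both operands of the new condition are `trak->mdia.minf.is_video`, so the second one is dead. It reads like a copy-paste slip for the audio flag, which would leave audio tracks without `stsc`/`stco` tables unchecked. If the struct has an `is_audio` member (not visible in this hunk), the line should be `if(trak->mdia.minf.is_video || trak->mdia.minf.is_audio)`. The context lines right after the new block index `stsd.table[0]` for video tracks, so adding `!trak->mdia.minf.stbl.stsd.table ||` to the inner test would cover that dereference as well. quicktime_read_trak starts outside the hunk.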
+--- a/src/util.c
++++ b/src/util.c
+@@ -647,10 +647,10 @@ int quicktime_write_fixed16(quicktime_t
+       return quicktime_write_data(file, data, 2);
+ }
+ 
+-unsigned long quicktime_read_uint32(quicktime_t *file)
++uint32_t quicktime_read_uint32(quicktime_t *file)
+ {
+-      unsigned long result;
+-      unsigned long a, b, c, d;
++      uint32_t result;
++      uint32_t a, b, c, d;
+       uint8_t data[4];
+ 
+       quicktime_read_data(file, data, 4);
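Review bot: `data` is still declared uninitialised and the result of `quicktime_read_data` is ignored, so on a short read at end of file the four bytes combined below are indeterminate stack contents. That matters more now that truncated files are an expected input. `uint8_t data[4] = {0};` gives the readers a defined value; checking the read result would be better still if the function reports failure (its prototype is not on this page). The same pattern is in the `quicktime_read_int32` and `quicktime_read_int32_le` hunks that follow.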
+@@ -663,10 +663,10 @@ unsigned long quicktime_read_uint32(quic
+       return result;
+ }
+ 
+-long quicktime_read_int32(quicktime_t *file)
++int32_t quicktime_read_int32(quicktime_t *file)
+ {
+-      unsigned long result;
+-      unsigned long a, b, c, d;
++      uint32_t result;
++      uint32_t a, b, c, d;
+       uint8_t data[4];
+ 
+       quicktime_read_data(file, data, 4);
+@@ -676,13 +676,13 @@ long quicktime_read_int32(quicktime_t *f
+       d = data[3];
+ 
+       result = (a << 24) | (b << 16) | (c << 8) | d;
+-      return (long)result;
++      return (int32_t)result;
+ }
+ 
+-long quicktime_read_int32_le(quicktime_t *file)
++int32_t quicktime_read_int32_le(quicktime_t *file)
+ {
+-      unsigned long result;
+-      unsigned long a, b, c, d;
++      uint32_t result;
++      uint32_t a, b, c, d;
+       uint8_t data[4];
+ 
+       quicktime_read_data(file, data, 4);
+@@ -692,7 +692,7 @@ long quicktime_read_int32_le(quicktime_t
+       d = data[3];
+ 
+       result = (d << 24) | (c << 16) | (b << 8) | a;
+-      return (long)result;
++      return (int32_t)result;
+ }
+ 
+ int64_t quicktime_read_int64(quicktime_t *file)
diff -Nru libquicktime-1.2.4/debian/patches/series 
libquicktime-1.2.4/debian/patches/series
--- libquicktime-1.2.4/debian/patches/series    2017-02-27 23:15:35.000000000 
+0100
+++ libquicktime-1.2.4/debian/patches/series    2017-07-13 18:29:03.000000000 
+0200
@@ -3,3 +3,4 @@
 libav10.patch
 ffmpeg_2.9.patch
 CVE-2016-2399.patch
+CVE-2017-9122_et_al.patch

--- End Message ---
--- Begin Message ---
Version: 9.1

Hi,

These bugs all relate to updates which were included in today's stretch
point release.

Regards,

Adam

--- End Message ---
