Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hello,
Several CVEs have been reported against liblouis in Bug#874302. The
upstream fixes have been tested for 6 days in Debian unstable, then 5
days in Debian testing.
I propose to upload them to stable too, as the attached debdiff shows.
Samuel
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500,
'testing-debug'), (500, 'stable-debug'), (500, 'oldoldstable'), (500,
'buildd-unstable'), (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1,
'experimental-debug'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/changelog liblouis-3.0.0/debian/changelog
--- liblouis-3.0.0/debian/changelog 2016-09-14 00:46:35.000000000 +0200
+++ liblouis-3.0.0/debian/changelog 2017-09-25 01:16:30.000000000 +0200
@@ -1,3 +1,14 @@
+liblouis (3.0.0-3+deb9u1) stretch; urgency=medium
+
+ * debian/patches/CVE-2017-13738-and-2017-13744.patch: New patch.
+ * debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch: New
+ patch
+ * debian/patches/CVE-2017-13741.patch: New patch.
+ * debian/patches/CVE-2017-13741-2.patch: New patch.
+ * debian/patches/CVE-2017-13743.patch: New patch.
+
+ -- Samuel Thibault <sthiba...@debian.org> Mon, 25 Sep 2017 01:16:30 +0200
+
liblouis (3.0.0-3) unstable; urgency=medium
* Upload to unstable.
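Review bot: the changelog entry never references the bug report, so the upload will not close it; add `(Closes: #874302)` to the entry, since the cover mail says these CVEs were reported in Bug#874302. Also, the second item ends in `New` / `patch` without a full stop, unlike the other four items.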
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
1970-01-01 01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgo...@suse.com>
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+ if (pch == '\\' && ch == 10)
+ {
+ nested->linelen--;
++ pch = ch;
+ continue;
+ }
+ if (ch == 10 || nested->linelen >= MAXSTRING)
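Review bot: the one-line fix does address the root cause: with the old `continue`, `pch` kept the value `'\\'`, so every further newline re-entered this branch and decremented `nested->linelen` again, eventually past zero, which is where the out-of-bounds write came from. Refreshing `pch = ch` before the `continue` stops that, but nothing in the visible lines still guards the decrement itself; a defensive `if (nested->linelen > 0)` around `nested->linelen--`, plus a regression test table containing a backslash followed by several blank lines, would pin the behaviour down.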
diff -Nru
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
---
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
1970-01-01 01:00:00.000000000 +0100
+++
liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
2017-09-25 01:14:10.000000000 +0200
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgo...@suse.com>
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
+
+ if (table == NULL || table[0] == '\0')
+ return NULL;
+- tableFile = (char *) malloc (MAXSTRING * sizeof(char));
++ tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
+
+ //
+ // First try to resolve against base
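Review bot: doubling the allocation sizes the buffer for the worst case the commit message describes (a base name and a subtable name of up to MAXSTRING each), but the copy into `tableFile` is not part of this hunk and, as far as the visible lines show, remains unbounded; a length-checked concatenation (snprintf with the allocated size) would make the fix hold regardless of the two names' lengths. No NULL check follows the `malloc` in the visible lines either, and since `sizeof(char)` is 1 by definition, `MAXSTRING * 2` reads more clearly than `MAXSTRING * sizeof(char) * 2`.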
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch
liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch 1970-01-01
01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741-2.patch 2017-09-25
01:14:10.000000000 +0200
@@ -0,0 +1,26 @@
+commit 1e36af516478e6c07fbc919541df226aac911fd7
+Author: Christian Egli <christian.e...@sbs.ch>
+Date: Thu Aug 31 13:41:23 2017 +0200
+
+ Fix a tiny problem in the CVE patches
+
+---
+ liblouis/compileTranslationTable.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3814,11 +3814,11 @@ doOpcode:
+ case CTO_Locale:
+ break;
+ case CTO_Undefined:
++ tmp_offset = table->undefined;
+ ok =
+- tmp_offset = table->undefined;
+ compileBrailleIndicator (nested, "undefined character opcode",
+ CTO_Undefined, &tmp_offset);
+- table->undefined = tmp_offset;
++ table->undefined = tmp_offset;
+ break;
+
+ case CTO_Match:
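Review bot: the `ok =` / `tmp_offset = table->undefined;` ordering corrected here should be fixed in CVE-2017-13741.patch itself rather than by a follow-up patch: as that patch stands, the statement reads `ok = tmp_offset = table->undefined;`, so `ok` receives the offset and the return value of `compileBrailleIndicator (...)` is discarded, leaving the error path for the undefined-character opcode dead between the two patches. Moving the assignment above `ok =` is the right fix; fold it into the parent patch, or at least keep this patch immediately after it in `series`. The `- table->undefined = tmp_offset;` / `+ table->undefined = tmp_offset;` pair is a whitespace-only change and can be dropped.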
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13741.patch
liblouis-3.0.0/debian/patches/CVE-2017-13741.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13741.patch 1970-01-01
01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13741.patch 2017-09-25
01:14:10.000000000 +0200
@@ -0,0 +1,269 @@
+commit af5791ea792acc0a9707738001aa1df3daff7a66
+Author: Mike Gorse <mgo...@suse.com>
+Date: Wed Aug 30 15:13:09 2017 -0500
+
+ Fix possible use after free when calling compileBrailleIndicator
+
+ CompileBrailleIndicator calls addRule, which may realloc the table header,
+ so it is unsafe to pass an out parameter under the assumption that the
+ value of table will not change.
+
+ Fixes CVE-2017-13741.
+
+---
+ liblouis/compileTranslationTable.c | 89
+++++++++++++++++++++++++++----------
+ 1 file changed, 67 insertions(+), 22 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -3782,6 +3782,7 @@ compileRule (FileInfo * nested)
+ int k, i;
+
+ noback = nofor = 0;
++ TranslationTableOffset tmp_offset;
+ doOpcode:
+ if (!getToken (nested, &token, NULL))
+ return 1; /*blank line */
+@@ -3814,8 +3815,10 @@ doOpcode:
+ break;
+ case CTO_Undefined:
+ ok =
++ tmp_offset = table->undefined;
+ compileBrailleIndicator (nested, "undefined character opcode",
+- CTO_Undefined, &table->undefined);
++ CTO_Undefined, &tmp_offset);
++ table->undefined = tmp_offset;
+ break;
+
+ case CTO_Match:
+@@ -3933,9 +3936,11 @@ doOpcode:
+ }
+
+ case CTO_BegCapsPhrase:
++ tmp_offset = table->emphRules[capsRule][begPhraseOffset];
+ ok =
+ compileBrailleIndicator (nested, "first word capital sign",
+- CTO_BegCapsPhraseRule,
&table->emphRules[capsRule][begPhraseOffset]);
++ CTO_BegCapsPhraseRule, &tmp_offset);
++ table->emphRules[capsRule][begPhraseOffset] = tmp_offset;
+ break;
+ case CTO_EndCapsPhrase:
+ switch (compileBeforeAfter(nested)) {
+@@ -3945,9 +3950,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[capsRule][endPhraseBeforeOffset];
+ ok =
+ compileBrailleIndicator (nested,
"capital sign before last word",
+- CTO_EndCapsPhraseBeforeRule,
&table->emphRules[capsRule][endPhraseBeforeOffset]);
++ CTO_EndCapsPhraseBeforeRule,
&tmp_offset);
++ table->emphRules[capsRule][endPhraseBeforeOffset] = tmp_offset;
+ break;
+ case 2: // after
+ if
(table->emphRules[capsRule][endPhraseBeforeOffset]) {
+@@ -3955,9 +3962,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[capsRule][endPhraseAfterOffset];
+ ok =
+ compileBrailleIndicator (nested,
"capital sign after last word",
+- CTO_EndCapsPhraseAfterRule,
&table->emphRules[capsRule][endPhraseAfterOffset]);
++ CTO_EndCapsPhraseAfterRule,
&tmp_offset);
++ table->emphRules[capsRule][endPhraseAfterOffset] = tmp_offset;
+ break;
+ default: // error
+ compileError (nested, "Invalid lastword
indicator location.");
+@@ -3966,28 +3975,38 @@ doOpcode:
+ }
+ break;
+ case CTO_BegCaps:
++ tmp_offset = table->emphRules[capsRule][begOffset];
+ ok =
+ compileBrailleIndicator (nested, "first letter capital sign",
+- CTO_BegCapsRule,
&table->emphRules[capsRule][begOffset]);
++ CTO_BegCapsRule, &tmp_offset);
++ table->emphRules[capsRule][begOffset] = tmp_offset;
+ break;
+ case CTO_EndCaps:
++ tmp_offset = table->emphRules[capsRule][endOffset];
+ ok =
+ compileBrailleIndicator (nested, "last letter capital sign",
+- CTO_EndCapsRule,
&table->emphRules[capsRule][endOffset]);
++ CTO_EndCapsRule, &tmp_offset);
++ table->emphRules[capsRule][endOffset] = tmp_offset;
+ break;
+ case CTO_CapsLetter:
++ tmp_offset = table->emphRules[capsRule][letterOffset];
+ ok =
+ compileBrailleIndicator (nested, "single letter capital sign",
+- CTO_CapsLetterRule,
&table->emphRules[capsRule][letterOffset]);
++ CTO_CapsLetterRule, &tmp_offset);
++ table->emphRules[capsRule][letterOffset] = tmp_offset;
+ break;
+ case CTO_BegCapsWord:
++ tmp_offset = table->emphRules[capsRule][begWordOffset];
+ ok =
+ compileBrailleIndicator (nested, "capital word", CTO_BegCapsWordRule,
+- &table->emphRules[capsRule][begWordOffset]);
++ &tmp_offset);
++ table->emphRules[capsRule][begWordOffset] = tmp_offset;
+ break;
+ case CTO_EndCapsWord:
++ tmp_offset = table->emphRules[capsRule][endWordOffset];
+ ok = compileBrailleIndicator(nested, "capital word stop",
+- CTO_EndCapsWordRule,
&table->emphRules[capsRule][endWordOffset]);
++ CTO_EndCapsWordRule, &tmp_offset);
++ table->emphRules[capsRule][endWordOffset] = tmp_offset;
+ break;
+ case CTO_LenCapsPhrase:
+ ok = table->emphRules[capsRule][lenPhraseOffset] = compileNumber
(nested);
+@@ -4112,19 +4131,25 @@ doOpcode:
+ }
+ i++; // in table->emphRules the first index is used for caps
+ if (opcode == CTO_EmphLetter) {
++ tmp_offset = table->emphRules[i][letterOffset];
+ ok = compileBrailleIndicator (nested, "single letter",
+ CTO_Emph1LetterRule + letterOffset + (8 * i),
+- &table->emphRules[i][letterOffset]);
++ &tmp_offset);
++ table->emphRules[i][letterOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmphWord) {
++ tmp_offset = table->emphRules[i][begWordOffset];
+ ok = compileBrailleIndicator (nested, "word",
+ CTO_Emph1LetterRule + begWordOffset + (8 * i),
+- &table->emphRules[i][begWordOffset]);
++ &tmp_offset);
++ table->emphRules[i][begWordOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmphWord) {
++ tmp_offset = table->emphRules[i][endWordOffset];
+ ok = compileBrailleIndicator(nested, "word stop",
+ CTO_Emph1LetterRule + endWordOffset + (8 * i),
+- &table->emphRules[i][endWordOffset]);
++ &tmp_offset);
++ table->emphRules[i][endWordOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmph) {
+ /* fail if both begemph and any of begemphphrase or
begemphword are defined */
+@@ -4133,9 +4158,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][begOffset];
+ ok = compileBrailleIndicator (nested, "first letter",
+ CTO_Emph1LetterRule + begOffset + (8 * i),
+- &table->emphRules[i][begOffset]);
++ &tmp_offset);
++ table->emphRules[i][begOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmph) {
+ if (table->emphRules[i][endWordOffset] ||
table->emphRules[i][endPhraseBeforeOffset] ||
table->emphRules[i][endPhraseAfterOffset]) {
+@@ -4143,14 +4170,18 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset = table->emphRules[i][endOffset];
+ ok = compileBrailleIndicator (nested, "last letter",
+ CTO_Emph1LetterRule + endOffset + (8 * i),
+- &table->emphRules[i][endOffset]);
++ &tmp_offset);
++ table->emphRules[i][endOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_BegEmphPhrase) {
++ tmp_offset = table->emphRules[i][begPhraseOffset];
+ ok = compileBrailleIndicator (nested, "first word",
+ CTO_Emph1LetterRule + begPhraseOffset + (8 * i),
+- &table->emphRules[i][begPhraseOffset]);
++ &tmp_offset);
++ table->emphRules[i][begPhraseOffset] = tmp_offset;
+ }
+ else if (opcode == CTO_EndEmphPhrase)
+ switch (compileBeforeAfter(nested)) {
+@@ -4160,9 +4191,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset =
table->emphRules[i][endPhraseBeforeOffset];
+ ok = compileBrailleIndicator (nested,
"last word before",
+ CTO_Emph1LetterRule +
endPhraseBeforeOffset + (8 * i),
+-
&table->emphRules[i][endPhraseBeforeOffset]);
++ &tmp_offset);
++
table->emphRules[i][endPhraseBeforeOffset] = tmp_offset;
+ break;
+ case 2: // after
+ if
(table->emphRules[i][endPhraseBeforeOffset]) {
+@@ -4170,9 +4203,11 @@ doOpcode:
+ ok = 0;
+ break;
+ }
++ tmp_offset =
table->emphRules[i][endPhraseAfterOffset];
+ ok = compileBrailleIndicator (nested,
"last word after",
+ CTO_Emph1LetterRule +
endPhraseAfterOffset + (8 * i),
+-
&table->emphRules[i][endPhraseAfterOffset]);
++ &tmp_offset);
++
table->emphRules[i][endPhraseAfterOffset] = tmp_offset;
+ break;
+ default: // error
+ compileError (nested, "Invalid lastword
indicator location.");
+@@ -4186,9 +4221,11 @@ doOpcode:
+ break;
+
+ case CTO_LetterSign:
++ tmp_offset = table->letterSign;
+ ok =
+ compileBrailleIndicator (nested, "letter sign", CTO_LetterRule,
+- &table->letterSign);
++ &tmp_offset);
++ table->letterSign = tmp_offset;
+ break;
+ case CTO_NoLetsignBefore:
+ if (getRuleCharsText (nested, &ruleChars))
+@@ -4232,9 +4269,11 @@ doOpcode:
+ }
+ break;
+ case CTO_NumberSign:
++ tmp_offset = table->numberSign;
+ ok =
+ compileBrailleIndicator (nested, "number sign", CTO_NumberRule,
+- &table->numberSign);
++ &tmp_offset);
++ table->numberSign = tmp_offset;
+ break;
+
+ case CTO_Attribute:
+@@ -4330,8 +4369,10 @@ doOpcode:
+
+ case CTO_NoContractSign:
+
++ tmp_offset = table->noContractSign;
+ ok = compileBrailleIndicator
+- (nested, "no contractions sign", CTO_NoContractRule,
&table->noContractSign);
++ (nested, "no contractions sign", CTO_NoContractRule,
&tmp_offset);
++ table->noContractSign = tmp_offset;
+ break;
+
+ case CTO_SeqDelimiter:
+@@ -4446,14 +4487,18 @@ doOpcode:
+ break;
+
+ case CTO_BegComp:
++ tmp_offset = table->begComp;
+ ok =
+ compileBrailleIndicator (nested, "begin computer braille",
+- CTO_BegCompRule, &table->begComp);
++ CTO_BegCompRule, &tmp_offset);
++ table->begComp = tmp_offset;
+ break;
+ case CTO_EndComp:
++ tmp_offset = table->endComp;
+ ok =
+ compileBrailleIndicator (nested, "end computer braslle",
+- CTO_EndCompRule, &table->endComp);
++ CTO_EndCompRule, &tmp_offset);
++ table->endComp = tmp_offset;
+ break;
+ case CTO_Syllable:
+ table->syllables = 1;
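Review bot: in the `CTO_Undefined` case the new line `tmp_offset = table->undefined;` is inserted between `ok =` and the `compileBrailleIndicator (...)` call, so the statement becomes `ok = tmp_offset = table->undefined;` and the call's return value is discarded; the assignment must precede `ok =`, as it does in every other case touched by this patch. More generally, the copy-to-temporary / call / write-back sequence is repeated by hand roughly twenty-five times, and a single missed write-back would silently lose a rule offset while still compiling; a small helper that takes the position of the field within `table` (re-derived after the call) instead of a raw pointer would make the invariant the commit message states, that `table` may move during `addRule`, hold by construction. Minor: `TranslationTableOffset tmp_offset;` is declared after the `noback = nofor = 0;` statement (C99 mixed declarations); it belongs with `int k, i;`. The misspelling `braslle` in the `CTO_EndComp` message is pre-existing context, not introduced here.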
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13743.patch
liblouis-3.0.0/debian/patches/CVE-2017-13743.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13743.patch 1970-01-01
01:00:00.000000000 +0100
+++ liblouis-3.0.0/debian/patches/CVE-2017-13743.patch 2017-09-25
01:14:10.000000000 +0200
@@ -0,0 +1,46 @@
+commit 98eebd7564595b2403a8573c0725a38519546445
+Author: Christian Egli <christian.e...@sbs.ch>
+Date: Fri Sep 1 15:12:30 2017 +0200
+
+ Guard against buffer overflow in _lou_showString
+
+ I believe this fixes #397 and hence CVE-2017-13743
+
+---
+ liblouis/compileTranslationTable.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/liblouis/compileTranslationTable.c
++++ b/liblouis/compileTranslationTable.c
+@@ -351,7 +351,7 @@ showString (widechar const *chars, int l
+ int charPos;
+ int bufPos = 0;
+ scratchBuf[bufPos++] = '\'';
+- for (charPos = 0; charPos < length; charPos++)
++ for (charPos = 0; charPos < length && bufPos < (MAXSTRING-2); charPos++)
+ {
+ if (chars[charPos] >= 32 && chars[charPos] < 127)
+ scratchBuf[bufPos++] = (char) chars[charPos];
+@@ -388,14 +388,14 @@ showString (widechar const *chars, int l
+ leadingZeros = 0;
+ break;
+ }
+- if ((bufPos + leadingZeros + hexLength + 4) >= sizeof (scratchBuf))
+- break;
+- scratchBuf[bufPos++] = '\\';
+- scratchBuf[bufPos++] = escapeLetter;
+- for (hexPos = 0; hexPos < leadingZeros; hexPos++)
+- scratchBuf[bufPos++] = '0';
+- for (hexPos = 0; hexPos < hexLength; hexPos++)
+- scratchBuf[bufPos++] = hexbuf[hexPos];
++ if ((bufPos + leadingZeros + hexLength + 4) < (MAXSTRING-2)) {
++ scratchBuf[bufPos++] = '\\';
++ scratchBuf[bufPos++] = escapeLetter;
++ for (hexPos = 0; hexPos < leadingZeros; hexPos++)
++ scratchBuf[bufPos++] = '0';
++ for (hexPos = 0; hexPos < hexLength; hexPos++)
++ scratchBuf[bufPos++] = hexbuf[hexPos];
++ }
+ }
+ }
+ scratchBuf[bufPos++] = '\'';
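Review bot: the two new bounds use the literal `MAXSTRING-2` where the code they replace used `sizeof (scratchBuf)`; the two agree only if `scratchBuf` is declared with exactly `MAXSTRING` bytes, which this hunk does not show, so either write `sizeof (scratchBuf) - 2` or add a comment stating that relationship. The behavioural change also deserves a line in the commit message: the old code stopped at the first escape sequence that did not fit, whereas the new code skips that escape and keeps appending later characters, so a truncated debug string can now lose characters from the middle rather than from the tail. The `-2` correctly reserves room for the closing quote written after the loop and the terminator.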
diff -Nru liblouis-3.0.0/debian/patches/series
liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series 1970-01-01 01:00:00.000000000
+0100
+++ liblouis-3.0.0/debian/patches/series 2017-09-25 01:14:10.000000000
+0200
@@ -0,0 +1,5 @@
+CVE-2017-13738-and-2017-13744.patch
+CVE-2017-13739-and-2017-13740-and-2017-13742.patch
+CVE-2017-13743.patch
+CVE-2017-13741.patch
+CVE-2017-13741-2.patch
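Review bot: the order is right where it matters: CVE-2017-13741-2.patch follows CVE-2017-13741.patch, which it fixes up, and the two are adjacent. CVE-2017-13743.patch sitting out of numeric order between the other entries is harmless, but worth a brief mention in the changelog if it is intentional.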