Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package aspell This upload deals with CVE-2019-25051, fixing a buffer overflow. This has been reported in Debian BTS as severity grave #991307, closed by this upload. Package is already built for all arches. 000-objstack-assert-that-the-alloc-size-will-fit-within-.patch is borrowed from upstream (attached along with the debdiff for easier inspection). Pasting from #991307 for further info: --- 8< ------------------------------------------------------------------ The following vulnerability was published for aspell. CVE-2019-25051[0]: | objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in | acommon::ObjStack::dup_top (called from acommon::StringMap::add and | acommon::Config::lookup_list). https://github.com/google/oss-fuzz-vulns/blob/main/vulns/aspell/OSV-2020-521.yaml https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18462 Patch: https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2019-25051 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25051 Please adjust the affected versions in the BTS as needed. --- 8< ------------------------------------------------------------------ Regards, unblock aspell/0.60.8-3
diff -Nru aspell-0.60.8/debian/changelog aspell-0.60.8/debian/changelog --- aspell-0.60.8/debian/changelog 2020-12-28 15:24:45.000000000 +0100 +++ aspell-0.60.8/debian/changelog 2021-07-20 23:42:34.000000000 +0200 @@ -1,3 +1,11 @@ +aspell (0.60.8-3) unstable; urgency=medium + + * 000-objstack-assert-that-the-alloc-size-will-fit-within-.patch: + Fix CVE-2019-25051: objstack in GNU Aspell 0.60.8 has a heap-based + buffer overflow (Closes: #991307). + + -- Agustin Martin Domingo <agmar...@debian.org> Tue, 20 Jul 2021 23:42:34 +0200 + aspell (0.60.8-2) unstable; urgency=medium [ Debian Janitor ] diff -Nru aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch --- aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch 1970-01-01 01:00:00.000000000 +0100 +++ aspell-0.60.8/debian/patches/1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch 2021-07-20 23:37:07.000000000 +0200 @@ -0,0 +1,102 @@ +From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 +From: Kevin Atkinson <kev...@gnu.org> +Date: Sat, 21 Dec 2019 20:32:47 +0000 +Bug-Debian: https://bugs.debian.org/991307 +Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk + to prevent a buffer overflow + +Bug found using OSS-Fuze. +- +https://security-tracker.debian.org/tracker/CVE-2019-25051 +--- + common/objstack.hpp | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/common/objstack.hpp b/common/objstack.hpp +index 3997bf7..bd97ccd 100644 +--- a/common/objstack.hpp ++++ b/common/objstack.hpp +@@ -5,6 +5,7 @@ + #include "parm_string.hpp" + #include <stdlib.h> + #include <assert.h> ++#include <stddef.h> + + namespace acommon { + +@@ -26,6 +27,12 @@ class ObjStack + byte * temp_end; + void setup_chunk(); + void new_chunk(); ++ bool will_overflow(size_t sz) const { ++ return offsetof(Node,data) + sz > chunk_size; ++ } ++ void check_size(size_t sz) { ++ assert(!will_overflow(sz)); ++ } + + ObjStack(const ObjStack &); + void operator=(const ObjStack &); +@@ -56,7 +63,7 @@ public: + void * alloc_bottom(size_t size) { + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} ++ if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} + return tmp; + } + // This alloc_bottom will insure that the object is aligned based on the +@@ -66,7 +73,7 @@ public: + align_bottom(align); + byte * tmp = bottom; + bottom += size; +- if (bottom > top) {new_chunk(); goto loop;} ++ if (bottom > top) {check_size(size); new_chunk(); goto loop;} + return tmp; + } + char * dup_bottom(ParmString str) { +@@ -79,7 +86,7 @@ public: + // always be aligned as such. + void * alloc_top(size_t size) { + top -= size; +- if (top < bottom) {new_chunk(); top -= size;} ++ if (top < bottom) {check_size(size); new_chunk(); top -= size;} + return top; + } + // This alloc_top will insure that the object is aligned based on +@@ -88,7 +95,7 @@ public: + {loop: + top -= size; + align_top(align); +- if (top < bottom) {new_chunk(); goto loop;} ++ if (top < bottom) {check_size(size); new_chunk(); goto loop;} + return top; + } + char * dup_top(ParmString str) { +@@ -117,6 +124,7 @@ public: + void * alloc_temp(size_t size) { + temp_end = bottom + size; + if (temp_end > top) { ++ check_size(size); + new_chunk(); + temp_end = bottom + size; + } +@@ -131,6 +139,7 @@ public: + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +@@ -150,6 +159,7 @@ public: + } else { + size_t s = temp_end - bottom; + byte * p = bottom; ++ check_size(size); + new_chunk(); + memcpy(bottom, p, s); + temp_end = bottom + size; +-- +2.32.0 + diff -Nru aspell-0.60.8/debian/patches/series aspell-0.60.8/debian/patches/series --- aspell-0.60.8/debian/patches/series 2020-04-29 11:24:37.000000000 +0200 +++ aspell-0.60.8/debian/patches/series 2021-07-20 23:32:13.000000000 +0200 @@ -5,3 +5,4 @@ 07_filter.diff 08_filters-info-installdir.diff 09_debian-dictdir.diff +1000-objstack-assert-that-the-alloc-size-will-fit-within-.patch
From 0718b375425aad8e54e1150313b862e4c6fd324a Mon Sep 17 00:00:00 2001 From: Kevin Atkinson <kev...@gnu.org> Date: Sat, 21 Dec 2019 20:32:47 +0000 Bug-Debian: https://bugs.debian.org/991307 Subject: [PATCH] objstack: assert that the alloc size will fit within a chunk to prevent a buffer overflow Bug found using OSS-Fuze. - https://security-tracker.debian.org/tracker/CVE-2019-25051 --- common/objstack.hpp | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/common/objstack.hpp b/common/objstack.hpp index 3997bf7..bd97ccd 100644 --- a/common/objstack.hpp +++ b/common/objstack.hpp @@ -5,6 +5,7 @@ #include "parm_string.hpp" #include <stdlib.h> #include <assert.h> +#include <stddef.h> namespace acommon { @@ -26,6 +27,12 @@ class ObjStack byte * temp_end; void setup_chunk(); void new_chunk(); + bool will_overflow(size_t sz) const { + return offsetof(Node,data) + sz > chunk_size; + } + void check_size(size_t sz) { + assert(!will_overflow(sz)); + } ObjStack(const ObjStack &); void operator=(const ObjStack &); @@ -56,7 +63,7 @@ public: void * alloc_bottom(size_t size) { byte * tmp = bottom; bottom += size; - if (bottom > top) {new_chunk(); tmp = bottom; bottom += size;} + if (bottom > top) {check_size(size); new_chunk(); tmp = bottom; bottom += size;} return tmp; } // This alloc_bottom will insure that the object is aligned based on the @@ -66,7 +73,7 @@ public: align_bottom(align); byte * tmp = bottom; bottom += size; - if (bottom > top) {new_chunk(); goto loop;} + if (bottom > top) {check_size(size); new_chunk(); goto loop;} return tmp; } char * dup_bottom(ParmString str) { @@ -79,7 +86,7 @@ public: // always be aligned as such. void * alloc_top(size_t size) { top -= size; - if (top < bottom) {new_chunk(); top -= size;} + if (top < bottom) {check_size(size); new_chunk(); top -= size;} return top; } // This alloc_top will insure that the object is aligned based on @@ -88,7 +95,7 @@ public: {loop: top -= size; align_top(align); - if (top < bottom) {new_chunk(); goto loop;} + if (top < bottom) {check_size(size); new_chunk(); goto loop;} return top; } char * dup_top(ParmString str) { @@ -117,6 +124,7 @@ public: void * alloc_temp(size_t size) { temp_end = bottom + size; if (temp_end > top) { + check_size(size); new_chunk(); temp_end = bottom + size; } @@ -131,6 +139,7 @@ public: } else { size_t s = temp_end - bottom; byte * p = bottom; + check_size(size); new_chunk(); memcpy(bottom, p, s); temp_end = bottom + size; @@ -150,6 +159,7 @@ public: } else { size_t s = temp_end - bottom; byte * p = bottom; + check_size(size); new_chunk(); memcpy(bottom, p, s); temp_end = bottom + size; -- 2.32.0
signature.asc
Description: PGP signature
