Request for patch review (brotli)

2020-10-25 Thread Roberto C. Sánchez
Hi fellow LTS folks,

I am working on the update for brotli as it relates to CVE-2020-8927.
The upstream Git project contains a commit [0] which fixes the issue
along with several other issues in the same commit.  However, there does
not appear to be any available information regarding the specifics of
the vulnerability nor is there a PoC that can be used to validate the
fix.  There also appears to be no prior iteration of the PR which
contains the changes in separate commits.

That said, I have done my best to exclude the parts of the upstream
commit that do not appear related to CVE-2020-8927 and then to backport
the remainder to brotli as it exists in stretch.  I would like it if
someone else could review the attached patch, comparing it to the
upstream commit, and provide feedback on the completeness of the patch.

Please make sure to follow up with a reply to the list before reviewing
so that there is not duplicate work on this.

Regards,

-Roberto

[0] https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
From 223d80cfbec8fd346e32906c732c8ede21f0cea6 Mon Sep 17 00:00:00 2001
From: Eugene Kliuchnikov 
Date: Wed, 26 Aug 2020 12:32:27 +0200
Subject: [PATCH] Update (#826)

 * IMPORTANT: decoder: fix potential overflow when input chunk is >2GiB

[rcs: backport; also note that the upstream PR has many additional changes which were excluded from backporting]

---
 common/constants.c |   15 +++
 common/constants.h |   18 ++
 dec/bit_reader.c   |   11 +++
 dec/bit_reader.h   |   19 +++
 dec/decode.c       |    9 +
 dec/prefix.h       |   18 --
 setup.py           |    1 +
 7 files changed, 57 insertions(+), 34 deletions(-)

--- a/dec/bit_reader.c
+++ b/dec/bit_reader.c
@@ -15,6 +15,17 @@
 extern "C" {
 #endif
 
+const uint32_t kBrotliBitMask[33] = { 0x,
+0x0001, 0x0003, 0x0007, 0x000F,
+0x001F, 0x003F, 0x007F, 0x00FF,
+0x01FF, 0x03FF, 0x07FF, 0x0FFF,
+0x1FFF, 0x3FFF, 0x7FFF, 0x,
+0x0001, 0x0003, 0x0007, 0x000F,
+0x001F, 0x003F, 0x007F, 0x00FF,
+0x01FF, 0x03FF, 0x07FF, 0x0FFF,
+0x1FFF, 0x3FFF, 0x7FFF, 0x
+};
+
 void BrotliInitBitReader(BrotliBitReader* const br) {
   br->val_ = 0;
   br->bit_pos_ = sizeof(br->val_) << 3;
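Review bot: several initializers in this copy of the hunk are not valid C: `0x,` on the first line and the bare `0x` closing each 0x7FFF row have lost their digits, and the surviving entries (`0x0001`, `0x000F`, `0x1FFF`) are four hex digits where 32-bit masks need eight. The same mangling hit the `return ~((0xU) << n);` context line further down, so compare the attached patch byte-for-byte against the table in the upstream commit before applying it; the array must keep exactly 33 entries, since `BitMask(n)` indexes it with n up to 32.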
--- a/dec/bit_reader.h
+++ b/dec/bit_reader.h
@@ -11,6 +11,7 @@
 
 #include   /* memcpy */
 
+#include "../common/constants.h"
 #include "../common/types.h"
 #include "./port.h"
 
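Review bot: the `#include   /* memcpy */` context line carries no header name in this copy (presumably `<string.h>` in the source); if the attachment reads the same way, the hunk will not apply against the stretch tree, so check the attachment rather than this mail body.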
@@ -26,16 +27,7 @@
 typedef uint32_t reg_t;
 #endif
 
-static const uint32_t kBitMask[33] = { 0x,
-0x0001, 0x0003, 0x0007, 0x000F,
-0x001F, 0x003F, 0x007F, 0x00FF,
-0x01FF, 0x03FF, 0x07FF, 0x0FFF,
-0x1FFF, 0x3FFF, 0x7FFF, 0x,
-0x0001, 0x0003, 0x0007, 0x000F,
-0x001F, 0x003F, 0x007F, 0x00FF,
-0x01FF, 0x03FF, 0x07FF, 0x0FFF,
-0x1FFF, 0x3FFF, 0x7FFF, 0x
-};
+ATTRIBUTE_VISIBILITY_HIDDEN extern const uint32_t kBrotliBitMask[33];
 
 static BROTLI_INLINE uint32_t BitMask(uint32_t n) {
   if (IS_CONSTANT(n) || BROTLI_HAS_UBFX) {
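Review bot: `ATTRIBUTE_VISIBILITY_HIDDEN` is used on the new extern declaration but nothing in this patch defines it; confirm that dec/port.h (already included by this header) defines it in the stretch tree, otherwise this line is a syntax error. The definition in bit_reader.c carries no attribute, so it inherits hidden visibility only if bit_reader.c includes bit_reader.h before defining the array; worth checking, because with default visibility the symbol would be exported from libbrotlidec and become part of the shared library's ABI.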
@@ -43,7 +35,7 @@
"Unsigned Bit Field Extract" UBFX instruction on ARM. */
 return ~((0xU) << n);
   } else {
-return kBitMask[n];
+return kBrotliBitMask[n];
   }
 }
 
@@ -92,8 +84,11 @@
 }
 
 /* Returns amount of unread bytes the bit reader still has buffered from the
-   BrotliInput, including whole bytes in br->val_. */
+   BrotliInput, including whole bytes in br->val_. Result is capped with
+   maximal ring-buffer size (larger number won't be utilized anyway). */
 static BROTLI_INLINE size_t BrotliGetRemainingBytes(BrotliBitReader* br) {
+  static const size_t kCap = (size_t)1 << 30;
+  if (br->avail_in > kCap) return kCap;
   return br->avail_in + (BrotliGetAvailableBits(br) >> 3);
 }
 
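Review bot: the cap is applied to `avail_in` alone, not to the returned sum, so when `avail_in` equals `kCap` the function still returns `kCap + (BrotliGetAvailableBits(br) >> 3)`, up to eight bytes over the stated limit with a 64-bit `reg_t`; harmless if every caller treats the result as an upper bound, but the new comment describes a hard cap. More importantly for CVE-2020-8927, this hunk only bounds a value derived from `avail_in`; the diffstat lists a 9-line change to dec/decode.c that is not shown in this excerpt, and that is where the result is consumed, so a completeness review has to cover that hunk as well.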
--- /dev/null
+++ b/common/constants.c
@@ -0,0 +1,15 @@
+/* Copyright 2013 Google Inc. All Rights Reserved.
+
+   Distributed under MIT license.
+   See file LICENSE for detail or copy at https://opensource.org/licenses/MIT
+*/
+
+#include "./constants.h"
+
+const BrotliPrefixCodeRange
+_kBrotliPrefixCodeRanges[BROTLI_NUM_BLOCK_LEN_SYMBOLS] = {
+{1, 2}, {5, 2}, {9, 2},   {13, 2},{17, 3},{25, 3},
+{33, 3},{41, 3},{49, 4},  {65, 4},{81, 4},{97, 4},
+{113, 5},   {145, 5},   {177, 5}, {209, 5},   {241, 6},   {305, 6},
+{369, 7},   {497, 8},   {753, 9}, {1265, 10}, {2289, 11}, {4337, 12},
+{8433, 13}, {16625, 24}};
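Review bot: `_kBrotliPrefixCodeRanges` is a file-scope identifier beginning with an underscore, which C reserves for the implementation; it matches upstream naming, so keeping it eases future backports, but it deserves a comment. Two things to verify against the stretch tree: that `BROTLI_NUM_BLOCK_LEN_SYMBOLS` is 26 (the initializer has 26 pairs, moved from dec/prefix.h per the diffstat, whose hunk is not shown here), and that the new common/constants.c is compiled into the library by the build system the Debian package actually uses; the diffstat shows it added only to setup.py, and without it the link fails with an undefined reference to `_kBrotliPrefixCodeRanges`.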
--- a/common/constants.h
+++ b/common/constants.h
@@ -7,6 +7,9 @@
 #ifndef BROTLI_COMMON_CONSTANTS_H_
 #define BROTLI_COMMON_CONSTANTS_H_
 
+#include "./port.h"
+#include "./types.
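Review bot: the hunk is cut off mid-line at `#include "./types.` and the rest of the patch (the remainder of constants.h, plus dec/decode.c, dec/prefix.h and setup.py from the diffstat) is missing from this copy, so the notes above cover only the visible hunks. The added `#include "./port.h"` also requires common/port.h to exist in the stretch source; dec/ has its own port.h, so confirm common/ does too or adjust the include.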

Re: phpMyAdmin upload for stretch

2020-10-25 Thread Abhijith PA
Hi,

On 23/10/20 9:24 pm, Abhijith PA wrote:
> Hi,
> 
> On 23/10/20 8:20 pm, Utkarsh Gupta wrote:
>> Hi Abhijith,
>>
>> William, both upstream and downstream maintainer, CCed here, has
>> prepared an upload for stretch.
>> cf: 
>> https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.6.6-4+deb9u2.dsc
>>
>> I generally sponsor all his uploads and he asked me to do this as well.
>> But since you have this claimed in dla-needed.txt, I'd want to know
>> how you would like to proceed here?
> 
> Thanks for pointing it out. I will take care of the upload.


I've uploaded and released the DLA as well.

--abhijith


Re: phpMyAdmin upload for stretch

2020-10-25 Thread Utkarsh Gupta
Hi Abhijith,

On Mon, Oct 26, 2020 at 10:15 AM Abhijith PA wrote:
> I've uploaded and released DLA as well.

Great, thanks for handling this!


- u