Your message dated Sat, 29 Apr 2017 10:53:00 +0000
with message-id <060d457d-918e-6ba9-8bb0-f26e7a9c3...@thykier.net>
and subject line Re: Bug#861449: unblock: radare2/1.1.0+dfsg-5
has caused the Debian Bug report #861449,
regarding unblock: radare2/1.1.0+dfsg-5
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861449: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861449
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hi

Please unblock package radare2

The upload to unstable fixes CVE-2017-7946, #860962. The changelog
reads as:

>radare2 (1.1.0+dfsg-5) unstable; urgency=high
>
>  * Add upstream patch to fix security bug
>    - CVE-2017-7946 (Closes: #860962)
>      The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
>      radare2 1.3.0 allows remote attackers to cause a denial of service
>      (use-after-free and application crash) via a crafted Mach0 file.
>
> -- Sebastian Reichel <s...@debian.org>  Sun, 23 Apr 2017 23:20:16 +0200

and I'm attaching the full debdiff against the version in testing.

unblock radare2/1.1.0+dfsg-5

Regards,
Salvatore
diff -Nru radare2-1.1.0+dfsg/debian/changelog 
radare2-1.1.0+dfsg/debian/changelog
--- radare2-1.1.0+dfsg/debian/changelog 2017-04-11 15:34:39.000000000 +0200
+++ radare2-1.1.0+dfsg/debian/changelog 2017-04-23 23:20:16.000000000 +0200
@@ -1,3 +1,13 @@
+radare2 (1.1.0+dfsg-5) unstable; urgency=high
+
+  * Add upstream patch to fix security bug
+    - CVE-2017-7946 (Closes: #860962)
+      The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
+      radare2 1.3.0 allows remote attackers to cause a denial of service
+      (use-after-free and application crash) via a crafted Mach0 file.
+
+ -- Sebastian Reichel <s...@debian.org>  Sun, 23 Apr 2017 23:20:16 +0200
+
 radare2 (1.1.0+dfsg-4) unstable; urgency=high
 
   * Add upstream patches to fix security bugs
diff -Nru radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch 
radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch
--- radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch      
1970-01-01 01:00:00.000000000 +0100
+++ radare2-1.1.0+dfsg/debian/patches/0008-fix-CVE-2017-7946.patch      
2017-04-23 23:20:16.000000000 +0200
@@ -0,0 +1,175 @@
+From d1e8ac62c6d978d4662f69116e30230d43033c92 Mon Sep 17 00:00:00 2001
+From: pancake <panc...@nopcode.org>
+Date: Tue, 18 Apr 2017 13:37:33 +0200
+Subject: [PATCH] Fix null deref and uaf in mach0 parser
+
+---
+ libr/bin/format/mach0/mach0.c | 92 ++++++++++++++++++++++++-------------------
+ 1 file changed, 51 insertions(+), 41 deletions(-)
+
+diff --git a/libr/bin/format/mach0/mach0.c b/libr/bin/format/mach0/mach0.c
+index 206ab11..398a44b 100644
+--- a/libr/bin/format/mach0/mach0.c
++++ b/libr/bin/format/mach0/mach0.c
+@@ -1119,7 +1119,7 @@ static int init_items(struct MACH0_(obj_t)* bin) {
+               case LC_LOAD_WEAK_DYLIB:
+                       sdb_set (bin->kv, sdb_fmt (0, "mach0_cmd_%d.cmd", i), 
"load_dylib", 0);
+                       bin->nlibs++;
+-                      if (!parse_dylib(bin, off)){
++                      if (!parse_dylib (bin, off)){
+                               eprintf ("Cannot parse dylib\n");
+                               bin->nlibs--;
+                               return false;
+@@ -1130,30 +1130,31 @@ static int init_items(struct MACH0_(obj_t)* bin) {
+                       {
+                       ut8 dyldi[sizeof (struct dyld_info_command)] = {0};
+                       sdb_set (bin->kv, sdb_fmt (0, "mach0_cmd_%d.cmd", i), 
"dyld_info", 0);
+-                      bin->dyld_info = malloc (sizeof(struct 
dyld_info_command));
+-
+-                      if (off + sizeof (struct dyld_info_command) > 
bin->size){
+-                              eprintf ("Cannot parse dyldinfo\n");
+-                              free (bin->dyld_info);
+-                              return false;
+-                      }
+-                      if (r_buf_read_at (bin->b, off, dyldi, sizeof (struct 
dyld_info_command)) == -1) {
+-                              free (bin->dyld_info);
+-                              bin->dyld_info = NULL;
+-                              eprintf ("Error: read (LC_DYLD_INFO) at 
0x%08"PFMT64x"\n", off);
+-                      } else {
+-                              bin->dyld_info->cmd = r_read_ble32 (&dyldi[0], 
bin->big_endian);
+-                              bin->dyld_info->cmdsize = r_read_ble32 
(&dyldi[4], bin->big_endian);
+-                              bin->dyld_info->rebase_off = r_read_ble32 
(&dyldi[8], bin->big_endian);
+-                              bin->dyld_info->rebase_size = r_read_ble32 
(&dyldi[12], bin->big_endian);
+-                              bin->dyld_info->bind_off = r_read_ble32 
(&dyldi[16], bin->big_endian);
+-                              bin->dyld_info->bind_size = r_read_ble32 
(&dyldi[20], bin->big_endian);
+-                              bin->dyld_info->weak_bind_off = r_read_ble32 
(&dyldi[24], bin->big_endian);
+-                              bin->dyld_info->weak_bind_size = r_read_ble32 
(&dyldi[28], bin->big_endian);
+-                              bin->dyld_info->lazy_bind_off = r_read_ble32 
(&dyldi[32], bin->big_endian);
+-                              bin->dyld_info->lazy_bind_size = r_read_ble32 
(&dyldi[36], bin->big_endian);
+-                              bin->dyld_info->export_off = r_read_ble32 
(&dyldi[40], bin->big_endian);
+-                              bin->dyld_info->export_size = r_read_ble32 
(&dyldi[44], bin->big_endian);
++                      bin->dyld_info = calloc (1, sizeof (struct 
dyld_info_command));
++                      if (bin->dyld_info) {
++                              if (off + sizeof (struct dyld_info_command) > 
bin->size){
++                                      eprintf ("Cannot parse dyldinfo\n");
++                                      R_FREE (bin->dyld_info);
++                                      return false;
++                              }
++                              if (r_buf_read_at (bin->b, off, dyldi, sizeof 
(struct dyld_info_command)) == -1) {
++                                      free (bin->dyld_info);
++                                      bin->dyld_info = NULL;
++                                      eprintf ("Error: read (LC_DYLD_INFO) at 
0x%08"PFMT64x"\n", off);
++                              } else {
++                                      bin->dyld_info->cmd = r_read_ble32 
(&dyldi[0], bin->big_endian);
++                                      bin->dyld_info->cmdsize = r_read_ble32 
(&dyldi[4], bin->big_endian);
++                                      bin->dyld_info->rebase_off = 
r_read_ble32 (&dyldi[8], bin->big_endian);
++                                      bin->dyld_info->rebase_size = 
r_read_ble32 (&dyldi[12], bin->big_endian);
++                                      bin->dyld_info->bind_off = r_read_ble32 
(&dyldi[16], bin->big_endian);
++                                      bin->dyld_info->bind_size = 
r_read_ble32 (&dyldi[20], bin->big_endian);
++                                      bin->dyld_info->weak_bind_off = 
r_read_ble32 (&dyldi[24], bin->big_endian);
++                                      bin->dyld_info->weak_bind_size = 
r_read_ble32 (&dyldi[28], bin->big_endian);
++                                      bin->dyld_info->lazy_bind_off = 
r_read_ble32 (&dyldi[32], bin->big_endian);
++                                      bin->dyld_info->lazy_bind_size = 
r_read_ble32 (&dyldi[36], bin->big_endian);
++                                      bin->dyld_info->export_off = 
r_read_ble32 (&dyldi[40], bin->big_endian);
++                                      bin->dyld_info->export_size = 
r_read_ble32 (&dyldi[44], bin->big_endian);
++                              }
+                       }
+                       }
+                       break;
+@@ -1747,17 +1748,20 @@ struct reloc_t* MACH0_(get_relocs)(struct 
MACH0_(obj_t)* bin) {
+               if ((bind_size + lazy_size)<1) {
+                       return NULL;
+               }
+-              if (bin->dyld_info->bind_off > bin->size || 
bin->dyld_info->bind_off + bind_size > bin->size)
++              if (bin->dyld_info->bind_off > bin->size || 
bin->dyld_info->bind_off + bind_size > bin->size) {
+                       return NULL;
++              }
+               if (bin->dyld_info->lazy_bind_off > bin->size || \
+-                      bin->dyld_info->lazy_bind_off + lazy_size > bin->size)
++                      bin->dyld_info->lazy_bind_off + lazy_size > bin->size) {
+                       return NULL;
+-              if (bin->dyld_info->bind_off+bind_size+lazy_size > bin->size)
++              }
++              if (bin->dyld_info->bind_off+bind_size+lazy_size > bin->size) {
+                       return NULL;
++              }
+               // NOTE(eddyb) it's a waste of memory, but we don't know the 
actual number of relocs.
+-              if (!(relocs = calloc (1, (1 + bind_size + lazy_size) * sizeof 
(struct reloc_t))))
++              if (!(relocs = calloc (1, (1 + bind_size + lazy_size) * sizeof 
(struct reloc_t)))) {
+                       return NULL;
+-
++              }
+               opcodes = calloc (1, bind_size + lazy_size + 1);
+               if (!opcodes) {
+                       free (relocs);
+@@ -1905,12 +1909,14 @@ relocs[i++].last = 0;\
+               free (opcodes);
+       } else {
+               int j;
+-              if (!bin->symtab || !bin->symstr || !bin->sects || 
!bin->indirectsyms)
++              if (!bin->symtab || !bin->symstr || !bin->sects || 
!bin->indirectsyms) {
+                       return NULL;
+-              if (!(relocs = malloc ((bin->dysymtab.nundefsym + 1) * 
sizeof(struct reloc_t))))
++              }
++              if (!(relocs = malloc ((bin->dysymtab.nundefsym + 1) * 
sizeof(struct reloc_t)))) {
+                       return NULL;
++              }
+               for (j = 0; j < bin->dysymtab.nundefsym; j++) {
+-                      if (parse_import_ptr(bin, &relocs[i], 
bin->dysymtab.iundefsym + j)) {
++                      if (parse_import_ptr (bin, &relocs[i], 
bin->dysymtab.iundefsym + j)) {
+                               relocs[i].ord = j;
+                               relocs[i++].last = 0;
+                       }
+@@ -1954,7 +1960,6 @@ struct addr_t* MACH0_(get_entrypoint)(struct 
MACH0_(obj_t)* bin) {
+               }
+               bin->entry = entry->addr;
+       }
+-
+       return entry;
+ }
+ 
+@@ -1962,10 +1967,12 @@ struct lib_t* MACH0_(get_libs)(struct MACH0_(obj_t)* 
bin) {
+       struct lib_t *libs;
+       int i;
+ 
+-      if (!bin->nlibs)
++      if (!bin->nlibs) {
+               return NULL;
+-      if (!(libs = calloc ((bin->nlibs + 1), sizeof(struct lib_t))))
++      }
++      if (!(libs = calloc ((bin->nlibs + 1), sizeof(struct lib_t)))) {
+               return NULL;
++      }
+       for (i = 0; i < bin->nlibs; i++) {
+               strncpy (libs[i].name, bin->libs[i], R_BIN_MACH0_STRING_LENGTH);
+               libs[i].name[R_BIN_MACH0_STRING_LENGTH-1] = '\0';
+@@ -1978,12 +1985,14 @@ struct lib_t* MACH0_(get_libs)(struct MACH0_(obj_t)* 
bin) {
+ ut64 MACH0_(get_baddr)(struct MACH0_(obj_t)* bin) {
+       int i;
+ 
+-      if (bin->hdr.filetype != MH_EXECUTE && bin->hdr.filetype != MH_DYLINKER)
++      if (bin->hdr.filetype != MH_EXECUTE && bin->hdr.filetype != 
MH_DYLINKER) {
+               return 0;
+-
+-      for (i = 0; i < bin->nsegs; ++i)
+-              if (bin->segs[i].fileoff == 0 && bin->segs[i].filesize != 0)
++      }
++      for (i = 0; i < bin->nsegs; ++i) {
++              if (bin->segs[i].fileoff == 0 && bin->segs[i].filesize != 0) {
+                       return bin->segs[i].vmaddr;
++              }
++      }
+       return 0;
+ }
+ 
+@@ -2309,8 +2318,9 @@ ut64 MACH0_(get_main)(struct MACH0_(obj_t)* bin) {
+               ut8 b[128];
+               ut64 entry = addr_to_offset(bin, bin->entry);
+               // XXX: X86 only and hacky!
+-              if (entry > bin->size || entry + sizeof (b) > bin->size)
++              if (entry > bin->size || entry + sizeof (b) > bin->size) {
+                       return 0;
++              }
+               i = r_buf_read_at (bin->b, entry, b, sizeof (b));
+               if (i < 1) {
+                       return 0;
diff -Nru radare2-1.1.0+dfsg/debian/patches/series 
radare2-1.1.0+dfsg/debian/patches/series
--- radare2-1.1.0+dfsg/debian/patches/series    2017-04-11 15:34:39.000000000 
+0200
+++ radare2-1.1.0+dfsg/debian/patches/series    2017-04-23 23:20:13.000000000 
+0200
@@ -5,3 +5,4 @@
 0005-fix-FTBFS-for-as-needed.patch
 0006-fix-CVE-2017-6194.patch
 0007-fix-CVE-2017-6448.patch
+0008-fix-CVE-2017-7946.patch

--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package radare2
> 
> The upload to unstable fixes CVE-2017-7946, #860962. The changelog
> reads as:
> 
>> radare2 (1.1.0+dfsg-5) unstable; urgency=high
>>
>>  * Add upstream patch to fix security bug
>>    - CVE-2017-7946 (Closes: #860962)
>>      The get_relocs_64 function in libr/bin/format/mach0/mach0.c in
>>      radare2 1.3.0 allows remote attackers to cause a denial of service
>>      (use-after-free and application crash) via a crafted Mach0 file.
>>
>> -- Sebastian Reichel <s...@debian.org>  Sun, 23 Apr 2017 23:20:16 +0200
> 
> and I'm attaching the full debdiff against the version in testing.
> 
> unblock radare2/1.1.0+dfsg-5
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---

Reply via email to