From 11694601be58cc48f9fc4b1c2649265f560c364a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 21 2020 21:30:28 +0000 Subject: import libmspack-0.7-0.3.alpha.el8.4 --- diff --git a/SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch new file mode 100644 index 0000000..2cc17a6 --- /dev/null +++ b/SOURCES/0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch @@ -0,0 +1,36 @@ +From b86a2e455cc4d3f586367ab05af1f1be00c6df65 Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Wed, 17 Oct 2018 11:29:03 +0100 +Subject: [PATCH 1/3] Avoid returning CHM file entries that are "blank" because + they have embedded null bytes + +(cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f) +--- + libmspack/mspack/chmd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c +index b3f7fee..1d198bf 100644 +--- a/libmspack/mspack/chmd.c ++++ b/libmspack/mspack/chmd.c +@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, + while (num_entries--) { + READ_ENCINT(name_len); + if (name_len > (unsigned int) (end - p)) goto chunk_end; +- /* consider blank filenames to be an error */ +- if (name_len == 0) goto chunk_end; + name = p; p += name_len; +- + READ_ENCINT(section); + READ_ENCINT(offset); + READ_ENCINT(length); + ++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */ ++ if (name_len < 2 || !name[0] || !name[1]) continue; ++ + /* empty files and directory names are stored as a file entry at + * offset 0 with length 0. We want to keep empty files, but not + * directory names, which end with a "/" */ +-- +2.22.0 + diff --git a/SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch deleted file mode 100644 index fcb0429..0000000 --- a/SOURCES/0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c04c748cc922561d4461b2929cbf1b3c1ccd42a3 Mon Sep 17 00:00:00 2001 -From: Stuart Caie -Date: Wed, 17 Oct 2018 11:33:35 +0100 -Subject: [PATCH 1/3] CAB block input buffer is one byte too small for maximal - Quantum block - -(cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2) ---- - libmspack/mspack/cab.h | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/libmspack/mspack/cab.h b/libmspack/mspack/cab.h -index 59cf95e..25cebcb 100644 ---- a/libmspack/mspack/cab.h -+++ b/libmspack/mspack/cab.h -@@ -1,5 +1,5 @@ - /* This file is part of libmspack. -- * (C) 2003-2004 Stuart Caie. -+ * (C) 2003-2018 Stuart Caie. - * - * libmspack is free software; you can redistribute it and/or modify it under - * the terms of the GNU Lesser General Public License (LGPL) version 2.1 -@@ -70,6 +70,14 @@ - #define CAB_BLOCKMAX (32768) - #define CAB_INPUTMAX (CAB_BLOCKMAX+6144) - -+/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block -+ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment. -+ * -+ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be -+ * up to 65535 bytes, so max input buffer size needed is 65535 + 1 -+ */ -+#define CAB_INPUTBUF (65535 + 1) -+ - /* There are no more than 65535 data blocks per folder, so a folder cannot - * be more than 32768*65535 bytes in length. As files cannot span more than - * one folder, this is also their max offset, length and offset+length limit. -@@ -100,7 +108,7 @@ struct mscabd_decompress_state { - struct mspack_file *infh; /* input file handle */ - struct mspack_file *outfh; /* output file handle */ - unsigned char *i_ptr, *i_end; /* input data consumed, end */ -- unsigned char input[CAB_INPUTMAX]; /* one input block of data */ -+ unsigned char input[CAB_INPUTBUF]; /* one input block of data */ - }; - - struct mscab_decompressor_p { --- -2.19.0.rc0 - diff --git a/SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch deleted file mode 100644 index c035023..0000000 --- a/SOURCES/0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +++ /dev/null @@ -1,36 +0,0 @@ -From a68e54542c6f83eb2ee95a88482badbf36840049 Mon Sep 17 00:00:00 2001 -From: Stuart Caie -Date: Wed, 17 Oct 2018 11:29:03 +0100 -Subject: [PATCH 2/3] Avoid returning CHM file entries that are "blank" because - they have embedded null bytes - -(cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f) ---- - libmspack/mspack/chmd.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c -index b3f7fee..1d198bf 100644 ---- a/libmspack/mspack/chmd.c -+++ b/libmspack/mspack/chmd.c -@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, - while (num_entries--) { - READ_ENCINT(name_len); - if (name_len > (unsigned int) (end - p)) goto chunk_end; -- /* consider blank filenames to be an error */ -- if (name_len == 0) goto chunk_end; - name = p; p += name_len; -- - READ_ENCINT(section); - READ_ENCINT(offset); - READ_ENCINT(length); - -+ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */ -+ if (name_len < 2 || !name[0] || !name[1]) continue; -+ - /* empty files and directory names are stored as a file entry at - * offset 0 with length 0. We want to keep empty files, but not - * directory names, which end with a "/" */ --- -2.19.0.rc0 - diff --git a/SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch new file mode 100644 index 0000000..970b178 --- /dev/null +++ b/SOURCES/0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch @@ -0,0 +1,49 @@ +From e31767785bc0922a953bbd1ef6428bf319ba2d2b Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Wed, 17 Oct 2018 11:33:35 +0100 +Subject: [PATCH 2/3] CAB block input buffer is one byte too small for maximal + Quantum block + +(cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2) +--- + libmspack/mspack/cab.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/libmspack/mspack/cab.h b/libmspack/mspack/cab.h +index 59cf95e..25cebcb 100644 +--- a/libmspack/mspack/cab.h ++++ b/libmspack/mspack/cab.h +@@ -1,5 +1,5 @@ + /* This file is part of libmspack. +- * (C) 2003-2004 Stuart Caie. ++ * (C) 2003-2018 Stuart Caie. + * + * libmspack is free software; you can redistribute it and/or modify it under + * the terms of the GNU Lesser General Public License (LGPL) version 2.1 +@@ -70,6 +70,14 @@ + #define CAB_BLOCKMAX (32768) + #define CAB_INPUTMAX (CAB_BLOCKMAX+6144) + ++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block ++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment. ++ * ++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be ++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1 ++ */ ++#define CAB_INPUTBUF (65535 + 1) ++ + /* There are no more than 65535 data blocks per folder, so a folder cannot + * be more than 32768*65535 bytes in length. As files cannot span more than + * one folder, this is also their max offset, length and offset+length limit. +@@ -100,7 +108,7 @@ struct mscabd_decompress_state { + struct mspack_file *infh; /* input file handle */ + struct mspack_file *outfh; /* output file handle */ + unsigned char *i_ptr, *i_end; /* input data consumed, end */ +- unsigned char input[CAB_INPUTMAX]; /* one input block of data */ ++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */ + }; + + struct mscab_decompressor_p { +-- +2.22.0 + diff --git a/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch b/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch deleted file mode 100644 index 27b9f84..0000000 --- a/SOURCES/0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 86cca984516664267a3f783dcdf84ac918494a02 Mon Sep 17 00:00:00 2001 -From: Stuart Caie -Date: Sat, 12 May 2018 10:51:34 +0100 -Subject: [PATCH 3/3] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?= - =?UTF-8?q?M=20PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filena?= - =?UTF-8?q?mes.=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?= -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -(cherry picked from commit 72e70a921f0f07fee748aec2274b30784e1d312a) ---- - libmspack/mspack/chmd.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c -index 1d198bf..45fa0ec 100644 ---- a/libmspack/mspack/chmd.c -+++ b/libmspack/mspack/chmd.c -@@ -447,7 +447,10 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, - while (num_entries--) { - READ_ENCINT(name_len); - if (name_len > (unsigned int) (end - p)) goto chunk_end; -+ /* consider blank filenames to be an error */ -+ if (name_len == 0) goto chunk_end; - name = p; p += name_len; -+ - READ_ENCINT(section); - READ_ENCINT(offset); - READ_ENCINT(length); --- -2.19.0.rc0 - diff --git a/SOURCES/0003-length-checks-when-looking-for-control-files.patch b/SOURCES/0003-length-checks-when-looking-for-control-files.patch new file mode 100644 index 0000000..220561c --- /dev/null +++ b/SOURCES/0003-length-checks-when-looking-for-control-files.patch @@ -0,0 +1,56 @@ +From e50806b8d3eb2af019def3fa932e7edf602ce51f Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Mon, 18 Feb 2019 13:04:58 +0000 +Subject: [PATCH 3/3] length checks when looking for control files + +(cherry picked from commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d) +--- + libmspack/mspack/chmd.c | 32 +++++++++++++++----------------- + 1 file changed, 15 insertions(+), 17 deletions(-) + +diff --git a/libmspack/mspack/chmd.c b/libmspack/mspack/chmd.c +index 1d198bf..4c46db8 100644 +--- a/libmspack/mspack/chmd.c ++++ b/libmspack/mspack/chmd.c +@@ -482,23 +482,21 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, + fi->filename[name_len] = '\0'; + + if (name[0] == ':' && name[1] == ':') { +- /* system file */ +- if (mspack_memcmp(&name[2], &content_name[2], 31L) == 0) { +- if (mspack_memcmp(&name[33], &content_name[33], 8L) == 0) { +- chm->sec1.content = fi; +- } +- else if (mspack_memcmp(&name[33], &control_name[33], 11L) == 0) { +- chm->sec1.control = fi; +- } +- else if (mspack_memcmp(&name[33], &spaninfo_name[33], 8L) == 0) { +- chm->sec1.spaninfo = fi; +- } +- else if (mspack_memcmp(&name[33], &rtable_name[33], 72L) == 0) { +- chm->sec1.rtable = fi; +- } +- } +- fi->next = chm->sysfiles; +- chm->sysfiles = fi; ++ /* system file */ ++ if (name_len == 40 && mspack_memcmp(name, content_name, 40) == 0) { ++ chm->sec1.content = fi; ++ } ++ else if (name_len == 44 && mspack_memcmp(name, control_name, 44) == 0) { ++ chm->sec1.control = fi; ++ } ++ else if (name_len == 41 && mspack_memcmp(name, spaninfo_name, 41) == 0) { ++ chm->sec1.spaninfo = fi; ++ } ++ else if (name_len == 105 && mspack_memcmp(name, rtable_name, 105) == 0) { ++ chm->sec1.rtable = fi; ++ } ++ fi->next = chm->sysfiles; ++ chm->sysfiles = fi; + } + else { + /* normal file */ +-- +2.22.0 + diff --git a/SPECS/libmspack.spec b/SPECS/libmspack.spec index 7159b68..11a0afb 100644 --- a/SPECS/libmspack.spec +++ b/SPECS/libmspack.spec @@ -1,6 +1,6 @@ Name: libmspack Version: 0.7 -Release: 0.1.alpha%{?dist}.3 +Release: 0.3.alpha%{?dist}.4 Summary: Library for CAB and related files compression and decompression Group: System Environment/Libraries @@ -11,10 +11,10 @@ Source0: https://github.com/kyz/libmspack/archive/v0.7alpha/%{name}-v0.7a Patch0: %{name}-0.4alpha-doc.patch # Fixes for CVE-2018-18584 CVE-2018-18585 -Patch1: 0001-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch -Patch2: 0002-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch -# Fix for CVE-2018-14680 -Patch3: 0003-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch +Patch1: 0001-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +Patch2: 0002-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +# Fix for CVE-CVE-2019-1010305 +Patch3: 0003-length-checks-when-looking-for-control-files.patch BuildRequires: doxygen BuildRequires: gcc @@ -98,6 +98,14 @@ rm $RPM_BUILD_ROOT%{_bindir}/oabextract %changelog +* Fri Aug 2 2019 Richard W.M. Jones - 0.7-0.2.alpha.4 +- Fix for CVE-2019-1010305 +- Remove "fix" for CVE-2018-14680 as this fix is included in base tar ball. + resolves: rhbz#1736745, rhbz#1736743 + +* Thu Mar 21 2019 Richard W.M. Jones - 0.7-0.2.alpha.3 +- Add gating tests resolves: rhbz#1682770 + * Mon Dec 10 2018 Richard W.M. Jones - 0.7-0.1.alpha.3 - Fix for CVE-2018-14680 resolves: rhbz#1610937