From 927c2f0f0cac7f25ae713ba1d3c9adb6342c2d9f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 06 2019 09:55:33 +0000 Subject: import libmspack-0.5-0.7.alpha.el7 --- diff --git a/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch new file mode 100644 index 0000000..82de70e --- /dev/null +++ b/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch @@ -0,0 +1,49 @@ +From fe3e1a4e9e41712b1ec115fa218af74f3286c2fe Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Wed, 17 Oct 2018 11:33:35 +0100 +Subject: [PATCH 4/5] CAB block input buffer is one byte too small for maximal + Quantum block + +(cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2) +--- + libmspack/trunk/mspack/cab.h | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/libmspack/trunk/mspack/cab.h b/libmspack/trunk/mspack/cab.h +index 59cf95e..25cebcb 100644 +--- a/libmspack/trunk/mspack/cab.h ++++ b/libmspack/trunk/mspack/cab.h +@@ -1,5 +1,5 @@ + /* This file is part of libmspack. +- * (C) 2003-2004 Stuart Caie. ++ * (C) 2003-2018 Stuart Caie. + * + * libmspack is free software; you can redistribute it and/or modify it under + * the terms of the GNU Lesser General Public License (LGPL) version 2.1 +@@ -70,6 +70,14 @@ + #define CAB_BLOCKMAX (32768) + #define CAB_INPUTMAX (CAB_BLOCKMAX+6144) + ++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block ++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment. ++ * ++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be ++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1 ++ */ ++#define CAB_INPUTBUF (65535 + 1) ++ + /* There are no more than 65535 data blocks per folder, so a folder cannot + * be more than 32768*65535 bytes in length. As files cannot span more than + * one folder, this is also their max offset, length and offset+length limit. +@@ -100,7 +108,7 @@ struct mscabd_decompress_state { + struct mspack_file *infh; /* input file handle */ + struct mspack_file *outfh; /* output file handle */ + unsigned char *i_ptr, *i_end; /* input data consumed, end */ +- unsigned char input[CAB_INPUTMAX]; /* one input block of data */ ++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */ + }; + + struct mscab_decompressor_p { +-- +2.19.0.rc0 + diff --git a/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch new file mode 100644 index 0000000..c13514d --- /dev/null +++ b/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch @@ -0,0 +1,36 @@ +From 4116f971376c6456f35c2edc2a0af9fee3656a52 Mon Sep 17 00:00:00 2001 +From: Stuart Caie +Date: Wed, 17 Oct 2018 11:29:03 +0100 +Subject: [PATCH 5/5] Avoid returning CHM file entries that are "blank" because + they have embedded null bytes + +(cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f) +--- + libmspack/trunk/mspack/chmd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c +index cea9fc2..beaccb7 100644 +--- a/libmspack/trunk/mspack/chmd.c ++++ b/libmspack/trunk/mspack/chmd.c +@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh, + while (num_entries--) { + READ_ENCINT(name_len); + if (name_len > (unsigned int) (end - p)) goto chunk_end; +- /* consider blank filenames to be an error */ +- if (name_len == 0) goto chunk_end; + name = p; p += name_len; +- + READ_ENCINT(section); + READ_ENCINT(offset); + READ_ENCINT(length); + ++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */ ++ if (name_len < 2 || !name[0] || !name[1]) continue; ++ + /* empty files and directory names are stored as a file entry at + * offset 0 with length 0. We want to keep empty files, but not + * directory names, which end with a "/" */ +-- +2.19.0.rc0 + diff --git a/SPECS/libmspack.spec b/SPECS/libmspack.spec index deae7ac..f894a39 100644 --- a/SPECS/libmspack.spec +++ b/SPECS/libmspack.spec @@ -1,6 +1,6 @@ Name: libmspack Version: 0.5 -Release: 0.6.alpha%{?dist} +Release: 0.7.alpha%{?dist} Summary: Library for CAB and related files compression and decompression Group: System Environment/Libraries @@ -14,6 +14,9 @@ BuildRequires: doxygen Patch1: 0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch Patch2: 0002-kwaj_read_headers-fix-handling-of-non-terminated-str.patch Patch3: 0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch +# Fixes for CVE-2018-18584 CVE-2018-18585 +Patch4: 0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +Patch5: 0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch # Patch 2 has a bunch of binary files that cannot be applied using # plain patch. So I removed them and packaged them separately in this @@ -44,6 +47,8 @@ for developing applications that use %{name}. %patch1 -p3 %patch2 -p3 %patch3 -p3 +%patch4 -p3 +%patch5 -p3 pushd test zcat %{SOURCE2} | tar xvf - popd @@ -91,6 +96,10 @@ popd %changelog +* Fri Dec 7 2018 Richard W.M. Jones - 0.5-0.7.alpha +- Fixes for CVE-2018-18584 CVE-2018-18585. + resolves: rhbz#1648384 rhbz#1648385 + * Thu Aug 2 2018 Richard W.M. Jones - 0.5-0.6.alpha - Fixes for CVE-2018-14679 CVE-2018-14680 CVE-2018-14681 CVE-2018-14682 - resolves: rhbz#1611550 rhbz#1611551 rhbz#1611552 rhbz#1611553