diff --git a/SOURCES/0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch b/SOURCES/0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
index 52a4f9a..6ecf36f 100644
--- a/SOURCES/0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
+++ b/SOURCES/0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch
@@ -1,7 +1,7 @@
 From 7daeac0b9ad98c9cd5ea5f05d3028fe171ba403a Mon Sep 17 00:00:00 2001
 From: Stuart Caie
 Date: Sat, 12 May 2018 10:51:34 +0100
-Subject: [PATCH 1/3] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?=
+Subject: [PATCH 1/6] =?UTF-8?q?Fix=20off-by-one=20bounds=20check=20on=20CH?=
 =?UTF-8?q?M=20PMGI/PMGL=20chunk=20numbers=20and=20reject=20empty=20filena?=
 =?UTF-8?q?mes.=20Thanks=20to=20Hanno=20B=C3=B6ck=20for=20reporting?=
 MIME-Version: 1.0
@@ -54,5 +54,5 @@ index 5a6ef54..b799154 100644
 /* ensure chunk cache is available */
 if (!chm->chunk_cache) {
 --
-2.18.0
+2.22.0
 
diff --git a/SOURCES/0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch b/SOURCES/0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
index 931b6af..29a2592 100644
--- a/SOURCES/0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
+++ b/SOURCES/0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch
@@ -1,7 +1,7 @@
 From 8d40fbabead00847199af114fdc91f3f9a1ab397 Mon Sep 17 00:00:00 2001
 From: Stuart Caie
 Date: Tue, 6 Feb 2018 23:17:30 +0000
-Subject: [PATCH 3/3] Fix off-by-one error in chmd TOLOWER() fallback
+Subject: [PATCH 3/6] Fix off-by-one error in chmd TOLOWER() fallback
 
 (cherry picked from commit 4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8)
 ---
@@ -22,5 +22,5 @@ index b799154..cea9fc2 100644
 * LC_CTYPE=en_GB.utf-8 perl -Mlocale -le 'print map{ord(lc chr).","} 0..255'
 */
 --
-2.18.0
+2.22.0
 
diff --git a/SOURCES/0004-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0004-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch
new file mode 100644
index 0000000..15c366f
--- /dev/null
+++ b/SOURCES/0004-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch
@@ -0,0 +1,36 @@
+From 31f7eb6d370d1ca5ec70a6143bf3d6bc2863f254 Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:29:03 +0100
+Subject: [PATCH 4/6] Avoid returning CHM file entries that are "blank" because
+ they have embedded null bytes
+
+(cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f)
+---
+ libmspack/trunk/mspack/chmd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c
+index cea9fc2..beaccb7 100644
+--- a/libmspack/trunk/mspack/chmd.c
++++ b/libmspack/trunk/mspack/chmd.c
+@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ while (num_entries--) {
+ READ_ENCINT(name_len);
+ if (name_len > (unsigned int) (end - p)) goto chunk_end;
+- /* consider blank filenames to be an error */
+- if (name_len == 0) goto chunk_end;
+ name = p; p += name_len;
+-
+ READ_ENCINT(section);
+ READ_ENCINT(offset);
+ READ_ENCINT(length);
+ 
++ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
++ if (name_len < 2 || !name[0] || !name[1]) continue;
++
+ /* empty files and directory names are stored as a file entry at
+ * offset 0 with length 0. We want to keep empty files, but not
+ * directory names, which end with a "/" */
+--
+2.22.0
+
diff --git a/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch
deleted file mode 100644
index 82de70e..0000000
--- a/SOURCES/0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From fe3e1a4e9e41712b1ec115fa218af74f3286c2fe Mon Sep 17 00:00:00 2001
-From: Stuart Caie
-Date: Wed, 17 Oct 2018 11:33:35 +0100
-Subject: [PATCH 4/5] CAB block input buffer is one byte too small for maximal
- Quantum block
-
-(cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2)
----
- libmspack/trunk/mspack/cab.h | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/libmspack/trunk/mspack/cab.h b/libmspack/trunk/mspack/cab.h
-index 59cf95e..25cebcb 100644
---- a/libmspack/trunk/mspack/cab.h
-+++ b/libmspack/trunk/mspack/cab.h
-@@ -1,5 +1,5 @@
- /* This file is part of libmspack.
-- * (C) 2003-2004 Stuart Caie.
-+ * (C) 2003-2018 Stuart Caie.
- *
- * libmspack is free software; you can redistribute it and/or modify it under
- * the terms of the GNU Lesser General Public License (LGPL) version 2.1
-@@ -70,6 +70,14 @@
- #define CAB_BLOCKMAX (32768)
- #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
- 
-+/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
-+ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
-+ *
-+ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
-+ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
-+ */
-+#define CAB_INPUTBUF (65535 + 1)
-+
- /* There are no more than 65535 data blocks per folder, so a folder cannot
- * be more than 32768*65535 bytes in length. As files cannot span more than
- * one folder, this is also their max offset, length and offset+length limit.
-@@ -100,7 +108,7 @@ struct mscabd_decompress_state {
- struct mspack_file *infh; /* input file handle */
- struct mspack_file *outfh; /* output file handle */
- unsigned char *i_ptr, *i_end; /* input data consumed, end */
-- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
-+ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
- };
- 
- struct mscab_decompressor_p {
---
-2.19.0.rc0
-
diff --git a/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch b/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch
deleted file mode 100644
index c13514d..0000000
--- a/SOURCES/0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 4116f971376c6456f35c2edc2a0af9fee3656a52 Mon Sep 17 00:00:00 2001
-From: Stuart Caie
-Date: Wed, 17 Oct 2018 11:29:03 +0100
-Subject: [PATCH 5/5] Avoid returning CHM file entries that are "blank" because
- they have embedded null bytes
-
-(cherry picked from commit 8759da8db6ec9e866cb8eb143313f397f925bb4f)
----
- libmspack/trunk/mspack/chmd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c
-index cea9fc2..beaccb7 100644
---- a/libmspack/trunk/mspack/chmd.c
-+++ b/libmspack/trunk/mspack/chmd.c
-@@ -447,14 +447,14 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
- while (num_entries--) {
- READ_ENCINT(name_len);
- if (name_len > (unsigned int) (end - p)) goto chunk_end;
-- /* consider blank filenames to be an error */
-- if (name_len == 0) goto chunk_end;
- name = p; p += name_len;
--
- READ_ENCINT(section);
- READ_ENCINT(offset);
- READ_ENCINT(length);
- 
-+ /* ignore blank or one-char (e.g. "/") filenames we'd return as blank */
-+ if (name_len < 2 || !name[0] || !name[1]) continue;
-+
- /* empty files and directory names are stored as a file entry at
- * offset 0 with length 0. We want to keep empty files, but not
- * directory names, which end with a "/" */
---
-2.19.0.rc0
-
diff --git a/SOURCES/0005-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch b/SOURCES/0005-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch
new file mode 100644
index 0000000..a311d3e
--- /dev/null
+++ b/SOURCES/0005-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch
@@ -0,0 +1,49 @@
+From b5ee28722aee355700c88001e84ee3c61b8c92b0 Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Wed, 17 Oct 2018 11:33:35 +0100
+Subject: [PATCH 5/6] CAB block input buffer is one byte too small for maximal
+ Quantum block
+
+(cherry picked from commit 40ef1b4093d77ad3a5cfcee1f5cb6108b3a3bcc2)
+---
+ libmspack/trunk/mspack/cab.h | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/libmspack/trunk/mspack/cab.h b/libmspack/trunk/mspack/cab.h
+index 59cf95e..25cebcb 100644
+--- a/libmspack/trunk/mspack/cab.h
++++ b/libmspack/trunk/mspack/cab.h
+@@ -1,5 +1,5 @@
+ /* This file is part of libmspack.
+- * (C) 2003-2004 Stuart Caie.
++ * (C) 2003-2018 Stuart Caie.
+ *
+ * libmspack is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Lesser General Public License (LGPL) version 2.1
+@@ -70,6 +70,14 @@
+ #define CAB_BLOCKMAX (32768)
+ #define CAB_INPUTMAX (CAB_BLOCKMAX+6144)
+ 
++/* input buffer needs to be CAB_INPUTMAX + 1 byte to allow for max-sized block
++ * plus 1 trailer byte added by cabd_sys_read_block() for Quantum alignment.
++ *
++ * When MSCABD_PARAM_SALVAGE is set, block size is not checked so can be
++ * up to 65535 bytes, so max input buffer size needed is 65535 + 1
++ */
++#define CAB_INPUTBUF (65535 + 1)
++
+ /* There are no more than 65535 data blocks per folder, so a folder cannot
+ * be more than 32768*65535 bytes in length. As files cannot span more than
+ * one folder, this is also their max offset, length and offset+length limit.
+@@ -100,7 +108,7 @@ struct mscabd_decompress_state {
+ struct mspack_file *infh; /* input file handle */
+ struct mspack_file *outfh; /* output file handle */
+ unsigned char *i_ptr, *i_end; /* input data consumed, end */
+- unsigned char input[CAB_INPUTMAX]; /* one input block of data */
++ unsigned char input[CAB_INPUTBUF]; /* one input block of data */
+ };
+ 
+ struct mscab_decompressor_p {
+--
+2.22.0
+
diff --git a/SOURCES/0006-length-checks-when-looking-for-control-files.patch b/SOURCES/0006-length-checks-when-looking-for-control-files.patch
new file mode 100644
index 0000000..55fa47b
--- /dev/null
+++ b/SOURCES/0006-length-checks-when-looking-for-control-files.patch
@@ -0,0 +1,48 @@
+From f190eb996fb77a09090a5aec9191851e55ae160e Mon Sep 17 00:00:00 2001
+From: Stuart Caie
+Date: Mon, 18 Feb 2019 13:04:58 +0000
+Subject: [PATCH 6/6] length checks when looking for control files
+
+(cherry picked from commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d)
+---
+ libmspack/trunk/mspack/chmd.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/libmspack/trunk/mspack/chmd.c b/libmspack/trunk/mspack/chmd.c
+index beaccb7..783f511 100644
+--- a/libmspack/trunk/mspack/chmd.c
++++ b/libmspack/trunk/mspack/chmd.c
+@@ -483,20 +483,18 @@ static int chmd_read_headers(struct mspack_system *sys, struct mspack_file *fh,
+ 
+ if (name[0] == ':' && name[1] == ':') {
+ /* system file */
+- if (mspack_memcmp(&name[2], &content_name[2], 31L) == 0) {
+- if (mspack_memcmp(&name[33], &content_name[33], 8L) == 0) {
+- chm->sec1.content = fi;
+- }
+- else if (mspack_memcmp(&name[33], &control_name[33], 11L) == 0) {
+- chm->sec1.control = fi;
+- }
+- else if (mspack_memcmp(&name[33], &spaninfo_name[33], 8L) == 0) {
+- chm->sec1.spaninfo = fi;
+- }
+- else if (mspack_memcmp(&name[33], &rtable_name[33], 72L) == 0) {
++ if (name_len == 40 && mspack_memcmp(name, content_name, 40) == 0) {
++ chm->sec1.content = fi;
++ }
++ else if (name_len == 44 && mspack_memcmp(name, control_name, 44) == 0) {
++ chm->sec1.control = fi;
++ }
++ else if (name_len == 41 && mspack_memcmp(name, spaninfo_name, 41) == 0) {
++ chm->sec1.spaninfo = fi;
++ }
++ else if (name_len == 105 && mspack_memcmp(name, rtable_name, 105) == 0) {
+ chm->sec1.rtable = fi;
+ }
+- }
+ fi->next = chm->sysfiles;
+ chm->sysfiles = fi;
+ }
+--
+2.22.0
+
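Review bot: The four lengths 40, 44, 41 and 105 in the new `name_len == N && mspack_memcmp(name, X_name, N) == 0` comparisons are bare literals that must stay in step with the `content_name`, `control_name`, `spaninfo_name` and `rtable_name` definitions, which lie outside this hunk. If those names are declared as char arrays, writing the bound as `sizeof(content_name) - 1` in both places of each comparison ties it to the definition, so a later edit to one string cannot silently reintroduce a compare that runs past the end of `name`. The check itself looks sound from what is visible: `name_len` is limited to `end - p` before `name` is taken and entries with `name_len < 2` are skipped earlier in the same function (both added by patch 0004 in this series), so the `name[1]` read on the `::` test stays in range and the equality on `name_len` guarantees every byte compared belongs to the entry. `chmd_read_headers` starts and ends outside the hunk.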
diff --git a/SPECS/libmspack.spec b/SPECS/libmspack.spec index f894a39..0991386 100644 --- a/SPECS/libmspack.spec +++ b/SPECS/libmspack.spec @@ -1,6 +1,6 @@ Name: libmspack Version: 0.5 -Release: 0.7.alpha%{?dist} +Release: 0.8.alpha%{?dist} Summary: Library for CAB and related files compression and decompression Group: System Environment/Libraries @@ -15,8 +15,10 @@ Patch1: 0001-Fix-off-by-one-bounds-check-on-CHM-PMGI-PMGL-chunk-n.patch Patch2: 0002-kwaj_read_headers-fix-handling-of-non-terminated-str.patch Patch3: 0003-Fix-off-by-one-error-in-chmd-TOLOWER-fallback.patch # Fixes for CVE-2018-18584 CVE-2018-18585 -Patch4: 0004-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch -Patch5: 0005-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +Patch4: 0004-Avoid-returning-CHM-file-entries-that-are-blank-beca.patch +Patch5: 0005-CAB-block-input-buffer-is-one-byte-too-small-for-max.patch +# Fix for CVE-CVE-2019-1010305 +Patch6: 0006-length-checks-when-looking-for-control-files.patch # Patch 2 has a bunch of binary files that cannot be applied using # plain patch. So I removed them and packaged them separately in this @@ -49,6 +51,7 @@ for developing applications that use %{name}. %patch3 -p3 %patch4 -p3 %patch5 -p3 +%patch6 -p3 pushd test zcat %{SOURCE2} | tar xvf - popd @@ -96,6 +99,10 @@ popd %changelog +* Fri Aug 2 2019 Richard W.M. Jones - 0.5-0.8.alpha +- Fix for CVE-2019-1010305 + resolves: rhbz#1736744 + * Fri Dec 7 2018 Richard W.M. Jones - 0.5-0.7.alpha - Fixes for CVE-2018-18584 CVE-2018-18585. resolves: rhbz#1648384 rhbz#1648385
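Review bot: The new comment line `# Fix for CVE-CVE-2019-1010305` in the Patch list doubles the `CVE-` prefix; `# Fix for CVE-2019-1010305` matches the identifier used in the %changelog entry and the one the fix is tracked under, and keeps the comment greppable. The rest is consistent: Patch6 is applied with `%patch6 -p3` like its siblings, and swapping Patch4/Patch5 matches the renumbered `[PATCH 4/6]`/`[PATCH 5/6]` subjects in the replaced patch files, so the applied source is unchanged for those two.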