From: Leo Famulari
Subject: Re: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.
Date: Wed, 4 Jan 2017 02:27:57 -0500
Message-ID: <20170104072757.GA18888@jasmine>
References: <049f6fc2d37899df14579e04092582e3382489d5.1483302566.git.leo@famulari.name> <8760lwqeau.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me> <20170104071325.GA8103@jasmine>
In-Reply-To: <20170104071325.GA8103@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Marius Bakke
Cc: guix-devel@gnu.org

On Wed, Jan 04, 2017 at 02:13:25AM -0500, Leo Famulari wrote:
> On Tue, Jan 03, 2017 at 05:49:29PM +0100, Marius Bakke wrote:
> > Leo Famulari writes:
> > > +diff --git a/debian/patches/series b/debian/patches/series
> > > +new file mode 100644
> > > +index 0000000..7868249
> > > +--- /dev/null
> > > ++++ b/debian/patches/series
> > > +@@ -0,0 +1 @@
> > > ++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
> >
> > This part we surely don't need ;-)
>
> Oops! x2

Of course, the patch I sent on January 1 was completely broken. The patch
it included from Debian was meant to be applied to the Debian package
tree, not the UnRTF source code.

I've attached a revision!

Content-Disposition: attachment; filename="0001-gnu-unrtf-Fix-CVE-2016-10091.patch"

From 0799beece00361cbaa2e1d9796532de0f5f55ff9 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Sun, 1 Jan 2017 15:12:48 -0500
Subject: [PATCH] gnu: unrtf: Fix CVE-2016-10091.

* gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/unrtf.scm (unrtf)[source]: Use it.
---
 gnu/local.mk                                    |   1 +
 gnu/packages/patches/unrtf-CVE-2016-10091.patch | 189 ++++++++++++++++++++++++
 gnu/packages/unrtf.scm                          |   2 +
 3 files changed, 192 insertions(+)
 create mode 100644 gnu/packages/patches/unrtf-CVE-2016-10091.patch

diff --git a/gnu/local.mk b/gnu/local.mk index f45030f84..00edacad7 100644 --- a/gnu/local.mk 
+++ b/gnu/local.mk @@ -878,6 +878,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/tophat-build-with-later-seqan.patch \ %D%/packages/patches/totem-debug-format-fix.patch \ %D%/packages/patches/tuxpaint-stamps-path.patch \ + %D%/packages/patches/unrtf-CVE-2016-10091.patch \ %D%/packages/patches/unzip-CVE-2014-8139.patch \ %D%/packages/patches/unzip-CVE-2014-8140.patch \ %D%/packages/patches/unzip-CVE-2014-8141.patch \ diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages= /patches/unrtf-CVE-2016-10091.patch new file mode 100644 index 000000000..badd1b8ed --- /dev/null +++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch 
@@ -0,0 +1,189 @@ +Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions): + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2016-10091 +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=3D849705 +http://seclists.org/oss-sec/2016/q4/787 + +Patch adapted from Debian: + +https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=3Djessie&= id=3D7500a48fb0fbad3ab963fb17560b2f90a8a485c8 + +The Debian patch adapts this upstream commit so that it can be applied +to the 0.21.9 release tarball: + +http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 + +From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001 +From: Willi Mann +Date: Sat, 31 Dec 2016 20:31:38 +0100 +Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer + overflow in various cmd_ functions) + +diff --git a/src/attr.c b/src/attr.c +index 02b5c81..e2951ea 100644 +--- a/src/attr.c ++++ b/src/attr.c +@@ -746,7 +746,7 @@ char * + assemble_string(char *string, int nr) + { +=20 +- char *s, tmp[12];/* Number of characters that can be in int type (includ= ing '\0') - AF */ ++ char *s, tmp[20]; + int i =3D 0, j =3D 0; +=20 + if (string =3D=3D NULL) +@@ -762,7 +762,7 @@ assemble_string(char *string, int nr) + } +=20 + if (string[i] !=3D '\0') { +- sprintf(tmp, "%d", nr); ++ snprintf(tmp, 20, "%d", nr); + strcpy(&s[j], tmp); + j =3D j + strlen(tmp); + } +diff --git a/src/convert.c b/src/convert.c +index c76d7d6..8eacdcb 100644 +--- a/src/convert.c ++++ b/src/convert.c +@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm) + } +=20 + // Translate code page to encoding name hopefully suitable as iconv input +-static char *cptoencoding(parm) ++static char *cptoencoding(int parm) + { + // Note that CP0 is supposed to mean current system default, which do= es + // not make any sense as a stored value, we don't handle it. 
+@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int poin= ts) { + /* Note, fs20 means 10pt */ + points /=3D 2; +=20 +- sprintf(str,"%d",points); ++ snprintf(str, 20, "%d", points); + attr_push(ATTR_FONTSIZE,str); +=20 + return FALSE; +@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num) + { + // TOBEDONE: WHAT'S THIS ??? + name =3D my_malloc(12); +- sprintf(name, "%d", num); ++ snprintf(name, 12, "%d", num); + } +=20 + /* we are going to output entities, so should not output font */ +@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, i= nt num) + } + else + { +- sprintf(str,"#%02x%02x%02x", ++ snprintf(str, 40, "#%02x%02x%02x", + color_table[num].r, + color_table[num].g, + color_table[num].b); +@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int p= aram) { +=20 + static int=20 + cmd_expand (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param) { +- sprintf(str, "%d", param/4); ++ snprintf(str, 20, "%d", param / 4); + if (!param)=20 + attr_pop(ATTR_EXPAND); + else=20 +@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int = param) { +=20 + static int=20 + cmd_emboss (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param && !param) + #ifdef SUPPORT_UNNESTED + attr_find_pop(ATTR_EMBOSS); +@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int = param) { + #endif + else + { +- sprintf(str, "%d", param); ++ 
snprintf(str, 20, "%d", param); + attr_push(ATTR_EMBOSS, str); + } + return FALSE; +@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, in= t param) { +=20 + static int=20 + cmd_engrave (Word *w, int align, char has_param, int param) { +- char str[10]; ++ char str[20]; + if (has_param && !param)=20 + attr_pop(ATTR_ENGRAVE); + else + { +- sprintf(str, "%d", param); ++ snprintf(str, 20, "%d", param); + attr_push(ATTR_ENGRAVE, str); + } + return FALSE; +@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param= , int param) { +=20 + short done=3D0; + long unicode_number =3D (long) param; /* On 16bit architectures int is t= oo small to store unicode characters. - AF */ +- char tmp[12]; /* Number of characters that can be in int type (including= '\0'). If int size is greater than 4 bytes change this value. - AF */ ++ char tmp[20]; /* Number of characters that can be in int type (including= '\0'). If int size is greater than 4 bytes change this value. - AF */ + const char *alias; + #define DEBUG 0 + #if DEBUG +@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param= , int param) { + /* RTF spec: Unicode values beyond 32767 are = represented by negative numbers */ + unicode_number +=3D 65536; + } +- sprintf(tmp, "%ld", unicode_number); ++ snprintf(tmp, 20, "%ld", unicode_number); +=20 + if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY= _ARGS, "unisymbol_print"); + done++; +diff --git a/src/output.c b/src/output.c +index 86d8b5c..4cdbfa6 100644 +--- a/src/output.c ++++ b/src/output.c +@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size) + if (!found_std_expr) { + if (op->fontsize_begin) { + char expr[16]; +- sprintf (expr, "%d", size); ++ snprintf(expr, 16, "%d", size); + if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MAN= Y_ARGS, "fontsize_begin"); + } else { + /* If we cannot write out a change for the exact +@@ -440,7 +440,7 @@ op_end_std_fontsize 
(OutputPersonality *op, int size) + if (!found_std_expr) { + if (op->fontsize_end) { + char expr[16]; +- sprintf (expr, "%d", size); ++ snprintf(expr, 16, "%d", size); + if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_A= RGS, "fontsize_end"); + } else { + /* If we cannot write out a change for the exact +-=20 +.11.0 + diff --git a/gnu/packages/unrtf.scm b/gnu/packages/unrtf.scm index 162dec752..e11c9445c 100644 --- a/gnu/packages/unrtf.scm +++ b/gnu/packages/unrtf.scm @@ -23,6 +23,7 @@ #:use-module (guix download) #:use-module (guix build-system gnu) #:use-module (guix gexp) + #:use-module (gnu packages) #:use-module (gnu packages autotools) #:use-module (gnu packages m4) #:use-module (gnu packages base)) @@ -35,6 +36,7 @@ (method url-fetch) (uri (string-append "mirror://gnu/unrtf/unrtf-" version ".tar.gz")) + (patches (search-patches "unrtf-CVE-2016-10091.patch")) (sha256 (base32 "1pcdzf2h1prn393dkvg93v80vh38q0v817xnbwrlwxbdz4k7i8r2")) --=20 2.11.0
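Review bot: in the src/attr.c hunk, `snprintf(tmp, 20, "%d", nr)` repeats the array length as a literal instead of using `sizeof tmp`, so the bound and the declaration `char *s, tmp[20];` can drift apart silently on a later edit; `snprintf(tmp, sizeof tmp, "%d", nr)` ties them together. The replaced line also dropped the comment that explained how the old size was chosen; a one-line note that 20 bytes holds any int (sign, ten digits and the NUL) keeps that reasoning visible. The following `strcpy(&s[j], tmp)` is fine once tmp is always NUL-terminated, which snprintf guarantees and sprintf into an undersized buffer did not.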
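Review bot: the src/convert.c hunk that changes `cptoencoding(parm)` to `cptoencoding(int parm)` fixes an implicit-int parameter and is unrelated to the sprintf bounds, yet the header comment of the patch file only mentions the buffer overflows. Since it comes from the same upstream commit it is fine to keep, but one line in the header noting the extra prototype fix will help whoever rebases this patch onto the next UnRTF release.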
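Review bot: the cmd_cf, cmd_cb, cmd_highlight and cmd_fs hunks pass literal bounds (40 and 20) to snprintf, but the declaration of `str` sits outside the hunk context, so the bound cannot be checked against the real buffer from the diff alone; a bound larger than the array would leave the overflow in place behind a call that looks safe. Please confirm the declared size of `str` in each of those functions in the 0.21.9 sources, or switch to `sizeof str` so the question never arises. For reference, "#%02x%02x%02x" needs seven characters plus the NUL as long as each colour component fits in a byte.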
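Review bot: in the cmd_u hunk the comment kept on `char tmp[20];` still says "Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value", which no longer describes the code: the buffer is now 20 bytes and receives a `long` through "%ld". Update the comment to state the actual requirement (room for any long plus the NUL) so it does not mislead the next reader; the accompanying `snprintf(tmp, 20, "%ld", unicode_number)` would also read better with `sizeof tmp`.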
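Review bot: the embedded unrtf-CVE-2016-10091.patch ends with two stray added lines (`+-=20` and `+.11.0` in the quoted-printable copy) that appear to be the "-- " separator and git version trailer carried over from the Debian format-patch output. `patch` ignores text after the last hunk, but these lines are noise in a file kept in the tree; trimming the patch file after the final src/output.c hunk avoids the question the next time someone reads it.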
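Review bot: the debian/patches/series hunk from the January 1 submission is gone from this revision, which resolves the objection in the quoted reply; the embedded patch file now contains only src/ hunks meant for the 0.21.9 tarball. The gnu/local.mk entry sorts correctly between tuxpaint-stamps-path.patch and unzip-CVE-2014-8139.patch, and the new `#:use-module (gnu packages)` in unrtf.scm is the module that provides `search-patches`, so the added `(patches ...)` form in the origin resolves.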