* [PATCH] gnu: catdoc: Fix CVE-2017-11110.
@ 2017-08-11 21:51 Alex Vong
2017-08-12 13:37 ` Marius Bakke
0 siblings, 1 reply; 3+ messages in thread
From: Alex Vong @ 2017-08-11 21:51 UTC (permalink / raw)
To: guix-patches, guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 226 bytes --]
Severity: important
Tags: patch security
Hello,
This patch fixes the latest CVE of catdoc. The upstream repo[0] is not
updated for more than a year, so I grab the patch from openSUSE instead
(which is also used by Debian).
[-- Attachment #1.2: 0001-gnu-catdoc-Fix-CVE-2017-11110.patch --]
[-- Type: text/x-diff, Size: 4081 bytes --]
From 69b2b0ca3b43409e86bd5d01fe72823ef84ee391 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 10 Aug 2017 21:02:14 +0800
Subject: [PATCH] gnu: catdoc: Fix CVE-2017-11110.
* gnu/packages/patches/catdoc-CVE-2017-11110.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/textutils.scm (catdoc)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/catdoc-CVE-2017-11110.patch | 45 ++++++++++++++++++++++++
gnu/packages/textutils.scm | 2 ++
3 files changed, 48 insertions(+)
create mode 100644 gnu/packages/patches/catdoc-CVE-2017-11110.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 3d79d5d22..57c346921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -534,6 +534,7 @@ dist_patch_DATA = \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-use-packaged-feedparser.patch \
+ %D%/packages/patches/catdoc-CVE-2017-11110.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
%D%/packages/patches/cdrtools-3.01-mkisofs-isoinfo.patch \
%D%/packages/patches/ceph-disable-cpu-optimizations.patch \
diff --git a/gnu/packages/patches/catdoc-CVE-2017-11110.patch b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
new file mode 100644
index 000000000..71c44f60f
--- /dev/null
+++ b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11110:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110
+https://bugzilla.redhat.com/show_bug.cgi?id=1468471
+https://security-tracker.debian.org/tracker/CVE-2017-11110
+
+Patch copied from openSUSE:
+
+https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1
+
+From: Andreas Stieger <astieger@suse.com>
+Date: Mon, 10 Jul 2017 15:37:58 +0000
+References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877
+
+All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4.
+
+---
+ src/ole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: catdoc-0.95/src/ole.c
+===================================================================
+--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200
++++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200
+@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
+ return NULL;
+ }
+ sectorSize = 1<<getshort(oleBuf,0x1e);
++ /* CVE-2017-11110) */
++ if (sectorSize < 4) {
++ fprintf(stderr,"sectorSize < 4 not supported\n");
++ return NULL;
++ }
+ shortSectorSize=1<<getshort(oleBuf,0x20);
+
+ /* Read BBD into memory */
+@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
+ }
+
+ fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
+- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */
+ 1, sectorSize, newfile) != sectorSize) {
+ fprintf(stderr, "Error read MSAT!\n");
+ ole_finish();
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index e8ae30cd6..537d01334 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -409,6 +410,7 @@ runs Word\".")
(method url-fetch)
(uri (string-append "http://ftp.wagner.pp.ru/pub/catdoc/"
"catdoc-" version ".tar.gz"))
+ (patches (search-patches "catdoc-CVE-2017-11110.patch"))
(sha256
(base32
"15h7v3bmwfk4z8r78xs5ih6vd0pskn0rj90xghvbzdjj0cc88jji"))))
--
2.14.0
[-- Attachment #1.3: Type: text/plain, Size: 265 bytes --]
(I am re-sending this mail for the 3rd time since I didn't receive a
reply from debbugs. This time I decide to mail to guix-devel as well
just in case it doesn't work again.)
Cheers,
Alex
[0]: http://www.wagner.pp.ru/gitweb/?p=oss/catdoc.git;a=summary
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] gnu: catdoc: Fix CVE-2017-11110.
2017-08-11 21:51 [PATCH] gnu: catdoc: Fix CVE-2017-11110 Alex Vong
@ 2017-08-12 13:37 ` Marius Bakke
2017-08-12 16:21 ` Alex Vong
0 siblings, 1 reply; 3+ messages in thread
From: Marius Bakke @ 2017-08-12 13:37 UTC (permalink / raw)
To: Alex Vong, guix-devel
[-- Attachment #1: Type: text/plain, Size: 668 bytes --]
Alex Vong <alexvong1995@gmail.com> writes:
> Severity: important
> Tags: patch security
>
> Hello,
>
> This patch fixes the latest CVE of catdoc. The upstream repo[0] is not
> updated for more than a year, so I grab the patch from openSUSE instead
> (which is also used by Debian).
Thanks for this, pushed!
[...]
> (I am re-sending this mail for the 3rd time since I didn't receive a
> reply from debbugs. This time I decide to mail to guix-devel as well
> just in case it doesn't work again.)
No idea what's up with that. Does it work if you omit the debbugs
control headers? Perhaps processing is disabled for guix-patches, or
something.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] gnu: catdoc: Fix CVE-2017-11110.
2017-08-12 13:37 ` Marius Bakke
@ 2017-08-12 16:21 ` Alex Vong
0 siblings, 0 replies; 3+ messages in thread
From: Alex Vong @ 2017-08-12 16:21 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel, 28058-done
[-- Attachment #1: Type: text/plain, Size: 855 bytes --]
Marius Bakke <mbakke@fastmail.com> writes:
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hello,
>>
>> This patch fixes the latest CVE of catdoc. The upstream repo[0] is not
>> updated for more than a year, so I grab the patch from openSUSE instead
>> (which is also used by Debian).
>
> Thanks for this, pushed!
>
> [...]
>
Thanks!
>> (I am re-sending this mail for the 3rd time since I didn't receive a
>> reply from debbugs. This time I decide to mail to guix-devel as well
>> just in case it doesn't work again.)
>
> No idea what's up with that. Does it work if you omit the debbugs
> control headers? Perhaps processing is disabled for guix-patches, or
> something.
This time it works. I guess debbugs was doing some maintaince work hence
temporarily unavailable.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-08-12 16:21 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-11 21:51 [PATCH] gnu: catdoc: Fix CVE-2017-11110 Alex Vong
2017-08-12 13:37 ` Marius Bakke
2017-08-12 16:21 ` Alex Vong
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).