From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: [PATCH 1/1] gnu: unrtf: Fix CVE-2016-10091.
Date: Sun,  1 Jan 2017 15:29:26 -0500
Message-ID: <049f6fc2d37899df14579e04092582e3382489d5.1483302566.git.leo@famulari.name>
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:58484)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cNml9-000750-21
	for guix-devel@gnu.org; Sun, 01 Jan 2017 15:29:41 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1cNml5-00080L-Gh
	for guix-devel@gnu.org; Sun, 01 Jan 2017 15:29:38 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:34402)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <leo@famulari.name>) id 1cNml4-0007zQ-Qw
	for guix-devel@gnu.org; Sun, 01 Jan 2017 15:29:35 -0500
Received: from localhost.localdomain (c-73-188-17-148.hsd1.pa.comcast.net
	[73.188.17.148])
	by mail.messagingengine.com (Postfix) with ESMTPA id A937E7E050
	for <guix-devel@gnu.org>; Sun,  1 Jan 2017 15:29:33 -0500 (EST)
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: guix-devel@gnu.org

* gnu/packages/patches/unrtf-CVE-2016-10091.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/unrtf.scm (unrtf)[source]: Use it.
---
 gnu/local.mk                                    |   1 +
 gnu/packages/patches/unrtf-CVE-2016-10091.patch | 224 ++++++++++++++++++++++++
 gnu/packages/unrtf.scm                          |   2 +
 3 files changed, 227 insertions(+)
 create mode 100644 gnu/packages/patches/unrtf-CVE-2016-10091.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 6ab1c1c48..58878e8e4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -878,6 +878,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/tophat-build-with-later-seqan.patch	\
   %D%/packages/patches/totem-debug-format-fix.patch		\
   %D%/packages/patches/tuxpaint-stamps-path.patch		\
+  %D%/packages/patches/unrtf-CVE-2016-10091.patch		\
   %D%/packages/patches/unzip-CVE-2014-8139.patch		\
   %D%/packages/patches/unzip-CVE-2014-8140.patch		\
   %D%/packages/patches/unzip-CVE-2014-8141.patch		\
diff --git a/gnu/packages/patches/unrtf-CVE-2016-10091.patch b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
new file mode 100644
index 000000000..0a58b40db
--- /dev/null
+++ b/gnu/packages/patches/unrtf-CVE-2016-10091.patch
@@ -0,0 +1,224 @@
+Fix CVE-2016-10091 (stack-based buffer overflows in cmd_* functions):
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10091
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849705
+http://seclists.org/oss-sec/2016/q4/787
+
+Patch copied from Debian:
+
+https://anonscm.debian.org/cgit/collab-maint/unrtf.git/commit/?h=jessie&id=7500a48fb0fbad3ab963fb17560b2f90a8a485c8
+
+The Debian patch adapts this upstream commit so that it can be applied
+to the 0.21.9 release tarball:
+
+http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406
+
+From 7dd568ed8a6a5acb6c04f2b40f457d63a00435f3 Mon Sep 17 00:00:00 2001
+From: Willi Mann <willi@debian.org>
+Date: Sat, 31 Dec 2016 20:31:38 +0100
+Subject: [PATCH] Add patch from upstream to fix CVE-2016-10091 (buffer
+ overflow in various cmd_ functions)
+
+closes: 849705
+---
+ ...-instances-of-sprintf-with-snprintf-and-a.patch | 179 +++++++++++++++++++++
+ debian/patches/series                              |   1 +
+ 2 files changed, 180 insertions(+)
+ create mode 100644 debian/patches/0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
+ create mode 100644 debian/patches/series
+
+diff --git a/debian/patches/0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch b/debian/patches/0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
+new file mode 100644
+index 0000000..2f3825a
+--- /dev/null
++++ b/debian/patches/0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
+@@ -0,0 +1,179 @@
++From: Jean-Francois Dockes <jf@dockes.org>
++Date: Sat, 31 Dec 2016 20:25:19 +0100
++Subject: Replace all instances of sprintf with snprintf and adjust size of
++ integer field in some cases
++
++This fixes CVE-2016-10091
++
++Bug-Debian: https://bugs.debian.org/849705
++---
++ src/attr.c    |  4 ++--
++ src/convert.c | 28 ++++++++++++++--------------
++ src/output.c  |  4 ++--
++ 3 files changed, 18 insertions(+), 18 deletions(-)
++
++diff --git a/src/attr.c b/src/attr.c
++index 02b5c81..e2951ea 100644
++--- a/src/attr.c
+++++ b/src/attr.c
++@@ -746,7 +746,7 @@ char *
++ assemble_string(char *string, int nr)
++ {
++ 
++-	char *s, tmp[12];/* Number of characters that can be in int type (including '\0') - AF */
+++	char *s, tmp[20];
++ 	int i = 0, j = 0;
++ 
++ 	if (string == NULL)
++@@ -762,7 +762,7 @@ assemble_string(char *string, int nr)
++ 		}
++ 
++ 		if (string[i] != '\0') {
++-			sprintf(tmp, "%d", nr);
+++			snprintf(tmp, 20, "%d", nr);
++ 			strcpy(&s[j], tmp);
++ 			j = j + strlen(tmp);
++ 		}
++diff --git a/src/convert.c b/src/convert.c
++index c76d7d6..8eacdcb 100644
++--- a/src/convert.c
+++++ b/src/convert.c
++@@ -472,7 +472,7 @@ static const int fcharsetparmtocp(int parm)
++ }
++ 
++ // Translate code page to encoding name hopefully suitable as iconv input
++-static char *cptoencoding(parm)
+++static char *cptoencoding(int parm)
++ {
++     // Note that CP0 is supposed to mean current system default, which does
++     // not make any sense as a stored value, we don't handle it.
++@@ -964,7 +964,7 @@ cmd_cf (Word *w, int align, char has_param, int num)
++ 	}
++ 	else
++ 	{
++-		sprintf(str,"#%02x%02x%02x",
+++		snprintf(str, 40, "#%02x%02x%02x",
++ 			color_table[num].r,
++ 			color_table[num].g,
++ 			color_table[num].b);
++@@ -993,7 +993,7 @@ cmd_cb (Word *w, int align, char has_param, int num)
++ 	}
++ 	else
++ 	{
++-		sprintf(str,"#%02x%02x%02x",
+++		snprintf(str, 40, "#%02x%02x%02x",
++ 			color_table[num].r,
++ 			color_table[num].g,
++ 			color_table[num].b);
++@@ -1018,7 +1018,7 @@ cmd_fs (Word *w, int align, char has_param, int points) {
++ 	/* Note, fs20 means 10pt */
++ 	points /= 2;
++ 
++-	sprintf(str,"%d",points);
+++	snprintf(str, 20, "%d", points);
++ 	attr_push(ATTR_FONTSIZE,str);
++ 
++ 	return FALSE;
++@@ -1166,7 +1166,7 @@ cmd_f (Word *w, int align, char has_param, int num)
++         {
++             // TOBEDONE: WHAT'S THIS ???
++             name = my_malloc(12);
++-            sprintf(name, "%d", num);
+++			snprintf(name, 12, "%d", num);
++         }
++ 
++         /* we are going to output entities, so should not output font */
++@@ -1218,7 +1218,7 @@ cmd_highlight (Word *w, int align, char has_param, int num)
++ 	}
++ 	else
++ 	{
++-		sprintf(str,"#%02x%02x%02x",
+++		snprintf(str, 40, "#%02x%02x%02x",
++ 			color_table[num].r,
++ 			color_table[num].g,
++ 			color_table[num].b);
++@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
++ 
++ static int 
++ cmd_expand (Word *w, int align, char has_param, int param) {
++-	char str[10];
+++	char str[20];
++ 	if (has_param) {
++-		sprintf(str, "%d", param/4);
+++		snprintf(str, 20, "%d", param / 4);
++ 		if (!param) 
++ 			attr_pop(ATTR_EXPAND);
++ 		else 
++@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
++ 
++ static int 
++ cmd_emboss (Word *w, int align, char has_param, int param) {
++-	char str[10];
+++	char str[20];
++ 	if (has_param && !param)
++ #ifdef SUPPORT_UNNESTED
++ 		attr_find_pop(ATTR_EMBOSS);
++@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
++ #endif
++ 	else
++ 	{
++-		sprintf(str, "%d", param);
+++		snprintf(str, 20, "%d", param);
++ 		attr_push(ATTR_EMBOSS, str);
++ 	}
++ 	return FALSE;
++@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
++ 
++ static int 
++ cmd_engrave (Word *w, int align, char has_param, int param) {
++-	char str[10];
+++	char str[20];
++ 	if (has_param && !param) 
++ 		attr_pop(ATTR_ENGRAVE);
++ 	else
++ 	{
++-		sprintf(str, "%d", param);
+++		snprintf(str, 20, "%d", param);
++ 		attr_push(ATTR_ENGRAVE, str);
++ 	}
++ 	return FALSE;
++@@ -1976,7 +1976,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
++ 
++ 	short	done=0;
++ 	long unicode_number = (long) param; /* On 16bit architectures int is too small to store unicode characters. - AF */
++-	char tmp[12]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
+++	char tmp[20]; /* Number of characters that can be in int type (including '\0'). If int size is greater than 4 bytes change this value. - AF */
++ 	const char *alias;
++ #define DEBUG 0
++ #if DEBUG
++@@ -2006,7 +2006,7 @@ static int cmd_u (Word *w, int align, char has_param, int param) {
++                             /* RTF spec: Unicode values beyond 32767 are represented by negative numbers */
++ 				unicode_number += 65536;
++ 			}
++-			sprintf(tmp, "%ld", unicode_number);
+++			snprintf(tmp, 20, "%ld", unicode_number);
++ 
++ 			if (safe_printf(1, op->unisymbol_print, tmp)) fprintf(stderr, TOO_MANY_ARGS, "unisymbol_print");
++ 			done++;
++diff --git a/src/output.c b/src/output.c
++index 86d8b5c..4cdbfa6 100644
++--- a/src/output.c
+++++ b/src/output.c
++@@ -320,7 +320,7 @@ op_begin_std_fontsize (OutputPersonality *op, int size)
++ 	if (!found_std_expr) {
++ 		if (op->fontsize_begin) {
++ 			char expr[16];
++-			sprintf (expr, "%d", size);
+++			snprintf(expr, 16, "%d", size);
++ 			if (safe_printf (1, op->fontsize_begin, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_begin");
++ 		} else {
++ 			/* If we cannot write out a change for the exact
++@@ -440,7 +440,7 @@ op_end_std_fontsize (OutputPersonality *op, int size)
++ 	if (!found_std_expr) {
++ 		if (op->fontsize_end) {
++ 			char expr[16];
++-			sprintf (expr, "%d", size);
+++			snprintf(expr, 16, "%d", size);
++ 			if (safe_printf(1, op->fontsize_end, expr)) fprintf(stderr, TOO_MANY_ARGS, "fontsize_end");
++ 		} else {
++ 			/* If we cannot write out a change for the exact
+diff --git a/debian/patches/series b/debian/patches/series
+new file mode 100644
+index 0000000..7868249
+--- /dev/null
++++ b/debian/patches/series
+@@ -0,0 +1 @@
++0001-Replace-all-instances-of-sprintf-with-snprintf-and-a.patch
+-- 
+2.11.0
+
diff --git a/gnu/packages/unrtf.scm b/gnu/packages/unrtf.scm
index 162dec752..e11c9445c 100644
--- a/gnu/packages/unrtf.scm
+++ b/gnu/packages/unrtf.scm
@@ -23,6 +23,7 @@
   #:use-module (guix download)
   #:use-module (guix build-system gnu)
   #:use-module (guix gexp)
+  #:use-module (gnu packages)
   #:use-module (gnu packages autotools)
   #:use-module (gnu packages m4)
   #:use-module (gnu packages base))
@@ -35,6 +36,7 @@
              (method url-fetch)
              (uri (string-append "mirror://gnu/unrtf/unrtf-"
                                  version ".tar.gz"))
+             (patches (search-patches "unrtf-CVE-2016-10091.patch"))
              (sha256
               (base32
                "1pcdzf2h1prn393dkvg93v80vh38q0v817xnbwrlwxbdz4k7i8r2"))
-- 
2.11.0