git Service of IN-Ulm e.V. Explore Help
Sign In
cbiedl
/
file
1
0
Fork 0
Files Pull Requests 0 Wiki
Browse Source

Fix CVE-2014-3487

Christoph Biedl 11 years ago
parent
fc270169cf
commit
17087b9b84
2 changed files with 30 additions and 0 deletions
Split View Show Diff Stats
  1. 29 0
      debian/patches/CVE-2014-3487.patch
  2. 1 0
      debian/patches/series

+ 29 - 0
debian/patches/CVE-2014-3487.patch
View File 

@@ -0,0 +1,29 @@
 
+Subject: The cdf_read_property_info function does not properly validate a stream offset
 
+ID: CVE-2014-3487
 
+Author: Christos Zoulas <christos@zoulas.com>
 
+Date: Mon Jun 9 13:04:37 2014 +0000
 
+Origin:
 
+    commit 93e063ee374b6a75729df9e7201fb511e47e259d
 
+Debian-Author: Holger Levsen <holger@debian.org>
 
+Comment:
 
+ made apply cleanly based on [origin]
 
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
 
+Last-Update: 2014-09-07
 
+
 
+    Add missing check offset test (Francisco Alonso, Jan Kaluza at RedHat)
 
+
 
+--- a/src/cdf.c
 
++++ b/src/cdf.c
 
+@@ -802,7 +802,11 @@
 
+ 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 
+ 		goto out;
 
+ 	for (i = 0; i < sh.sh_properties; i++) {
 
+-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
 
++		size_t tail = (i << 1) + 1;
 
++		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
 
++		    __LINE__) == -1)
 
++			goto out;
 
++		size_t ofs = CDF_GETUINT32(p, tail);
 
+ 		q = (const uint8_t *)(const void *)
 
+ 		    ((const char *)(const void *)p + ofs
 
+ 		    - 2 * sizeof(uint32_t));

+ 1 - 0
debian/patches/series
View File 

@@ -11,3 +11,4 @@ CVE-2014-0238.patch
 
 CVE-2014-3478.patch
 
 CVE-2014-3479.patch
 
 CVE-2014-3480.patch
 
+CVE-2014-3487.patch