@@ -0,0 +1,39 @@
+Subject: The cdf_read_short_sector function allows remote attackers to cause a denial of service
+ID: CVE-2014-0207
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon May 5 16:11:21 2014 +0000
+Origin:
+ commit 6d209c1c489457397a5763bca4b28e43aac90391
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin], removed all modifications to
+ src/readcdf.c (for CVE-2012-1571) as the problematic code was
+ introduced later.
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+ Apply patches from file-CVE-2012-1571.patch
+ From Francisco Alonso Espejo:
+ file < 5.18/git version can be made to crash when checking some
+ corrupt CDF files (Using an invalid cdf_read_short_sector size)
+ The problem I found here, is that in most situations (if
+ h_short_sec_size_p2 > 8) because the blocksize is 512 and normal
+ values are 06 which means reading 64 bytes.As long as the check
+ for the block size copy is not checked properly (there's an assert
+ that makes wrong/invalid assumptions)
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -355,10 +355,10 @@
+ size_t ss = CDF_SHORT_SEC_SIZE(h);
+ size_t pos = CDF_SHORT_SEC_POS(h, id);
+ assert(ss == len);
+- if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++ if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ SIZE_T_FORMAT "u\n",
+- pos, CDF_SEC_SIZE(h) * sst->sst_len));
++ pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ return -1;
+ }
+ (void)memcpy(((char *)buf) + offs,
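Review bot: The new bound in the embedded cdf.c hunk, `if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len)`, still evaluates `pos + len` in size_t, so a `pos` large enough to wrap the addition would slip past the check and reach the memcpy below; `pos` is computed from the sector id by CDF_SHORT_SEC_POS, and whether that macro can produce such a value depends on how h_short_sec_size_p2 is bounded elsewhere, which this patch does not show. A wrap-free form avoids the question: `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos) {` with the DPRINTF arguments left as the patch has them. The `assert(ss == len)` two lines above is kept even though the header text describes "an assert that makes wrong/invalid assumptions"; if every caller passes ss as len it is harmless, otherwise it is a second abort path on corrupt input that returns no error to the caller, so a short follow-up note in the Comment: field saying why it was left in place would help the next maintainer. The enclosing cdf_read_short_sector body starts and ends outside the embedded hunk.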