Fix CVE-2014-0207

Author: Christoph Biedl, 11 years ago
Parent commit: 178a665f54
2 changed files with 40 additions and 0 deletions:
  1. debian/patches/CVE-2014-0207.patch (+39, -0)
  2. debian/patches/series (+1, -0)

+ 39 - 0
debian/patches/CVE-2014-0207.patch

@@ -0,0 +1,39 @@
+Subject: The cdf_read_short_sector function allows remote attackers to cause a denial of service
+ID: CVE-2014-0207
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon May 5 16:11:21 2014 +0000
+Origin:
+    commit 6d209c1c489457397a5763bca4b28e43aac90391
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin], removed all modifications to
+ src/readcdf.c (for CVE-2012-1571) as the problematic code was
+ introduced later.
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    Apply patches from file-CVE-2012-1571.patch
+    From Francisco Alonso Espejo:
+        file < 5.18/git version can be made to crash when checking some
+        corrupt CDF files (Using an invalid cdf_read_short_sector size)
+        The problem I found here, is that in most situations (if
+        h_short_sec_size_p2 > 8) because the blocksize is 512 and normal
+        values are 06 which means reading 64 bytes.As long as the check
+        for the block size copy is not checked properly (there's an assert
+        that makes wrong/invalid assumptions)
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -355,10 +355,10 @@
+ 	size_t ss = CDF_SHORT_SEC_SIZE(h);
+ 	size_t pos = CDF_SHORT_SEC_POS(h, id);
+ 	assert(ss == len);
+-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
++	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
+ 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
+ 		    SIZE_T_FORMAT "u\n",
+-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
++		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
+ 		return -1;
+ 	}
+ 	(void)memcpy(((char *)buf) + offs,
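Review bot: the replacement check `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` in the `+` line can still be bypassed if `pos + len` wraps around in `size_t`, since `pos` is derived via `CDF_SHORT_SEC_POS(h, id)` from the header `h` read out of the input file; a wrap-safe form such as `if (len > total || pos > total - len)` with `total = CDF_SEC_SIZE(h) * sst->sst_len` closes that gap, and the product `total` itself deserves the same overflow scrutiny, although that part is pre-existing. Note also that the unchanged context line `assert(ss == len)` is the only thing tying `len` to the header's short-sector size, and it disappears under NDEBUG, so in a release build the bounds check introduced here is the sole guard before the `memcpy` that follows; the DPRINTF update to print `pos + len` keeps the diagnostic consistent with the new condition.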

+ 1 - 0
debian/patches/series

@@ -5,3 +5,4 @@ CVE-2014-1943.patch
 limit-repetitions-in-awk-detection.patch
 CVE-2014-2270.patch
 DSA-2873-1-regression.patch
+CVE-2014-0207.patch