
Fix CVE-2014-3479

Christoph Biedl 11 years ago
parent
commit
30e3545fb9
2 changed files with 34 additions and 0 deletions
  1. 33 0
      debian/patches/CVE-2014-3479.patch
  2. 1 0
      debian/patches/series

+ 33 - 0
debian/patches/CVE-2014-3479.patch

@@ -0,0 +1,33 @@
+Subject: The cdf_check_stream_offset function in relies on incorrect sector-size
+ID: CVE-2014-3479
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Jun 4 17:26:07 2014 +0000
+Origin:
+    commit 36fadd29849b8087af9f4586f89dbf74ea45be67
+Debian-Author: Holger Levsen <holger@debian.org>
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    Use the proper sector size when checking stream offsets (Francisco Alonso and
+    Jan Kaluza at RedHat)
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -267,13 +267,15 @@
+ {
+ 	const char *b = (const char *)sst->sst_tab;
+ 	const char *e = ((const char *)p) + tail;
++	size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++	    CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ 	(void)&line;
+-	if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len)
++	if (e >= b && (size_t)(e - b) < ss * sst->sst_len)
+ 		return 0;
+ 	DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u"
+ 	    " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ 	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+-	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++	    ss * sst->sst_len, ss, sst->sst_len));
+ 	errno = EFTYPE;
+ 	return -1;
+ }
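Review bot: The sector size chosen for `ss` is inferred from `sst->sst_dirlen` at check time, so the bound `ss * sst->sst_len` is only correct if every caller has filled in `sst_dirlen` for the same stream that `sst_tab` and `sst_len` describe; the callers and the function's signature are outside this hunk, so this needs confirming against the full `src/cdf.c`. A stream whose `sst_dirlen` is left at zero would be measured in short sectors, which looks like it fails closed (valid input rejected with `EFTYPE`) rather than open, but it is worth a regression test with both a short and a standard stream. I would add a comment above the declaration such as `/* streams below h_min_size_standard_stream are stored in short sectors, so sst_len counts short sectors */`. The product is also an unchecked `size_t` multiplication of what are presumably file-derived values, so a guard like `sst->sst_len > SIZE_MAX / ss` before the comparison would make the bound explicit on 32-bit builds.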

+ 1 - 0
debian/patches/series

@@ -9,3 +9,4 @@ CVE-2014-0207.patch
 CVE-2014-0237.patch
 CVE-2014-0238.patch
 CVE-2014-3478.patch
+CVE-2014-3479.patch