
Refresh patches and update descriptions in 5.04-5+squeeze6, no other changes

Christoph Biedl 11 years ago
parent
commit
5243d9ba14

+ 13 - 7
debian/patches/CVE-2014-0207.patch

@@ -1,8 +1,16 @@
-made apply cleanly based on, removed all modifications to src/readcdf.c (for CVE-2012-1571) as the problematic code was introduced later.
-
-commit 6d209c1c489457397a5763bca4b28e43aac90391
+Subject: The cdf_read_short_sector function allows remote attackers to cause a denial of service
+ID: CVE-2014-0207
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Mon May 5 16:11:21 2014 +0000
+Date: Mon May 5 16:11:21 2014 +0000
+Origin:
+    commit 6d209c1c489457397a5763bca4b28e43aac90391
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin], removed all modifications to
+ src/readcdf.c (for CVE-2012-1571) as the problematic code was
+ introduced later.
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     Apply patches from file-CVE-2012-1571.patch
     From Francisco Alonso Espejo:
@@ -14,11 +22,9 @@ Date:   Mon May 5 16:11:21 2014 +0000
         for the block size copy is not checked properly (there's an assert
         that makes wrong/invalid assumptions)
 
-diff --git a/src/cdf.c b/src/cdf.c
-index 2573a5f..f7c46ae 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -355,10 +355,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs,
+@@ -355,10 +355,10 @@
  	size_t ss = CDF_SHORT_SEC_SIZE(h);
  	size_t pos = CDF_SHORT_SEC_POS(h, id);
  	assert(ss == len);

+ 12 - 8
debian/patches/CVE-2014-0237.patch

@@ -1,16 +1,20 @@
-made apply cleanly based on
-
-commit b8acc83781d5a24cc5101e525d15efe0482c280d
+Subject: The cdf_unpack_summary_info function allows remote attackers to cause a denial of service
+ID: CVE-2014-0237
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Tue May 6 18:20:39 2014 +0000
+Date: Tue May 6 18:20:39 2014 +0000
+Origin:
+    commit b8acc83781d5a24cc5101e525d15efe0482c280d
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+    made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     Remove loop that kept reading the same offset (Jan Kaluza)
 
-diff --git a/src/cdf.c b/src/cdf.c
-index f7c46ae..c591a14 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -932,7 +932,7 @@ int
+@@ -932,7 +932,7 @@
  cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
      cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
  {
@@ -19,7 +23,7 @@ index f7c46ae..c591a14 100644
  	const cdf_summary_info_header_t *si =
  	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
  	const cdf_section_declaration_t *sd =
-@@ -947,21 +947,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+@@ -947,21 +947,13 @@
  	ssi->si_os = CDF_TOLE2(si->si_os);
  	ssi->si_class = si->si_class;
  	cdf_swap_class(&ssi->si_class);

+ 13 - 8
debian/patches/CVE-2014-0238.patch

@@ -1,17 +1,22 @@
-made apply cleanly based on
-
-commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+Subject: The cdf_read_property_info function allows remote attackers to cause a denial of service
+ID: CVE-2014-0238
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed May 21 13:04:38 2014 +0000
+Date: Wed May 21 13:04:38 2014 +0000
+Origin:
+    commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+    made apply cleanly based on [origin]
+Comment-2: Upstream's commit message refers to a different CVE ID
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
     of properties from accessing random memory.
 
-diff --git a/src/cdf.c b/src/cdf.c
-index 48a00ec..375406c 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -813,6 +813,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+@@ -813,6 +813,10 @@
  		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
  		if (inp[i].pi_type & CDF_VECTOR) {
  			nelements = CDF_GETUINT32(q, 1);
@@ -22,7 +27,7 @@ index 48a00ec..375406c 100644
  			o = 2;
  		} else {
  			nelements = 1;
-@@ -887,7 +887,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+@@ -887,7 +891,9 @@
  			}
  			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
  			    nelements));

+ 93 - 110
debian/patches/CVE-2014-3478.patch

@@ -1,39 +1,95 @@
-made apply cleanly based on the following commits:
-
-commit 27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+Subject: Buffer overflow in the mconvert function allows remote attackers to cause a denial of service
+ID: CVE-2014-3478
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed Jun 4 17:36:34 2014 +0000
+Date:
+    Wed Jun 4 17:36:34 2014 +0000 (A)
+    Wed Dec 22 18:14:05 2010 +0000 (B)
+    Wed Dec 22 19:09:10 2010 +0000 (C)
+Origin:
+    commit 27a14bc7ba285a0a5ebfdb55e54001aa11932b08 (A)
+    commit 2f0eeb07ba633f1d915f78a50b22808123b38ea0 (B)
+    commit 57e4574e062e538b16b225e822ece6ca0ce539b8 (C)
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on the [above] commits
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
+    [ A: ]
     Correctly compute the truncated pascal string size (Francisco Alonso and
     Jan Kaluza at RedHat)
 
-commit 2f0eeb07ba633f1d915f78a50b22808123b38ea0
-Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed Dec 22 18:14:05 2010 +0000
-
+    [ B: ]
     support for various formats of pascal strings.
 
-commit 57e4574e062e538b16b225e822ece6ca0ce539b8
-Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed Dec 22 19:09:10 2010 +0000
-
+    [ C: ]
     don't undo our initialization
 
-diff --git a/src/softmagic.c b/src/softmagic.c
-index 9ba500b..6d69419 100644
 --- a/src/softmagic.c
 +++ b/src/softmagic.c
-@@ -800,10 +800,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+@@ -169,6 +169,8 @@
+ 			continue;
+ 		}
+ 
++		if ((e = handle_annotation(ms, m)) != 0)
++			return e;
+ 		/*
+ 		 * If we are going to print something, we'll need to print
+ 		 * a blank before we print something else.
+@@ -176,8 +178,6 @@
+ 		if (*m->desc) {
+ 			need_separator = 1;
+ 			printed_something = 1;
+-			if ((e = handle_annotation(ms, m)) != 0)
+-				return e;
+ 			if (print_sep(ms, firstline) == -1)
+ 				return -1;
+ 		}
+@@ -252,13 +252,13 @@
+ 					ms->c.li[cont_level].got_match = 0;
+ 					break;
+ 				}
++				if ((e = handle_annotation(ms, m)) != 0)
++					return e;
+ 				/*
+ 				 * If we are going to print something,
+ 				 * make sure that we have a separator first.
+ 				 */
+ 				if (*m->desc) {
+-					if ((e = handle_annotation(ms, m)) != 0)
+-						return e;
+ 					if (!printed_something) {
+ 						printed_something = 1;
+ 						if (print_sep(ms, firstline)
+@@ -450,7 +450,7 @@
+ 				return -1;
+ 			t = ms->offset + strlen(p->s);
+ 			if (m->type == FILE_PSTRING)
+-				t++;
++				t += file_pstring_length_size(m);
+ 		}
+ 		break;
+ 
+@@ -615,7 +615,7 @@
+ 				p->s[strcspn(p->s, "\n")] = '\0';
+ 			t = CAST(uint32_t, (ms->offset + strlen(p->s)));
+ 			if (m->type == FILE_PSTRING)
+-				t++;
++				t += file_pstring_length_size(m);
+ 			return t;
+ 		}
+ 
+@@ -800,10 +800,18 @@
  		return 1;
  	}
  	case FILE_PSTRING: {
 -		char *ptr1 = p->s, *ptr2 = ptr1 + 1;
 -	size_t len = *p->s;
+-		if (len >= sizeof(p->s))
+-			len = sizeof(p->s) - 1;
 +		size_t sz = file_pstring_length_size(m);
 +		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
 +		size_t len = file_pstring_get_length(m, ptr1);
--		if (len >= sizeof(p->s))
--			len = sizeof(p->s) - 1;
 +		if (len >= sizeof(p->s)) {
 +			/*
 +			 * The size of the pascal string length (sz)
@@ -46,11 +102,9 @@ index 9ba500b..6d69419 100644
  		while (len--)
  			*ptr1++ = *ptr2++;
  		*ptr1 = '\0';
-diff --git a/doc/magic.man b/doc/magic.man
-index 8486645..299bb8d 100644
 --- a/doc/magic.man
 +++ b/doc/magic.man
-@@ -71,8 +71,22 @@ characters in the magic match both lower and upper case characters in the
+@@ -71,8 +71,22 @@
  target, whereas upper case characters in the magic only match uppercase
  characters in the target.
  .It Dv pstring
@@ -74,11 +128,9 @@ index 8486645..299bb8d 100644
  The string is not NUL terminated.
  .It Dv date
  A four-byte value interpreted as a UNIX date.
-diff --git a/src/apprentice.c b/src/apprentice.c
-index 40d547b..1120a69 100644
 --- a/src/apprentice.c
 +++ b/src/apprentice.c
-@@ -932,6 +932,11 @@ string_modifier_check(struct magic_set *ms, struct magic *m)
+@@ -932,6 +932,11 @@
  	if ((ms->flags & MAGIC_CHECK) == 0)
  		return 0;
  
@@ -90,16 +142,17 @@ index 40d547b..1120a69 100644
  	switch (m->type) {
  	case FILE_BESTRING16:
  	case FILE_LESTRING16:
-@@ -1308,7 +1308,7 @@ parse(struct magic_set *ms, struct magic_entry **mentryp, uint32_t *nmentryp,
+@@ -1308,8 +1313,7 @@
  		++l;
  	}
  	m->str_range = 0;
 -	m->str_flags = 0;
+-	m->num_mask = 0;
 +	m->str_flags = m->type == FILE_PSTRING ? PSTRING_1_LE : 0;
- 	m->num_mask = 0;
  	if ((op = get_op(*l)) != -1) {
  		if (!IS_STRING(m->type)) {
-@@ -1362,6 +1362,32 @@ parse(struct magic_set *ms, struct magic_entry **mentryp, uint32_t *nmentryp,
+ 			uint64_t val;
+@@ -1362,6 +1366,32 @@
  				case CHAR_TEXTTEST:
  					m->str_flags |= STRING_TEXTTEST;
  					break;
@@ -132,7 +185,7 @@ index 40d547b..1120a69 100644
  				default:
  					if (ms->flags & MAGIC_CHECK)
  						file_magwarn(ms,
-@@ -1990,7 +1990,7 @@ out:
+@@ -1990,7 +2020,7 @@
  	*p = '\0';
  	m->vallen = CAST(unsigned char, (p - origp));
  	if (m->type == FILE_PSTRING)
@@ -141,7 +194,16 @@ index 40d547b..1120a69 100644
  	return s;
  }
  
-@@ -2379,3 +2379,40 @@ bs1(struct magic *m)
+@@ -2371,6 +2401,8 @@
+ 	m->in_offset = swap4((uint32_t)m->in_offset);
+ 	m->lineno = swap4((uint32_t)m->lineno);
+ 	if (IS_STRING(m->type)) {
++		if (m->type == FILE_PSTRING)
++			printf("flags! %d\n", m->str_flags);
+ 		m->str_range = swap4(m->str_range);
+ 		m->str_flags = swap4(m->str_flags);
+ 	}
+@@ -2379,3 +2411,40 @@
  		m->num_mask = swap8(m->num_mask);
  	}
  }
@@ -182,11 +244,9 @@ index 40d547b..1120a69 100644
 +		return 1;
 +	}
 +}
-diff --git a/src/file.h b/src/file.h
-index 25cd3a5..c84749f 100644
 --- a/src/file.h
 +++ b/src/file.h
-@@ -285,6 +285,14 @@ struct magic {
+@@ -285,6 +285,14 @@
  #define REGEX_OFFSET_START			BIT(4)
  #define STRING_TEXTTEST				BIT(5)
  #define STRING_BINTEST				BIT(6)
@@ -201,7 +261,7 @@ index 25cd3a5..c84749f 100644
  #define CHAR_COMPACT_WHITESPACE			'W'
  #define CHAR_COMPACT_OPTIONAL_WHITESPACE	'w'
  #define CHAR_IGNORE_LOWERCASE			'c'
-@@ -292,6 +292,12 @@ struct magic {
+@@ -292,6 +300,12 @@
  #define CHAR_REGEX_OFFSET_START			's'
  #define CHAR_TEXTTEST				't'
  #define CHAR_BINTEST				'b'
@@ -214,7 +274,7 @@ index 25cd3a5..c84749f 100644
  #define STRING_IGNORE_CASE		(STRING_IGNORE_LOWERCASE|STRING_IGNORE_UPPERCASE)
  #define STRING_DEFAULT_RANGE		100
  
-@@ -400,6 +400,8 @@ protected ssize_t sread(int, void *, size_t, int);
+@@ -400,6 +414,8 @@
  protected int file_check_mem(struct magic_set *, unsigned int);
  protected int file_looks_utf8(const unsigned char *, size_t, unichar *,
      size_t *);
@@ -223,80 +283,3 @@ index 25cd3a5..c84749f 100644
  #ifdef __EMX__
  protected int file_os2_apptype(struct magic_set *, const char *, const void *,
      size_t);
-diff --git a/src/softmagic.c b/src/softmagic.c
-index a565989..0f15227 100644
---- a/src/softmagic.c
-+++ b/src/softmagic.c
-@@ -169,6 +169,8 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- 			continue;
- 		}
- 
-+		if ((e = handle_annotation(ms, m)) != 0)
-+			return e;
- 		/*
- 		 * If we are going to print something, we'll need to print
- 		 * a blank before we print something else.
-@@ -176,8 +176,6 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- 		if (*m->desc) {
- 			need_separator = 1;
- 			printed_something = 1;
--			if ((e = handle_annotation(ms, m)) != 0)
--				return e;
- 			if (print_sep(ms, firstline) == -1)
- 				return -1;
- 		}
-@@ -252,13 +252,13 @@ match(struct magic_set *ms, struct magic *magic, uint32_t nmagic,
- 					ms->c.li[cont_level].got_match = 0;
- 					break;
- 				}
-+				if ((e = handle_annotation(ms, m)) != 0)
-+					return e;
- 				/*
- 				 * If we are going to print something,
- 				 * make sure that we have a separator first.
- 				 */
- 				if (*m->desc) {
--					if ((e = handle_annotation(ms, m)) != 0)
--						return e;
- 					if (!printed_something) {
- 						printed_something = 1;
- 						if (print_sep(ms, firstline)
-@@ -450,7 +450,7 @@ mprint(struct magic_set *ms, struct magic *m)
- 				return -1;
- 			t = ms->offset + strlen(p->s);
- 			if (m->type == FILE_PSTRING)
--				t++;
-+				t += file_pstring_length_size(m);
- 		}
- 		break;
- 
-@@ -615,7 +615,7 @@ moffset(struct magic_set *ms, struct magic *m)
- 				p->s[strcspn(p->s, "\n")] = '\0';
- 			t = CAST(uint32_t, (ms->offset + strlen(p->s)));
- 			if (m->type == FILE_PSTRING)
--				t++;
-+				t += file_pstring_length_size(m);
- 			return t;
- 		}
- 
-diff --git a/src/apprentice.c b/src/apprentice.c
-index 1120a69..c77f679 100644
---- a/src/apprentice.c
-+++ b/src/apprentice.c
-@@ -1314,7 +1314,6 @@ parse(struct magic_set *ms, struct magic_entry **mentryp, uint32_t *nmentryp,
- 	}
- 	m->str_range = 0;
- 	m->str_flags = m->type == FILE_PSTRING ? PSTRING_1_LE : 0;
--	m->num_mask = 0;
- 	if ((op = get_op(*l)) != -1) {
- 		if (!IS_STRING(m->type)) {
- 			uint64_t val;
-@@ -2402,6 +2402,8 @@ bs1(struct magic *m)
- 	m->in_offset = swap4((uint32_t)m->in_offset);
- 	m->lineno = swap4((uint32_t)m->lineno);
- 	if (IS_STRING(m->type)) {
-+		if (m->type == FILE_PSTRING)
-+			printf("flags! %d\n", m->str_flags);
- 		m->str_range = swap4(m->str_range);
- 		m->str_flags = swap4(m->str_flags);
- 	}
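Review bot: The refreshed CVE-2014-3478 patch still carries a debug print into bs1() in the apprentice.c hunk `@@ -2371,6 +2401,8 @@`: the added lines `if (m->type == FILE_PSTRING)` / `printf("flags! %d\n", m->str_flags);` write to stdout whenever a byte-swapped compiled magic file containing a pstring entry is loaded, which has nothing to do with the pascal-string length fix and changes the tool's observable output. This commit only refreshes headers and does not introduce those lines, but a security backport should not ship them; dropping the two `++` lines from the hunk leaves the CVE fix intact (the `%d` conversion also looks wrong for a field that `swap4()` suggests is a 32-bit unsigned value, though its declaration is outside the hunk). bs1() starts and ends outside the hunk.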

+ 9 - 5
debian/patches/CVE-2014-3479.patch

@@ -1,15 +1,19 @@
-commit 36fadd29849b8087af9f4586f89dbf74ea45be67
+Subject: The cdf_check_stream_offset function in relies on incorrect sector-size
+ID: CVE-2014-3479
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed Jun 4 17:26:07 2014 +0000
+Date: Wed Jun 4 17:26:07 2014 +0000
+Origin:
+    commit 36fadd29849b8087af9f4586f89dbf74ea45be67
+Debian-Author: Holger Levsen <holger@debian.org>
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     Use the proper sector size when checking stream offsets (Francisco Alonso and
     Jan Kaluza at RedHat)
 
-diff --git a/src/cdf.c b/src/cdf.c
-index 6652581..0bfb31a 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -267,13 +267,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+@@ -267,13 +267,15 @@
  {
  	const char *b = (const char *)sst->sst_tab;
  	const char *e = ((const char *)p) + tail;
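Review bot: The new DEP-3 header line `Subject: The cdf_check_stream_offset function in relies on incorrect sector-size` has lost words after "in", so the sentence is ungrammatical and a reader cannot tell what the function is "in". Suggest `Subject: The cdf_check_stream_offset function relies on an incorrect sector size`, which matches the upstream description quoted below it ("Use the proper sector size when checking stream offsets").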

+ 12 - 8
debian/patches/CVE-2014-3480.patch

@@ -1,17 +1,21 @@
-made apply cleanly based on
-
-commit 40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+Subject: The cdf_count_chain function does not properly validate sector-count data
+ID: CVE-2014-3480
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Wed Jun 4 17:23:19 2014 +0000
+Date: Wed Jun 4 17:23:19 2014 +0000
+Origin:
+    commit 40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     Fix incorrect bounds check for sector count. (Francisco Alonso and Jan Kaluza
     at RedHat)
 
-diff --git a/src/cdf.c b/src/cdf.c
-index 375406c..6652581 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -460,7 +460,8 @@ size_t
+@@ -460,7 +460,8 @@
  cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
  {
  	size_t i, j;
@@ -21,7 +25,7 @@ index 375406c..6652581 100644
  
  	DPRINTF(("Chain:"));
  	for (j = i = 0; sid >= 0; i++, j++) {
-@@ -470,8 +470,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+@@ -470,8 +471,8 @@
  			errno = EFTYPE;
  			return (size_t)-1;
  		}

+ 11 - 7
debian/patches/CVE-2014-3487.patch

@@ -1,16 +1,20 @@
-made apply cleanly based on 
-
-commit 93e063ee374b6a75729df9e7201fb511e47e259d
+Subject: The cdf_read_property_info function does not properly validate a stream offset
+ID: CVE-2014-3487
 Author: Christos Zoulas <christos@zoulas.com>
-Date:   Mon Jun 9 13:04:37 2014 +0000
+Date: Mon Jun 9 13:04:37 2014 +0000
+Origin:
+    commit 93e063ee374b6a75729df9e7201fb511e47e259d
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
 
     Add missing check offset test (Francisco Alonso, Jan Kaluza at RedHat)
 
-diff --git a/src/cdf.c b/src/cdf.c
-index 0bfb31a..c258e82 100644
 --- a/src/cdf.c
 +++ b/src/cdf.c
-@@ -802,7 +802,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+@@ -802,7 +802,11 @@
  	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
  		goto out;
  	for (i = 0; i < sh.sh_properties; i++) {