
Fix CVE-2014-0237

Christoph Biedl vor 11 Jahren
Ursprung
Commit
c6b80d3c6c
2 geänderte Dateien mit 52 neuen und 0 gelöschten Zeilen
  1. 51 0
      debian/patches/CVE-2014-0237.patch
  2. 1 0
      debian/patches/series

+ 51 - 0
debian/patches/CVE-2014-0237.patch

@@ -0,0 +1,51 @@
+Subject: The cdf_unpack_summary_info function allows remote attackers to cause a denial of service
+ID: CVE-2014-0237
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Tue May 6 18:20:39 2014 +0000
+Origin:
+    commit b8acc83781d5a24cc5101e525d15efe0482c280d
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+    made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    Remove loop that kept reading the same offset (Jan Kaluza)
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -932,7 +932,7 @@
+ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+     cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
+ {
+-	size_t i, maxcount;
++	size_t maxcount;
+ 	const cdf_summary_info_header_t *si =
+ 	    CAST(const cdf_summary_info_header_t *, sst->sst_tab);
+ 	const cdf_section_declaration_t *sd =
+@@ -947,21 +947,13 @@
+ 	ssi->si_os = CDF_TOLE2(si->si_os);
+ 	ssi->si_class = si->si_class;
+ 	cdf_swap_class(&ssi->si_class);
+-	ssi->si_count = CDF_TOLE2(si->si_count);
++	ssi->si_count = CDF_TOLE4(si->si_count);
+ 	*count = 0;
+ 	maxcount = 0;
+ 	*info = NULL;
+-	for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
+-		if (i >= CDF_LOOP_LIMIT) {
+-			DPRINTF(("Unpack summary info loop limit"));
+-			errno = EFTYPE;
+-			return -1;
+-		}
+-		if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
+-		    info, count, &maxcount) == -1) {
+-			return -1;
+-		}
+-	}
++	if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
++	    count, &maxcount) == -1)
++		return -1;
+ 	return 0;
+ }
+ 
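Review bot: The switch from `CDF_TOLE2` to `CDF_TOLE4` for `ssi->si_count` in the second inner hunk is a behaviour change that the patch header does not mention; the description only covers the loop removal. After this change the file-supplied count is stored but no longer bounds anything in `cdf_unpack_summary_info`, and only the section at `sd->sd_offset` is parsed, so any caller that later iterates on `ssi->si_count` would be using an unchecked 32-bit value from the file; the callers are not visible here, so this needs confirming against them. I would add a comment above the remaining call, e.g. `/* Parse the first section only: si_count is file-controlled and the old loop re-read the same sd_offset on every pass. */`, and mention the width fix in the patch description. Lines 939–946 of cdf.c fall between the two inner hunks and are not shown, so whether `sd` is range-checked before `sd->sd_offset` is read cannot be judged from this page.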

+ 1 - 0
debian/patches/series

@@ -6,3 +6,4 @@ limit-repetitions-in-awk-detection.patch
 CVE-2014-2270.patch
 DSA-2873-1-regression.patch
 CVE-2014-0207.patch
+CVE-2014-0237.patch