Fix CVE-2014-3480

debian/patches/CVE-2014-3480.patch

@@ -0,0 +1,38 @@
+Subject: The cdf_count_chain function does not properly validate sector-count data
+ID: CVE-2014-3480
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed Jun 4 17:23:19 2014 +0000
+Origin:
+    commit 40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+ made apply cleanly based on [origin]
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    Fix incorrect bounds check for sector count. (Francisco Alonso and Jan Kaluza
+    at RedHat)
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -460,7 +460,8 @@
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ 	size_t i, j;
+-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++	    / sizeof(maxsector));
+ 
+ 	DPRINTF(("Chain:"));
+ 	for (j = i = 0; sid >= 0; i++, j++) {
+@@ -470,8 +471,8 @@
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
+-		if (sid > maxsector) {
+-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
++		if (sid >= maxsector) {
++			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}

debian/patches/series

@@ -10,3 +10,4 @@ CVE-2014-0237.patch
 CVE-2014-0238.patch
 CVE-2014-3478.patch
 CVE-2014-3479.patch
+CVE-2014-3480.patch