
Bug#874302: liblouis: Debdiff for liblouis CVEs 38, 39, 40 , 42 and 44 with prefix (CVE-2017-1137*)



Package: liblouis
Version: 3.0.0-3
Followup-For: Bug #874302
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch

Dear Maintainer,

In Ubuntu, the attached patch was applied to achieve the following:


  * SECURITY UPDATE: Illegal address access in getALine
    - debian/patches/CVE-2017-13738-and-2017-13744.patch: fix
      possible out-of-bounds write in liblouis/compileTranslationTable.c.
    - CVE-2017-13738
    - CVE-2017-13744
  * SECURITY UPDATE: heap-based buffer overflow
    - debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch:
      fix buffer overflow parsing malformed table in
      liblouis/compileTranslationTable.c.
    - CVE-2017-13739
    - CVE-2017-13740
    - CVE-2017-13742


See that for us 41 and 43 were considered as ignored since it seems to be caught
just with ASAN.

Thanks for considering the patch.



-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/files liblouis-3.0.0/debian/files
--- liblouis-3.0.0/debian/files	1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/files	2017-09-04 10:28:23.000000000 -0300
@@ -0,0 +1 @@
+liblouis_3.0.0-3ubuntu1_source.buildinfo libs extra
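Review bot: debian/files is a build artifact written by dpkg-genchanges and should not be part of the debdiff; the epoch timestamp on the `---` side shows it did not exist in 3.0.0-3, so this hunk is leftover from building the source package. Run `debian/rules clean` (or `dh_clean`) before regenerating the debdiff, or drop the hunk. Its content does confirm the target version is 3.0.0-3ubuntu1, yet the debdiff carries no debian/changelog hunk with the entry quoted in the message body; that entry should be part of the diff so the CVE references land in the package's changelog.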
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch	1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch	2017-08-31 10:59:03.000000000 -0300
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+       if (pch == '\\' && ch == 10)
+ 	{
+ 	  nested->linelen--;
++	  pch = ch;
+ 	  continue;
+ 	}
+       if (ch == 10 || nested->linelen >= MAXSTRING)
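Review bot: the one-line fix matches the commit message: after `nested->linelen--` the branch hits `continue`, which skips whatever later updates `pch`, so every further newline after a `\` would again satisfy `pch == '\\' && ch == 10` and decrement `nested->linelen` once more; setting `pch = ch` before the `continue` limits the decrement to one per backslash, which is what stops the line index going out of bounds. Two housekeeping points: unlike the second patch, this one omits the `---`/diffstat separator that git format-patch emits between the message and the `Index:` line (quilt still applies it, but the file looks truncated), and a DEP-3 `Origin:` line naming upstream commit edf8ee00197e5a9b062554bdca00fe1617d257a4 would make the provenance machine-readable.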
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch	1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch	2017-08-31 11:15:15.000000000 -0300
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
+ 
+   if (table == NULL || table[0] == '\0')
+     return NULL;
+-  tableFile = (char *) malloc (MAXSTRING * sizeof(char));
++  tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
+   
+   //
+   // First try to resolve against base
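Review bot: doubling the allocation to `MAXSTRING * sizeof(char) * 2` is only sufficient if the base name copied in first is itself bounded by MAXSTRING, which the commit message asserts but this hunk does not enforce; a more robust fix sizes the buffer from the actual lengths (length of the base name plus length of the subtable name plus one for the terminator) or checks the combined length before appending. Also, no NULL check on `tableFile` is visible in the surrounding context; if the original code has none, a failed `malloc` becomes a NULL write in the copy that follows, so it is worth adding one while touching this line.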
diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series	1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/series	2017-08-31 11:13:38.000000000 -0300
@@ -0,0 +1,2 @@
+CVE-2017-13738-and-2017-13744.patch
+CVE-2017-13739-and-2017-13740-and-2017-13742.patch
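Review bot: the series file is created from scratch here (the `---` side carries the epoch timestamp), which is consistent with 3.0.0-3 shipping no patches; the two entries match the patch file names added above and are listed in the order the CVE numbers suggest, so nothing to change in this hunk.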