Bug#874302: liblouis: Debdiff for liblouis CVEs 38, 39, 40 , 42 and 44 with prefix (CVE-2017-1137*)
Package: liblouis
Version: 3.0.0-3
Followup-For: Bug #874302
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu artful ubuntu-patch
Dear Maintainer,
In Ubuntu, the attached patch was applied to achieve the following:
* SECURITY UPDATE: Illegal address access in getALine
- debian/patches/CVE-2017-13738-and-2017-13744.patch: fix
possible out-of-bounds write in liblouis/compileTranslationTable.c.
- CVE-2017-13738
- CVE-2017-13744
* SECURITY UPDATE: heap-based buffer overflow
- debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch:
fix buffer overflow parsing malformed table in
liblouis/compilerTranslationTable.c.
- CVE-2017-13739
- CVE-2017-13740
- CVE-2017-13742
See that for us 41 and 43 were considered as ignored since it seems to catched
just with ASAN.
Thanks for considering the patch.
-- System Information:
Debian Release: stretch/sid
APT prefers xenial-updates
APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.10.0-32-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru liblouis-3.0.0/debian/files liblouis-3.0.0/debian/files
--- liblouis-3.0.0/debian/files 1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/files 2017-09-04 10:28:23.000000000 -0300
@@ -0,0 +1 @@
+liblouis_3.0.0-3ubuntu1_source.buildinfo libs extra
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/CVE-2017-13738-and-2017-13744.patch 2017-08-31 10:59:03.000000000 -0300
@@ -0,0 +1,19 @@
+From edf8ee00197e5a9b062554bdca00fe1617d257a4 Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Tue, 29 Aug 2017 16:55:29 -0500
+Subject: [PATCH] Fix possible out-of-bounds write from a \ followed by
+ multiple newlines
+
+Fixes CVE-2017-13738 and CVE-2017-13744.
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -573,6 +573,7 @@ getALine (FileInfo * nested)
+ if (pch == '\\' && ch == 10)
+ {
+ nested->linelen--;
++ pch = ch;
+ continue;
+ }
+ if (ch == 10 || nested->linelen >= MAXSTRING)
diff -Nru liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch
--- liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/CVE-2017-13739-and-2017-13740-and-2017-13742.patch 2017-08-31 11:15:15.000000000 -0300
@@ -0,0 +1,28 @@
+From d8cfdf1ab64a4c9c6685efe45bc735f68dac618c Mon Sep 17 00:00:00 2001
+From: Mike Gorse <mgorse@suse.com>
+Date: Wed, 30 Aug 2017 12:53:02 -0500
+Subject: [PATCH] resolveSubtable: Fix buffer overflow parsing a malformed
+ table
+
+The subtable's name can theoretically be up to MAXSTRING characters long.
+The base name is then copied into a buffer, and the subtable's name is
+appended, so we should allocate more than MAXSTRING bytes for the buffer.
+
+Fixes CVE-2017-13739, CVE-2017-13740, and CVE-2017-13742.
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.0.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.0.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.0.0/liblouis/compileTranslationTable.c
+@@ -4899,7 +4899,7 @@ resolveSubtable (const char *table, cons
+
+ if (table == NULL || table[0] == '\0')
+ return NULL;
+- tableFile = (char *) malloc (MAXSTRING * sizeof(char));
++ tableFile = (char *) malloc (MAXSTRING * sizeof(char) * 2);
+
+ //
+ // First try to resolve against base
diff -Nru liblouis-3.0.0/debian/patches/series liblouis-3.0.0/debian/patches/series
--- liblouis-3.0.0/debian/patches/series 1969-12-31 21:00:00.000000000 -0300
+++ liblouis-3.0.0/debian/patches/series 2017-08-31 11:13:38.000000000 -0300
@@ -0,0 +1,2 @@
+CVE-2017-13738-and-2017-13744.patch
+CVE-2017-13739-and-2017-13740-and-2017-13742.patch
Reply to: