authorFrancesco Colista <fcolista@alpinelinux.org>2017-08-28 13:36:50 +0000
committerFrancesco Colista <fcolista@alpinelinux.org>2017-08-28 13:53:10 +0000
commit4053980ec8c5562de60ee9c6eda3410cda4e6629 (patch)
tree1138018140e27699b2cb8685cbf49424fa2b5389
parent1a5266d019a8e6b6420cc4ec3320090806369651 (diff)
main/libmspack: fix for CVE-2017-6419, CVE-2017-11423. Fixes #7756
-rw-r--r--main/libmspack/APKBUILD24
-rw-r--r--main/libmspack/CVE-2017-11423.patch20
-rw-r--r--main/libmspack/CVE-2017-6419.patch78
3 files changed, 117 insertions, 5 deletions
diff --git a/main/libmspack/APKBUILD b/main/libmspack/APKBUILD
index 8032ef1441..95bc28f146 100644
--- a/main/libmspack/APKBUILD
+++ b/main/libmspack/APKBUILD
@@ -2,7 +2,7 @@
pkgname=libmspack
pkgver=0.5_alpha
_ver=${pkgver/_/}
-pkgrel=0
+pkgrel=1
pkgdesc="Library for CAB and related files compression and decompression"
url="http://www.cabextract.org.uk/libmspack/"
arch="all"
@@ -12,9 +12,17 @@ depends_dev=""
makedepends="$depends_dev"
install=""
subpackages="$pkgname-dev"
-source="http://www.cabextract.org.uk/libmspack/libmspack-$_ver.tar.gz"
+source="http://www.cabextract.org.uk/libmspack/libmspack-$_ver.tar.gz
+ CVE-2017-6419.patch
+ CVE-2017-11423.patch"
_builddir="$srcdir"/libmspack-$_ver
+
+# secfixes:
+# 0.5_alpha-r1:
+# - CVE-2017-6419
+# - CVE-2017-11423
+
prepare() {
local i
cd "$_builddir"
@@ -44,6 +52,12 @@ package() {
make DESTDIR="$pkgdir" install || return 1
}
-md5sums="3aa3f6b9ef101463270c085478fda1da libmspack-0.5alpha.tar.gz"
-sha256sums="8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 libmspack-0.5alpha.tar.gz"
-sha512sums="6d4efa0f43c43185ef91c97c1518aa70f09109d7332cda7e12019e146ec9cb0f2065fb1b57683b48bae9a7eaf8e82eb94096644c6d25c56d45878f630b719231 libmspack-0.5alpha.tar.gz"
+md5sums="3aa3f6b9ef101463270c085478fda1da libmspack-0.5alpha.tar.gz
+a88236b4e1b9bb265945a455123648ed CVE-2017-6419.patch
+e29cb11b947c191dbec80932f16b5d70 CVE-2017-11423.patch"
+sha256sums="8967f275525f5067b364cee43b73e44d0433668c39f9376dfff19f653d1c8110 libmspack-0.5alpha.tar.gz
+fed2f79b41b326ca0b5f1f968027ee320e9f3d14f14fc67a7b1bcf5650884dd8 CVE-2017-6419.patch
+164b7bbbc08abce0e7f995938b3b74084dcc71cc8871c9ab1e14dcadc8df6a58 CVE-2017-11423.patch"
+sha512sums="6d4efa0f43c43185ef91c97c1518aa70f09109d7332cda7e12019e146ec9cb0f2065fb1b57683b48bae9a7eaf8e82eb94096644c6d25c56d45878f630b719231 libmspack-0.5alpha.tar.gz
+5b40a114c8449f0c9f38536cb148c684a94e51607ec806da1a4a4466550202d63edbcd26e4a6cdec7b20483f3384f732ba952945e752a975be2e9a6653e036e0 CVE-2017-6419.patch
+b426584d967c53f61491f1d47205a8db0bab5ca0a9ba75868f0437d697f5c81df20652c6eedf7825d00851555ff10f4a388275024fdc41d638d1d6ee9387dad2 CVE-2017-11423.patch"
diff --git a/main/libmspack/CVE-2017-11423.patch b/main/libmspack/CVE-2017-11423.patch
new file mode 100644
index 0000000000..868ff83482
--- /dev/null
+++ b/main/libmspack/CVE-2017-11423.patch
@@ -0,0 +1,20 @@
+diff --git a/mspack/cabd.c b/mspack/cabd.c
+index 16021ee..8b10934 100644
+--- a/mspack/cabd.c
++++ b/mspack/cabd.c
+@@ -521,10 +521,13 @@ static char *cabd_read_string(struct mspack_system *sys,
+ {
+ off_t base = sys->tell(fh);
+ char buf[256], *str;
+- unsigned int len, i, ok;
++ int len, i, ok;
+
+ /* read up to 256 bytes */
+- len = sys->read(fh, &buf[0], 256);
++ if ((len = sys->read(fh, &buf[0], 256)) <= 0) {
++ *error = MSPACK_ERR_READ;
++ return NULL;
++ }
+
+ /* search for a null terminator in the buffer */
+ for (i = 0, ok = 0; i < len; i++) if (!buf[i]) { ok = 1; break; }
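Review bot: The change of `len`, `i` and `ok` from `unsigned int` to `int` in cabd_read_string carries the whole fix but is not explained in the code, so a later signedness cleanup could quietly undo it. With an unsigned `len`, a negative return from `sys->read` would have become a very large bound for the terminator search over the 256-byte `buf`. I would record that next to the declaration, e.g. `/* len must stay signed: sys->read() can return a negative value on error */`. The read size could also be written as `sizeof(buf)` instead of the repeated literal `256`, so the buffer and the bound cannot drift apart. The function body continues past the end of this hunk, so the later use of `ok` and `len` is not visible here.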
diff --git a/main/libmspack/CVE-2017-6419.patch b/main/libmspack/CVE-2017-6419.patch
new file mode 100644
index 0000000000..4945f5fba5
--- /dev/null
+++ b/main/libmspack/CVE-2017-6419.patch
@@ -0,0 +1,78 @@
+diff --git a/mspack/chmd.c b/mspack/chmd.c
+index 5a6ef54..1a486c8 100644
+--- a/mspack/chmd.c
++++ b/mspack/chmd.c
+@@ -1269,9 +1269,15 @@ static int read_spaninfo(struct mschm_decompressor_p *self,
+
+ /* get the uncompressed length of the LZX stream */
+ err = read_off64(length_ptr, data, sys, self->d->infh);
+-
+ sys->free(data);
+- return (err) ? MSPACK_ERR_DATAFORMAT : MSPACK_ERR_OK;
++ if (err) return MSPACK_ERR_DATAFORMAT;
++
++ if (*length_ptr <= 0) {
++ D(("output length is invalid"))
++ return MSPACK_ERR_DATAFORMAT;
++ }
++
++ return MSPACK_ERR_OK;
+ }
+
+ /***************************************
+diff --git a/mspack/lzxd.c b/mspack/lzxd.c
+index 2281e7b..d164df9 100644
+--- a/mspack/lzxd.c
++++ b/mspack/lzxd.c
+@@ -300,8 +300,14 @@ struct lzxd_stream *lzxd_init(struct mspack_system *system,
+ if (window_bits < 15 || window_bits > 21) return NULL;
+ }
+
++ if (reset_interval < 0 || output_length < 0) {
++ D(("reset interval or output length < 0"))
++ return NULL;
++ }
++
++ /* round up input buffer size to multiple of two */
+ input_buffer_size = (input_buffer_size + 1) & -2;
+- if (!input_buffer_size) return NULL;
++ if (input_buffer_size < 2) return NULL;
+
+ /* allocate decompression state */
+ if (!(lzx = (struct lzxd_stream *) system->alloc(system, sizeof(struct lzxd_stream)))) {
+@@ -382,7 +388,7 @@ int lzxd_set_reference_data(struct lzxd_stream *lzx,
+ }
+
+ void lzxd_set_output_length(struct lzxd_stream *lzx, off_t out_bytes) {
+- if (lzx) lzx->length = out_bytes;
++ if (lzx && out_bytes > 0) lzx->length = out_bytes;
+ }
+
+ int lzxd_decompress(struct lzxd_stream *lzx, off_t out_bytes) {
+diff --git a/mspack/mszipd.c b/mspack/mszipd.c
+index 5b4756d..6ecd96d 100644
+--- a/mspack/mszipd.c
++++ b/mspack/mszipd.c
+@@ -349,8 +349,9 @@ struct mszipd_stream *mszipd_init(struct mspack_system *system,
+
+ if (!system) return NULL;
+
++ /* round up input buffer size to multiple of two */
+ input_buffer_size = (input_buffer_size + 1) & -2;
+- if (!input_buffer_size) return NULL;
++ if (input_buffer_size < 2) return NULL;
+
+ /* allocate decompression state */
+ if (!(zip = (struct mszipd_stream *) system->alloc(system, sizeof(struct mszipd_stream)))) {
+diff --git a/mspack/qtmd.c b/mspack/qtmd.c
+index 12b27f5..5d2c76f 100644
+--- a/mspack/qtmd.c
++++ b/mspack/qtmd.c
+@@ -197,6 +197,7 @@ struct qtmd_stream *qtmd_init(struct mspack_system *system,
+ /* Quantum supports window sizes of 2^10 (1Kb) through 2^21 (2Mb) */
+ if (window_bits < 10 || window_bits > 21) return NULL;
+
++ /* round up input buffer size to multiple of two */
+ input_buffer_size = (input_buffer_size + 1) & -2;
+ if (input_buffer_size < 2) return NULL;
+
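Review bot: The three length checks added by this patch do not agree on zero, and nothing in the code says why: read_spaninfo rejects `*length_ptr <= 0` and lzxd_set_output_length only accepts `out_bytes > 0`, but lzxd_init rejects only `output_length < 0`. If zero is deliberately allowed in lzxd_init (presumably as a "length not yet known" value that lzxd_set_output_length fills in later), a comment such as `/* output_length == 0 is accepted here; only negative values are invalid */` above that check would stop someone from changing one of the three by analogy with the others. lzxd_set_output_length also drops a non-positive value without any trace, whereas the other two checks log through `D((...))`; because it returns void, a `D((...))` message on the rejected path is the only way a bad length from a caller would become visible. All of these functions begin or end outside the quoted hunks.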