void-packages/srcpkgs/lrzip/patches/CVE-2017-8844.patch
maxice8 db41b7577d lrzip: apply applicable security patches from upstream
Upstream has a few more CVEs but didn't make a new release yet.

In the meantime we patch what we can

Fixes:
    - CVE-2017-8842
    - CVE-2017-8844
    - CVE-2017-8845
    - CVE-2018-5650

The CVEs left remaining to be fixed by upstream are

( Removed CVE- prefix as to not confuse tools that grep for those
values)

CVE: 2017-8843 SEVERITY: 4.3
CVE: 2017-8846 SEVERITY: 4.3
CVE: 2017-8847 SEVERITY: 4.3
CVE: 2017-9928 SEVERITY: 4.3
CVE: 2017-9929 SEVERITY: 4.3
CVE: 2018-11496 SEVERITY: 4.3
CVE: 2018-5747 SEVERITY: 4.3
2018-10-02 12:05:21 -03:00

35 lines
1.4 KiB
Diff

From dc57230636fe8da068674e1023b2f07c593ec21b Mon Sep 17 00:00:00 2001
From: Con Kolivas <kernel@kolivas.org>
Date: Wed, 16 May 2018 14:30:15 +1000
Subject: [PATCH] Cope with compressed length being longer than uncompressed
and rounding up, attending to CVE-2017-8844.
---
stream.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/stream.c b/stream.c
index 4ef910e..01b883a 100644
--- a/stream.c
+++ b/stream.c
@@ -1564,7 +1564,7 @@ static void *ucompthread(void *data)
/* fill a buffer from a stream - return -1 on failure */
static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int streamno)
{
- i64 u_len, c_len, last_head, padded_len, header_length;
+ i64 u_len, c_len, last_head, padded_len, header_length, max_len;
uchar enc_head[25 + SALT_LEN], blocksalt[SALT_LEN];
struct stream *s = &sinfo->s[streamno];
stream_thread_struct *st;
@@ -1639,7 +1639,9 @@ static int fill_buffer(rzip_control *control, struct stream_info *sinfo, int str
if (unlikely(u_len > control->maxram))
fatal_return(("Unable to malloc buffer of size %lld in this environment\n", u_len), -1);
- s_buf = malloc(MAX(u_len, MIN_SIZE));
+ max_len = MAX(u_len, MIN_SIZE);
+ max_len = MAX(max_len, c_len);
+ s_buf = malloc(max_len);
if (unlikely(u_len && !s_buf))
fatal_return(("Unable to malloc buffer of size %lld in fill_buffer\n", u_len), -1);
sinfo->ram_alloced += u_len;