Update for security issue

This commit is contained in:
Nicolas Chauvet 2018-03-12 17:33:00 +01:00
commit a57f90d302
2 changed files with 46 additions and 10 deletions

View file

@ -0,0 +1,33 @@
From 435a2ca802358a3debb6d164d2c33049131df81c Mon Sep 17 00:00:00 2001
From: Phillip Hellewell <sshock@gmail.com>
Date: Sat, 10 Mar 2018 18:05:39 -0700
Subject: [PATCH 3/4] Sanity check size passed to malloc...
Add sanity check before calling malloc in af_get_page() function to
avoid undefined behavior (e.g., seg fault) when dealing with a corrupt
AFF image with an invalid pagesize.
Issue found by Luis Rocha (luiscrocha@gmail.com).
---
lib/afflib_pages.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp
index 2569c2a..f8cf775 100644
--- a/lib/afflib_pages.cpp
+++ b/lib/afflib_pages.cpp
@@ -219,6 +219,11 @@ int af_get_page(AFFILE *af,int64_t pagenum,unsigned char *data,size_t *bytes)
return -3; // read error
}
+ /* Sanity check to avoid undefined behaviour when calling malloc below with pagesize from a corrupt AFF image. */
+ if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024)
+ return -1;
+
+
/* Now uncompress directly into the buffer provided by the caller, unless the caller didn't
* provide a buffer. If that happens, allocate our own...
*/
--
2.13.6

View file

@ -1,11 +1,13 @@
Name: afflib
Version: 3.7.16
Release: 3%{?dist}
Release: 4%{?dist}
Summary: Library to support the Advanced Forensic Format
License: BSD with advertising
URL: https://github.com/sshock/AFFLIBv3
Source0: https://github.com/sshock/AFFLIBv3/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# Upstream backport
Patch0: Sanity-check-size-passed-to-malloc.patch
BuildRequires: libtool
@ -50,7 +52,7 @@ developing applications that use %{name}.
%prep
%setup -q -n AFFLIBv3-%{version}
%autosetup -p1 -n AFFLIBv3-%{version}
# prevent internal lzma to be built - testing
#rm -rf lzma443
@ -73,18 +75,15 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
# clean unused-direct-shlib-dependencies
sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%make_install
find %{buildroot} -name '*.la' -exec rm -f {} ';'
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%ldconfig_scriptlets
%files
@ -106,6 +105,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
%changelog
* Mon Mar 12 2018 Nicolas Chauvet <kwizart@gmail.com> - 3.7.16-4
- Security issue - rhbz#1554423
- Spec file update
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 3.7.16-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild