From 2afa0f2dbcbc079d534922810ba646e7a6b9621f Mon Sep 17 00:00:00 2001
From: Nicolas Chauvet
Date: Sun, 4 Jan 2015 17:26:14 +0100
Subject: [PATCH 1/2] Unused BR

---
 afflib.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/afflib.spec b/afflib.spec
index a9daf20..4851dc2 100644
--- a/afflib.spec
+++ b/afflib.spec
@@ -17,7 +17,7 @@ BuildRequires: expat-devel
 # GPLv2 FOSS incompatible with BSD with advertising
 ##BuildRequires: fuse-devel
 # Afflib uses lzma-SDK 443
-BuildRequires: lzma-devel
+#BuildRequires: lzma-devel
 BuildRequires: ncurses-devel
 BuildRequires: libtermcap-devel
 BuildRequires: openssl-devel

From d76ede4c0acc1cc24071a4ac5c3062cff631eb80 Mon Sep 17 00:00:00 2001
From: Nicolas Chauvet
Date: Mon, 12 Mar 2018 17:36:55 +0100
Subject: [PATCH 2/2] Rebase on current master

---
 Sanity-check-size-passed-to-malloc.patch | 33 ++++++++++++++++++++++++
 afflib.spec | 23 ++++++++++-------
 2 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 Sanity-check-size-passed-to-malloc.patch

diff --git a/Sanity-check-size-passed-to-malloc.patch b/Sanity-check-size-passed-to-malloc.patch
new file mode 100644
index 0000000..dddbfde
--- /dev/null
+++ b/Sanity-check-size-passed-to-malloc.patch
@@ -0,0 +1,33 @@
+From 435a2ca802358a3debb6d164d2c33049131df81c Mon Sep 17 00:00:00 2001
+From: Phillip Hellewell
+Date: Sat, 10 Mar 2018 18:05:39 -0700
+Subject: [PATCH 3/4] Sanity check size passed to malloc...
+
+Add sanity check before calling malloc in af_get_page() function to
+avoid undefined behavior (e.g., seg fault) when dealing with a corrupt
+AFF image with an invalid pagesize.
+
+Issue found by Luis Rocha (luiscrocha@gmail.com).
+---
+ lib/afflib_pages.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/afflib_pages.cpp b/lib/afflib_pages.cpp
+index 2569c2a..f8cf775 100644
+--- a/lib/afflib_pages.cpp
++++ b/lib/afflib_pages.cpp
+@@ -219,6 +219,11 @@ int af_get_page(AFFILE *af,int64_t pagenum,unsigned char *data,size_t *bytes)
+ return -3; // read error
+ }
+ 
++ /* Sanity check to avoid undefined behaviour when calling malloc below with pagesize from a corrupt AFF image. */
++ if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024)
++ return -1;
++
++
+ /* Now uncompress directly into the buffer provided by the caller, unless the caller didn't
+ * provide a buffer. If that happens, allocate our own...
+ */
+-- 
+2.13.6
+
diff --git a/afflib.spec b/afflib.spec
index 1809b7a..bfdecd3 100644
--- a/afflib.spec
+++ b/afflib.spec
@@ -1,11 +1,13 @@
 Name: afflib
 Version: 3.7.16
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Library to support the Advanced Forensic Format
 License: BSD with advertising
 URL: https://github.com/sshock/AFFLIBv3
-Source0: https://github.com/sshock/AFFLIBv3/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Source0: %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# Upstream backport
+Patch0: Sanity-check-size-passed-to-malloc.patch
 BuildRequires: libtool
@@ -50,7 +52,7 @@ developing applications that use %{name}.
 %prep
-%setup -q -n AFFLIBv3-%{version}
+%autosetup -p1 -n AFFLIBv3-%{version}
 # prevent internal lzma to be built - testing
 #rm -rf lzma443
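Review bot: The ceiling in the added check `if(af->image_pagesize <= 0 || af->image_pagesize > 16*1024*1024)` is an unexplained magic number; give it a name and say why 16 MiB is the largest page an AFF image may declare, e.g. a constant with the comment `/* Largest page size accepted from an image header; anything larger is treated as a corrupt image. */`, so the same bound can be applied wherever the page size is first read from the image rather than only here. The new `return -1;` is not annotated the way the neighbouring `return -3; // read error` is, so callers cannot tell a rejected page size from other failures; a trailing `// invalid pagesize in image header` would at least document it. The two blank `+` lines following the check are stray whitespace. af_get_page continues outside the hunk and the malloc this guards is not visible here; the upstream subject `[PATCH 3/4]` suggests sibling fixes from the same report that may be worth checking for backport as well.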
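Review bot: The new `# Upstream backport` comment above `Patch0: Sanity-check-size-passed-to-malloc.patch` does not say what is backported or why, so a later maintainer cannot tell when the patch becomes obsolete. The patch file itself carries the upstream commit id, so `# Upstream backport of 435a2ca802358a3debb6d164d2c33049131df81c (rhbz#1554423)` would record both the origin and the bug it closes in one line. The `%autosetup -p1` in the following hunk is what applies it, which is consistent.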
@@ -73,18 +75,15 @@ sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 # clean unused-direct-shlib-dependencies
 sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
-make %{?_smp_mflags}
+%make_build
 %install
-make install DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p"
-find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
+%make_install
+find %{buildroot} -name '*.la' -exec rm -f {} ';'
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
+%ldconfig_scriptlets
 %files
@@ -106,6 +105,10 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
 %changelog
+* Mon Mar 12 2018 Nicolas Chauvet - 3.7.16-4
+- Security issue - rhbz#1554423
+- Spec file update
+
 * Wed Feb 07 2018 Fedora Release Engineering - 3.7.16-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
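Review bot: `%make_build`, `%make_install` and `%ldconfig_scriptlets` replace the explicit make invocations and the `%post`/`%postun -p /sbin/ldconfig` scriptlets, and these macros are only defined by recent rpm macro sets; if this spec is also built for older EPEL branches the build will stop on an undefined macro unless the target supplies them. Confirm the intended build targets before dropping the explicit scriptlets, or keep the old lines behind a distribution conditional if the spec must stay buildable there.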