Hello community, here is the log from the commit of package libmspack for openSUSE:Factory checked in at 2015-01-21 21:54:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libmspack (Old) and /work/SRC/openSUSE:Factory/.libmspack.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libmspack" Changes: -------- --- /work/SRC/openSUSE:Factory/libmspack/libmspack.changes 2014-04-05 16:47:09.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.libmspack.new/libmspack.changes 2015-01-21 21:54:17.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Jan 20 18:12:19 CET 2015 - sbrabec@suse.cz + +- Fix possible infinite loop caused DoS (bnc912214, CVE-2014-9556, + libmspack-qtmd_decompress-loop.patch). + +------------------------------------------------------------------- New: ---- libmspack-qtmd_decompress-loop.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libmspack.spec ++++++ --- /var/tmp/diff_new_pack.727h8Z/_old 2015-01-21 21:54:18.000000000 +0100 +++ /var/tmp/diff_new_pack.727h8Z/_new 2015-01-21 21:54:18.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package libmspack # -# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,6 +29,8 @@ #Source: http://www.cabextract.org.uk/libmspack/%{name}-%{_version}.tar.gz Source: %{name}-%{_version}.tar.gz Source2: baselibs.conf +# PATCH-FIX-SECURITY libmspack-qtmd_decompress-loop.patch bnc912214 CVE-2014-9556 sbrabec@suse.cz -- Fix possible infinite loop caused DoS. +Patch: libmspack-qtmd_decompress-loop.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: pkg-config 
@@ -60,6 +62,7 @@ %prep %setup -q -n %{name}-%{_version} +%patch -p3 %build %configure\ ++++++ libmspack-qtmd_decompress-loop.patch ++++++
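Review bot: the new libmspack.changes entry reads "Fix possible infinite loop caused DoS", and the same sentence is copied into the spec's PATCH-FIX-SECURITY comment; "caused DoS" is ungrammatical and reads as if the DoS caused the loop. Suggest "Fix possible infinite loop causing DoS (bnc912214, CVE-2014-9556, libmspack-qtmd_decompress-loop.patch)." in both places so the changelog and the spec comment stay identical and unambiguous.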
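Review bot: the `%prep` hunk adds `%patch -p3` with no patch index, relying on the unnumbered `Patch:` tag added in the earlier hunk mapping to patch 0; `Patch0:` plus `%patch0 -p3` would make that pairing explicit. The `-p3` strip level also has to match the directory depth of the file paths inside libmspack-qtmd_decompress-loop.patch, which this log only shows the commit-message header of, so it cannot be checked here; a build log or a local `%prep` run would confirm the patch applies cleanly.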
From a0449d2079c4ba5822e6567ad7094c10108f16cd Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior
Date: Tue, 23 Dec 2014 21:20:43 +0100 Subject: libmspack: qtmd: fix frame_end overflow
Debian bts #773041, #772891 contains a report of a .cab file which
causes an endless loop.
Eric Sharkey diagnosed the problem: frame_end is 32-bit and overflows,
and as a result the loop makes no progress.
The problem seems to be that after the overflow, window_posn is larger
than frame_end and therefore we never enter the loop to make progress.
But we still have out_bytes > 0, so we don't leave the outer loop either.
Andreas Cadhalpun suggested that instead of making frame_end 64-bit, we
could avoid the overflow by reordering the code the following way:
original, with just out_bytes (without (qtm->o_end - qtm->o_ptr))
| frame_end = window_posn + out_bytes;
| if ((window_posn + frame_todo) < frame_end) {
| frame_end = window_posn + frame_todo;
| }
replace frame_end in "if" with its content (and move the first frame_end
into the else path)
| if ((window_posn + frame_todo) < (window_posn + out_bytes))
| frame_end = window_posn + frame_todo;
| else
| frame_end = window_posn + out_bytes;
remove window_posn from "if" since it is the same both times.
| if (frame_todo < out_bytes)
| frame_end = window_posn + frame_todo;
| else
| frame_end = window_posn + out_bytes;
Andreas added:
|This works, because frame_todo is at most QTM_FRAME_SIZE = 32768.
Suggested-as-patch: Andreas Cadhalpun
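The reordering above is the whole fix: compare the two addends (frame_todo and out_bytes) instead of the two sums, so the 32-bit addition never sees an operand larger than QTM_FRAME_SIZE unless it is the smaller of the two. The following is an added example, not libmspack's code or the submitter's patch: a minimal model of the loop bound with the original and the reordered frame_end computation side by side, driven by a drain() loop that reports whether an outer iteration makes progress instead of spinning forever. The window size, the wrap of window_posn, the frame_todo computation and drain() itself are assumptions of this model; only the two frame_end variants follow the commit message.

```c
/* Added example (not libmspack code): a minimal model of the qtmd_decompress()
 * loop bound described in the commit message above, comparing the original
 * frame_end computation with the reordered one.  WINDOW_SIZE, the window
 * wrap, the frame_todo computation and drain() are this model's own
 * assumptions; only the two frame_end variants follow the commit message. */
#include <stdint.h>
#include <stdio.h>

#define QTM_FRAME_SIZE 32768u
#define WINDOW_SIZE    (1u << 20)   /* assumed window size for this model */

/* Original form: frame_end is a 32-bit unsigned value, so adding a large
 * out_bytes (an off_t-sized count taken from the archive headers) can wrap
 * and leave frame_end at or below window_posn. */
static uint32_t frame_end_old(uint32_t window_posn, uint32_t frame_todo,
                              int64_t out_bytes)
{
    uint32_t frame_end = (uint32_t)((int64_t)window_posn + out_bytes); /* may wrap */
    if ((window_posn + frame_todo) < frame_end) {
        frame_end = window_posn + frame_todo;
    }
    return frame_end;
}

/* Reordered form from the commit message: compare the two addends instead
 * of the two sums.  frame_todo is at most QTM_FRAME_SIZE, so whichever
 * branch is taken the value added to window_posn is at most 32768. */
static uint32_t frame_end_new(uint32_t window_posn, uint32_t frame_todo,
                              int64_t out_bytes)
{
    uint32_t frame_end;
    if ((int64_t)frame_todo < out_bytes) {
        frame_end = window_posn + frame_todo;
    } else {
        frame_end = window_posn + (uint32_t)out_bytes;
    }
    return frame_end;
}

typedef uint32_t (*bound_fn)(uint32_t, uint32_t, int64_t);

/* Drives the outer/inner loop structure with the inner loop replaced by a
 * single step that "produces" frame_end - window_posn bytes.  Returns the
 * number of outer iterations needed to satisfy out_bytes, -1 if an outer
 * iteration makes no progress (the real decoder would spin forever there),
 * or -2 if the iteration budget runs out. */
static int drain(bound_fn bound, uint32_t window_posn, int64_t out_bytes,
                 int max_iter)
{
    int iters = 0;

    while (out_bytes > 0) {
        uint32_t frame_todo, frame_end, produced;

        if (iters++ >= max_iter) {
            return -2;
        }
        /* bytes left in the current 32 KiB frame (model assumption) */
        frame_todo = QTM_FRAME_SIZE - (window_posn & (QTM_FRAME_SIZE - 1));
        frame_end  = bound(window_posn, frame_todo, out_bytes);

        if (!(window_posn < frame_end)) {
            return -1;                       /* inner loop never entered */
        }
        produced    = frame_end - window_posn;
        window_posn = frame_end;
        out_bytes  -= produced;

        if (window_posn >= WINDOW_SIZE) {    /* model: wrap the sliding window */
            window_posn = 0;
        }
    }
    return iters;
}

int main(void)
{
    /* Constructed inputs: a sane 100 kB request and a header claiming 4 GiB. */
    const int64_t small = 100000;
    const int64_t huge  = (int64_t)1 << 32;

    printf("old, 100000 bytes : %d iterations\n", drain(frame_end_old, 65536, small, 1000));
    printf("new, 100000 bytes : %d iterations\n", drain(frame_end_new, 65536, small, 1000));
    printf("old, 4 GiB        : %d (-1 = stalled)\n", drain(frame_end_old, 65536, huge, 200000));
    printf("new, 4 GiB        : %d iterations\n", drain(frame_end_new, 65536, huge, 200000));
    return 0;
}
```

With the 4 GiB request the old form computes frame_end == window_posn (65536 + 2^32 truncated to 32 bits), so the inner loop is never entered while out_bytes stays positive; the reordered form takes the frame_todo branch and advances 32768 bytes per iteration. For ordinary sizes both forms agree, which is the property a regression test for this patch should check.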