Hello community, here is the log from the commit of package libical for openSUSE:Factory checked in at 2017-06-30 18:41:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libical (Old) and /work/SRC/openSUSE:Factory/.libical.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "libical" Fri Jun 30 18:41:12 2017 rev:38 rq:506161 version:2.0.0 Changes: --------
--- /work/SRC/openSUSE:Factory/libical/libical.changes 2016-10-13 11:23:30.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.libical.new/libical.changes 2017-06-30 18:41:18.147073772 +0200
@@ -1,0 +2,12 @@
+Mon Jun 19 19:54:50 UTC 2017 - mgorse@suse.com
+
+- Add fixes for various crashes:
+  libical-boo986631-read-past-end.patch
+  libical-boo986631-check-prev-char.patch
+  libical-parser-sanity-check.patch
+  libical-timezone-use-after-free.patch
+  libical-boo1015964-use-after-free.patch
+  Fixes boo#986631 (CVE-2016-5827), boo#986639 (CVE-2016-5824),
+  boo#1015964 (CVE-2016-9584), and boo#1044995.
+
+-------------------------------------------------------------------
New: ---- libical-boo1015964-use-after-free.patch libical-boo986631-check-prev-char.patch libical-boo986631-read-past-end.patch libical-parser-sanity-check.patch libical-timezone-use-after-free.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libical.spec ++++++
--- /var/tmp/diff_new_pack.qNm91V/_old 2017-06-30 18:41:18.706995015 +0200
+++ /var/tmp/diff_new_pack.qNm91V/_new 2017-06-30 18:41:18.710994453 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package libical
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,6 +29,16 @@
 Source: https://github.com/libical/libical/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source2: baselibs.conf
 Patch1: 0001-build-ICU-must-appear-as-Requires-in-pkgconfig.patch
+# PATCH-FIX-UPSTREAM libical-boo986631-read-past-end.patch boo#986631 mgorse@suse.com -- fix for reading passed end of string (CVE-2016-5827)
+Patch2: libical-boo986631-read-past-end.patch
+# PATCH-FIX-UPSTREAM libical-boo986631-check-prev-char.patch boo#986631 mgorse@suse.com -- make sure we have a prev_char before checking it
+Patch3: libical-boo986631-check-prev-char.patch
+# PATCH-FIX-UPSTREAM libical-parser-sanity-check.patch mgorse@suse.com -- sanity check value parameter against what is allowed.
+Patch4: libical-parser-sanity-check.patch
+# PATCH-FIX-UPSTREAM libical-timezone-use-after-free.patch mgorse@suse.com -- fix use after free in fetch_lat_long_from_string
+Patch5: libical-timezone-use-after-free.patch
+# PATCH-FIX-UPSTREAM libical-boo1015964-use-after-free.patch boo#986639 boo#1015984 mgorse@suse.com -- copy reqstattype's debug string into its own memory (CVE-2016-5824 CVE-2016-9584).
+Patch6: libical-boo1015964-use-after-free.patch
 BuildRequires: cmake >= 2.4
 BuildRequires: gcc-c++
 BuildRequires: pkg-config
@@ -91,6 +101,11 @@
 %prep
 %setup -q
 %patch -P 1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %build
 %cmake
++++++ libical-boo1015964-use-after-free.patch ++++++
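Review bot: The PATCH-FIX-UPSTREAM comment on the new Patch6 line cites `boo#1015984`, while the patch file name, the changes entry and the Patch6 filename itself use boo#1015964; one of the two is a typo, and the comment should name the bug that actually tracks CVE-2016-9584. In the %prep hunk the added lines use the `%patch2 -p1` ... `%patch6 -p1` form while the existing Patch1 line uses `%patch -P 1 -p1`; settling on one form (e.g. `%patch -P 2 -p1`) keeps the section uniform and avoids mixing the two macro spellings. The Patch2 comment reads `reading passed end of string`; `past` is meant.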
From 6b9438d746cec6e4e632d78c5244f4be6314d1c9 Mon Sep 17 00:00:00 2001 From: Allen Winter <allen.winter@kdab.com> Date: Sun, 28 May 2017 12:51:10 -0400 Subject: [PATCH] icaltypes.c - icalreqstattype_from_string(), copy the reqstattype's debug string into its own memory in the ring buffer.
Issue#253
---
 src/libical/icaltypes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icaltypes.c b/src/libical/icaltypes.c
index 70c50d29..85c33545 100644
--- a/src/libical/icaltypes.c
+++ b/src/libical/icaltypes.c
@@ -140,7 +140,7 @@ struct icalreqstattype icalreqstattype_from_string(const char *str)
     p2 = strchr(p1 + 1, ';');
     if (p2 != 0 && *p2 != 0) {
-        stat.debug = p2 + 1;
+        stat.debug = icalmemory_tmp_copy(p2 + 1);
     }
     return stat;
-- 
2.12.3
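Review bot: Per the commit subject, `icalmemory_tmp_copy` places the copy in the library's ring buffer, so the new `stat.debug` pointer is only valid until that buffer is recycled; the function's header comment (outside this hunk) should state that callers who keep the returned struct must copy `debug` themselves, otherwise the dangling-pointer class this change fixes reappears with a different lifetime. Whether the copy can fail and yield NULL is not visible here; if it can, the struct is returned with a NULL `debug`, which is the pre-existing "no debug string" state and probably acceptable, but a one-line comment saying so would help. The enclosing test `if (p2 != 0 && *p2 != 0)` is redundant in its second half, since `p2` comes from `strchr(..., ';')` and so `*p2` is `';'` whenever `p2` is non-NULL; `if (p2 != NULL)` says what is meant. icalreqstattype_from_string begins before the hunk.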
From 04d84749e53db08c71ed0ce8b6ba5c11082743cd Mon Sep 17 00:00:00 2001 From: Ken Murchison <murch@andrew.cmu.edu> Date: Fri, 2 Dec 2016 14:14:03 -0500 Subject: [PATCH] icalparser.c: make sure we have a prev_char before checking it
---
 src/libical/icalparser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 9d332375..2735c9ac 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -148,7 +148,7 @@ static char *parser_get_next_char(char c, char *str, int qm)
     char prev_char = 0;
     while (next_char != 0) {
-        if (prev_char != '\\') {
+        if (prev_char && prev_char != '\\') {
             if (qm == 1 && next_char == '"') {
                 /* Encountered a quote, toggle quote mode */
                 quote_mode = !quote_mode;
-- 
2.12.3
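Review bot: With `prev_char` initialised to 0 directly above the loop, the new guard `prev_char && prev_char != '\\'` skips the whole `if` body on the first iteration, so a `"` or the delimiter `c` at offset 0 of `str` is no longer examined; the old test did examine position 0. If that is intended, record it on the new line with something like `/* prev_char == 0 only on the first iteration: the first character is never a match or a quote toggle */`; if it is not, the guard is changing behaviour beyond the crash fix and the condition should be revisited. Where `prev_char` is updated is outside the hunk, so this reading should be confirmed against the rest of the loop. parser_get_next_char continues past the end of the hunk.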
From 38757abb495ea6cb40faa5418052278bf75040f7 Mon Sep 17 00:00:00 2001 From: Ken Murchison <murch@andrew.cmu.edu> Date: Fri, 2 Dec 2016 14:13:22 -0500 Subject: [PATCH] icaltime.c: don't read past end of string (can't check str[19] if length is 16)
---
 src/libical/icaltime.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libical/icaltime.c b/src/libical/icaltime.c
index ca647633..4077ce75 100644
--- a/src/libical/icaltime.c
+++ b/src/libical/icaltime.c
@@ -445,7 +445,7 @@ struct icaltimetype icaltime_from_string(const char *str)
         tt.is_utc = 0;
         tt.is_date = 0;
     } else if ((size == 16) || (size == 20)) { /* UTC time, ends in 'Z' */
-        if ((str[15] != 'Z') && (str[19] != 'Z'))
+        if ((str[size-1] != 'Z'))
             goto FAIL;
         tt.is_utc = 1;
-- 
2.12.3
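Review bot: The new condition `if ((str[size-1] != 'Z'))` keeps a redundant pair of parentheses left over from the two-clause test it replaces; `if (str[size - 1] != 'Z')` reads cleaner and matches the spacing used on the neighbouring `size == 16` line. Indexing with `size - 1` is in bounds only because the enclosing `else if` has already pinned `size` to 16 or 20, and that dependency is worth a comment on the new line, e.g. `/* size is 16 or 20 here, so str[size - 1] is the last character */`, so a later edit to the size test does not silently reintroduce the over-read. The declaration and signedness of `size` are outside the hunk; for these two values the check is fine either way. icaltime_from_string continues past the end of the hunk.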
From 53e68ff6e2133c54ff44df53e8b75ef21125fb3d Mon Sep 17 00:00:00 2001 From: Ken Murchison <murch@andrew.cmu.edu> Date: Tue, 13 Dec 2016 16:22:42 -0500 Subject: [PATCH] icalparser.c: sanity check VALUE parameter against what is allowed
Backported by Mike Gorse <mgorse@suse.com>
---
 src/libical/icalparser.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 67 insertions(+), 2 deletions(-)
diff --git a/src/libical/icalparser.c b/src/libical/icalparser.c
index 998bc96d..62e3a401 100644
--- a/src/libical/icalparser.c
+++ b/src/libical/icalparser.c
@@ -1023,6 +1023,12 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
             /* If it is a VALUE parameter, set the kind of value */
             if (icalparameter_isa(param) == ICAL_VALUE_PARAMETER) {
+                const char unknown_type[] =
+                    "Got a VALUE parameter with an unknown type";
+                const char illegal_type[] =
+                    "Got a VALUE parameter with an illegal type for property";
+                const char *value_err = NULL;
+
                 value_kind = (icalvalue_kind)icalparameter_value_to_value_kind(
                     icalparameter_get_value(param));
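Review bot: `unknown_type` and `illegal_type` are declared as non-static `const char[]` locals, so both arrays are copied onto the stack every time a VALUE parameter is parsed; `static const char unknown_type[] = "Got a VALUE parameter with an unknown type";` (and likewise for `illegal_type`) keeps them in read-only storage while `value_err` can still point at either. Either form works with the `value_err != NULL` test that the following hunk adds. The surrounding function, including where `value_kind` and `prop` come from, is outside this hunk.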
@@ -1033,8 +1039,66 @@ icalcomponent *icalparser_add_line(icalparser *parser, char *line)
                        parameter ( it was not one of the defined values ),
                        so reset the value_kind */
-                    insert_error(tail, str,
-                                 "Got a VALUE parameter with an unknown type",
+                    value_err = unknown_type;
+                }
+                else if (value_kind !=
+                         icalproperty_kind_to_value_kind(icalproperty_isa(prop))) {
+                    /* VALUE parameter type does not match default type
+                       for this property (check for allowed alternate types) */
+
+                    switch (prop_kind) {
+                    case ICAL_ATTACH_PROPERTY:
+                        /* Accept BINARY */
+                        if (value_kind != ICAL_BINARY_VALUE)
+                            value_err = illegal_type;
+                        break;
+
+                    case ICAL_DTEND_PROPERTY:
+                    case ICAL_DUE_PROPERTY:
+                    case ICAL_DTSTART_PROPERTY:
+                    case ICAL_EXDATE_PROPERTY:
+                    case ICAL_RECURRENCEID_PROPERTY:
+                        /* Accept DATE */
+                        if (value_kind != ICAL_DATE_VALUE)
+                            value_err = illegal_type;
+                        break;
+
+                    case ICAL_GEO_PROPERTY:
+                        /* Accept FLOAT (but change to GEO) */
+                        if (value_kind != ICAL_FLOAT_VALUE)
+                            value_err = illegal_type;
+                        else value_kind = ICAL_GEO_VALUE;
+                        break;
+
+                    case ICAL_RDATE_PROPERTY:
+                        /* Accept DATE or PERIOD */
+                        if (value_kind != ICAL_DATE_VALUE &&
+                            value_kind != ICAL_PERIOD_VALUE)
+                            value_err = illegal_type;
+                        break;
+
+                    case ICAL_TRIGGER_PROPERTY:
+                        /* Accept DATE-TIME */
+                        if (value_kind != ICAL_DATETIME_VALUE)
+                            value_err = illegal_type;
+                        break;
+
+                    case ICAL_X_PROPERTY:
+                        /* Accept ANY value type */
+                        break;
+
+                    default:
+                        /* ONLY default type is allowed */
+                        value_err = illegal_type;
+                        break;
+                    }
+                }
+
+                if (value_err != NULL) {
+                    /* Ooops, unknown/illegal VALUE parameter,
+                       so reset the value_kind */
+
+                    insert_error(tail, str, value_err,
                                  ICAL_XLICERRORTYPE_PARAMETERVALUEPARSEERROR);
                     value_kind = icalproperty_kind_to_value_kind(icalproperty_isa(prop));
-- 
2.12.3
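Review bot: The default value kind is computed as `icalproperty_kind_to_value_kind(icalproperty_isa(prop))` in the new `else if` and again in the reset at the bottom of the hunk, while the switch dispatches on `prop_kind`; hoisting it into one local, `icalvalue_kind default_kind = icalproperty_kind_to_value_kind(prop_kind);`, removes the duplicated call and makes explicit that the two are meant to describe the same property (that `prop_kind` equals `icalproperty_isa(prop)` is inferred, as `prop_kind` is set outside the hunk). The GEO case writes `else value_kind = ICAL_GEO_VALUE;` on one line without braces, unlike every other branch; a braced `} else {` body keeps the style uniform and avoids the dangling-else shape. The deny-by-default `default:` branch is the right stance for parser input, and a comment above the switch such as `/* Only the alternate VALUE types listed here are accepted; anything else is reported and reset to the default */` tells the next maintainer that omissions are deliberate rather than oversights. icalparser_add_line continues outside the hunk.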
From 6bcc779a17a2d286e4c3cb958ddf369cc01cb42c Mon Sep 17 00:00:00 2001 From: Allen Winter <allen.winter@kdab.com> Date: Thu, 15 Dec 2016 18:17:10 -0500 Subject: [PATCH] icaltimezone.c - fix heap-use-after-free caused by fetch_lat_long_from_string() issue#262
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libical-2.0.0.orig/src/libical/icaltimezone.c libical-2.0.0/src/libical/icaltimezone.c
--- libical-2.0.0.orig/src/libical/icaltimezone.c 2015-12-28 15:44:53.000000000 -0600
+++ libical-2.0.0/src/libical/icaltimezone.c 2017-06-19 15:48:27.789017341 -0500
@@ -1520,39 +1520,39 @@ static int fetch_lat_long_from_string(co
     /* We need to parse the latitude/longitude co-ordinates and location fields */
     sptr = (char *)str;
-    while (*sptr != '\t') {
+    while ((*sptr != '\t') && (*sptr != '\0')) {
         sptr++;
     }
     temp = ++sptr;
-    while (*sptr != '\t') {
+    while (*sptr != '\t' && *sptr != '\0') {
         sptr++;
     }
     len = (ptrdiff_t) (sptr - temp);
     lat = (char *)malloc(len + 1);
     lat = strncpy(lat, temp, len);
     lat[len] = '\0';
-    while (*sptr != '\t') {
+    while ((*sptr != '\t') && (*sptr != '\0')) {
         sptr++;
     }
     loc = ++sptr;
-    while (!isspace((int)(*sptr))) {
+    while (!isspace((int)(*sptr)) && (*sptr != '\0')) {
         sptr++;
     }
-    len = (ptrdiff_t) (sptr - loc);
+    len = (ptrdiff_t)(sptr - loc);
     location = strncpy(location, loc, len);
     location[len] = '\0';
 #if defined(sun) && defined(__SVR4)
     /* Handle EET, MET and WET in zone_sun.tab. */
     if (!strcmp(location, "Europe/")) {
-        while (*sptr != '\t') {
+        while ((*sptr != '\t') && (*sptr != '\0')) {
             sptr++;
         }
         loc = ++sptr;
-        while (!isspace(*sptr)) {
+        while (!isspace(*sptr) && (*sptr != '\0')) {
             sptr++;
         }
-        len = sptr - loc;
+        len = (ptrdiff_t)(sptr - loc);
         location = strncpy(location, loc, len);
         location[len] = '\0';
     }
Only in libical-2.0.0/src/libical: icaltimezone.c.orig
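Review bot: The added `*sptr != '\0'` tests stop each scan at the terminator, but every `'\t'` scan is still followed by `temp = ++sptr;` or `loc = ++sptr;`, which steps one past the NUL when the loop exited on it, so the next loop reads beyond the end of `str`; the over-read is shortened, not removed. Each of those scans needs an explicit `if (*sptr == '\0')` bail-out before the increment; the function's failure return value and its ownership of `lat` are outside the hunk, so the placeholder below must be filled in from the rest of the function, and any guard placed after `lat` is allocated must free it first. `location = strncpy(location, loc, len);` copies `len` bytes into a caller-supplied buffer whose capacity is not checked anywhere in the hunk; if that capacity is known to this function, bound `len` against it before the copy (this is the only write here whose length is controlled by the input line). The `malloc` result for `lat` is also used without a NULL check. fetch_lat_long_from_string starts before the hunk, and the trailing `Only in libical-2.0.0/src/libical: icaltimezone.c.orig` line shows the patch was generated against a tree containing a leftover `.orig` file and should be dropped from the patch.
```c
    sptr = (char *)str;
    while ((*sptr != '\t') && (*sptr != '\0')) {
        sptr++;
    }
    if (*sptr == '\0') {
        return FAILURE_VALUE; /* placeholder: this function's failure return, declared outside the hunk */
    }
    temp = ++sptr;
    while ((*sptr != '\t') && (*sptr != '\0')) {
        sptr++;
    }
    if (*sptr == '\0') {
        return FAILURE_VALUE; /* placeholder, as above */
    }
    len = (ptrdiff_t)(sptr - temp);
    /* … unchanged: lat allocation and copy … */
    while ((*sptr != '\t') && (*sptr != '\0')) {
        sptr++;
    }
    if (*sptr == '\0') {
        free(lat);
        return FAILURE_VALUE; /* placeholder, as above */
    }
    loc = ++sptr;
    /* … unchanged: location scan and copy; the same guard goes after the '\t' scan inside the sun/__SVR4 block, before its loc = ++sptr … */
```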