[PATCH] gnu: catdoc: Fix CVE-2017-11110.

Alex Vong wrote on 11 Aug 2017 23:51
87zib5pyby.fsf@gmail.com
Severity: important
Tags: patch security

Hello,

This patch fixes the latest CVE of catdoc. The upstream repo[0] has not
been updated for more than a year, so I grabbed the patch from openSUSE
instead (which is also used by Debian).
From 69b2b0ca3b43409e86bd5d01fe72823ef84ee391 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 10 Aug 2017 21:02:14 +0800
Subject: [PATCH] gnu: catdoc: Fix CVE-2017-11110.

* gnu/packages/patches/catdoc-CVE-2017-11110.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/textutils.scm (catdoc)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/catdoc-CVE-2017-11110.patch | 45 ++++++++++++++++++++++++
gnu/packages/textutils.scm | 2 ++
3 files changed, 48 insertions(+)
create mode 100644 gnu/packages/patches/catdoc-CVE-2017-11110.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 3d79d5d22..57c346921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -534,6 +534,7 @@ dist_patch_DATA = \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-use-packaged-feedparser.patch \
+ %D%/packages/patches/catdoc-CVE-2017-11110.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
%D%/packages/patches/cdrtools-3.01-mkisofs-isoinfo.patch \
%D%/packages/patches/ceph-disable-cpu-optimizations.patch \
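Review bot: The new entry is correctly placed in alphabetical order between the `calibre-*` and `cdparanoia-*` patches, so no change is needed here; just make sure the file name in this list matches the name passed to `search-patches` in textutils.scm exactly (including the CVE id), since the lookup is by file name and a mismatch only surfaces as a build failure.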
diff --git a/gnu/packages/patches/catdoc-CVE-2017-11110.patch b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
new file mode 100644
index 000000000..71c44f60f
--- /dev/null
+++ b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11110:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110
+https://bugzilla.redhat.com/show_bug.cgi?id=1468471
+https://security-tracker.debian.org/tracker/CVE-2017-11110
+
+Patch copied from openSUSE:
+
+https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1
+
+From: Andreas Stieger <astieger@suse.com>
+Date: Mon, 10 Jul 2017 15:37:58 +0000
+References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877
+
+All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4.
+
+---
+ src/ole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: catdoc-0.95/src/ole.c
+===================================================================
+--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200
++++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200
+@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
+ return NULL;
+ }
+ sectorSize = 1<<getshort(oleBuf,0x1e);
++ /* CVE-2017-11110) */
++ if (sectorSize < 4) {
++ fprintf(stderr,"sectorSize < 4 not supported\n");
++ return NULL;
++ }
+ shortSectorSize=1<<getshort(oleBuf,0x20);
+
+ /* Read BBD into memory */
+@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
+ }
+
+ fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
+- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */
+ 1, sectorSize, newfile) != sectorSize) {
+ fprintf(stderr, "Error read MSAT!\n");
+ ole_finish();
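Review bot: The guard rejects `sectorSize < 4`, which closes the negative-offset case in `tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i`, but it leaves the upper bound unchecked: `sectorSize = 1<<getshort(oleBuf,0x1e)` shifts by an untrusted 16-bit header field, and a shift count at or above the width of the type is undefined behaviour in C, so a malformed header can still yield an arbitrary value before the comparison runs. Consider validating the raw shift value read from offset 0x1e against a sane maximum before shifting, and applying the same check to `shortSectorSize=1<<getshort(oleBuf,0x20)`, which appears unchanged in the context lines. Minor: the comment `/* CVE-2017-11110) */` has a stray closing parenthesis, and the patch header could briefly state what the fix prevents (an out-of-bounds read/write when reading the MSAT) rather than only which sector sizes were observed in sample files.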
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index e8ae30cd6..537d01334 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -409,6 +410,7 @@ runs Word\".")
(method url-fetch)
(uri (string-append "http://ftp.wagner.pp.ru/pub/catdoc/"
"catdoc-" version ".tar.gz"))
+ (patches (search-patches "catdoc-CVE-2017-11110.patch"))
(sha256
(base32
"15h7v3bmwfk4z8r78xs5ih6vd0pskn0rj90xghvbzdjj0cc88jji"))))
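Review bot: Leaving the `sha256` unchanged is correct: the `patches` field of an origin is applied after the tarball is fetched and verified, so the hash still describes the pristine upstream archive. Placing `(patches (search-patches ...))` between `uri` and `sha256` matches the layout used elsewhere in Guix; for a security fix it is worth adding a one-line comment next to it naming the CVE, so the reason for the patch is visible without opening the patch file.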
--
2.14.0
(I am re-sending this mail for the 3rd time since I didn't receive a
reply from debbugs. This time I decide to mail to guix-devel as well
just in case it doesn't work again.)

Cheers,
Alex


Alex Vong wrote on 12 Aug 2017 18:21
87shgwpxj2.fsf@gmail.com
Marius Bakke <mbakke@fastmail.com> writes:

> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hello,
>>
>> This patch fixes the latest CVE of catdoc. The upstream repo[0] has not
>> been updated for more than a year, so I grabbed the patch from openSUSE
>> instead (which is also used by Debian).
>
> Thanks for this, pushed!
>
> [...]
>
Thanks!

>> (I am re-sending this mail for the 3rd time since I didn't receive a
>> reply from debbugs. This time I decide to mail to guix-devel as well
>> just in case it doesn't work again.)
>
> No idea what's up with that. Does it work if you omit the debbugs
> control headers? Perhaps processing is disabled for guix-patches, or
> something.

This time it works. I guess debbugs was doing some maintenance work and
hence was temporarily unavailable.
