[PATCH] gnu: catdoc: Fix CVE-2017-11110.

  • Done
  • quality assurance status badge
Details
One participant
  • Alex Vong
Owner
unassigned
Submitted by
Alex Vong
Severity
important
A
A
Alex Vong wrote on 11 Aug 2017 23:51
87zib5pyby.fsf@gmail.com
Severity: important
Tags: patch security

Hello,

This patch fixes the latest CVE of catdoc. The upstream repo[0] is not
updated for more than a year, so I grab the patch from openSUSE instead
(which is also used by Debian).
From 69b2b0ca3b43409e86bd5d01fe72823ef84ee391 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Thu, 10 Aug 2017 21:02:14 +0800
Subject: [PATCH] gnu: catdoc: Fix CVE-2017-11110.

* gnu/packages/patches/catdoc-CVE-2017-11110.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/textutils.scm (catdoc)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/catdoc-CVE-2017-11110.patch | 45 ++++++++++++++++++++++++
gnu/packages/textutils.scm | 2 ++
3 files changed, 48 insertions(+)
create mode 100644 gnu/packages/patches/catdoc-CVE-2017-11110.patch

Toggle diff (85 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 3d79d5d22..57c346921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -534,6 +534,7 @@ dist_patch_DATA = \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-use-packaged-feedparser.patch \
+ %D%/packages/patches/catdoc-CVE-2017-11110.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
%D%/packages/patches/cdrtools-3.01-mkisofs-isoinfo.patch \
%D%/packages/patches/ceph-disable-cpu-optimizations.patch \
diff --git a/gnu/packages/patches/catdoc-CVE-2017-11110.patch b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
new file mode 100644
index 000000000..71c44f60f
--- /dev/null
+++ b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11110:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110
+https://bugzilla.redhat.com/show_bug.cgi?id=1468471
+https://security-tracker.debian.org/tracker/CVE-2017-11110
+
+Patch copied from openSUSE:
+
+https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1
+
+From: Andreas Stieger <astieger@suse.com>
+Date: Mon, 10 Jul 2017 15:37:58 +0000
+References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877
+
+All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4.
+
+---
+ src/ole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: catdoc-0.95/src/ole.c
+===================================================================
+--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200
++++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200
+@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
+ return NULL;
+ }
+ sectorSize = 1<<getshort(oleBuf,0x1e);
++ /* CVE-2017-11110) */
++ if (sectorSize < 4) {
++ fprintf(stderr,"sectorSize < 4 not supported\n");
++ return NULL;
++ }
+ shortSectorSize=1<<getshort(oleBuf,0x20);
+
+ /* Read BBD into memory */
+@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
+ }
+
+ fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
+- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */
+ 1, sectorSize, newfile) != sectorSize) {
+ fprintf(stderr, "Error read MSAT!\n");
+ ole_finish();
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index e8ae30cd6..537d01334 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2017 Rene Saavedra <rennes@openmailbox.org>
;;; Copyright © 2017 Hartmut Goebel <h.goebel@crazy-compilers.com>
;;; Copyright © 2017 Kei Kebreau <kei@openmailbox.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -409,6 +410,7 @@ runs Word\".")
(method url-fetch)
(uri (string-append "http://ftp.wagner.pp.ru/pub/catdoc/"
"catdoc-" version ".tar.gz"))
+ (patches (search-patches "catdoc-CVE-2017-11110.patch"))
(sha256
(base32
"15h7v3bmwfk4z8r78xs5ih6vd0pskn0rj90xghvbzdjj0cc88jji"))))
--
2.14.0
(I am re-sending this mail for the 3rd time since I didn't receive a
reply from debbugs. This time I decide to mail to guix-devel as well
just in case it doesn't work again.)

Cheers,
Alex

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlmOJvIACgkQxYq4eRf1
Ea7j9Q/9EKSmn1t9t0uCGujOAri5pORqXv2BdOdrte6Q3IfMnuOpsjzG7YjQJCgQ
d0+laYjpHL2kV9/QI5U6FKowPAksiCW2Amgj2x/5eDTVjFSV7emRynLaT4leTMBE
uXpdmhLTmO2rI1Fu4OTIfNGgYFDrqesZAg0njKzlKSSqA2XoLNUGG+DOxUvZQIb5
8tFeS6THe+Qq397btQlRXUhYHWM8fqcGY4QE999PjZt5jULCPXkxLfqbOdiNP6wa
xxgTpj8BfOv2P8cOWNnkvxjauLNq0cpdrB41JUM8NdvOavUpZ2uQFhfMa6BHkuxd
/FTZOUQQO8cCpN7h81exbdhr6doov0MjBpLQZ3MXte2m6l1zpUrSNUetMNDAFn2d
wKhzASgKqdk67zUT2CR3sOAXwxKc6hRbJ7cNxQfPK7/PhY0CqQSVtTCdYbu4Le+Y
AZG6DurLC3joO3N6XLt1fPg+zcwg2mO9SsBWCCycG3s7iT1LOa54pbJp/xtxCDc1
UZNnbRDcvQn2G5f0CcmJffEO0flZBiL8AJwNL6BAhtTLY4MV5Mu5ZMi6Vfqi24sN
lQtgsjgTGAqwwPnl0NkLRmo9xVSKZ26W3em5HqzwVnoSf/zvq/30vUgIW73D+PZY
kQExGMC5hFUbf9GPY0x91c1veyCkTbSDKNNPpKCJ8Wdi6h97bQ4=
=pyeT
-----END PGP SIGNATURE-----

A
A
Alex Vong wrote on 12 Aug 2017 18:21
(name . Marius Bakke)(address . mbakke@fastmail.com)
87shgwpxj2.fsf@gmail.com
Marius Bakke <mbakke@fastmail.com> writes:

Toggle quote (15 lines)
> Alex Vong <alexvong1995@gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hello,
>>
>> This patch fixes the latest CVE of catdoc. The upstream repo[0] is not
>> updated for more than a year, so I grab the patch from openSUSE instead
>> (which is also used by Debian).
>
> Thanks for this, pushed!
>
> [...]
>
Thanks!

Toggle quote (8 lines)
>> (I am re-sending this mail for the 3rd time since I didn't receive a
>> reply from debbugs. This time I decide to mail to guix-devel as well
>> just in case it doesn't work again.)
>
> No idea what's up with that. Does it work if you omit the debbugs
> control headers? Perhaps processing is disabled for guix-patches, or
> something.

This time it works. I guess debbugs was doing some maintaince work hence
temporarily unavailable.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdZDkzSn0Cycogr9IxYq4eRf1Ea4FAlmPKwEACgkQxYq4eRf1
Ea4r7g//ZUBmrpKsI+emofK9hOIMzGNZrGUOLuozZyG1Je385E1YzbpXRs9T9jhN
6kWQp+eX8SBfsZMfGQUSO/Rq/3o0nKaqt9RRf9SjmPVG7r03y8BanMJ/f8r3UxKa
ALfdIOFgi44rkwvN13+QIXXAwPl2cbw70urkdOuVm+QMGQy44mKyqCW7KMJaKsoB
EvcUCuAaZ8Or7oCfGmr4agczLWWVl1omT65k72yMT9Dz3DRVDuHIxaBM9B9niYNx
fb6t99zvAsWfe+MELKX5ASotcXnVrl1P/D69mfRJhlueojeX+kznfuG58/6wSqD7
clJU/NVOCqiVdcgQ5mLYp5aL31kA+xoLqvP5vXeCivGs/6SwN+OWrKQhf9kJdTiX
P2wrjDhR9vZ8JoMHGmiE4j4uZiCYTEC8nTeOm5DUIYZSzk4MvSGaT7X67xT0nbEG
VYJfgaMXMTIrjrq2CYvjc7fT8QeXnOuINM/3GSRWD36vUk34s1g39ScQRz5F6iXv
Tivz8MIo5aU+c1NeybYEDEYdonDJvwEiT7gYdFkjOl4jyLdUlBrKQbEobvJ+2Pnu
M7nuRK80M/kVxAgYQupAwms8qKDBnqAvICgJYGuI2bnpZvi/CxYWEOJ5IOhTt5W8
yS2NpHb4sRLjpHwZGx3fKLFwoBl7EHlmAgxCLMkLzATi1tknKuE=
=p1j7
-----END PGP SIGNATURE-----

Closed
?