GNU bug report logs - #28058 [PATCH] gnu: catdoc: Fix CVE-2017-11110.
Reported by: Alex Vong <alexvong1995 <at> gmail.com>
Date: Fri, 11 Aug 2017 21:53:01 UTC
Severity: important
Tags: patch, security
Done: Alex Vong <alexvong1995 <at> gmail.com>
Report forwarded to guix-patches <at> gnu.org; package guix-patches. (Fri, 11 Aug 2017 21:53:01 GMT)
Acknowledgement sent to Alex Vong <alexvong1995 <at> gmail.com>: New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 11 Aug 2017 21:53:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Severity: important
Tags: patch security
Hello,
This patch fixes the latest CVE of catdoc. The upstream repo[0] has not
been updated for more than a year, so I grabbed the patch from openSUSE instead
(which is also used by Debian).
[0001-gnu-catdoc-Fix-CVE-2017-11110.patch (text/x-diff, inline)]
From 69b2b0ca3b43409e86bd5d01fe72823ef84ee391 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995 <at> gmail.com>
Date: Thu, 10 Aug 2017 21:02:14 +0800
Subject: [PATCH] gnu: catdoc: Fix CVE-2017-11110.
* gnu/packages/patches/catdoc-CVE-2017-11110.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/textutils.scm (catdoc)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/patches/catdoc-CVE-2017-11110.patch | 45 ++++++++++++++++++++++++
gnu/packages/textutils.scm | 2 ++
3 files changed, 48 insertions(+)
create mode 100644 gnu/packages/patches/catdoc-CVE-2017-11110.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 3d79d5d22..57c346921 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -534,6 +534,7 @@ dist_patch_DATA = \
%D%/packages/patches/calibre-drop-unrar.patch \
%D%/packages/patches/calibre-no-updates-dialog.patch \
%D%/packages/patches/calibre-use-packaged-feedparser.patch \
+ %D%/packages/patches/catdoc-CVE-2017-11110.patch \
%D%/packages/patches/cdparanoia-fpic.patch \
%D%/packages/patches/cdrtools-3.01-mkisofs-isoinfo.patch \
%D%/packages/patches/ceph-disable-cpu-optimizations.patch \
diff --git a/gnu/packages/patches/catdoc-CVE-2017-11110.patch b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
new file mode 100644
index 000000000..71c44f60f
--- /dev/null
+++ b/gnu/packages/patches/catdoc-CVE-2017-11110.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11110:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11110
+https://bugzilla.redhat.com/show_bug.cgi?id=1468471
+https://security-tracker.debian.org/tracker/CVE-2017-11110
+
+Patch copied from openSUSE:
+
+https://build.opensuse.org/package/view_file/openSUSE:Maintenance:6985/catdoc.openSUSE_Leap_42.2_Update/CVE-2017-11110.patch?expand=1
+
+From: Andreas Stieger <astieger <at> suse.com>
+Date: Mon, 10 Jul 2017 15:37:58 +0000
+References: CVE-2017-11110 http://bugzilla.suse.com/show_bug.cgi?id=1047877
+
+All .doc I found had sectorSize 0x09 at offset 0x1e. Guarding it against <4.
+
+---
+ src/ole.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: catdoc-0.95/src/ole.c
+===================================================================
+--- catdoc-0.95.orig/src/ole.c 2016-05-25 06:37:12.000000000 +0200
++++ catdoc-0.95/src/ole.c 2017-07-10 17:42:33.578308107 +0200
+@@ -106,6 +106,11 @@ FILE* ole_init(FILE *f, void *buffer, si
+ return NULL;
+ }
+ sectorSize = 1<<getshort(oleBuf,0x1e);
++ /* CVE-2017-11110) */
++ if (sectorSize < 4) {
++ fprintf(stderr,"sectorSize < 4 not supported\n");
++ return NULL;
++ }
+ shortSectorSize=1<<getshort(oleBuf,0x20);
+
+ /* Read BBD into memory */
+@@ -147,7 +152,7 @@ FILE* ole_init(FILE *f, void *buffer, si
+ }
+
+ fseek(newfile, 512+mblock*sectorSize, SEEK_SET);
+- if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i,
++ if(fread(tmpBuf+MSAT_ORIG_SIZE+(sectorSize-4)*i, /* >= 4 for CVE-2017-11110 */
+ 1, sectorSize, newfile) != sectorSize) {
+ fprintf(stderr, "Error read MSAT!\n");
+ ole_finish();
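Review bot: the new guard in the first embedded hunk (`if (sectorSize < 4)`) only bounds the low end; it keeps `(sectorSize-4)*i` in the MSAT read of the second embedded hunk from going negative, but `sectorSize = 1<<getshort(oleBuf,0x1e)` still shifts by whatever value is read from the file header, and a shift count at or above the width of `int` is undefined behaviour in C, so consider also rejecting exponents above a sane maximum (the patch description says every .doc examined used 0x09, i.e. 512-byte sectors). Also, the added comment `/* CVE-2017-11110) */` has a stray closing parenthesis; write `/* CVE-2017-11110 */` instead.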
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index e8ae30cd6..537d01334 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2017 Rene Saavedra <rennes <at> openmailbox.org>
;;; Copyright © 2017 Hartmut Goebel <h.goebel <at> crazy-compilers.com>
;;; Copyright © 2017 Kei Kebreau <kei <at> openmailbox.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995 <at> gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -409,6 +410,7 @@ runs Word\".")
(method url-fetch)
(uri (string-append "http://ftp.wagner.pp.ru/pub/catdoc/"
"catdoc-" version ".tar.gz"))
+ (patches (search-patches "catdoc-CVE-2017-11110.patch"))
(sha256
(base32
"15h7v3bmwfk4z8r78xs5ih6vd0pskn0rj90xghvbzdjj0cc88jji"))))
--
2.14.0
(I am re-sending this mail for the 3rd time since I didn't receive a
reply from debbugs. This time I decided to mail guix-devel as well,
just in case it doesn't work again.)
Cheers,
Alex
[0]: http://www.wagner.pp.ru/gitweb/?p=oss/catdoc.git;a=summary
Reply sent to Alex Vong <alexvong1995 <at> gmail.com>: You have taken responsibility. (Sat, 12 Aug 2017 16:22:02 GMT)
Notification sent to Alex Vong <alexvong1995 <at> gmail.com>: bug acknowledged by developer. (Sat, 12 Aug 2017 16:22:02 GMT)
Message #10 received at 28058-done <at> debbugs.gnu.org:
Marius Bakke <mbakke <at> fastmail.com> writes:
> Alex Vong <alexvong1995 <at> gmail.com> writes:
>
>> Severity: important
>> Tags: patch security
>>
>> Hello,
>>
>> This patch fixes the latest CVE of catdoc. The upstream repo[0] has not
>> been updated for more than a year, so I grabbed the patch from openSUSE instead
>> (which is also used by Debian).
>
> Thanks for this, pushed!
>
> [...]
>
Thanks!
>> (I am re-sending this mail for the 3rd time since I didn't receive a
>> reply from debbugs. This time I decided to mail guix-devel as well,
>> just in case it doesn't work again.)
>
> No idea what's up with that. Does it work if you omit the debbugs
> control headers? Perhaps processing is disabled for guix-patches, or
> something.
This time it works. I guess debbugs was doing some maintenance work and was
hence temporarily unavailable.
Bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Sun, 10 Sep 2017 11:24:03 GMT)