[Update] [Stable] archivers/bzip2


[Update] [Stable] archivers/bzip2

Henry Jensen
Greetings,

attached diff fixes CVE-2019-12900 (BZ2_decompress in decompress.c in
bzip2 through 1.0.6 has an out-of-bounds write when there are many
selectors.) The vulnerability has a CVSS v3.0 score of 9.8 "CRITICAL".

It is essentially the patch from
https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc

Comments?

Kind Regards,

Henry

Re: [Update] [Stable] archivers/bzip2

Stuart Henderson
Thanks, I've committed a tweaked version.

On 2019/06/24 16:28, Henry Jensen wrote:

> Greetings,
>
> attached diff fixes CVE-2019-12900 (BZ2_decompress in decompress.c in
> bzip2 through 1.0.6 has an out-of-bounds write when there are many
> selectors.) The vulnerability has a CVSS v3.0 score of 9.8 "CRITICAL".
>
> It is essentially the patch from
> https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
>
> Comments?
>
> Kind Regards,
>
> Henry

> diff -urN archivers/bzip2/Makefile mystuff/archivers/bzip2/Makefile
> --- archivers/bzip2/Makefile Fri Aug 24 21:06:12 2018
> +++ mystuff/archivers/bzip2/Makefile Mon Jun 24 15:37:39 2019
> @@ -3,7 +3,7 @@
>  COMMENT= block-sorting file compressor, unencumbered
>  
>  DISTNAME= bzip2-1.0.6
> -REVISION= 9
> +REVISION= 10
>  
>  CATEGORIES= archivers
>  
> diff -urN archivers/bzip2/patches/patch-decompress_c mystuff/archivers/bzip2/patches/patch-decompress_c
> --- archivers/bzip2/patches/patch-decompress_c Thu Jan  1 01:00:00 1970
> +++ mystuff/archivers/bzip2/patches/patch-decompress_c Mon Jun 24 15:50:00 2019
> @@ -0,0 +1,12 @@
> +Index: decompress.c
> +--- decompress.c.orig
> ++++ decompress.c
> +@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> +       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> +       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> +       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> +-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> ++      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
> +       for (i = 0; i < nSelectors; i++) {
> +          j = 0;
> +          while (True) {
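Review bot: the new patches/patch-decompress_c has no $OpenBSD$ RCS tag and no leading comment saying what it fixes; the port's existing patch files (compare patch-bzip2recover_c, which opens with the tag, the CVE id and the upstream reference) carry both. Prepend `$OpenBSD$`, a line naming CVE-2019-12900 and the upstream commit URL from the mail so the reason for the bound survives in-tree. The hunk itself matches the referenced upstream commit: the only change is the added `nSelectors > BZ_MAX_SELECTORS` test before the loop that fills selectorMtf.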

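As an added illustration, and not code from bzip2 or from this thread: a stand-alone C model of the selector-table parse in BZ2_decompress that applies the bound from the decompress.c hunk above. The bit reader and the sample streams are constructed here; the BZ_MAX_SELECTORS value (2 + 900000/BZ_G_SIZE = 18002) is the one from bzlib_private.h.

```c
#include <stdint.h>
#include <stddef.h>
#define BZ_MAX_SELECTORS 18002   /* 2 + 900000/BZ_G_SIZE, as in bzlib_private.h */
#define BZ_OK            0
#define BZ_DATA_ERROR    (-4)
typedef struct { const uint8_t *buf; size_t len; size_t pos; } BitReader;

/* MSB-first bit reader standing in for bzip2's GET_BITS; -1 at end of input. */
static int get_bits(BitReader *r, int n, uint32_t *out) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) {
        if ((r->pos >> 3) >= r->len) return -1;
        v = (v << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1);
        r->pos++;
    }
    *out = v; return 0;
}

/* Parses nGroups, nSelectors and the MTF-coded selector list of one block
 * header; decoded selectors go to `selector`, their count to *n_out. */
int parse_selectors(const uint8_t *buf, size_t len,
                    uint8_t selector[BZ_MAX_SELECTORS], uint32_t *n_out) {
    BitReader r = { buf, len, 0 };
    uint32_t nGroups, nSelectors;
    uint8_t selectorMtf[BZ_MAX_SELECTORS], pos[6];
    if (get_bits(&r, 3, &nGroups)) return BZ_DATA_ERROR;
    if (nGroups < 2 || nGroups > 6) return BZ_DATA_ERROR;
    if (get_bits(&r, 15, &nSelectors)) return BZ_DATA_ERROR;
    /* The upper bound is the CVE-2019-12900 fix: a 15-bit field can claim
     * up to 32767 selectors, but selectorMtf only has BZ_MAX_SELECTORS slots. */
    if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) return BZ_DATA_ERROR;
    for (uint32_t i = 0; i < nSelectors; i++) {
        uint32_t j = 0, bit;
        for (;;) {                       /* unary code: 1-bits until a 0 */
            if (get_bits(&r, 1, &bit)) return BZ_DATA_ERROR;
            if (bit == 0) break;
            if (++j >= nGroups) return BZ_DATA_ERROR;
        }
        selectorMtf[i] = (uint8_t)j;
    }
    /* Undo the move-to-front coding of the table indices. */
    for (uint8_t v = 0; v < nGroups; v++) pos[v] = v;
    for (uint32_t i = 0; i < nSelectors; i++) {
        uint8_t v = selectorMtf[i], tmp = pos[v];
        for (; v > 0; v--) pos[v] = pos[v - 1];
        pos[0] = tmp; selector[i] = tmp;
    }
    *n_out = nSelectors;
    return BZ_OK;
}
```

Without the upper bound, a header claiming more than 18002 selectors would drive the fill loop past the end of selectorMtf; with it, such a header is rejected as BZ_DATA_ERROR before any selector is read.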
Re: [Update] [Stable] archivers/bzip2

T.J. Townsend
Here's an update to 1.0.7, released today.

1.0.7 (27 Jun 19)
~~~~~~~~~~~~~~~~

* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
* bzip2: Fix return value when combining --test,-t and -q.
* bzip2recover: Fix buffer overflow for large argv[0]
* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
* Make sure nSelectors is not out of range (CVE-2019-12900)

https://www.sourceware.org/bzip2/CHANGES

Index: Makefile
===================================================================
RCS file: /cvs/ports/archivers/bzip2/Makefile,v
retrieving revision 1.75
diff -u -p -r1.75 Makefile
--- Makefile 24 Jun 2019 14:46:36 -0000 1.75
+++ Makefile 27 Jun 2019 20:17:38 -0000
@@ -2,8 +2,7 @@
 
 COMMENT= block-sorting file compressor, unencumbered
 
-DISTNAME= bzip2-1.0.6
-REVISION= 10
+DISTNAME= bzip2-1.0.7
 
 CATEGORIES= archivers
 
@@ -17,8 +16,7 @@ PERMIT_PACKAGE_CDROM= Yes
 # uses pledge()
 WANTLIB += c
 
-# originally at bzip.org, domain expired
-MASTER_SITES= https://spacehopper.org/mirrors/
+MASTER_SITES= https://sourceware.org/pub/bzip2/
 
 BZ2_CFLAGS= -Wall -Winline -fomit-frame-pointer -fno-strength-reduce
 MAKE_FLAGS= CC="${CC}" CFLAGS="${CFLAGS} ${BZ2_CFLAGS}" \
Index: distinfo
===================================================================
RCS file: /cvs/ports/archivers/bzip2/distinfo,v
retrieving revision 1.8
diff -u -p -r1.8 distinfo
--- distinfo 4 Apr 2013 16:03:55 -0000 1.8
+++ distinfo 27 Jun 2019 20:17:38 -0000
@@ -1,2 +1,2 @@
-SHA256 (bzip2-1.0.6.tar.gz) = ooSPNPzV1s9H3vAEYfy1KKBITY7e+CCNbS4pCdxh2c0=
-SIZE (bzip2-1.0.6.tar.gz) = 782025
+SHA256 (bzip2-1.0.7.tar.gz) = 52iofFsaeVEUmb60FQC8xMryA3Jv/0am9fmtJ/4Iqys=
+SIZE (bzip2-1.0.7.tar.gz) = 809680
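Review bot: with MASTER_SITES moved from the spacehopper.org mirror to https://sourceware.org/pub/bzip2/ in the previous hunk, these two SHA256/SIZE lines are the only integrity anchor for the new tarball; confirm the 1.0.7 checksum against a second source (the upstream release announcement or a separately fetched copy) rather than only the download the distinfo was generated from.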
Index: patches/patch-bzip2recover_c
===================================================================
RCS file: patches/patch-bzip2recover_c
diff -N patches/patch-bzip2recover_c
--- patches/patch-bzip2recover_c 28 Jun 2016 09:56:23 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,15 +0,0 @@
-$OpenBSD: patch-bzip2recover_c,v 1.1 2016/06/28 09:56:23 jasper Exp $
-
-CVE-2016-3189 bzip2: heap use after free in bzip2recover
-Patch from: https://bugzilla.redhat.com/show_bug.cgi?id=1319648
-
---- bzip2recover.c.orig Tue Jun 28 11:54:25 2016
-+++ bzip2recover.c Tue Jun 28 11:54:43 2016
-@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
-             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
-             bsPutUInt32 ( bsWr, blockCRC );
-             bsClose ( bsWr );
-+    outFile = NULL;
-          }
-          if (wrBlock >= rbCtr) break;
-          wrBlock++;
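Review bot: removing patches/patch-bzip2recover_c relies on the CHANGES entry "bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)"; before dropping it, check that the 1.0.7 bzip2recover.c clears outFile after `bsClose ( bsWr );` as the local hunk at line 457 did, so the port does not regress the fix it has carried since 2016.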
Index: patches/patch-decompress_c
===================================================================
RCS file: patches/patch-decompress_c
diff -N patches/patch-decompress_c
--- patches/patch-decompress_c 24 Jun 2019 14:46:36 -0000 1.1
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,27 +0,0 @@
-$OpenBSD: patch-decompress_c,v 1.1 2019/06/24 14:46:36 sthen Exp $
-
-From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
-From: Albert Astals Cid <[hidden email]>
-Date: Tue, 28 May 2019 19:35:18 +0200
-Subject: [PATCH] Make sure nSelectors is not out of range
-
-nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
-which is
- UChar    selectorMtf[BZ_MAX_SELECTORS];
-so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
-access
-
-Fixes out of bounds access discovered while fuzzying karchive
-
-Index: decompress.c
---- decompress.c.orig
-+++ decompress.c
-@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
-       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
-       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
-       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
--      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
-+      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
-       for (i = 0; i < nSelectors; i++) {
-          j = 0;
-          while (True) {
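Review bot: dropping patches/patch-decompress_c is justified only if 1.0.7 carries upstream commit 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc (the CHANGES entry "Make sure nSelectors is not out of range (CVE-2019-12900)" says it does); verify that the shipped decompress.c contains `if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);` before committing. The commit message being deleted here is the only in-tree explanation of why the bound is needed, so the commit log for this update should reference CVE-2019-12900.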

Re: [Update] [Stable] archivers/bzip2

Stuart Henderson
On 2019/06/27 17:08, T.J. Townsend wrote:
> Here's an update to 1.0.7, released today.

I had a quick look at a source code diff, despite 9 years gap
there's not a lot of change. It looks pretty safe to me but given
the risk of breakage I'd prefer to have more eyes on it.

> 1.0.7 (27 Jun 19)
> ~~~~~~~~~~~~~~~~
>
> * Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
> * bzip2: Fix return value when combining --test,-t and -q.
> * bzip2recover: Fix buffer overflow for large argv[0]
> * bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
> * Make sure nSelectors is not out of range (CVE-2019-12900)
>
> https://www.sourceware.org/bzip2/CHANGES
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/archivers/bzip2/Makefile,v
> retrieving revision 1.75
> diff -u -p -r1.75 Makefile
> --- Makefile 24 Jun 2019 14:46:36 -0000 1.75
> +++ Makefile 27 Jun 2019 20:17:38 -0000
> @@ -2,8 +2,7 @@
>  
>  COMMENT= block-sorting file compressor, unencumbered
>  
> -DISTNAME= bzip2-1.0.6
> -REVISION= 10
> +DISTNAME= bzip2-1.0.7
>  
>  CATEGORIES= archivers
>  
> @@ -17,8 +16,7 @@ PERMIT_PACKAGE_CDROM= Yes
>  # uses pledge()
>  WANTLIB += c
>  
> -# originally at bzip.org, domain expired
> -MASTER_SITES= https://spacehopper.org/mirrors/
> +MASTER_SITES= https://sourceware.org/pub/bzip2/
>  
>  BZ2_CFLAGS= -Wall -Winline -fomit-frame-pointer -fno-strength-reduce
>  MAKE_FLAGS= CC="${CC}" CFLAGS="${CFLAGS} ${BZ2_CFLAGS}" \
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/archivers/bzip2/distinfo,v
> retrieving revision 1.8
> diff -u -p -r1.8 distinfo
> --- distinfo 4 Apr 2013 16:03:55 -0000 1.8
> +++ distinfo 27 Jun 2019 20:17:38 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (bzip2-1.0.6.tar.gz) = ooSPNPzV1s9H3vAEYfy1KKBITY7e+CCNbS4pCdxh2c0=
> -SIZE (bzip2-1.0.6.tar.gz) = 782025
> +SHA256 (bzip2-1.0.7.tar.gz) = 52iofFsaeVEUmb60FQC8xMryA3Jv/0am9fmtJ/4Iqys=
> +SIZE (bzip2-1.0.7.tar.gz) = 809680
> Index: patches/patch-bzip2recover_c
> ===================================================================
> RCS file: patches/patch-bzip2recover_c
> diff -N patches/patch-bzip2recover_c
> --- patches/patch-bzip2recover_c 28 Jun 2016 09:56:23 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,15 +0,0 @@
> -$OpenBSD: patch-bzip2recover_c,v 1.1 2016/06/28 09:56:23 jasper Exp $
> -
> -CVE-2016-3189 bzip2: heap use after free in bzip2recover
> -Patch from: https://bugzilla.redhat.com/show_bug.cgi?id=1319648
> -
> ---- bzip2recover.c.orig Tue Jun 28 11:54:25 2016
> -+++ bzip2recover.c Tue Jun 28 11:54:43 2016
> -@@ -457,6 +457,7 @@ Int32 main ( Int32 argc, Char** argv )
> -             bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
> -             bsPutUInt32 ( bsWr, blockCRC );
> -             bsClose ( bsWr );
> -+    outFile = NULL;
> -          }
> -          if (wrBlock >= rbCtr) break;
> -          wrBlock++;
> Index: patches/patch-decompress_c
> ===================================================================
> RCS file: patches/patch-decompress_c
> diff -N patches/patch-decompress_c
> --- patches/patch-decompress_c 24 Jun 2019 14:46:36 -0000 1.1
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,27 +0,0 @@
> -$OpenBSD: patch-decompress_c,v 1.1 2019/06/24 14:46:36 sthen Exp $
> -
> -From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
> -From: Albert Astals Cid <[hidden email]>
> -Date: Tue, 28 May 2019 19:35:18 +0200
> -Subject: [PATCH] Make sure nSelectors is not out of range
> -
> -nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
> -which is
> - UChar    selectorMtf[BZ_MAX_SELECTORS];
> -so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
> -access
> -
> -Fixes out of bounds access discovered while fuzzying karchive
> -
> -Index: decompress.c
> ---- decompress.c.orig
> -+++ decompress.c
> -@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
> -       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
> -       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
> -       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
> --      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
> -+      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
> -       for (i = 0; i < nSelectors; i++) {
> -          j = 0;
> -          while (True) {
>

Re: [Update] [Stable] archivers/bzip2

Klemens Nanni-2
On Thu, Jun 27, 2019 at 10:10:31PM +0100, Stuart Henderson wrote:
> I had a quick look at a source code diff, despite 9 years gap
> there's not a lot of change. It looks pretty safe to me but given
> the risk of breakage I'd prefer to have more eyes on it.
I diffed 1.0.6 from 2010 and the current HEAD, actual C code changes
are minimal and look quite sane.

OK kn