1 files changed, 37 insertions, 0 deletions

diff --git a/package/utils/bsdiff/patches/020-CVE-2014-9862.patch b/package/utils/bsdiff/patches/020-CVE-2014-9862.patch
new file mode 100644
index 0000000000..98a49312f3
--- /dev/null
+++ b/package/utils/bsdiff/patches/020-CVE-2014-9862.patch
@@ -0,0 +1,37 @@
+From: The FreeBSD Project
+Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
+Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
+  The implementation of bspatch does not check for a negative value on numbers
+  of bytes read from the diff and extra streams, allowing an attacker who
+  can control the patch file to write at arbitrary locations in the heap.
+  .
+  bspatch's main loop reads three numbers from the "control" stream in
+  the patch: X, Y and Z. The first two are the number of bytes to read
+  from "diff" and "extra" (and thus only non-negative), while the
+  third one could be positive or negative and moves the oldpos pointer
+  on the source image. These 3 values are 64bits signed ints (encoded
+  somehow on the file) that are later passed the function that reads
+  from the streams, but those values are not verified to be
+  non-negative.
+  .
+  Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
+  The patch was downloaded from a link pointed by
+  https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
+
+---
+ bspatch.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/bspatch.c
++++ b/bspatch.c
+@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
+ 		};
+ 
+ 		/* Sanity-check */
++		if ((ctrl[0] < 0) || (ctrl[1] < 0))
++			errx(1,"Corrupt patch\n");
++
++		/* Sanity-check */
+ 		if(newpos+ctrl[0]>newsize)
+ 			errx(1,"Corrupt patch\n");
+