blob: 98a49312f3b47386159d70a4308f487f5f34456a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From: The FreeBSD Project
Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
The implementation of bspatch does not check for a negative value on numbers
of bytes read from the diff and extra streams, allowing an attacker who
can control the patch file to write at arbitrary locations in the heap.
.
bspatch's main loop reads three numbers from the "control" stream in
the patch: X, Y and Z. The first two are the number of bytes to read
from "diff" and "extra" (and thus only non-negative), while the
third one could be positive or negative and moves the oldpos pointer
on the source image. These 3 values are 64bits signed ints (encoded
somehow on the file) that are later passed the function that reads
from the streams, but those values are not verified to be
non-negative.
.
Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
The patch was downloaded from a link pointed by
https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
---
bspatch.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/bspatch.c
+++ b/bspatch.c
@@ -152,6 +152,10 @@ int main(int argc,char * argv[])
};
/* Sanity-check */
+ if ((ctrl[0] < 0) || (ctrl[1] < 0))
+ errx(1,"Corrupt patch\n");
+
+ /* Sanity-check */
if(newpos+ctrl[0]>newsize)
errx(1,"Corrupt patch\n");
|
