bsdiff: Add patches for CVEs
[openwrt/staging/hauke.git] / package / utils / bsdiff / patches / 020-CVE-2014-9862.patch
1 From: The FreeBSD Project
2 Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
3 Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
4 The implementation of bspatch does not check for a negative value on numbers
5 of bytes read from the diff and extra streams, allowing an attacker who
6 can control the patch file to write at arbitrary locations in the heap.
7 .
8 bspatch's main loop reads three numbers from the "control" stream in
9 the patch: X, Y and Z. The first two are the number of bytes to read
10 from "diff" and "extra" (and thus only non-negative), while the
11 third one could be positive or negative and moves the oldpos pointer
12 on the source image. These 3 values are 64-bit signed ints (encoded
13 somehow on the file) that are later passed to the function that reads
14 from the streams, but those values are not verified to be
15 non-negative.
16 .
17 Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
18 The patch was downloaded from a link pointed to by
19 https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
20
21 ---
22 bspatch.c | 4 ++++
23 1 file changed, 4 insertions(+)
24
25 --- a/bspatch.c
26 +++ b/bspatch.c
27 @@ -152,6 +152,10 @@ int main(int argc,char * argv[])
28 };
29
30 /* Sanity-check */
31 + if ((ctrl[0] < 0) || (ctrl[1] < 0))
32 + errx(1,"Corrupt patch\n");
33 +
34 + /* Sanity-check */
35 if(newpos+ctrl[0]>newsize)
36 errx(1,"Corrupt patch\n");
37
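Review bot: the bound test that follows the new sign check, `if(newpos+ctrl[0]>newsize)`, still computes a signed sum, and since the description says these are 64-bit signed values taken from the patch file, a very large positive ctrl[0] can overflow that addition before the comparison is made. With ctrl[0] now known to be non-negative, the test could be written as `ctrl[0] > newsize - newpos`, which avoids the sum (assuming newpos never exceeds newsize at this point). The hunk also shows no upper bound for ctrl[1], so it is worth confirming that a later check covers it, and the two consecutive `/* Sanity-check */` comments could be merged into one that says what each test guards against.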