From 646a5c1cbfd95873950a87b5f75d52073a967023 Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding
Date: Mon, 28 May 2018 19:12:29 +0000
Subject: Mon May 28 19:12:29 UTC 2018 a/pkgtools-15.0-noarch-13.txz: Rebuilt. installpkg: default line length for --terselength is the number of columns. removepkg: added --terse mode. upgradepkg: default line length for --terselength is the number of columns. upgradepkg: accept -option in addition to --option. ap/vim-8.1.0026-x86_64-1.txz: Upgraded. d/bison-3.0.5-x86_64-1.txz: Upgraded. e/emacs-26.1-x86_64-1.txz: Upgraded. kde/kopete-4.14.3-x86_64-8.txz: Rebuilt. Recompiled against libidn-1.35. n/conntrack-tools-1.4.5-x86_64-1.txz: Upgraded. n/libnetfilter_conntrack-1.0.7-x86_64-1.txz: Upgraded. n/libnftnl-1.1.0-x86_64-1.txz: Upgraded. n/links-2.16-x86_64-2.txz: Rebuilt. Rebuilt to enable X driver for -g mode. n/lynx-2.8.9dev.19-x86_64-1.txz: Upgraded. n/nftables-0.8.5-x86_64-1.txz: Upgraded. n/p11-kit-0.23.11-x86_64-1.txz: Upgraded. n/ulogd-2.0.7-x86_64-1.txz: Upgraded. n/whois-5.3.1-x86_64-1.txz: Upgraded. xap/network-manager-applet-1.8.12-x86_64-1.txz: Upgraded. xap/vim-gvim-8.1.0026-x86_64-1.txz: Upgraded.
---
.../0003-CVE-2015-4645_and_CVE-2015-4646.patch | 76 ++++++++++++++++++++++
1 file changed, 76 insertions(+)
create mode 100644 source/ap/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch
(limited to 'source/ap/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch')
diff --git a/source/ap/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch b/source/ap/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch
new file mode 100644
index 000000000..d81639f63
--- /dev/null
+++ b/source/ap/squashfs-tools/0003-CVE-2015-4645_and_CVE-2015-4646.patch
@@ -0,0 +1,76 @@
+From 6777e08cc38bc780d27c69c1d8c272867b74524f Mon Sep 17 00:00:00 2001
+From: Giancarlo Canales Barreto
+Date: Wed, 17 Jun 2015 00:22:19 -0400
+Subject: [PATCH] Update unsquash-4.c
+
+There seems to be a stack overflow in read_fragment_table_4 at via what seems to be an integer overflow. Still looking into this problem, it seems like two or three different problems combined.
+
+The first problem overflows the bytes variable, so that the allocation is enormous.
+```c
+int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+```
+
+If we fix this by making the variable size_t, we run into an unrelated problem in which the stack VLA allocation of fragment_table_index can easily exceed RLIMIT_STACK.
+```c
+long long fragment_table_index[indexes];
+```
+
+In the case of my system, the RLIMIT_STACK is 8388608, and VLA is asking for 15728648. Plus the stack probably already has a bunch of other things. This is what I believe ultimately leads to the stack overflow.
+
+Afterwards, the heap allocation seems to succeed, and the disastrous call to read_fs_bytes is made, which initiates transfer from the squashfs image to the stack. At this stage, a stack overflow appears to be in full effect.
+
+```c
+ res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
+ SQUASHFS_FRAGMENT_INDEX_BYTES(sBlk.s.fragments),
+ fragment_table_index);
+```
+This problem is also present in other read_fragment_table_N functions, and in in the original squashfs-tools.
+
+```
+Parallel unsquashfs: Using 8 processors
+ASAN:SIGSEGV
+=================================================================
+==8221==ERROR: AddressSanitizer: stack-overflow on address 0x7ffef3ae9608 (pc 0x000000559011 bp 0x7ffef49e9670 sp 0x7ffef3ae9610 T0)
+ #0 0x559010 in read_fragment_table_4 /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9
+ #1 0x525073 in main /home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs.c:2763:5
+ #2 0x7fb56c533a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
+ #3 0x418468 in _start (/home/septimus/vr/squashfs-vr/squashfs-tools/unsquashfs+0x418468)
+SUMMARY: AddressSanitizer: stack-overflow /home/septimus/vr/squashfs-vr/squashfs-tools/unsquash-4.c:40:9 in read_fragment_table_4
+==8221==ABORTING
+```
+
+Perhaps we should avoid using VLA altogether, and allocate fragment_table_index to the heap?
+This pull request is an example implementation of the fix for unsquash-4, but I don't have enough test vectors to verify it will not break anything.
+---
+ unsquash-4.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ecdaac7..2c0cf63 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -31,9 +31,9 @@ static unsigned int *id_table;
+ int read_fragment_table_4(long long *directory_table_end)
+ {
+ int res, i;
+- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+- long long fragment_table_index[indexes];
++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++ long long *fragment_table_index;
+
+ TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ "from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -44,6 +44,11 @@ int read_fragment_table_4(long long *directory_table_end)
+ return TRUE;
+ }
+
++ fragment_table_index = malloc(indexes*sizeof(long long));
++ if(fragment_table_index == NULL)
++ EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++ "fragment table index\n");
++
+ fragment_table = malloc(bytes);
+ if(fragment_table == NULL)
+ EXIT_UNSQUASH("read_fragment_table: failed to allocate "
-- cgit v1.2.3-65-gdbad
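Review bot: In the first inner hunk `indexes` becomes `size_t`, but the unchanged `TRACE("... reading %d fragment indexes ...", sBlk.s.fragments, indexes, ...)` call still passes it to `%d`, a mismatched varargs type wherever TRACE is compiled in; that argument should use `%zu`. The buffer from `malloc(indexes*sizeof(long long))` in the second hunk is never released: the patch's 8 insertions are all visible here and none is a `free(fragment_table_index);`, so it presumably leaks on each return path that does not exit. Both allocation sizes still derive from `sBlk.s.fragments`, which is read from the image, and no visible line bounds that count before the two `malloc` calls, so a crafted image can still request a very large allocation. The body of read_fragment_table_4 continues outside both hunks, so an existing check further down cannot be ruled out from here.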