diff -Nru liblouis-3.5.0/debian/changelog liblouis-3.5.0/debian/changelog
--- liblouis-3.5.0/debian/changelog 2022-06-09 13:37:45.000000000 +0000
+++ liblouis-3.5.0/debian/changelog 2023-03-27 12:13:06.000000000 +0000
@@ -1,3 +1,27 @@
+liblouis (3.5.0-1ubuntu0.5) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Denial of service
+ - debian/patches/CVE-2023-26767.patch: check the length
+ of path before copying indo dataPath in
+ liblouis/compileTranslationTable.c, liblouis/liblouis.h.in.
+ - CVE-2023-26767
+ * SECURITY UPDATE: Buffer overflow
+ - debian/patches/CVE-2023-26768-1.patch: check filename before
+ coping to initialLogFileName in liblouis/logging.c.
+ - debian/patches/CVE-2023-26768-2.patch: replace the magic
+ number with a define in liblouis/logging.c.
+ - CVE-2023-26768
+ * SECURITY UPDATE: Buffer overflow
+ - debian/patches/CVE-2023-26769-1.patch: check path length
+ before coping into tableFile in liblouis/compileTranslationTable.c.
+ - debian/patches/CVE-2023-26769-2.patch: fix format in
+ liblouis/compileTranslationTable.c.
+ - debian/patches/CVE-2023-26769-3.patch: add parentheses for
+ define expression in liblouis/compileTranslationTable.c.
+ - CVE-2023-26769
+
+ -- Leonidas Da Silva Barbosa Mon, 27 Mar 2023 09:13:06 -0300
+
 liblouis (3.5.0-1ubuntu0.4) bionic-security; urgency=medium

 * SECURITY UPDATE: Out-of-bounds
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26767.patch liblouis-3.5.0/debian/patches/CVE-2023-26767.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26767.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26767.patch 2023-03-27 12:12:01.000000000 +0000
@@ -0,0 +1,55 @@
+From f432de31058b5a94874d47405216d07910c18a9a Mon Sep 17 00:00:00 2001
+From: Christian Egli
+Date: Wed, 8 Feb 2023 11:18:27 +0100
+Subject: [PATCH] Check the length of path before copying into dataPath
+
+See https://lwn.net/Articles/507319/ for more background on the
+security problems of strcpy.
+
+Fixes #1292
+---
+ NEWS | 2 ++
+ liblouis/compileTranslationTable.c | 2 +-
+ liblouis/liblouis.h.in | 3 ++-
+ 3 files changed, 5 insertions(+), 2 deletions(-)
+
+#Index: liblouis-3.20.0/NEWS
+#===================================================================
+#--- liblouis-3.20.0.orig/NEWS
+#+++ liblouis-3.20.0/NEWS
+#@@ -2756,6 +2756,8 @@ issues]].
+#
+# ** New features
+# ** Bug fixes
+#+- Fix a buffer overflow error in ~lou_setDataPath~. Thanks Marsman1996
+#+ for reporting and Christian Egli for fixing it.
+# ** Braille table improvements
+# ** Other changes
+# ** Deprecation notice
+Index: liblouis-3.5.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.5.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.5.0/liblouis/compileTranslationTable.c
+@@ -58,7 +58,7 @@ char *EXPORT_CALL
+ lou_setDataPath(const char *path) {
+ static char dataPath[MAXSTRING];
+ dataPathPtr = NULL;
+- if (path == NULL) return NULL;
++ if (path == NULL || strlen(path) >= MAXSTRING) return NULL;
+ strcpy(dataPath, path);
+ dataPathPtr = dataPath;
+ return dataPathPtr;
+Index: liblouis-3.5.0/liblouis/liblouis.h.in
+===================================================================
+--- liblouis-3.5.0.orig/liblouis/liblouis.h.in
++++ liblouis-3.5.0/liblouis/liblouis.h.in
+@@ -269,7 +269,8 @@ lou_getEmphClasses(const char *tableList
+ /**
+ * Set the path used for searching for tables and liblouisutdml files.
+ *
+- * Overrides the installation path. */
++ * Overrides the installation path. Returns NULL if `path` is NULL or
++ * if the length of `path` is equal or longer than `MAXSTRING`. */
+ LIBLOUIS_API
+ char *EXPORT_CALL
+ lou_setDataPath(const char *path);
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26768-1.patch liblouis-3.5.0/debian/patches/CVE-2023-26768-1.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26768-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26768-1.patch 2023-03-27 12:12:14.000000000 +0000
@@ -0,0 +1,22 @@
+From 565ac66ec0c187ffb442226487de3db376702958 Mon Sep 17 00:00:00 2001
+From: Marsman1996
+Date: Thu, 9 Feb 2023 18:56:21 +0800
+Subject: [PATCH] Check filename before coping to initialLogFileName
+
+---
+ liblouis/logging.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/liblouis/logging.c b/liblouis/logging.c
+index 9f470b45e5..7498deb758 100644
+--- a/liblouis/logging.c
++++ b/liblouis/logging.c
+@@ -126,7 +126,7 @@ lou_logFile(const char *fileName) {
+ fclose(logFile);
+ logFile = NULL;
+ }
+- if (fileName == NULL || fileName[0] == 0) return;
++ if (fileName == NULL || fileName[0] == 0 || strlen(fileName) >= 256) return;
+ if (initialLogFileName[0] == 0) strcpy(initialLogFileName, fileName);
+ logFile = fopen(fileName, "a");
+ if (logFile == NULL && initialLogFileName[0] != 0)
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26768-2.patch liblouis-3.5.0/debian/patches/CVE-2023-26768-2.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26768-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26768-2.patch 2023-03-27 12:12:20.000000000 +0000
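Review bot: In CVE-2023-26767.patch, the new `strlen(path) >= MAXSTRING` test in `lou_setDataPath` sits after `dataPathPtr = NULL;`, so an over-long argument returns NULL and also discards whatever data path was set before, the same outcome as an explicit reset with `path == NULL`. If a rejected value is not meant to reset the path, validate first with `if (path != NULL && strlen(path) >= MAXSTRING) return NULL;` ahead of the assignment; if the reset is meant, the liblouis.h.in comment should say that the previous path is cleared. A `_lou_logMessage(LOG_ERROR, "data path too long")` call on the rejection branch would let callers that ignore the return value see why table lookup changed. The header text names `MAXSTRING` as the limit; whether that macro is visible to API users is not shown in this hunk.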
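Review bot: In CVE-2023-26768-1.patch, the added `strlen(fileName) >= 256` test makes `lou_logFile` return before `fopen` for every long name, although the only bounded write is the `strcpy` into `initialLogFileName`, which runs only while that buffer is still empty. The context lines above it have already closed and cleared `logFile`, so the caller is left without a log file and without a diagnostic. Bounding the copy itself keeps the overflow fix without refusing usable paths: `if (initialLogFileName[0] == 0 && strlen(fileName) < sizeof(initialLogFileName)) strcpy(initialLogFileName, fileName);`. Using `sizeof` ties the limit to the array, and that applies equally to the `FILENAMESIZE` form in CVE-2023-26768-2.patch. The function body continues past the end of the hunk, so the fallback that reads `initialLogFileName` should be checked against this change.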
@@ -0,0 +1,34 @@
+From 47822bb418fb77564c159469e3be79989b11aced Mon Sep 17 00:00:00 2001
+From: Marsman1996
+Date: Thu, 9 Feb 2023 21:00:36 +0800
+Subject: [PATCH] replace the magic number with a define
+
+---
+ liblouis/logging.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/liblouis/logging.c b/liblouis/logging.c
+index 7498deb758..2849cf26d4 100644
+--- a/liblouis/logging.c
++++ b/liblouis/logging.c
+@@ -117,8 +117,10 @@ _lou_logMessage(logLevels level, const char *format, ...) {
+ }
+ }
+
++#define FILENAMESIZE 256
++
+ static FILE *logFile = NULL;
+-static char initialLogFileName[256] = "";
++static char initialLogFileName[FILENAMESIZE] = "";
+
+ void EXPORT_CALL
+ lou_logFile(const char *fileName) {
+@@ -126,7 +128,7 @@ lou_logFile(const char *fileName) {
+ fclose(logFile);
+ logFile = NULL;
+ }
+- if (fileName == NULL || fileName[0] == 0 || strlen(fileName) >= 256) return;
++ if (fileName == NULL || fileName[0] == 0 || strlen(fileName) >= FILENAMESIZE) return;
+ if (initialLogFileName[0] == 0) strcpy(initialLogFileName, fileName);
+ logFile = fopen(fileName, "a");
+ if (logFile == NULL && initialLogFileName[0] != 0)
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26769-1.patch liblouis-3.5.0/debian/patches/CVE-2023-26769-1.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26769-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26769-1.patch 2023-03-27 12:12:35.000000000 +0000
@@ -0,0 +1,68 @@
+From d45430431f8c75941f863328eb3f7fc09f902b2e Mon Sep 17 00:00:00 2001
+From: Marsman1996
+Date: Wed, 8 Feb 2023 22:10:01 +0800
+Subject: [PATCH] Check the path length before coping into tableFile
+
+---
+ liblouis/compileTranslationTable.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+Index: liblouis-3.5.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.5.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.5.0/liblouis/compileTranslationTable.c
+@@ -4309,7 +4309,9 @@ resolveSubtable(const char *table, const
+ char *tableFile;
+ static struct stat info;
+
+- if (table == NULL || table[0] == '\0') return NULL;
++ if (table == NULL || table[0] == '\0' ||
++ strlen(table) >= MAXSTRING * sizeof(char) * 2)
++ return NULL;
+ tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
+
+ //
+@@ -4317,10 +4319,13 @@ resolveSubtable(const char *table, const
+ //
+ if (base) {
+ int k;
++ if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
+ strcpy(tableFile, base);
+ k = (int)strlen(tableFile);
+ while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ tableFile[++k] = '\0';
++ if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
++ goto failure;
+ strcat(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -4352,6 +4357,10 @@ resolveSubtable(const char *table, const
+ last = (*cp == '\0');
+ *cp = '\0';
+ if (dir == cp) dir = ".";
++ if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s", dir, DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -4359,6 +4368,10 @@ resolveSubtable(const char *table, const
+ return tableFile;
+ }
+ if (last) break;
++ if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
++ free(searchPath_copy);
++ goto failure;
++ }
+ sprintf(tableFile, "%s%c%s%c%s%c%s", dir, DIR_SEP, "liblouis", DIR_SEP,
+ "tables", DIR_SEP, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+@@ -4370,6 +4383,7 @@ resolveSubtable(const char *table, const
+ }
+ free(searchPath_copy);
+ }
++failure:
+ free(tableFile);
+ return NULL;
+ }
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26769-2.patch liblouis-3.5.0/debian/patches/CVE-2023-26769-2.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26769-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26769-2.patch 2023-03-27 12:12:46.000000000 +0000
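Review bot: In CVE-2023-26769-1.patch, the result of `tableFile = (char *)malloc(...)` in `resolveSubtable` is still not tested before the `strcpy`, `strcat` and `sprintf` calls that the new length checks guard, so an allocation failure becomes a write through NULL; `if (tableFile == NULL) return NULL;` directly after the allocation closes that. In the search-path loop, one over-long `dir` entry now jumps to `failure` and gives up on the entries that follow it, so a single oversized element of the search path stops table lookup altogether. Skipping only that entry would be more robust, but only parts of the loop are visible in these hunks, so a skip has to respect the `last`/`cp` bookkeeping shown in the context lines.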
@@ -0,0 +1,70 @@
+From 6f39e88745e8ec602ccc46042c305a6188f28b0a Mon Sep 17 00:00:00 2001
+From: Marsman1996
+Date: Wed, 8 Feb 2023 22:40:52 +0800
+Subject: [PATCH] fix format: 1. define MAX_TABLEFILE_SIZE 2. parse the magic
+ number
+
+---
+ liblouis/compileTranslationTable.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+Index: liblouis-3.5.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.5.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.5.0/liblouis/compileTranslationTable.c
+@@ -4309,23 +4309,21 @@ resolveSubtable(const char *table, const
+ char *tableFile;
+ static struct stat info;
+
+- if (table == NULL || table[0] == '\0' ||
+- strlen(table) >= MAXSTRING * sizeof(char) * 2)
+- return NULL;
+- tableFile = (char *)malloc(MAXSTRING * sizeof(char) * 2);
++#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
++ if (table == NULL || table[0] == '\0') return NULL;
++ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+
+ //
+ // First try to resolve against base
+ //
+ if (base) {
+ int k;
+- if (strlen(base) >= MAXSTRING * sizeof(char) * 2) goto failure;
++ if (strlen(base) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, base);
+ k = (int)strlen(tableFile);
+ while (k >= 0 && tableFile[k] != '/' && tableFile[k] != '\\') k--;
+ tableFile[++k] = '\0';
+- if (strlen(tableFile) + strlen(table) >= MAXSTRING * sizeof(char) * 2)
+- goto failure;
++ if (strlen(tableFile) + strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcat(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -4337,6 +4335,7 @@ resolveSubtable(const char *table, const
+ // It could be an absolute path, or a path relative to the current working
+ // directory
+ //
++ if (strlen(table) >= MAX_TABLEFILE_SIZE) goto failure;
+ strcpy(tableFile, table);
+ if (stat(tableFile, &info) == 0 && !(info.st_mode & S_IFDIR)) {
+ _lou_logMessage(LOG_DEBUG, "found table %s", tableFile);
+@@ -4357,7 +4356,7 @@ resolveSubtable(const char *table, const
+ last = (*cp == '\0');
+ *cp = '\0';
+ if (dir == cp) dir = ".";
+- if (strlen(dir) + strlen(table) + 1 >= MAXSTRING * sizeof(char) * 2) {
++ if (strlen(dir) + strlen(table) + 1 >= MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
+@@ -4368,7 +4367,8 @@ resolveSubtable(const char *table, const
+ return tableFile;
+ }
+ if (last) break;
+- if (strlen(dir) + strlen(table) + 16 >= MAXSTRING * sizeof(char) * 2) {
++ if (strlen(dir) + strlen("liblouis") + strlen("tables") + strlen(table) + 3 >=
++ MAX_TABLEFILE_SIZE) {
+ free(searchPath_copy);
+ goto failure;
+ }
diff -Nru liblouis-3.5.0/debian/patches/CVE-2023-26769-3.patch liblouis-3.5.0/debian/patches/CVE-2023-26769-3.patch
--- liblouis-3.5.0/debian/patches/CVE-2023-26769-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ liblouis-3.5.0/debian/patches/CVE-2023-26769-3.patch 2023-03-27 12:12:59.000000000 +0000
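Review bot: In CVE-2023-26769-2.patch, the writes into `tableFile` remain unbounded `strcpy`/`strcat`/`sprintf` calls whose safety rests on the hand-written sums (`+ 1`, `+ 3`) staying in step with the format strings. Letting the write carry the bound removes that coupling, for example `int n = snprintf(tableFile, MAX_TABLEFILE_SIZE, "%s%c%s", dir, DIR_SEP, table);` followed by `if (n < 0 || (size_t)n >= MAX_TABLEFILE_SIZE) { free(searchPath_copy); goto failure; }`, with the same shape for the `liblouis`/`tables` variant. Parts of `resolveSubtable` lie between the hunks and are not visible here, so any other write into `tableFile` there needs the same treatment.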
@@ -0,0 +1,22 @@
+From 9f6cec9b63c1d9396fcc32fed77267a2815b648f Mon Sep 17 00:00:00 2001
+From: Marsman1996
+Date: Wed, 8 Feb 2023 23:01:56 +0800
+Subject: [PATCH] add parentheses for define expression
+
+---
+ liblouis/compileTranslationTable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: liblouis-3.5.0/liblouis/compileTranslationTable.c
+===================================================================
+--- liblouis-3.5.0.orig/liblouis/compileTranslationTable.c
++++ liblouis-3.5.0/liblouis/compileTranslationTable.c
+@@ -4309,7 +4309,7 @@ resolveSubtable(const char *table, const
+ char *tableFile;
+ static struct stat info;
+
+-#define MAX_TABLEFILE_SIZE MAXSTRING * sizeof(char) * 2
++#define MAX_TABLEFILE_SIZE (MAXSTRING * sizeof(char) * 2)
+ if (table == NULL || table[0] == '\0') return NULL;
+ tableFile = (char *)malloc(MAX_TABLEFILE_SIZE);
+
diff -Nru liblouis-3.5.0/debian/patches/series liblouis-3.5.0/debian/patches/series
--- liblouis-3.5.0/debian/patches/series 2022-06-09 13:37:40.000000000 +0000
+++ liblouis-3.5.0/debian/patches/series 2023-03-27 12:12:56.000000000 +0000
@@ -7,3 +7,9 @@
 CVE-2018-12085.patch
 CVE-2018-17294.patch
 CVE-2022-31783.patch
+CVE-2023-26767.patch
+CVE-2023-26768-1.patch
+CVE-2023-26768-2.patch
+CVE-2023-26769-1.patch
+CVE-2023-26769-2.patch
+CVE-2023-26769-3.patch
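Review bot: In CVE-2023-26769-3.patch, `MAX_TABLEFILE_SIZE` is still defined inside the body of `resolveSubtable`, so it stays defined for the rest of the translation unit while reading like a local. Moving the `#define` to file scope, or adding `#undef MAX_TABLEFILE_SIZE` after the function, makes its scope explicit. `sizeof(char)` is 1 by definition, so `(MAXSTRING * 2)` states the same size with less to misread.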