diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
--- freexl-1.0.0g/debian/changelog 2015-04-06 16:30:48.000000000 +0000
+++ freexl-1.0.0g/debian/changelog 2015-11-19 21:36:40.000000000 +0000
@@ -1,3 +1,12 @@
+freexl (1.0.0g-1ubuntu0.14.04.2) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Fix issues in previous security update (LP: #1516257)
+ - afl-vulnerabilitities-regression.patch: Fix regression introduced by
+ afl-vulnerabilitities.patch.
+ - 32bit-multiplication-overflow.patch: Fix 32 bit multiplication overflow
+
+ -- Bas Couwenberg Thu, 12 Nov 2015 22:04:49 +0100
+
 freexl (1.0.0g-1ubuntu0.14.04.1) trusty-security; urgency=high
 
 * SECURITY UPDATE: Fix multiple vulnerabilities allowing denial of service
diff -Nru freexl-1.0.0g/debian/patches/32bit-multiplication-overflow.patch freexl-1.0.0g/debian/patches/32bit-multiplication-overflow.patch
--- freexl-1.0.0g/debian/patches/32bit-multiplication-overflow.patch 1970-01-01 00:00:00.000000000 +0000
+++ freexl-1.0.0g/debian/patches/32bit-multiplication-overflow.patch 2015-11-19 21:36:10.000000000 +0000
@@ -0,0 +1,38 @@
+Description: Fixing a critical bug (32 bit multiplication overflow) reported by RHEL maintainers
+Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=4f9408c216ead322&v2=44802d385bc32499&sbs=1
+Author: Alessandro Furieri
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1066,6 +1066,7 @@ allocate_cells (biff_workbook * workbook
+ /* allocating the rows and cells for the active Worksheet */
+ unsigned int row;
+ unsigned int col;
++ double dsize;
+ biff_cell_value *p_cell;
+
+ if (workbook == NULL)
+@@ -1073,6 +1074,14 @@ allocate_cells (biff_workbook * workbook
+ if (workbook->active_sheet == NULL)
+ return FREEXL_NULL_ARGUMENT;
+
++/* testing for an unrealistically high memory size > 256MB */
++ dsize =
++ (double) sizeof (biff_cell_value) *
++ (double) (workbook->active_sheet->rows) *
++ (double) (workbook->active_sheet->columns);
++ if (dsize > 256.0 * 1024.0 * 1024.0)
++ return FREEXL_INSUFFICIENT_MEMORY;
++
+ /* allocating the cell values array */
+ workbook->active_sheet->cell_values =
+ malloc (sizeof (biff_cell_value) *
+@@ -1725,6 +1734,8 @@ parse_SST (biff_workbook * workbook, int
+ }
+ workbook->shared_strings.utf8_strings =
+ malloc (sizeof (char **) * workbook->shared_strings.string_count);
++ if (workbook->shared_strings.utf8_strings == NULL)
++ return FREEXL_INSUFFICIENT_MEMORY;
+ for (i_string = 0; i_string < workbook->shared_strings.string_count;
+ i_string++)
+ *(workbook->shared_strings.utf8_strings + i_string) = NULL;
diff -Nru freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch
--- freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 1970-01-01 00:00:00.000000000 +0000
+++ freexl-1.0.0g/debian/patches/afl-vulnerabilitities-regression.patch 2015-11-19 21:36:10.000000000 +0000
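Review bot: In the parse_SST hunk of 32bit-multiplication-overflow.patch the added NULL test catches a failed malloc but not a wrapped size: `sizeof (char **) * workbook->shared_strings.string_count` is still multiplied without a bound, so with a 32-bit size_t a large enough count (presumably taken from the file) would yield a short buffer that the initialising loop right below then overruns. A guard before the malloc, `if (workbook->shared_strings.string_count > SIZE_MAX / sizeof (char *)) return FREEXL_INSUFFICIENT_MEMORY;`, would close that in the same spirit as the dsize test added to allocate_cells. In allocate_cells the 256 MB ceiling would read better as a named constant with a comment on why that value was chosen, and the result of the malloc that follows is not checked on the visible lines. Both functions start and end outside their hunks, so any earlier validation of these counts is not visible here.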
@@ -0,0 +1,18 @@
+Description: Fix regression introduced by afl-vulnerabilitities.patch.
+ Initially reported as a bug in GDAL and traced to FreeXL, see:
+ https://trac.osgeo.org/gdal/ticket/6200
+Origin: https://www.gaia-gis.it/fossil/freexl/fdiff?v1=61618ce51a9b0c15&v2=4f9408c216ead322&sbs=1
+Author: Alessandro Furieri
+Bug-Debian: https://bugs.debian.org/781228
+
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -3759,7 +3759,7 @@ read_biff_next_record (biff_workbook * w
+ unsigned int already_done;
+ unsigned int chunk =
+ workbook->sector_end - (workbook->p_in - workbook->sector_buf);
+- if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
++ if (workbook->sector_end < (workbook->p_in - workbook->sector_buf))
+ return -1;
+ memcpy (workbook->record, workbook->p_in, chunk);
+ workbook->p_in += chunk;
diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series
--- freexl-1.0.0g/debian/patches/series 2015-04-06 16:30:48.000000000 +0000
+++ freexl-1.0.0g/debian/patches/series 2015-11-19 21:36:10.000000000 +0000
@@ -1 +1,3 @@
 afl-vulnerabilitities.patch
+afl-vulnerabilitities-regression.patch
+32bit-multiplication-overflow.patch
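Review bot: In read_biff_next_record (afl-vulnerabilitities-regression.patch) `chunk` is still computed by an unsigned subtraction before the test that proves the subtraction cannot wrap, and nothing on the visible lines explains why equality is now allowed. Moving the assignment below the guard and adding a comment such as `/* p_in == sector_end is valid: chunk is 0 and nothing is copied from this sector */` would make the intent explicit and make it harder for the stricter `<=` to be reintroduced. The visible lines also do not show `chunk` being checked against the size of `workbook->record` before the memcpy; that may happen in the part of the function outside this hunk and is worth confirming.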