diff -Nru teeworlds-0.7.2/debian/changelog teeworlds-0.7.2/debian/changelog
--- teeworlds-0.7.2/debian/changelog 2019-02-28 21:35:34.000000000 +0000
+++ teeworlds-0.7.2/debian/changelog 2019-05-06 05:41:59.000000000 +0000
@@ -1,3 +1,20 @@
+teeworlds (0.7.2-5) unstable; urgency=medium
+
+ * Team upload.
+ * Backport other commits to improve patches for CVE-2019-10877,
+ CVE-2019-10878 and CVE-2019-10879.
+
+ -- Dylan Aïssi Mon, 06 May 2019 07:41:59 +0200
+
+teeworlds (0.7.2-4) unstable; urgency=medium
+
+ * Team upload.
+ * Add upstream patches to fix CVE-2019-10877 CVE-2019-10878 CVE-2019-10879
+ (Closes: #927152).
+ * Add upstream patch to fix creation of recursive path. (Closes: #928110)
+
+ -- Dylan Aïssi Sat, 04 May 2019 22:14:03 +0200
+
 teeworlds (0.7.2-3) unstable; urgency=medium
 
 * Stop building with -msse2 on i386. (Closes: #921274)
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch 1970-01-01 00:00:00.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch 2019-05-06 05:41:59.000000000 +0000
@@ -0,0 +1,41 @@
+Author: Jordy Ruiz ,
+ oy
+Description: Fix CVE-2019-10877
+Origin: upstream, https://github.com/teeworlds/teeworlds/commit/d25869626a8cfbdd320929ba93ce73abed1402ce
+ https://github.com/teeworlds/teeworlds/commit/343ec63e9bcdd827ab70c98b27bfedb29779a259
+ https://github.com/teeworlds/teeworlds/commit/c2679bd87807610b153cfec358cf9860e6b3f37b
+ https://github.com/teeworlds/teeworlds/commit/cb16f7e8f9840953a4e13975ff9336cd563d23ed
+ https://github.com/teeworlds/teeworlds/commit/e55aab45af0ecec6416d5b81cdd1d3836414f70d
+Bug: https://github.com/teeworlds/teeworlds/issues/2071
+Bug-Debian: https://bugs.debian.org/927152
+
+--- a/src/engine/shared/map.cpp
++++ b/src/engine/shared/map.cpp
+@@ -55,14 +55,24 @@
+
+ if(pTilemap->m_Version > 3)
+ {
+- CTile *pTiles = static_cast(mem_alloc(pTilemap->m_Width * pTilemap->m_Height * sizeof(CTile), 1));
++ const int TilemapCount = pTilemap->m_Width * pTilemap->m_Height;
++ const int TilemapSize = TilemapCount * sizeof(CTile);
++
++ if((TilemapCount / pTilemap->m_Width != pTilemap->m_Height) || (TilemapSize / (int)sizeof(CTile) != TilemapCount))
++ {
++ dbg_msg("engine", "map layer too big (%d * %d * %u causes an integer overflow)", pTilemap->m_Width, pTilemap->m_Height, unsigned(sizeof(CTile)));
++ return false;
++ }
++ CTile *pTiles = static_cast(mem_alloc(TilemapSize, 1));
++ if(!pTiles)
++ return false;
+
+ // extract original tile data
+ int i = 0;
+ CTile *pSavedTiles = static_cast(m_DataFile.GetData(pTilemap->m_Data));
+- while(i < pTilemap->m_Width * pTilemap->m_Height)
++ while(i < TilemapCount)
+ {
+- for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < pTilemap->m_Width * pTilemap->m_Height; Counter++)
++ for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < TilemapCount; Counter++)
+ {
+ pTiles[i] = *pSavedTiles;
+ pTiles[i++].m_Skip = 0;
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch 1970-01-01 00:00:00.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch 2019-05-06 05:41:59.000000000 +0000
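Review bot: In the map.cpp hunk of CVE-2019-10877.patch, the overflow test runs only after `pTilemap->m_Width * pTilemap->m_Height` has already been evaluated in `int`, so it depends on signed overflow, which is undefined behaviour and may allow a compiler to drop the check. It also divides by `m_Width` with no zero test visible in the hunk, and two negative dimensions whose product is positive pass it. Validating before multiplying covers all three, e.g. `if(pTilemap->m_Width <= 0 || pTilemap->m_Height <= 0 || pTilemap->m_Width > INT_MAX / (int)sizeof(CTile) / pTilemap->m_Height)` ahead of the existing `dbg_msg` and `return false;` (assuming `INT_MAX` is available in this file). Separately, `pSavedTiles` is dereferenced in the loop with no null test, and CVE-2019-10878.patch makes the datafile reader return 0 for an out-of-range index, so an `if(!pSavedTiles)` path that frees `pTiles` and returns false looks necessary. The enclosing function starts and ends outside the hunk.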
@@ -0,0 +1,58 @@
+Author: Jordy Ruiz
+Description: Fix CVE-2019-10878
+Origin: upstream, https://github.com/teeworlds/teeworlds/commit/e086f4b35b1adf7edc35b4ad332dc7ed1edc5988
+ https://github.com/teeworlds/teeworlds/commit/cc3d59ae706752956d6cb8acc4187c8398b61c5c
+Bug: https://github.com/teeworlds/teeworlds/issues/2073
+Bug-Debian: https://bugs.debian.org/927152
+
+--- a/src/engine/shared/datafile.cpp
++++ b/src/engine/shared/datafile.cpp
+@@ -244,6 +244,9 @@
+ {
+ if(!m_pDataFile) { return 0; }
+
++ if(Index < 0 || Index >= m_pDataFile->m_Header.m_NumRawData)
++ return 0;
++
+ // load it if needed
+ if(!m_pDataFile->m_ppDataPtrs[Index])
+ {
+@@ -307,6 +310,9 @@
+
+ void CDataFileReader::ReplaceData(int Index, char *pData)
+ {
++ if(Index < 0 || Index >= m_pDataFile->m_Header.m_NumRawData)
++ return;
++
+ // make sure the data has been loaded
+ GetDataImpl(Index, 0);
+
+@@ -316,10 +322,9 @@
+
+ void CDataFileReader::UnloadData(int Index)
+ {
+- if(Index < 0)
++ if(Index < 0 || Index >= m_pDataFile->m_Header.m_NumRawData)
+ return;
+
+- //
+ mem_free(m_pDataFile->m_ppDataPtrs[Index]);
+ m_pDataFile->m_ppDataPtrs[Index] = 0x0;
+ }
+@@ -334,7 +339,15 @@
+
+ void *CDataFileReader::GetItem(int Index, int *pType, int *pID)
+ {
+- if(!m_pDataFile) { if(pType) *pType = 0; if(pID) *pID = 0; return 0; }
++ if(!m_pDataFile || Index < 0 || Index >= m_pDataFile->m_Header.m_NumItems)
++ {
++ if(pType)
++ *pType = 0;
++ if(pID)
++ *pID = 0;
++
++ return 0;
++ }
+
+ CDatafileItem *i = (CDatafileItem *)(m_pDataFile->m_Info.m_pItemStart+m_pDataFile->m_Info.m_pItemOffsets[Index]);
+ if(pType)
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch 1970-01-01 00:00:00.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch 2019-05-06 05:41:59.000000000 +0000
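Review bot: In the datafile.cpp hunks of CVE-2019-10878.patch, `ReplaceData` and `UnloadData` read `m_pDataFile->m_Header.m_NumRawData` in the new bounds check without first testing `m_pDataFile`, while the first hunk's function and `GetItem` both guard against a null reader. Using `if(!m_pDataFile || Index < 0 || Index >= m_pDataFile->m_Header.m_NumRawData)` in both would make the four checks consistent. The added `return 0;` in the first hunk (presumably `GetDataImpl`) turns a bad index into a null pointer, so call sites that dereference the result, which are not visible here, need a null test of their own. `ReplaceData` now returns silently without taking `pData`; if callers hand over ownership the buffer is lost, so a comment stating who frees it on this path would help. All four function bodies extend beyond their hunks.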
@@ -0,0 +1,59 @@
+Author: oy
+Description: Fix CVE-2019-10879
+Origin: upstream, https://github.com/teeworlds/teeworlds/commit/4d529dcd2d01022e979ebfa0b91167dee37cdb8e
+ https://github.com/teeworlds/teeworlds/commit/cb16f7e8f9840953a4e13975ff9336cd563d23ed
+ https://github.com/teeworlds/teeworlds/commit/7dc19230d04a895cfc1085cf5b0e62326d6e2cd3
+Bug: https://github.com/teeworlds/teeworlds/issues/2070
+Bug-Debian: https://bugs.debian.org/927152
+
+--- a/src/engine/shared/datafile.cpp
++++ b/src/engine/shared/datafile.cpp
+@@ -124,16 +124,22 @@
+ }
+
+ // read in the rest except the data
+- unsigned Size = 0;
++ int64 Size = 0;
+ Size += Header.m_NumItemTypes*sizeof(CDatafileItemType);
+ Size += (Header.m_NumItems+Header.m_NumRawData)*sizeof(int);
+ if(Header.m_Version == 4)
+ Size += Header.m_NumRawData*sizeof(int); // v4 has uncompressed data sizes aswell
+ Size += Header.m_ItemSize;
+
+- unsigned AllocSize = Size;
++ int64 AllocSize = Size;
+ AllocSize += sizeof(CDatafile); // add space for info structure
+ AllocSize += Header.m_NumRawData*sizeof(void*); // add space for data pointers
++ if(Size > (int64(1)<<31) || Header.m_NumItemTypes < 0 || Header.m_NumItems < 0 || Header.m_NumRawData < 0 || Header.m_ItemSize < 0)
++ {
++ io_close(File);
++ dbg_msg("datafile", "unable to load file, invalid file information");
++ return false;
++ }
+
+ CDatafile *pTmpDataFile = (CDatafile*)mem_alloc(AllocSize, 1);
+ pTmpDataFile->m_Header = Header;
+@@ -153,7 +159,7 @@
+ io_close(pTmpDataFile->m_File);
+ mem_free(pTmpDataFile);
+ pTmpDataFile = 0;
+- dbg_msg("datafile", "couldn't load the whole thing, wanted=%d got=%d", Size, ReadSize);
++ dbg_msg("datafile", "couldn't load the whole thing, wanted=%d got=%d", unsigned(Size), ReadSize);
+ return false;
+ }
+
+@@ -161,12 +167,12 @@
+ m_pDataFile = pTmpDataFile;
+
+ #if defined(CONF_ARCH_ENDIAN_BIG)
+- swap_endian(m_pDataFile->m_pData, sizeof(int), min(static_cast(Header.m_Swaplen), Size) / sizeof(int));
++ swap_endian(m_pDataFile->m_pData, sizeof(int), min(static_cast(Header.m_Swaplen), static_cast(Size)) / sizeof(int));
+ #endif
+
+ //if(DEBUG)
+ {
+- dbg_msg("datafile", "allocsize=%d", AllocSize);
++ dbg_msg("datafile", "allocsize=%d", unsigned(AllocSize));
+ dbg_msg("datafile", "readsize=%d", ReadSize);
+ dbg_msg("datafile", "swaplen=%d", Header.m_Swaplen);
+ dbg_msg("datafile", "item_size=%d", m_pDataFile->m_Header.m_ItemSize);
diff -Nru teeworlds-0.7.2/debian/patches/recursiv_dir.patch teeworlds-0.7.2/debian/patches/recursiv_dir.patch
--- teeworlds-0.7.2/debian/patches/recursiv_dir.patch 1970-01-01 00:00:00.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/recursiv_dir.patch 2019-05-06 05:41:59.000000000 +0000
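Review bot: In the first datafile.cpp hunk of CVE-2019-10879.patch, the new limit test covers `Size` only, yet `mem_alloc` receives `AllocSize`, which adds `sizeof(CDatafile)` and `Header.m_NumRawData*sizeof(void*)` and is never range-checked. The pointer it returns is then dereferenced by `pTmpDataFile->m_Header = Header;` with no null test. Each term is still computed in `int`/`size_t` before being added to the `int64`, so on a 32-bit build a large header count can wrap and yield a small `Size` that passes the check. Widening the operand first, e.g. `Size += (int64)Header.m_NumItemTypes*sizeof(CDatafileItemType);`, and rejecting negative header fields before any arithmetic would close that. `Size > (int64(1)<<31)` also admits exactly 2^31, which matters if any later consumer holds the value in a signed `int`; the enclosing function begins and ends outside the hunk.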
@@ -0,0 +1,71 @@
+Author: heinrich5991
+Description: Recursively create directories for the data dir.
+ Nonrecursively creating directories led to a failure.
+Origin: upstream, https://github.com/teeworlds/teeworlds/commit/e117ee0ef1c329f3559fcfb64bd9b33e6adb82d2
+Bug: https://github.com/teeworlds/teeworlds/issues/1643
+Bug-Debian: https://bugs.debian.org/928110
+
+--- a/src/base/system.c
++++ b/src/base/system.c
+@@ -1513,6 +1513,31 @@
+ #endif
+ }
+
++int fs_makedir_recursive(const char *path)
++{
++ char buffer[2048];
++ int len;
++ int i;
++ str_copy(buffer, path, sizeof(buffer));
++ len = str_length(buffer);
++ // ignore a leading slash
++ for(i = 1; i < len; i++)
++ {
++ char b = buffer[i];
++ if(b == '/' || b == '\\')
++ {
++ buffer[i] = 0;
++ if(fs_makedir(buffer) < 0)
++ {
++ return -1;
++ }
++ buffer[i] = b;
++
++ }
++ }
++ return fs_makedir(path);
++}
++
+ int fs_is_dir(const char *path)
+ {
+ #if defined(CONF_FAMILY_WINDOWS)
+--- a/src/base/system.h
++++ b/src/base/system.h
+@@ -1083,6 +1083,16 @@
+ int fs_makedir(const char *path);
+
+ /*
++ Function: fs_makedir_recursive
++ Recursively create directories
++ Parameters:
++ path - Path to create
++ Returns:
++ Returns 0 on success. Negative value on failure.
++*/
++int fs_makedir_recursive(const char *path);
++
++/*
+ Function: fs_storage_path
+ Fetches per user configuration directory.
+
+--- a/src/engine/shared/storage.cpp
++++ b/src/engine/shared/storage.cpp
+@@ -61,7 +61,7 @@
+ // add save directories
+ if(StorageType != STORAGETYPE_BASIC)
+ {
+- if(m_NumPaths && (!m_aaStoragePaths[TYPE_SAVE][0] || !fs_makedir(m_aaStoragePaths[TYPE_SAVE])))
++ if(m_NumPaths && (!m_aaStoragePaths[TYPE_SAVE][0] || !fs_makedir_recursive(m_aaStoragePaths[TYPE_SAVE])))
+ {
+ char aPath[MAX_PATH_LENGTH];
+ if(StorageType == STORAGETYPE_CLIENT)
diff -Nru teeworlds-0.7.2/debian/patches/series teeworlds-0.7.2/debian/patches/series
--- teeworlds-0.7.2/debian/patches/series 2019-02-28 21:29:10.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/series 2019-05-06 05:41:59.000000000 +0000
@@ -6,3 +6,7 @@
 hardening.patch
 immintrin_FTBFS.patch
 no-sse2-required.patch
+CVE-2019-10877.patch
+CVE-2019-10878.patch
+CVE-2019-10879.patch
+recursiv_dir.patch
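Review bot: In recursiv_dir.patch, `fs_makedir_recursive` copies `path` into a 2048-byte `buffer` with `str_copy`, which (assuming it truncates to the given size) means components beyond that limit are never created and the final `fs_makedir(path)` fails with no hint of the cause. Rejecting over-long input up front makes that explicit: `if(str_length(path) >= (int)sizeof(buffer)) return -1;`. The loop returns -1 on the first intermediate `fs_makedir` error, so it depends on `fs_makedir` reporting an already existing directory as success; that contract is not visible in this hunk and belongs in the `system.h` comment. The loop also treats `'\\'` as a separator on every platform, so on POSIX a backslash inside a directory name would split it; the doc comment should state which separators are accepted.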