diff -Nru teeworlds-0.7.2/debian/changelog teeworlds-0.7.2/debian/changelog
--- teeworlds-0.7.2/debian/changelog 2019-05-04 20:14:03.000000000 +0000
+++ teeworlds-0.7.2/debian/changelog 2019-05-06 05:41:59.000000000 +0000
@@ -1,3 +1,11 @@
+teeworlds (0.7.2-5) unstable; urgency=medium
+
+ * Team upload.
+ * Backport other commits to improve patches for CVE-2019-10877,
+ CVE-2019-10878 and CVE-2019-10879.
+
+ -- Dylan Aïssi Mon, 06 May 2019 07:41:59 +0200
+
 teeworlds (0.7.2-4) unstable; urgency=medium
 * Team upload.
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch 2019-05-04 20:14:03.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10877.patch 2019-05-06 05:41:59.000000000 +0000
@@ -1,6 +1,11 @@
-Author: Jordy Ruiz
+Author: Jordy Ruiz ,
+ oy
 Description: Fix CVE-2019-10877
 Origin: upstream, https://github.com/teeworlds/teeworlds/commit/d25869626a8cfbdd320929ba93ce73abed1402ce
+ https://github.com/teeworlds/teeworlds/commit/343ec63e9bcdd827ab70c98b27bfedb29779a259
+ https://github.com/teeworlds/teeworlds/commit/c2679bd87807610b153cfec358cf9860e6b3f37b
+ https://github.com/teeworlds/teeworlds/commit/cb16f7e8f9840953a4e13975ff9336cd563d23ed
+ https://github.com/teeworlds/teeworlds/commit/e55aab45af0ecec6416d5b81cdd1d3836414f70d
 Bug: https://github.com/teeworlds/teeworlds/issues/2071
 Bug-Debian: https://bugs.debian.org/927152
@@ -14,9 +19,9 @@
 + const int TilemapCount = pTilemap->m_Width * pTilemap->m_Height;
 + const int TilemapSize = TilemapCount * sizeof(CTile);
 +
-+ if((TilemapCount / pTilemap->m_Width != pTilemap->m_Height) || (TilemapSize / sizeof(CTile) != TilemapCount))
++ if((TilemapCount / pTilemap->m_Width != pTilemap->m_Height) || (TilemapSize / (int)sizeof(CTile) != TilemapCount))
 + {
-+ dbg_msg("engine", "map layer too big (%d * %d * %d causes an integer overflow)", pTilemap->m_Width, pTilemap->m_Height, sizeof(CTile));
++ dbg_msg("engine", "map layer too big (%d * %d * %u causes an integer overflow)", pTilemap->m_Width, pTilemap->m_Height, unsigned(sizeof(CTile)));
 + return false;
 + }
 + CTile *pTiles = static_cast(mem_alloc(TilemapSize, 1));
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch 2019-05-04 20:14:03.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10878.patch 2019-05-06 05:41:59.000000000 +0000
@@ -1,12 +1,13 @@
 Author: Jordy Ruiz
 Description: Fix CVE-2019-10878
 Origin: upstream, https://github.com/teeworlds/teeworlds/commit/e086f4b35b1adf7edc35b4ad332dc7ed1edc5988
+ https://github.com/teeworlds/teeworlds/commit/cc3d59ae706752956d6cb8acc4187c8398b61c5c
 Bug: https://github.com/teeworlds/teeworlds/issues/2073
 Bug-Debian: https://bugs.debian.org/927152
 --- a/src/engine/shared/datafile.cpp
 +++ b/src/engine/shared/datafile.cpp
-@@ -244,6 +249,9 @@
+@@ -244,6 +244,9 @@
 {
 if(!m_pDataFile) { return 0; }
@@ -16,7 +17,7 @@
 // load it if needed
 if(!m_pDataFile->m_ppDataPtrs[Index])
 {
-@@ -307,6 +315,9 @@
+@@ -307,6 +310,9 @@
 void CDataFileReader::ReplaceData(int Index, char *pData)
 {
@@ -26,7 +27,7 @@
 // make sure the data has been loaded
 GetDataImpl(Index, 0);
-@@ -316,10 +327,9 @@
+@@ -316,10 +322,9 @@
 void CDataFileReader::UnloadData(int Index)
 {
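Review bot: The overflow test in the first hunk (CVE-2019-10877.patch) still runs after `pTilemap->m_Width * pTilemap->m_Height` has been evaluated as a signed `int` product, so it relies on the wrapped result of an overflow that C++ leaves undefined, and the division faults when `m_Width` is 0. These values describe the map layer being loaded, so the guard is safer placed before the multiplication, e.g. `if(pTilemap->m_Width <= 0 || pTilemap->m_Height <= 0 || pTilemap->m_Height > INT_MAX / (int)sizeof(CTile) / pTilemap->m_Width)` followed by the existing `dbg_msg` and `return false;`. Whether width and height are range-checked earlier cannot be seen from here; the enclosing function starts and ends outside the hunk.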
@@ -38,3 +39,20 @@
 mem_free(m_pDataFile->m_ppDataPtrs[Index]);
 m_pDataFile->m_ppDataPtrs[Index] = 0x0;
 }
+@@ -334,7 +339,15 @@
+
+ void *CDataFileReader::GetItem(int Index, int *pType, int *pID)
+ {
+- if(!m_pDataFile) { if(pType) *pType = 0; if(pID) *pID = 0; return 0; }
++ if(!m_pDataFile || Index < 0 || Index >= m_pDataFile->m_Header.m_NumItems)
++ {
++ if(pType)
++ *pType = 0;
++ if(pID)
++ *pID = 0;
++
++ return 0;
++ }
+
+ CDatafileItem *i = (CDatafileItem *)(m_pDataFile->m_Info.m_pItemStart+m_pDataFile->m_Info.m_pItemOffsets[Index]);
+ if(pType)
diff -Nru teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch
--- teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch 2019-05-04 20:14:03.000000000 +0000
+++ teeworlds-0.7.2/debian/patches/CVE-2019-10879.patch 2019-05-06 05:41:59.000000000 +0000
@@ -1,12 +1,14 @@
 Author: oy
 Description: Fix CVE-2019-10879
 Origin: upstream, https://github.com/teeworlds/teeworlds/commit/4d529dcd2d01022e979ebfa0b91167dee37cdb8e
+ https://github.com/teeworlds/teeworlds/commit/cb16f7e8f9840953a4e13975ff9336cd563d23ed
+ https://github.com/teeworlds/teeworlds/commit/7dc19230d04a895cfc1085cf5b0e62326d6e2cd3
 Bug: https://github.com/teeworlds/teeworlds/issues/2070
 Bug-Debian: https://bugs.debian.org/927152
 --- a/src/engine/shared/datafile.cpp
 +++ b/src/engine/shared/datafile.cpp
-@@ -124,16 +128,22 @@
+@@ -124,16 +124,22 @@
 }
 // read in the rest except the data
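Review bot: The bounds check added to `GetItem` covers `Index`, but the value then read from `m_pItemOffsets[Index]` is added to `m_pItemStart` and cast to `CDatafileItem *` with no range check visible in this hunk. If the offset table is taken from the file unchanged (the loader is outside the hunk, so this is an assumption), an out-of-range offset still produces a pointer outside the item area. Consider rejecting an offset that is negative or that leaves fewer than `sizeof(CDatafileItem)` bytes before the end of the item area, returning through the same path that zeroes `*pType` and `*pID`. `GetItem` continues past the end of the hunk.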
@@ -31,3 +33,27 @@
 CDatafile *pTmpDataFile = (CDatafile*)mem_alloc(AllocSize, 1);
 pTmpDataFile->m_Header = Header;
+@@ -153,7 +159,7 @@
+ io_close(pTmpDataFile->m_File);
+ mem_free(pTmpDataFile);
+ pTmpDataFile = 0;
+- dbg_msg("datafile", "couldn't load the whole thing, wanted=%d got=%d", Size, ReadSize);
++ dbg_msg("datafile", "couldn't load the whole thing, wanted=%d got=%d", unsigned(Size), ReadSize);
+ return false;
+ }
+
+@@ -161,12 +167,12 @@
+ m_pDataFile = pTmpDataFile;
+
+ #if defined(CONF_ARCH_ENDIAN_BIG)
+- swap_endian(m_pDataFile->m_pData, sizeof(int), min(static_cast(Header.m_Swaplen), Size) / sizeof(int));
++ swap_endian(m_pDataFile->m_pData, sizeof(int), min(static_cast(Header.m_Swaplen), static_cast(Size)) / sizeof(int));
+ #endif
+
+ //if(DEBUG)
+ {
+- dbg_msg("datafile", "allocsize=%d", AllocSize);
++ dbg_msg("datafile", "allocsize=%d", unsigned(AllocSize));
+ dbg_msg("datafile", "readsize=%d", ReadSize);
+ dbg_msg("datafile", "swaplen=%d", Header.m_Swaplen);
+ dbg_msg("datafile", "item_size=%d", m_pDataFile->m_Header.m_ItemSize);
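Review bot: The two changed `dbg_msg` calls now pass `unsigned(Size)` and `unsigned(AllocSize)` but keep `%d` in the format string, so the specifier no longer matches the argument type. The CVE-2019-10877 patch in this same upload switched to `%u` for its `unsigned(sizeof(CTile))` argument. Using `wanted=%u got=%d` and `allocsize=%u` would keep the two patches consistent and stop large sizes from being logged as negative numbers. The type of `ReadSize` is not visible here, so its `%d` is left alone.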