From e68da29cac6074fe92f83d08c558b6db26b436e6 Mon Sep 17 00:00:00 2001 From: Bruno Wolff III Date: Tue, 23 Jun 2015 18:12:25 -0500 Subject: [PATCH] Fix for CVE-2015-4645/4646 --- cve-2015-4645.patch | 29 +++++++++++++++++++++++++++++ squashfs-tools.spec | 12 ++++++++++-- 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 cve-2015-4645.patch diff --git a/cve-2015-4645.patch b/cve-2015-4645.patch new file mode 100644 index 0000000..0f789d5 --- /dev/null +++ b/cve-2015-4645.patch @@ -0,0 +1,29 @@ +diff --git a/unsquash-4.c b/unsquash-4.c +index ecdaac796f09..2c0cf63daf67 100644 +--- a/unsquash-4.c ++++ b/unsquash-4.c +@@ -31,9 +31,9 @@ static unsigned int *id_table; + int read_fragment_table_4(long long *directory_table_end) + { + int res, i; +- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments); +- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments); +- long long fragment_table_index[indexes]; ++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments); ++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments); ++ long long *fragment_table_index; + + TRACE("read_fragment_table: %d fragments, reading %d fragment indexes " + "from 0x%llx\n", sBlk.s.fragments, indexes, +@@ -44,6 +44,11 @@ int read_fragment_table_4(long long *directory_table_end) + return TRUE; + } + ++ fragment_table_index = malloc(indexes*sizeof(long long)); ++ if(fragment_table_index == NULL) ++ EXIT_UNSQUASH("read_fragment_table: failed to allocate " ++ "fragment table index\n"); ++ + fragment_table = malloc(bytes); + if(fragment_table == NULL) + EXIT_UNSQUASH("read_fragment_table: failed to allocate " diff --git a/squashfs-tools.spec b/squashfs-tools.spec index 9b6823d..e519ab7 100644 --- a/squashfs-tools.spec +++ b/squashfs-tools.spec @@ -1,7 +1,7 @@ Summary: Utility for the creation of squashfs filesystems Name: squashfs-tools Version: 4.3 -Release: 9%{?dist} +Release: 10%{?dist} License: GPLv2+ Group: System Environment/Base URL: http://squashfs.sourceforge.net/ @@ -18,7 +18,11 @@ Patch0: PAE.patch Patch1: mem-overflow.patch # From squashfs-devel@lists.sourceforge.net by Guan Xin # For https://bugzilla.redhat.com/show_bug.cgi?id=1141206 -PAtch2: 2gb.patch +Patch2: 2gb.patch +# From https://github.com/gcanalesb/sasquatch/commit/6777e08cc38bc780d27c69c1d8c272867b74524f +# Which is forked from Phillip's squashfs-tools, though it looks like +# the issue applies to us. +Patch3: cve-2015-4645.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: zlib-devel BuildRequires: xz-devel @@ -35,6 +39,7 @@ contains the utilities for manipulating squashfs filesystems. %patch0 -p1 %patch1 -p1 %patch2 -p0 +%patch3 -p1 %build pushd squashfs-tools @@ -61,6 +66,9 @@ rm -rf %{buildroot} %{_sbindir}/unsquashfs %changelog +* Tue Jun 23 2015 Bruno Wolff III - 4.3-10 +- Fix for CVE 2015-4645/4646 + * Fri Jun 19 2015 Fedora Release Engineering - 4.3-9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild