- From: The FreeBSD Project
- Bug: https://security-tracker.debian.org/tracker/CVE-2014-9862
- Subject: CVE-2014-9862 - check for a negative value on numbers of bytes
- The implementation of bspatch does not check for a negative value on numbers
- of bytes read from the diff and extra streams, allowing an attacker who
- can control the patch file to write at arbitrary locations in the heap.
- .
- bspatch's main loop reads three numbers from the "control" stream in
- the patch: X, Y and Z. The first two are the number of bytes to read
- from "diff" and "extra" (and thus only non-negative), while the
- third one could be positive or negative and moves the oldpos pointer
- on the source image. These 3 values are 64-bit signed ints (encoded
- somehow on the file) that are later passed to the function that reads
- from the streams, but those values are not verified to be
- non-negative.
- .
- Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
- The patch was downloaded from a link pointed to by
- https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
- ---
- bspatch.c | 4 ++++
- 1 file changed, 4 insertions(+)
- --- a/bspatch.c
- +++ b/bspatch.c
- @@ -152,6 +152,10 @@ int main(int argc,char * argv[])
- };
-
- /* Sanity-check */
- + if ((ctrl[0] < 0) || (ctrl[1] < 0))
- + errx(1,"Corrupt patch\n");
- +
- + /* Sanity-check */
- if(newpos+ctrl[0]>newsize)
- errx(1,"Corrupt patch\n");
-
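Review bot: the new `ctrl[0] < 0 || ctrl[1] < 0` test is correctly placed before the existing `newpos+ctrl[0]>newsize` check, since a negative ctrl[0] would otherwise pass that bound and the read that follows would be sized from an attacker-chosen negative length; the hunk leaves ctrl[2] untouched, which the description says moves oldpos and may legitimately be negative, so the oldpos bound against the old file has to be verified separately and is not visible here. Minor style point: the added `/* Sanity-check */` comment duplicates the one immediately below it; a single comment covering both tests, or a more specific one such as `/* Reject negative diff/extra lengths */`, would read better.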
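As an added illustration of the check this patch introduces (example code written for this page, not bspatch's own code nor part of the FreeBSD patch), the C sketch below decodes the three control integers X, Y, Z and rejects the triple when either length is negative. It assumes bsdiff's sign-magnitude little-endian integer encoding, which the description above leaves unspecified; the helper names offtin/offtout and check_triple are this example's own.

```c
#include <stdint.h>

/* Decode one 8-byte control integer: little-endian magnitude in the low
 * 63 bits, sign in the top bit of byte 7 (assumed bsdiff encoding; the
 * patch description leaves it unspecified). */
static int64_t offtin(const uint8_t *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = (y << 8) | buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* Inverse of offtin, used only to build constructed test input. */
static void offtout(int64_t x, uint8_t *buf)
{
    uint64_t y = x < 0 ? (uint64_t)0 - (uint64_t)x : (uint64_t)x;
    for (int i = 0; i < 8; i++) { buf[i] = y & 0xFF; y >>= 8; }
    if (x < 0) buf[7] |= 0x80;
}

/* Read the control triple X, Y, Z and apply the checks in the patch.
 * Returns 0 if the triple is usable, -1 for a corrupt patch. */
int read_control(const uint8_t ctrlbuf[24], int64_t newpos,
                 int64_t newsize, int64_t ctrl[3])
{
    for (int i = 0; i < 3; i++)
        ctrl[i] = offtin(ctrlbuf + 8 * i);
    /* CVE-2014-9862: diff/extra lengths must be non-negative; without
     * this test a negative ctrl[0] slips past the size check below. */
    if (ctrl[0] < 0 || ctrl[1] < 0)
        return -1;
    if (newpos + ctrl[0] > newsize)
        return -1;
    return 0;
}

/* Encode a constructed triple and validate it (hypothetical helper). */
int check_triple(int64_t x, int64_t y, int64_t z,
                 int64_t newpos, int64_t newsize)
{
    uint8_t buf[24];
    int64_t ctrl[3];
    offtout(x, buf); offtout(y, buf + 8); offtout(z, buf + 16);
    return read_control(buf, newpos, newsize, ctrl);
}
```

A negative Z (the oldpos move) is accepted by this check, matching the patch; only the two stream lengths are constrained here.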