Merge lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5 into lp:ubuntu/raring/swi-prolog

Proposed by Logan Rosen
Status: Merged
Merged at revision: 25
Proposed branch: lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5
Merge into: lp:ubuntu/raring/swi-prolog
Diff against target: 447 lines (+289/-25)
8 files modified
.pc/applied-patches (+2/-0)
debian/changelog (+22/-0)
debian/patches/CVE-2012-6089.diff (+97/-0)
debian/patches/CVE-2012-6090.diff (+126/-0)
debian/patches/series (+2/-0)
src/os/pl-buffer.h (+2/-0)
src/os/pl-glob.c (+27/-17)
src/os/pl-os.c (+11/-8)
To merge this branch: bzr merge lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5
Reviewer Review Type Date Requested Status
Ubuntu branches Pending
Review via email: mp+143007@code.launchpad.net

Preview Diff

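--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -1,2 +1,4 @@
 swi-prolog-mipsel-FTBFS.diff
 java-compat.patch
+CVE-2012-6089.diff
+CVE-2012-6090.diff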
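--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+swi-prolog (5.10.4-5ubuntu1) raring; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - Transition package to use default java implementation:
+ + debian/control: BD on default-jdk instead of openjdk-6-jdk, switch
+ primary runtime dependency to default-jre-headless.
+ + debian/patches/java-compat.patch: Set source/target = 1.5 to ensure
+ that backwards compatible bytecode is built.
+
+ -- Logan Rosen <logatronico@gmail.com> Fri, 11 Jan 2013 02:26:03 -0500
+
+swi-prolog (5.10.4-5) unstable; urgency=medium
+
+ * New patches (taken from RedHat bugzilla, closes: #697416):
+ - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in
+ path canonisation code
+ - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows
+ when expanding file-names with long paths
+ * Urgency "medium" because of a fix for a security bug
+
+ -- Євгеній Мещеряков <eugen@debian.org> Sat, 05 Jan 2013 03:43:46 +0100
+
 swi-prolog (5.10.4-4ubuntu1) raring; urgency=low
 
 * Merge from Debian unstable. Remaining changes: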
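--- a/debian/patches/CVE-2012-6089.diff
+++ b/debian/patches/CVE-2012-6089.diff
@@ -0,0 +1,97 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6089 - Possible buffer overrun in path canonisation code
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6089
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 6149f39ada50f7ebc6b0cb7756490a0fea967bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:33:11 +0100
+Subject: [PATCH 1/2] Fix CVE-2012-6089
+
+Upstream fix ported to 5.10.2:
+
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks. Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/pl-buffer.h | 2 ++
+ src/pl-os.c | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/src/os/pl-buffer.h
++++ b/src/os/pl-buffer.h
+@@ -83,6 +83,8 @@
+ sizeof((b)->static_buffer))
+ #define emptyBuffer(b) ((b)->top = (b)->base)
+ #define isEmptyBuffer(b) ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++ ((b)->top -= sizeof(type), *(type*)(b)->top)
+
+ #define discardBuffer(b) \
+ do \
+--- a/src/os/pl-os.c
++++ b/src/os/pl-os.c
+@@ -1081,8 +1081,7 @@
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+- char *osave[100];
+- int osavep = 0;
++ tmp_buffer saveb;
+
+ #ifdef O_HASDRIVES /* C: */
+ if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1110,7 +1109,8 @@
+ in += 2;
+ if ( in[0] == '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ initBuffer(&saveb);
++ addBuffer(&saveb, out, char*);
+
+ while(*in)
+ { if (*in == '/')
+@@ -1126,15 +1126,15 @@
+ }
+ if ( in[2] == EOS ) /* delete trailing /. */
+ { *out = EOS;
+- return path;
++ goto out;
+ }
+ if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+- { if ( osavep > 0 ) /* delete /foo/../ */
+- { out = osave[--osavep];
++ { if ( !isEmptyBuffer(&saveb) ) /* delete /foo/../ */
++ { out = popBuffer(&saveb, char*);
+ in += 3;
+ if ( in[0] == EOS && out > start+1 )
+ { out[-1] = EOS; /* delete trailing / */
+- return path;
++ goto out;
+ }
+ goto again;
+ } else if ( start[0] == '/' && out == start+1 )
+@@ -1148,12 +1148,15 @@
+ in++;
+ if ( out > path && out[-1] != '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ addBuffer(&saveb, out, char*);
+ } else
+ *out++ = *in++;
+ }
+ *out++ = *in++;
+
++out:
++ discardBuffer(&saveb);
++
+ return path;
+ }
+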
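--- a/debian/patches/CVE-2012-6090.diff
+++ b/debian/patches/CVE-2012-6090.diff
@@ -0,0 +1,126 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6090 - Possible buffer overflows when expanding file-names with long paths
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6090
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 212e2fcac834dec25a4fa0f4fd4652bfd19cdeea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:35:27 +0100
+Subject: [PATCH 2/2] Fix CVE-2012-6090
+
+Upstream fix ported to 5.10.2:
+
+From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 17:29:37 +0100
+Subject: [PATCH] SECURITY: Possible buffer overflows when expanding
+ file-names with long paths. Affects expand_file_name/2.
+
+Can lead to crashes (DoS attacks) and possibly execution of arbitrary
+code if an attacker can control the names of the files searched for,
+e.g., if expand_file_name/2 is used in a directory to which an attacker
+can upload files for which he can control the name.
+---
+ src/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/src/pl-glob.c b/src/pl-glob.c
+index 417a69c..1fad6ca 100644
+--- a/src/os/pl-glob.c
++++ b/src/os/pl-glob.c
+@@ -423,6 +423,7 @@ expand(const char *pattern, GlobInfo info)
+ compiled_pattern cbuf;
+ char prefix[MAXPATHLEN]; /* before first pattern */
+ char patbuf[MAXPATHLEN]; /* pattern buffer */
++ size_t prefix_len;
+ int end, dot;
+
+ initBuffer(&info->files);
+@@ -441,20 +442,25 @@ expand(const char *pattern, GlobInfo info)
+ switch( (c=*s++) )
+ { case EOS:
+ if ( s > pat ) /* something left and expanded */
+- { un_escape(prefix, pat, s);
++ { size_t prefix_len;
++
++ un_escape(prefix, pat, s);
++ prefix_len = strlen(prefix);
+
+ end = info->end;
+ for( ; info->start < end; info->start++ )
+ { char path[MAXPATHLEN];
+- size_t plen;
+-
+- strcpy(path, expand_entry(info, info->start));
+- plen = strlen(path);
+- if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+- path[plen++] = '/';
+- strcpy(&path[plen], prefix);
+- if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+- add_path(path, info);
++ const char *entry = expand_entry(info, info->start);
++ size_t plen = strlen(entry);
++
++ if ( plen+prefix_len+2 <= MAXPATHLEN )
++ { strcpy(path, entry);
++ if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
++ path[plen++] = '/';
++ strcpy(&path[plen], prefix);
++ if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
++ add_path(path, info);
++ }
+ }
+ }
+ succeed;
+@@ -489,8 +495,9 @@ expand(const char *pattern, GlobInfo info)
+ */
+ un_escape(prefix, pat, head);
+ un_escape(patbuf, head, tail);
++ prefix_len = strlen(prefix);
+
+- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
++ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
+ fail;
+ dot = (patbuf[0] == '.'); /* do dots as well */
+
+@@ -502,12 +509,16 @@ expand(const char *pattern, GlobInfo info)
+ char path[MAXPATHLEN];
+ char tmp[MAXPATHLEN];
+ const char *current = expand_entry(info, info->start);
++ size_t clen = strlen(current);
++
++ if ( clen+prefix_len+1 > sizeof(path) )
++ continue;
+
+ strcpy(path, current);
+- strcat(path, prefix);
++ strcpy(&path[clen], prefix);
+
+ if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
+- { size_t plen = strlen(path);
++ { size_t plen = clen+prefix_len;
+
+ if ( plen > 0 && path[plen-1] != '/' )
+ path[plen++] = '/';
+@@ -521,12 +532,11 @@ expand(const char *pattern, GlobInfo info)
+ matchPattern(e->d_name, &cbuf) )
+ { char newp[MAXPATHLEN];
+
+- strcpy(newp, path);
+- strcpy(&newp[plen], e->d_name);
+-/* if ( !tail[0] || ExistsDirectory(newp) )
+- Saves memory, but involves one more file-access
+-*/
++ if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
++ { strcpy(newp, path);
++ strcpy(&newp[plen], e->d_name);
+ add_path(newp, info);
++ }
+ }
+ }
+ closedir(d);
+--
+1.7.11.7
+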
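--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 swi-prolog-mipsel-FTBFS.diff
 java-compat.patch
+CVE-2012-6089.diff
+CVE-2012-6090.diff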
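--- a/src/os/pl-buffer.h
+++ b/src/os/pl-buffer.h
@@ -83,6 +83,8 @@
 sizeof((b)->static_buffer))
 #define emptyBuffer(b) ((b)->top = (b)->base)
 #define isEmptyBuffer(b) ((b)->top == (b)->base)
+#define popBuffer(b,type) \
+ ((b)->top -= sizeof(type), *(type*)(b)->top)
 
 #define discardBuffer(b) \
 do \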
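Review bot: `popBuffer` at L315-316 has no underflow guard — it unconditionally moves `top` back by `sizeof(type)` and dereferences it, so a call on an empty buffer moves `top` below `base` and reads from there; the only caller in this diff (pl-os.c) does test `isEmptyBuffer` first, but the macro should state that precondition itself. I would put above it: `/* Pop the last value pushed with addBuffer(b, v, type). No underflow check: caller must test !isEmptyBuffer(b) first. (b) is evaluated more than once. */`. The same macro text is carried in debian/patches/CVE-2012-6089.diff, so the comment belongs there too to keep the quilt patch and the tree in step.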
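--- a/src/os/pl-glob.c
+++ b/src/os/pl-glob.c
@@ -423,6 +423,7 @@
 compiled_pattern cbuf;
 char prefix[MAXPATHLEN]; /* before first pattern */
 char patbuf[MAXPATHLEN]; /* pattern buffer */
+ size_t prefix_len;
 int end, dot;
 
 initBuffer(&info->files);
@@ -441,20 +442,25 @@
 switch( (c=*s++) )
 { case EOS:
 if ( s > pat ) /* something left and expanded */
- { un_escape(prefix, pat, s);
+ { size_t prefix_len;
+
+ un_escape(prefix, pat, s);
+ prefix_len = strlen(prefix);
 
 end = info->end;
 for( ; info->start < end; info->start++ )
 { char path[MAXPATHLEN];
- size_t plen;
+ const char *entry = expand_entry(info, info->start);
+ size_t plen = strlen(entry);
 
- strcpy(path, expand_entry(info, info->start));
- plen = strlen(path);
- if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
- path[plen++] = '/';
- strcpy(&path[plen], prefix);
- if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
- add_path(path, info);
+ if ( plen+prefix_len+2 <= MAXPATHLEN )
+ { strcpy(path, entry);
+ if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+ path[plen++] = '/';
+ strcpy(&path[plen], prefix);
+ if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+ add_path(path, info);
+ }
 }
 }
 succeed;
@@ -489,8 +495,9 @@
 */
 un_escape(prefix, pat, head);
 un_escape(patbuf, head, tail);
+ prefix_len = strlen(prefix);
 
- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
+ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
 fail;
 dot = (patbuf[0] == '.'); /* do dots as well */
 
@@ -502,12 +509,16 @@
 char path[MAXPATHLEN];
 char tmp[MAXPATHLEN];
 const char *current = expand_entry(info, info->start);
+ size_t clen = strlen(current);
+
+ if ( clen+prefix_len+1 > sizeof(path) )
+ continue;
 
 strcpy(path, current);
- strcat(path, prefix);
+ strcpy(&path[clen], prefix);
 
 if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
- { size_t plen = strlen(path);
+ { size_t plen = clen+prefix_len;
 
 if ( plen > 0 && path[plen-1] != '/' )
 path[plen++] = '/';
@@ -521,12 +532,11 @@
 matchPattern(e->d_name, &cbuf) )
 { char newp[MAXPATHLEN];
 
- strcpy(newp, path);
- strcpy(&newp[plen], e->d_name);
-/* if ( !tail[0] || ExistsDirectory(newp) )
- Saves memory, but involves one more file-access
-*/
+ if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
+ { strcpy(newp, path);
+ strcpy(&newp[plen], e->d_name);
 add_path(newp, info);
+ }
 }
 }
 closedir(d);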
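Review bot: `strcpy(newp, path)` at L407 still depends on `path` being NUL-terminated at `path[plen]`, yet the separator written at L396 overwrites the terminator that `strcpy(&path[clen], prefix)` at L389 put there and nothing in these hunks writes a new one (the lines between the hunks are not shown, so this may be handled there); since `plen` is already known, `memcpy(newp, path, plen);` removes the dependency and matches the length-based guard on the line above. Relatedly, the guard at L384 reserves `clen+prefix_len+1` bytes while L396 may append one more, so when `clen+prefix_len+1 == sizeof(path)` the slash lands in the last byte with no room for a terminator; `if ( clen+prefix_len+2 > sizeof(path) )` would mirror the `+2` used at L356. The inner `size_t prefix_len;` at L337 shadows the function-scope variable added at L328 and can simply be dropped. The same code is carried in debian/patches/CVE-2012-6090.diff and should be changed in step.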
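--- a/src/os/pl-os.c
+++ b/src/os/pl-os.c
@@ -1081,8 +1081,7 @@
 char *
 canoniseFileName(char *path)
 { char *out = path, *in = path, *start = path;
- char *osave[100];
- int osavep = 0;
+ tmp_buffer saveb;
 
 #ifdef O_HASDRIVES /* C: */
 if ( in[1] == ':' && isLetter(in[0]) )
@@ -1110,7 +1109,8 @@
 in += 2;
 if ( in[0] == '/' )
 *out++ = '/';
- osave[osavep++] = out;
+ initBuffer(&saveb);
+ addBuffer(&saveb, out, char*);
 
 while(*in)
 { if (*in == '/')
@@ -1126,15 +1126,15 @@
 }
 if ( in[2] == EOS ) /* delete trailing /. */
 { *out = EOS;
- return path;
+ goto out;
 }
 if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
- { if ( osavep > 0 ) /* delete /foo/../ */
- { out = osave[--osavep];
+ { if ( !isEmptyBuffer(&saveb) ) /* delete /foo/../ */
+ { out = popBuffer(&saveb, char*);
 in += 3;
 if ( in[0] == EOS && out > start+1 )
 { out[-1] = EOS; /* delete trailing / */
- return path;
+ goto out;
 }
 goto again;
 } else if ( start[0] == '/' && out == start+1 )
@@ -1148,12 +1148,15 @@
 in++;
 if ( out > path && out[-1] != '/' )
 *out++ = '/';
- osave[osavep++] = out;
+ addBuffer(&saveb, out, char*);
 } else
 *out++ = *in++;
 }
 *out++ = *in++;
 
+out:
+ discardBuffer(&saveb);
+
 return path;
 }
 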
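Review bot: the new label `out:` at L469 has the same name as the local variable `out` that the function writes through throughout (L421, L431, L441, L449); labels live in their own namespace so this compiles, but `goto out` at L443 and L454 reads as if it jumped through a pointer. Renaming it, e.g. `done:` with matching `goto done;`, avoids the confusion. `initBuffer(&saveb)` at L433 is some twenty lines after the declaration at L424 and the lines in between are outside the hunks; initialising `saveb` immediately after the declaration would let every exit of the function, including any in those unseen lines, reach the cleanup label without special-casing whether the buffer was initialised. The same change is carried in debian/patches/CVE-2012-6089.diff and should be kept in step.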
