packages/libgsf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-36474, CVE-2024-42415

Browse Source 
(cherry picked from commit 7487c247978570eb56c30aadbd4ff46ac4f35b8e)
This commit is contained in:
Funda Wang 2024-10-04 14:43:40 +08:00 committed by openeuler-sync-bot
parent d4a437c2e5
commit c2923393ff
2 changed files with 119 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
backport-CVE-2024-36474-and-CVE-2024-42415.patch Normal file
View File

@ -0,0 +1,106 @@
From 06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0 Mon Sep 17 00:00:00 2001
From: Morten Welinder <terra@gnome.org>
Date: Mon, 30 Sep 2024 20:47:29 -0400
Subject: [PATCH] OLE2: Fix allocation problems.
---
gsf/gsf-infile-msole.c | 27 +++++++++++++++++----------
1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/gsf/gsf-infile-msole.c b/gsf/gsf-infile-msole.c
index e0a1cc5..b1f1c22 100644
--- a/gsf/gsf-infile-msole.c
+++ b/gsf/gsf-infile-msole.c
@@ -302,7 +302,7 @@ datetime_from_filetime (guint64 ft)
* parent is optional. */
static MSOleDirent *
ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent,
- guint8 *seen_before)
+ GByteArray *seen_before)
{
MSOleDirent *dirent;
guint32 block, next, prev, child, size;
@@ -315,12 +315,13 @@ ole_dirent_new (GsfInfileMSOle *ole, guint32 entry, MSOleDirent *parent,
return NULL;
g_return_val_if_fail (entry <= G_MAXUINT / DIRENT_SIZE, NULL);
+ g_return_val_if_fail (entry < seen_before->len, NULL);
block = OLE_BIG_BLOCK (entry * DIRENT_SIZE, ole);
g_return_val_if_fail (block < ole->bat.num_blocks, NULL);
- g_return_val_if_fail (!seen_before[entry], NULL);
- seen_before[entry] = TRUE;
+ g_return_val_if_fail (!seen_before->data[entry], NULL);
+ seen_before->data[entry] = TRUE;
data = ole_get_block (ole, ole->bat.block [block], NULL);
if (data == NULL)
@@ -494,13 +495,14 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
{
static guint8 const signature[] =
{ 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 };
- guint8 *seen_before;
+ GByteArray *seen_before;
guint8 const *header, *tmp;
guint32 *metabat = NULL;
MSOleInfo *info;
guint32 bb_shift, sb_shift, num_bat, num_sbat, num_metabat, threshold, last, dirent_start;
guint32 metabat_block, *ptr;
gboolean fail;
+ size_t num_blocks, isize;
/* check the header */
if (gsf_input_seek (ole->input, 0, G_SEEK_SET) ||
@@ -536,8 +538,9 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
* 2) It makes no sense to have a block larger than 2^31 for now.
* Maybe relax this later, but not much.
*/
+ isize = gsf_input_size (ole->input);
if (6 > bb_shift || bb_shift >= 31 || sb_shift > bb_shift ||
- (gsf_input_size (ole->input) >> bb_shift) < 1) {
+ (isize >> bb_shift) < 1) {
if (err != NULL)
*err = g_error_new (gsf_input_error_id (), 0,
_("Unreasonable block sizes"));
@@ -557,7 +560,7 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
info->threshold = threshold;
info->sbat_start = GSF_LE_GET_GUINT32 (header + OLE_HEADER_SBAT_START);
info->num_sbat = num_sbat;
- info->max_block = (gsf_input_size (ole->input) - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size;
+ info->max_block = (isize - OLE_HEADER_SIZE + info->bb.size -1) / info->bb.size;
info->sb_file = NULL;
if (info->num_sbat == 0 &&
@@ -566,9 +569,11 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
g_warning ("There are not supposed to be any blocks in the small block allocation table, yet there is a link to some. Ignoring it.");
}
+ num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE);
+
/* very rough heuristic, just in case */
- if (num_bat < info->max_block && info->num_sbat < info->max_block) {
- info->bb.bat.num_blocks = num_bat * (info->bb.size / BAT_INDEX_SIZE);
+ if (num_bat < info->max_block && info->num_sbat < info->max_block && num_blocks < G_MAXINT) {
+ info->bb.bat.num_blocks = num_blocks;
info->bb.bat.block = g_new0 (guint32, info->bb.bat.num_blocks);
metabat = g_try_new (guint32, MAX (info->bb.size, OLE_HEADER_SIZE));
@@ -648,10 +653,12 @@ ole_init_info (GsfInfileMSOle *ole, GError **err)
}
/* Read the directory */
- seen_before = g_malloc0 ((ole->bat.num_blocks << info->bb.shift) * DIRENT_SIZE + 1);
+ seen_before = g_byte_array_new ();
+ g_byte_array_set_size (seen_before, ((size_t)(ole->bat.num_blocks) << info->bb.shift) / DIRENT_SIZE + 1);
+ memset (seen_before->data, 0, seen_before->len);
ole->dirent = info->root_dir =
ole_dirent_new (ole, 0, NULL, seen_before);
- g_free (seen_before);
+ g_byte_array_unref (seen_before);
if (ole->dirent == NULL) {
if (err != NULL)
*err = g_error_new (gsf_input_error_id (), 0,
--
GitLab

35
libgsf.spec
View File

@ -1,10 +1,11 @@
Name: libgsf Name: libgsf
Version: 1.14.50 Version: 1.14.50
Release: 1 Release: 2
Summary: GNOME Structured File library Summary: GNOME Structured File library
License: LGPLv2 License: LGPL-2.1-only
URL: https://gitlab.gnome.org/GNOME/libgsf URL: https://gitlab.gnome.org/GNOME/libgsf
Source: https://download.gnome.org/sources/%{name}/1.14/%{name}-%{version}.tar.xz Source: https://download.gnome.org/sources/%{name}/1.14/%{name}-%{version}.tar.xz
Patch0: backport-CVE-2024-36474-and-CVE-2024-42415.patch
BuildRequires: bzip2-devel chrpath gettext glib2-devel gobject-introspection-devel BuildRequires: bzip2-devel chrpath gettext glib2-devel gobject-introspection-devel
BuildRequires: libxml2-devel intltool gdk-pixbuf2-devel BuildRequires: libxml2-devel intltool gdk-pixbuf2-devel
@ -20,37 +21,26 @@ Requires: libgsf = %{version}-%{release}, glib2-devel, libxml2-devel pkgconfig
%description devel %description devel
Support files necessary to compile applications with libgsf Support files necessary to compile applications with libgsf
%package help %package_help
Summary: The man for %{name}
Requires: libgsf = %{version}-%{release}
%description help
This sub-package provides the man for %{name}
%prep %prep
%autosetup -n %{name}-%{version} -p1 %autosetup -n %{name}-%{version} -p1
%build %build
%configure --disable-gtk-doc --enable-introspection=yes %configure --disable-gtk-doc --enable-introspection=yes --disable-static
%make_build
make %{?_smp_mflags} V=1
%install %install
export GCONF_DISABLE_MAKEFILE_SCHEMA_INSTALL=1
%make_install %make_install
%delete_la
%find_lang %{name} %find_lang %{name}
chrpath --delete %{buildroot}%{_bindir}/gsf* chrpath --delete %{buildroot}%{_bindir}/gsf*
%delete_la_and_a
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files -f libgsf.lang %files -f libgsf.lang
%doc AUTHORS COPYING COPYING.LIB README %license COPYING COPYING.LIB
%doc AUTHORS README
%{_libdir}/libgsf-1.so.* %{_libdir}/libgsf-1.so.*
%{_libdir}/girepository-1.0/Gsf-1.typelib %{_libdir}/girepository-1.0/Gsf-1.typelib
%{_bindir}/gsf-office-thumbnailer %{_bindir}/gsf-office-thumbnailer
@ -66,11 +56,12 @@ chrpath --delete %{buildroot}%{_bindir}/gsf*
%{_datadir}/gir-1.0/Gsf-1.gir %{_datadir}/gir-1.0/Gsf-1.gir
%files help %files help
%{_mandir}/man1/gsf-office-thumbnailer.1.gz %{_mandir}/man1/*
%{_mandir}/man1/gsf.1.gz
%{_mandir}/man1/gsf-vba-dump.1.gz
%changelog %changelog
* Fri Oct 04 2024 Funda Wang <fundawang@yeah.net> - 1.14.50-2
- fix CVE-2024-36474, CVE-2024-42415
* Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1.14.50-1 * Mon Jan 2 2023 lin zhang <lin.zhang@turbolinux.com.cn> - 1.14.50-1
- Update to 1.14.50 - Update to 1.14.50