| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 10-no-bsd-make.patch | Remove BSDism from Makefile | Jari Aalto <jari.aalto@cante.net> | invalid | upstream | ||
| 20-CVE-2014-9862.patch | CVE-2014-9862 - check for a negative value on numbers of bytes The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap. . bspatch's main loop reads three numbers from the "control" stream in the patch: X, Y and Z. The first two are the number of bytes to read from "diff" and "extra" (and thus only non-negative), while the third one could be positive or negative and moves the oldpos pointer on the source image. These 3 values are 64bits signed ints (encoded somehow on the file) that are later passed the function that reads from the streams, but those values are not verified to be non-negative. . Official report https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862 The patch was downloaded from a link pointed by https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp |
The FreeBSD Project | yes | upstream | ||
| 30-bug-632585-mmap-src-file-instead-of-malloc-read-it.patch | [PATCH 1/3] mmap() src file instead of malloc() + read() it | Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | invalid | upstream | 2016-10-31 | |
| 31-bug-632585-mmap-dst-file-instead-of-malloc-read-it.patch | [PATCH 2/3] mmap() dst file instead of malloc() + read() it This drops the memory pressure since the OS may now drop and reload parts of the old and new file on demand. |
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> | invalid | upstream | 2011-07-02 | |
| 32-bug-632585-use-int32_t-instead-off_t-for-file-size.patch | [PATCH 3/3] use int32_t instead off_t for file size Using off_t (64bit) is kinda waste. With last change we only need 16x the size of the old file. So for a 2GiB - 1 file we would allocate almost 32GiB (the content of the old file would be loaded on demand from disk). This is a lot. Since the file size is less than 2GiB we leave the upper 4 bytes unused. With this change the max file size is limitted to 2GiB - 1 and we require 8x the size of the oldfile which makes almost 16GiB. When we assume a virtual address space of 3GiB on a 32bit then the max oldsize increased from about ~180MiB to ~341MiB. _If_ some sees this as a regression because files >2GiB can not be used anymore please provide another binary with -DUSE_OFF_T. The binary has less than 20KiB. |
Sebastian Andrzej Siewior <bigeasy@linutronix.de> | invalid | upstream | 2016-10-31 | |
| 33-CVE-2020-14315.patch | patch for CVE-2020-14315 A memory corruption vulnerability is present in bspatch as shipped in Colin Percival’s bsdiff tools version 4.3. Insufficient checks when handling external inputs allows an attacker to bypass the sanity checks in place and write out of a dynamically allocated buffer boundaries. "Confirmed Patched Version" [1] documented in the X41 D-SEC GmbH Security Advisory: X41-2020-006 [2]. References to FreeBSD capsicum have been dropped. Definitions for TYPE_MINIMUM and TYPE_MAXIMUM have been borrowed from the Debian coreutils package sources but originate in gnulib [3] and are used to define OFF_MIN and OFF_MAX (limits of off_t). Whitespace changes from the confirmed patched version are also included and keep the difference between the Debian sources and the confirmed patched version minimal. . [1] https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co [2] https://www.openwall.com/lists/oss-security/2020/07/09/2 [3] https://www.gnu.org/software/gnulib/ |
tony mancill <tmancill@debian.org> | not-needed | debian | 2021-04-03 |