Debian Patches

Status for bsdiff/4.3-22

Patch Description Author Forwarded Bugs Origin Last update
Patch: 10-no-bsd-make.patch
Description: Remove BSDism from Makefile
Author: Jari Aalto <jari.aalto@cante.net>
Forwarded: invalid
Origin: upstream

Patch: 20-CVE-2014-9862.patch
Description: CVE-2014-9862 - check for a negative value on numbers of bytes

The implementation of bspatch does not check for a negative value on numbers of bytes read from the diff and extra streams, allowing an attacker who can control the patch file to write at arbitrary locations in the heap.

bspatch's main loop reads three numbers from the "control" stream in the patch: X, Y and Z. The first two are the number of bytes to read from "diff" and "extra" (and thus only non-negative), while the third one could be positive or negative and moves the oldpos pointer on the source image. These 3 values are 64-bit signed ints (encoded somehow on the file) that are later passed to the function that reads from the streams, but those values are not verified to be non-negative.

Official report: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862
The patch was downloaded from a link pointed to by https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp

Author: The FreeBSD Project
Forwarded: yes
Origin: upstream

Patch: 30-bug-632585-mmap-src-file-instead-of-malloc-read-it.patch
Description: [PATCH 1/3] mmap() src file instead of malloc() + read() it
Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Forwarded: invalid
Origin: upstream
Last update: 2016-10-31

Patch: 31-bug-632585-mmap-dst-file-instead-of-malloc-read-it.patch
Description: [PATCH 2/3] mmap() dst file instead of malloc() + read() it

This drops the memory pressure since the OS may now drop and reload parts of the old and new file on demand.

Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Forwarded: invalid
Origin: upstream
Last update: 2011-07-02

Patch: 32-bug-632585-use-int32_t-instead-off_t-for-file-size.patch
Description: [PATCH 3/3] use int32_t instead off_t for file size

Using off_t (64bit) is kinda waste. With last change we only need 16x the size of the old file. So for a 2GiB - 1 file we would allocate almost 32GiB (the content of the old file would be loaded on demand from disk). This is a lot. Since the file size is less than 2GiB we leave the upper 4 bytes unused.
With this change the max file size is limited to 2GiB - 1 and we require 8x the size of the oldfile which makes almost 16GiB.

When we assume a virtual address space of 3GiB on a 32bit then the max oldsize increased from about ~180MiB to ~341MiB.

_If_ someone sees this as a regression because files >2GiB can not be used anymore please provide another binary with -DUSE_OFF_T. The binary has less than 20KiB.

Author: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Forwarded: invalid
Origin: upstream
Last update: 2016-10-31

Patch: 33-CVE-2020-14315.patch
Description: patch for CVE-2020-14315

A memory corruption vulnerability is present in bspatch as shipped in Colin Percival’s bsdiff tools version 4.3. Insufficient checks when handling external inputs allow an attacker to bypass the sanity checks in place and write out of a dynamically allocated buffer's boundaries.
"Confirmed Patched Version" [1] documented in the X41 D-SEC GmbH Security Advisory: X41-2020-006 [2].
References to FreeBSD capsicum have been dropped. Definitions for TYPE_MINIMUM and TYPE_MAXIMUM have been borrowed from the Debian coreutils package sources but originate in gnulib [3] and are used to define OFF_MIN and OFF_MAX (limits of off_t). Whitespace changes from the confirmed patched version are also included and keep the difference between the Debian sources and the confirmed patched version minimal.

[1] https://svnweb.freebsd.org/base/head/usr.bin/bsdiff/bspatch/bspatch.c?revision=352742&view=co
[2] https://www.openwall.com/lists/oss-security/2020/07/09/2
[3] https://www.gnu.org/software/gnulib/

Author: tony mancill <tmancill@debian.org>
Forwarded: not-needed
Origin: debian
Last update: 2021-04-03
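
The control-tuple check that the 20-CVE-2014-9862.patch description calls for, written out as an added example (this is not the Debian or FreeBSD patch itself). It goes beyond the non-negativity test by also bounding X and Y against the output buffer and rejecting signed overflow of oldpos; the struct, field and function names are assumptions, and newpos is assumed to start within 0..newsize.

```c
#include <stdbool.h>
#include <stdint.h>

/* Patch-application cursor; field names are assumptions for this example. */
struct cursor {
    int64_t oldpos;   /* position in the source image, moved by Z */
    int64_t newpos;   /* write position in the output buffer */
    int64_t newsize;  /* size of the allocated output buffer */
};

/* a + b without signed overflow; returns false if it would overflow. */
static bool add_i64(int64_t a, int64_t b, int64_t *out)
{
    if ((b > 0 && a > INT64_MAX - b) || (b < 0 && a < INT64_MIN - b))
        return false;
    *out = a + b;
    return true;
}

/*
 * Check one control tuple (X, Y, Z) and, if sane, advance the cursor.
 * Returns false for a corrupt tuple and leaves *c unchanged.
 */
bool ctrl_step(struct cursor *c, int64_t x, int64_t y, int64_t z)
{
    int64_t oldpos, newpos = c->newpos;

    /* X and Y are byte counts for "diff" and "extra": never negative. */
    if (x < 0 || y < 0)
        return false;
    /* X diff bytes must fit in the space left in the output buffer. */
    if (x > c->newsize - newpos)
        return false;
    newpos += x;
    /* Y extra bytes must fit in what is left after the diff bytes. */
    if (y > c->newsize - newpos)
        return false;
    newpos += y;
    /* oldpos advances by X, then moves by the signed Z; neither may wrap. */
    if (!add_i64(c->oldpos, x, &oldpos) || !add_i64(oldpos, z, &oldpos))
        return false;

    c->oldpos = oldpos;
    c->newpos = newpos;
    return true;
}
```

A caller would run this on every tuple before reading from the diff and extra streams, and abort on the first false return.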
