bsdiff-portable

A more portable version of Colin Percival's bsdiff
git clone git://git.sgregoratto.me/bsdiff-portable

commit 7438b720cf491848fb724fdfaaea63fd8f54ecf9
parent e75aed98c0290999f101c56161c7ce38004693d7
Author: The FreeBSD Project <secteam@FreeBSD.org>
Date:   Wed, 23 Sep 2020 16:36:46 +1000

CVE-2014-9862 - check for a negative value on numbers of bytes

The implementation of bspatch does not check for a negative value on
numbers of bytes read from the diff and extra streams, allowing an
attacker who can control the patch file to write at arbitrary locations
in the heap.

bspatch's main loop reads three numbers from the "control" stream in the
patch: X, Y and Z. The first two are the number of bytes to read from
"diff" and "extra" (and thus only non-negative), while the third one
could be positive or negative and moves the oldpos pointer on the source
image. These 3 values are 64-bit signed ints (encoded somehow on the
file) that are later passed to the function that reads from the streams,
but those values are not verified to be non-negative.

Official report
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9862

The patch was downloaded from a link pointed to by
https://security.freebsd.org/advisories/FreeBSD-SA-16:25.bsp
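The control-record handling the message describes, as an added example that is not the project's or FreeBSD's code: it decodes one 24-byte (X, Y, Z) record in bsdiff's 8-byte integer encoding, applies the non-negativity check this commit adds, and writes the output-buffer bounds check as a subtraction so a huge X cannot wrap the addition. `offtin` re-implements bsdiff's decoder; `check_control` is a hypothetical helper standing in for the inline `errx(1,"Corrupt patch")` calls in bspatch.c.

```c
#include <stdint.h>

/* Decode bsdiff's 8-byte integer: little-endian magnitude in bytes 0..6
 * plus the low 7 bits of byte 7, sign in the top bit of byte 7. This is
 * the same layout as bsdiff's offtin(), re-implemented for the example. */
static int64_t offtin(const uint8_t *buf)
{
    int64_t y = buf[7] & 0x7F;
    for (int i = 6; i >= 0; i--)
        y = y * 256 + buf[i];
    return (buf[7] & 0x80) ? -y : y;
}

/* Decode one 24-byte control record (X, Y, Z) and validate it against the
 * current output position. Returns 0 when the record may be applied and -1
 * when the patch is corrupt; on success ctrl[] holds the decoded values.
 * Hypothetical helper: bspatch itself does these checks inline. */
int check_control(const uint8_t rec[24], int64_t newpos, int64_t newsize,
                  int64_t ctrl[3])
{
    for (int i = 0; i < 3; i++)
        ctrl[i] = offtin(rec + 8 * i);

    /* CVE-2014-9862: X and Y are byte counts read from "diff" and "extra",
     * so they must be non-negative. A negative X passes the
     * newpos + X > newsize test and reaches the stream reader as a
     * negative length. */
    if (ctrl[0] < 0 || ctrl[1] < 0)
        return -1;

    /* Output-buffer bounds, written as subtractions so that a very large
     * X or Y cannot overflow the signed addition newpos + X.
     * Assumes the caller maintains 0 <= newpos <= newsize. */
    if (ctrl[0] > newsize - newpos)
        return -1;
    if (ctrl[1] > newsize - newpos - ctrl[0])
        return -1;

    /* Z may legitimately be negative: it moves oldpos on the source image,
     * and bspatch bounds-checks each old[] read, so it is not rejected. */
    return 0;
}
```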

Diffstat:
M bspatch.c | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)

diff --git a/bspatch.c b/bspatch.c @@ -155,6 +155,10 @@ int main(int argc,char * argv[]) }; /* Sanity-check */ + if ((ctrl[0] < 0) || (ctrl[1] < 0)) + errx(1,"Corrupt patch\n"); + + /* Sanity-check */ if(newpos+ctrl[0]>newsize) errx(1,"Corrupt patch\n");
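Review bot: with `ctrl[0]` now guaranteed non-negative, the existing `if(newpos+ctrl[0]>newsize)` test that follows the new check is sound against negative lengths, but a very large `ctrl[0]` (the values are 64-bit signed, per the message) can still overflow the signed addition; consider writing it as `if(ctrl[0] > newsize - newpos)` so the comparison cannot wrap. The hunk also leaves two consecutive `/* Sanity-check */` comments; fold the new check under the existing one.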