CVE-2023-45897 Add debian/patches/CVE-2023-45897-out-of-bounds-memory-access
authorSven Hoexter <sven@stormbind.net>
Tue, 31 Oct 2023 12:26:11 +0000 (13:26 +0100)
committerSven Hoexter <sven@stormbind.net>
Tue, 31 Oct 2023 18:47:08 +0000 (19:47 +0100)
to fix three out-of-bounds issues.

debian/changelog
debian/patches/CVE-2023-45897-out-of-bounds-memory-access [new file with mode: 0644]
debian/patches/series [new file with mode: 0644]

index 4824b1faf9d7a2a2f5c270aed289874daae5fab2..5507bdf772a5d2f5a84fc4cccc11074f135d72ca 100644 (file)
@@ -1,3 +1,10 @@
+exfatprogs (1.2.0-1+deb12u1) UNRELEASED; urgency=medium
+
+  * CVE-2023-45897 Add debian/patches/CVE-2023-45897-out-of-bounds-memory-access
+    to fix three out-of-bounds issues.
+
+ -- Sven Hoexter <hoexter@debian.org>  Tue, 31 Oct 2023 19:43:18 +0100
+
 exfatprogs (1.2.0-1) unstable; urgency=medium
 
   * New upstream release.
diff --git a/debian/patches/CVE-2023-45897-out-of-bounds-memory-access b/debian/patches/CVE-2023-45897-out-of-bounds-memory-access
new file mode 100644 (file)
index 0000000..85a296f
--- /dev/null
@@ -0,0 +1,67 @@
+Description: CVE-2023-45897 out-of-bounds memory access
+Origin: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf
+ https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4
+ https://github.com/exfatprogs/exfatprogs/commit/4abc55e976573991e6a1117bb2b3711e59da07ae
+Last-Update: 2023-10-31
+Index: exfatprogs/exfat2img/exfat2img.c
+===================================================================
+--- exfatprogs.orig/exfat2img/exfat2img.c
++++ exfatprogs/exfat2img/exfat2img.c
+@@ -319,7 +319,7 @@ static int read_file_dentry_set(struct e
+       if (!node)
+               return -ENOMEM;
+-      for (i = 2; i <= file_de->file_num_ext; i++) {
++      for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
+               ret = exfat_de_iter_get(iter, i, &dentry);
+               if (ret || dentry->type != EXFAT_NAME)
+                       break;
+Index: exfatprogs/fsck/fsck.c
+===================================================================
+--- exfatprogs.orig/fsck/fsck.c
++++ exfatprogs/fsck/fsck.c
+@@ -769,7 +769,7 @@ ask_again:
+               char *rename = NULL;
+               __u16 hash;
+               struct exfat_dentry *stream_de;
+-              int name_len, ret;
++              int ret;
+               switch (num) {
+               case 1:
+@@ -798,11 +798,11 @@ ask_again:
+               if (ret < 0)
+                       return ret;
++              ret >>=1;
+               memcpy(dentry->name_unicode, utf16_name, ENTRY_NAME_MAX * 2);
+-              name_len = exfat_utf16_len(utf16_name, ENTRY_NAME_MAX * 2);
+-              hash = exfat_calc_name_hash(iter->exfat, utf16_name, (int)name_len);
++              hash = exfat_calc_name_hash(iter->exfat, utf16_name, ret);
+               exfat_de_iter_get_dirty(iter, 1, &stream_de);
+-              stream_de->stream_name_len = (__u8)name_len;
++              stream_de->stream_name_len = (__u8)ret;
+               stream_de->stream_name_hash = cpu_to_le16(hash);
+       }
+@@ -856,7 +856,7 @@ static int read_file_dentry_set(struct e
+       if (!node)
+               return -ENOMEM;
+-      for (i = 2; i <= file_de->file_num_ext; i++) {
++      for (i = 2; i <= MIN(file_de->file_num_ext, 1 + MAX_NAME_DENTRIES); i++) {
+               ret = exfat_de_iter_get(iter, i, &dentry);
+               if (ret || dentry->type != EXFAT_NAME) {
+                       if (i > 2 && repair_file_ask(iter, NULL, ER_DE_NAME,
+Index: exfatprogs/include/exfat_ondisk.h
+===================================================================
+--- exfatprogs.orig/include/exfat_ondisk.h
++++ exfatprogs/include/exfat_ondisk.h
+@@ -40,6 +40,7 @@
+ /* exFAT allows 8388608(256MB) directory entries */
+ #define MAX_EXFAT_DENTRIES    8388608
+ #define MIN_FILE_DENTRIES     3
++#define MAX_NAME_DENTRIES     17
+ /* dentry types */
+ #define MSDOS_DELETED         0xE5    /* deleted mark */
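Review bot: In the fsck.c rename hunk of the added patch, `ret` changes meaning from an error/byte count to a UTF-16 code-unit count via `ret >>=1;` and is then narrowed with `(__u8)ret` into `stream_name_len`, but nothing visible shows that the value fits in 8 bits. The bound presumably comes from the size of `utf16_name` handed to the encoder, which is declared outside the hunk, so the invariant should be written down where it is relied on, e.g. `ret >>= 1; /* bytes -> UTF-16 code units; bounded by sizeof(utf16_name) */`. It is also worth confirming that a count larger than `ENTRY_NAME_MAX` cannot be stored while the `memcpy` above fills only a single name dentry. Separately, `#define MAX_NAME_DENTRIES 17` in exfat_ondisk.h is a bare magic number that both `read_file_dentry_set` loops now depend on for their bounds; a comment such as `/* max name length / chars per name dentry, rounded up */` would let a reader verify it. The enclosing functions start and end outside these hunks.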
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644 (file)
index 0000000..4449077
--- /dev/null
@@ -0,0 +1 @@
+CVE-2023-45897-out-of-bounds-memory-access