From: sms
Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb()
Bug-Debian: http://bugs.debian.org/773722

--- a/extract.c
+++ b/extract.c
@@ -2234,10 +2234,17 @@
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
 
+    /* Return no/bad-data error status if any problem is found:
+     *    1. eb_size is too small to hold the uncompressed size
+     *       (eb_ucsize).  (Else extract eb_ucsize.)
+     *    2. eb_ucsize is zero (invalid).  2014-12-04 SMS.
+     *    3. eb_ucsize is positive, but eb_size is too small to hold
+     *       the compressed data header.
+     */
     if ((eb_size < (EB_UCSIZE_P + 4)) ||
-        ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
-         eb_size <= (compr_offset + EB_CMPRHEADLEN)))
-        return IZ_EF_TRUNC;               /* no compressed data! */
+     ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
+     ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
+        return IZ_EF_TRUNC;             /* no/bad compressed data! */
 
     if (
 #ifdef INT_16BIT
e' href='/guix/log/gnu/packages/gnupg.scm'>log</a><a href='/guix/tree/gnu/packages/gnupg.scm?id=101a4e2718db6b9b96333d75cacb761640074405'>tree</a><a href='/guix/commit/gnu/packages/gnupg.scm?id=101a4e2718db6b9b96333d75cacb761640074405'>commit</a><a href='/guix/diff/gnu/packages/gnupg.scm?id=101a4e2718db6b9b96333d75cacb761640074405'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/gnupg.scm'>
<input type='hidden' name='id' value='101a4e2718db6b9b96333d75cacb761640074405'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=101a4e2718db6b9b96333d75cacb761640074405'>root</a>/<a href='/guix/log/gnu?id=101a4e2718db6b9b96333d75cacb761640074405'>gnu</a>/<a href='/guix/log/gnu/packages?id=101a4e2718db6b9b96333d75cacb761640074405'>packages</a>/<a href='/guix/log/gnu/packages/gnupg.scm?id=101a4e2718db6b9b96333d75cacb761640074405'>gnupg.scm</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/gnupg.scm?id=101a4e2718db6b9b96333d75cacb761640074405&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2022-11-22 08:37:23 +0100'>2022-11-22</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=3d2de69c066518a95bb8bc07e306cd2c337ef12c'>gnu: gpgme: Add 1.18.0.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (gpgme-1.18, qgpgme-1.18): New variables.
</span></span></td><td>Marius Bakke</td></tr>
<tr><td><span title='2022-10-30 02:00:03 +0100'>2022-10-30</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=bb453af580ef92b843d02ef3f2b0c6d9ecfc132a'>gnu: jetring: Update to 0.31.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (jetring): Update to 0.31.
[arguments]: Don't explicitly return #t from phases.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-10-23 02:00:15 +0200'>2022-10-23</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=6e7102c5f740fc5abb8d2ceea847ba5acb8a19df'>gnu: pinentry-tty: Update to 1.2.1.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (pinentry-tty): Update to 1.2.1.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-10-16 02:00:00 +0200'>2022-10-16</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=033cbd11a837dbc7602799f15d691221653e1996'>gnu: libksba: Graft to 1.6.2 [fixes CVE-2022-3515].</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (libksba/fixed): New variable.
(libksba): Use it as grafted replacement.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-08-29 18:22:58 +0200'>2022-08-29</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=52aa21cc9a15cdbbae1c72b8fd28adeb66791a9b'>gnu: gnupg: Use mirror URL.</a><span class='msg-avail'>...<span class='msg-tooltip'>In commit 38747a27f36dbaadadb1399ec085d88e48c97555, the package switched from
a mirror:// URL to a ftp:// URL, but there doesn't appear to have been any
particular reason for that.

* gnu/packages/gnupg.scm (gnupg)[source]{uri}: Use a mirror:// again.

Signed-off-by: Marius Bakke &lt;marius@gnu.org&gt;
</span></span></td><td>Maxime Devos</td></tr>
<tr><td><span title='2022-08-09 22:39:26 +0300'>2022-08-09</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=9a53a79fc54e01932bd727ec519403ea4c2c3efc'>gnu: gnupg: Patch CVE-2022-34903.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (gnupg)[replacement]: New field.
(gnupg/replacement): New variable.
* gnu/packages/patches/gnupg-CVE-2022-34903.patch: New file.
* gnu/local.mk (dist_patch_DATA): Register it.
</span></span></td><td>Efraim Flashner</td></tr>
<tr><td><span title='2022-05-29 02:00:13 +0200'>2022-05-29</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=00411836d9ece114a46f44ae1b8f7cb6d1a5ae35'>gnu: pgpdump: Update to 0.35.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (pgpdump): Update to 0.35.
</span></span></td><td>Tobias Geerinckx-Rice</td></tr>
<tr><td><span title='2022-05-31 14:52:29 -0400'>2022-05-31</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=5a2079594f8049447c09af21e27d977bafe2c92d'>gnu: pius: Update to 3.0.0.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (pius): Update to 3.0.0.
[arguments]: Delete tests? and python arguments.
[phases]{set-gpg-file-name}: Streamline.
[description]: Spell key signing as two words.  Mark commands with Texinfo
markup.
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2022-05-31 14:52:29 -0400'>2022-05-31</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=9d3c37b2c98093fd6c6c1fc0f8e698b6850c49ef'>gnu: Remove python2-pygpgme.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (python2-pygpgme): Delete variable.
</span></span></td><td>Maxim Cournoyer</td></tr>
<tr><td><span title='2022-05-31 14:52:29 -0400'>2022-05-31</span></td><td><a href='/guix/commit/gnu/packages/gnupg.scm?id=14129029e26bbe18e6a63311447575e81e0e451f'>gnu: Remove python2-gpg.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/gnupg.scm (python2-gpg): Delete variable.
</span></span></td><td>Maxim Cournoyer</td></tr>

Age	Commit message (Expand)	Author
2022-11-22	gnu: gpgme: Add 1.18.0....* gnu/packages/gnupg.scm (gpgme-1.18, qgpgme-1.18): New variables.	Marius Bakke
2022-10-30	gnu: jetring: Update to 0.31....* gnu/packages/gnupg.scm (jetring): Update to 0.31. [arguments]: Don't explicitly return #t from phases.	Tobias Geerinckx-Rice
2022-10-23	gnu: pinentry-tty: Update to 1.2.1....* gnu/packages/gnupg.scm (pinentry-tty): Update to 1.2.1.	Tobias Geerinckx-Rice
2022-10-16	gnu: libksba: Graft to 1.6.2 [fixes CVE-2022-3515]....* gnu/packages/gnupg.scm (libksba/fixed): New variable. (libksba): Use it as grafted replacement.	Tobias Geerinckx-Rice
2022-08-29	gnu: gnupg: Use mirror URL....In commit 38747a27f36dbaadadb1399ec085d88e48c97555, the package switched from a mirror:// URL to a ftp:// URL, but there doesn't appear to have been any particular reason for that. * gnu/packages/gnupg.scm (gnupg)[source]{uri}: Use a mirror:// again. Signed-off-by: Marius Bakke <marius@gnu.org>	Maxime Devos
2022-08-09	gnu: gnupg: Patch CVE-2022-34903....* gnu/packages/gnupg.scm (gnupg)[replacement]: New field. (gnupg/replacement): New variable. * gnu/packages/patches/gnupg-CVE-2022-34903.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.	Efraim Flashner
2022-05-29	gnu: pgpdump: Update to 0.35....* gnu/packages/gnupg.scm (pgpdump): Update to 0.35.	Tobias Geerinckx-Rice
2022-05-31	gnu: pius: Update to 3.0.0....* gnu/packages/gnupg.scm (pius): Update to 3.0.0. [arguments]: Delete tests? and python arguments. [phases]{set-gpg-file-name}: Streamline. [description]: Spell key signing as two words. Mark commands with Texinfo markup.	Maxim Cournoyer
2022-05-31	gnu: Remove python2-pygpgme....* gnu/packages/gnupg.scm (python2-pygpgme): Delete variable.	Maxim Cournoyer
2022-05-31	gnu: Remove python2-gpg....* gnu/packages/gnupg.scm (python2-gpg): Delete variable.	Maxim Cournoyer