Update #826
Conversation
eustas
commented
Aug 26, 2020
- IMPORTANT: decoder: fix overflow when input chunk is >2GiB
- simplify max Huffman table size calculation
- eliminate symbol duplicates (static arrays in .h files)
- minor combing in research/ code
All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the ℹ️ Googlers: Go here for more info.
❌ Build brotli 1.0.0#1502 failed (commit ed2a606f70 by @)
❌ Build brotli 1.0.0#1503 failed (commit 705e32652b by @)
❌ Build brotli 1.0.0#1504 failed (commit 1f1f91b8e4 by @)
❌ Build brotli 1.0.0#1505 failed (commit a1ecc6a04f by @)
✅ Build brotli 1.0.0#1506 completed (commit 153c21cde7 by @)
@eustas I am preparing an update for brotli in Debian (based on an older release, 0.5.2) to address CVE-2020-8927. Since the PR you merged included four distinct and separate changes in a single commit, it is difficult for me to determine the minimum change needed to address CVE-2020-8927. My belief is that the specific change I need to isolate is associated with the changelog entry `IMPORTANT: decoder: fix overflow when input chunk is >2GiB`. Though I attempted to isolate the part of the commit that was necessary, I was unsure and so I consulted with another Debian developer. His assessment of my proposed patch was that it was perhaps too broad. Could you identify the specific hunks that are needed to address CVE-2020-8927? Also, is there any available information regarding a proof of concept of the vulnerability or a reproducer?
Hi @rcsanchez97, first of all sorry I didn't see the comment before. Due to the way we have set up the import/export, changes like this one don't generate a small commit with just the CVE fix, sorry about that. I discussed this with my colleagues here and we think the only change on top of 1.0.7 needed to fix CVE-2020-8927 is the one attached here. I didn't verify if there were other changes that could affect this from 0.5.2, which is quite old, but given that the fix is a cap in the bit reader's BrotliGetRemainingBytes() function I don't expect other changes to affect it. Let me know if you need any help, and thanks for your maintainer work on brotli.
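The failure mode and the cap described in the reply above, as an added example that is not brotli's code from this PR: a hypothetical bit-reader stand-in whose remaining-bytes query is shown first raw and then clamped the way the comment describes the fix, next to a consumer modelled on a decoder that narrows that count to `int` before deciding how much of an uncompressed block to copy. The `BitReader` struct, the 1 GiB cap value and the `copy_len_for_block` consumer are this example's assumptions; the page itself only states that the fix is a cap in `BrotliGetRemainingBytes()` for input chunks larger than 2 GiB.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for a decoder bit reader; not brotli's real struct. Only
   the fields the remaining-bytes query touches are modelled. */
typedef struct {
  uint64_t val_;     /* bit accumulator */
  uint32_t bit_pos_; /* bits of val_ already consumed; == 64 means empty */
  size_t avail_in;   /* unread bytes left in the caller's input chunk */
} BitReader;

/* Assumed cap value for this example: 1 GiB. Any cap comfortably below
   INT_MAX serves the purpose, which is that the count stays positive after
   a later narrowing to int. */
#define REMAINING_BYTES_CAP ((size_t)1 << 30)

static size_t available_bits(const BitReader *br) {
  return (sizeof(br->val_) << 3) - br->bit_pos_;
}

/* Before: the raw count. With a chunk larger than 2 GiB this exceeds INT_MAX. */
static size_t remaining_bytes_uncapped(const BitReader *br) {
  return br->avail_in + (available_bits(br) >> 3);
}

/* After: the same query, clamped as the reply above describes the fix. */
static size_t remaining_bytes_capped(const BitReader *br) {
  if (br->avail_in > REMAINING_BYTES_CAP) return REMAINING_BYTES_CAP;
  return br->avail_in + (available_bits(br) >> 3);
}

/* Assumed consumer, modelled on a decoder deciding how much of an
   uncompressed block to copy: the count is narrowed to int before the
   comparison. Out-of-range size_t -> int is implementation-defined in C;
   mainstream compilers wrap, so a value above INT_MAX turns negative and
   the "at most the block length" clamp below no longer fires. */
static int copy_len_for_block(size_t remaining, int meta_block_remaining_len) {
  int nbytes = (int)remaining;
  if (nbytes > meta_block_remaining_len) nbytes = meta_block_remaining_len;
  return nbytes;
}

/* Runs one constructed scenario end to end and returns the copy length the
   consumer would hand on to a memcpy-style routine. use_cap selects the
   capped or the uncapped reader query. */
static int demo_copy_len(size_t avail_in, int block_len, int use_cap) {
  BitReader br;
  br.val_ = 0;
  br.bit_pos_ = (uint32_t)(sizeof(br.val_) << 3); /* accumulator empty */
  br.avail_in = avail_in;
  size_t remaining = use_cap ? remaining_bytes_capped(&br)
                             : remaining_bytes_uncapped(&br);
  return copy_len_for_block(remaining, block_len);
}

int main(void) {
  const size_t big_chunk = (size_t)3 << 30; /* constructed: a 3 GiB input chunk */
  const int block_len = 4096;
  printf("uncapped reader: copy length %d\n", demo_copy_len(big_chunk, block_len, 0));
  printf("capped reader:   copy length %d\n", demo_copy_len(big_chunk, block_len, 1));
  return 0;
}
```

With the uncapped query the copy length comes out negative for the 3 GiB chunk, which a size_t parameter downstream would read as an enormous count; with the cap in place the block-length clamp works as intended and the result is 4096. Small chunks behave identically on both paths, which is why the cap is a safe change to backport on its own.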
@deymo No worries on the delay; the issue has been around for a while and as you pointed out I am dealing with a quite old version. Thanks for verifying the necessary components of the fix. I will get this updated in Debian. Your assistance is very much appreciated.
- IMPORTANT: decoder: fix potential overflow when input chunk is >2GiB
- simplify max Huffman table size calculation
- eliminate symbol duplicates (static arrays in .h files)
- minor combing in research/ code