Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package zbar for openSUSE:Factory checked in at 2023-12-20 21:00:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zbar (Old) and /work/SRC/openSUSE:Factory/.zbar.new.9037 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zbar"
Wed Dec 20 21:00:18 2023 rev:19 rq:1134153 version:0.23.90
Changes:
--------
--- /work/SRC/openSUSE:Factory/zbar/zbar.changes 2023-06-21 22:37:15.229430406 +0200
+++ /work/SRC/openSUSE:Factory/.zbar.new.9037/zbar.changes 2023-12-20 21:00:24.950449341 +0100
@@ -1,0 +2,11 @@
+Wed Dec 13 18:36:21 UTC 2023 - Michael Vetter <[email protected]>
+
+- security update:
+ * CVE-2023-40889 [bsc#1214770]
+ Fix heap based buffer overflow in qr_reader_match_centers()
+ + zbar-CVE-2023-40889.patch
+ * CVE-2023-40890 [bsc#1214771]
+ Fix stack based buffer overflow in lookup_sequence()
+ + zbar-CVE-2023-40890.patch
+
+-------------------------------------------------------------------
New:
----
zbar-CVE-2023-40889.patch
zbar-CVE-2023-40890.patch
BETA DEBUG BEGIN:
New: Fix heap based buffer overflow in qr_reader_match_centers()
+ zbar-CVE-2023-40889.patch
* CVE-2023-40890 [bsc#1214771]
New: Fix stack based buffer overflow in lookup_sequence()
+ zbar-CVE-2023-40890.patch
BETA DEBUG END:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ zbar.spec ++++++
--- /var/tmp/diff_new_pack.5zlVbN/_old 2023-12-20 21:00:25.826481212 +0100
+++ /var/tmp/diff_new_pack.5zlVbN/_new 2023-12-20 21:00:25.830481358 +0100
@@ -29,6 +29,10 @@
 Source98: baselibs.conf
 # PATCH-FIX-UPSTREAM: fix build against python 3.11 - https://github.com/mchehab/zbar/commit/9bb0cc43f7f9e9c676e07b2e511f03bfa1c491cb
 Patch1: py311.patch
+# PATCH-FIX-UPSTREAM -- [email protected] -- bsc#1214770
+Patch2: zbar-CVE-2023-40889.patch
+# PATCH-FIX-UPSTREAM -- [email protected] -- bsc#1214771
+Patch3: zbar-CVE-2023-40890.patch
 BuildRequires: libjpeg-devel
 BuildRequires: pkgconfig >= 0.9.0
 BuildRequires: xmlto
++++++ zbar-CVE-2023-40889.patch ++++++
https://salsa.debian.org/debian/zbar/-/commit/1c3ddc8d7d828d68688c7f4f2ea35a2eee18594c
Index: zbar-0.23.1/zbar/qrcode/qrdec.c
===================================================================
--- zbar-0.23.1.orig/zbar/qrcode/qrdec.c
+++ zbar-0.23.1/zbar/qrcode/qrdec.c
@@ -3900,8 +3900,8 @@ void qr_reader_match_centers(qr_reader *
 /*TODO: We might be able to accelerate this step significantly by considering the remaining finder centers in a more intelligent order, based on the first finder center we just chose.*/
- for(j=i+1;!mark[i]&&j<_ncenters;j++){
- for(k=j+1;!mark[j]&&k<_ncenters;k++)if(!mark[k]){
+ for (j=i+1;i<_ncenters&&!mark[i]&&j<_ncenters;j++) {
+ for (k=j+1;j<_ncenters&&!mark[j]&&k<_ncenters;k++)if(!mark[k]) {
 qr_finder_center *c[3];
 qr_code_data qrdata;
 int version;
++++++ zbar-CVE-2023-40890.patch ++++++
https://salsa.debian.org/debian/zbar/-/blob/master/debian/patches/0004-Add-bounds-check-for-CVE-2023-40890.patch
Index: zbar-0.23.1/zbar/decoder/databar.c
===================================================================
--- zbar-0.23.1.orig/zbar/decoder/databar.c
+++ zbar-0.23.1/zbar/decoder/databar.c
@@ -23,6 +23,8 @@
 #include <config.h>
 #include <zbar.h>
+#include <stdlib.h>
+#include <stdio.h>
 #ifdef DEBUG_DATABAR
 # define DEBUG_LEVEL (DEBUG_DATABAR)
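Review bot: Patch2 and Patch3 are declared, but nothing in this hunk applies them; if the %prep section (outside the hunk) uses %setup rather than %autosetup/%autopatch, the two CVE fixes are shipped as source files and never compiled in. In that case add `%patch2 -p1` and `%patch3 -p1` next to where Patch1 is applied, with the strip level matching the `zbar-0.23.1/` prefix used in the patch headers. The PATCH-FIX-UPSTREAM comments on Patch2/Patch3 would also be more useful with the upstream or Debian commit URL that the patch files themselves cite, as the Patch1 comment already does.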
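Review bot: The new guards `i<_ncenters` and `j<_ncenters` sit in front of the `mark[]` reads, but `j<_ncenters` with `j` starting at `i+1` already implies `i<_ncenters`, so ordering the existing bound first — `for(j=i+1;j<_ncenters&&!mark[i];j++){` and `for(k=j+1;k<_ncenters&&!mark[j];k++)if(!mark[k]){` — short-circuits before the out-of-range read without an extra comparison; this assumes `i` and `j` are not reassigned inside the loop bodies, which lie outside the hunk. The hunk also changes `for(` to `for (` and the brace spacing, which is unrelated to the fix and makes the actual bounds change harder to pick out when auditing a backported security patch. `qr_reader_match_centers` begins and ends outside the hunk, so the outer `i` loop and the sizing of `mark` cannot be checked from here.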
@@ -663,10 +665,11 @@ match_segment (zbar_decoder_t *dcode,
 return(ZBAR_DATABAR);
 }
-static inline unsigned
+static inline signed
 lookup_sequence (databar_segment_t *seg,
 int fixed,
- int seq[22])
+ int seq[22],
+ const size_t maxsize)
 {
 unsigned n = seg->data / 211, i;
 const unsigned char *p;
@@ -676,6 +679,13 @@ lookup_sequence (databar_segment_t *seg,
 dbprintf(2, " {%d,%d:", i, n);
 p = exp_sequences + i;
+ if (n >= maxsize-1) {
+ // The loop below checks i<n and increments i by one within the loop
+ // when accessing seq[22]. For this to be safe, n needs to be < 21.
+ // See CVE-2023-40890.
+ return -1;
+ }
+
 fixed >>= 1;
 seq[0] = 0;
 seq[1] = 1;
@@ -755,10 +765,15 @@ match_segment_exp (zbar_decoder_t *dcode
 }
 if(!i) {
- if(!lookup_sequence(seg, fixed, seq)) {
+ signed int lu = lookup_sequence(seg, fixed, seq, sizeof(seq)/sizeof(seq[0]));
+ if(!lu) {
 dbprintf(2, "[nf]");
 continue;
 }
+ if(lu < 0) {
+ dbprintf(1, " [aborted]\n");
+ goto abort;
+ }
 width = seg->width;
 dbprintf(2, " A00@%d", j);
 }
@@ -829,6 +844,8 @@ match_segment_exp (zbar_decoder_t *dcode
 dcode->direction = (1 - 2 * (seg->side ^ seg->color)) * dir;
 dcode->modifiers = MOD(ZBAR_MOD_GS1);
 return(ZBAR_DATABAR_EXP);
+abort:
+ return (ZBAR_NONE);
 }
 #undef IDX
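Review bot: `static inline signed` declares a bare `int`, and the function now folds an error sentinel into what was an `unsigned` count; spell it `static inline int` and document the three outcomes the caller distinguishes, e.g. `/* Returns 0 if no sequence matches, -1 if the length derived from seg->data does not fit in seq[maxsize], positive otherwise. */`. The positive case is inferred from the call site, which treats 0 as not-found and a negative value as abort; the remaining return statements of lookup_sequence are outside the hunk. The `const` on the by-value `maxsize` is harmless in a static definition but does not match the neighbouring `int fixed` in the same parameter list.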
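Review bot: `n >= maxsize-1` wraps when `maxsize` is 0 (`size_t` underflow to SIZE_MAX) and silently disables the new check; `if (maxsize == 0 || n >= maxsize - 1) {` closes that hole without any overflow concern on `n`. The accompanying comment still talks about the fixed `seq[22]` and `< 21` although the bound is now the `maxsize` parameter; `// the loop below indexes seq[] up to n+1, so n must be < maxsize - 1` stays true for any caller. The only call site visible passes the element count of a 22-entry array, so this is hardening of the new interface rather than a live defect.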
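Review bot: `sizeof(seq)/sizeof(seq[0])` yields the element count only if `seq` is an array object in match_segment_exp's scope; its declaration is outside the hunk, and if it were a pointer the expression would silently evaluate to 2 (or 1) and the new check would reject every segment with n >= 1. A comment at the call, `/* seq is an int[22] local; pass its capacity, not a pointer size */`, or a named constant shared with the declaration, makes that dependency explicit. The `abort:` label introduced in the last hunk shares its name with `abort()` from the `<stdlib.h>` this patch adds — legal, since labels have their own namespace, but `goto abort` reads like a call to the library function; a name such as `abort_exp:` avoids the double take. match_segment_exp starts outside these hunks.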
