Bug#928213: marked as done (stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1)

Debian Bug Tracking System Sat, 07 Sep 2019 06:50:01 -0700

Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id 
<17351b82f829eb6917f78885cb849c4060b0a4a6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928213,
regarding stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
928213: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928213
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Control: fixed 917807 0.99.beta19-2+deb8u1

This is a rebuild of the buster package (migrated three weeks ago)
which contains the following change:

  * Cherry-Pick fixes from upstream git repository:
    - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
      CVE-2018-20549 (Closes: #917807)

Effectively the same changes (but with somewhat different patches)
are already in jessie-lts since January (I checked by diffing the trees
with patches applied).

The type change from unsigned int to size_t in some structs might be an
ABI/API break on 64-bit architectures, but there has neither been a
transition in sid nor have any bugs been reported for jessie, buster or
sid.

The following packages might be affected in stretch:

# Depends:
ffmpeg: libavdevice57
gst-plugins-good1.0: gstreamer1.0-plugins-good
libsdl1.2: libsdl1.2-dev
           libsdl1.2debian
minbif: minbif
mplayer: mplayer
         mplayer-gui
toilet: toilet
vlc: vlc-plugin-video-output
xine-lib-1.2: libxine2-console
xine-ui: xine-console

# Build-Depends:
diffoscope: caca-utils
ffmpeg: libcaca-dev
gst-plugins-good1.0: libcaca-dev
libsdl1.2: libcaca-dev
minbif: libcaca-dev
mplayer: libcaca-dev
toilet: libcaca-dev (>= 0.99.beta18)
vlc: libcaca-dev (>= 0.99.beta4)
xine-lib-1.2: libcaca-dev
xine-ui: libcaca-dev


I primarily noticed (and want to fix) the version ordering violation
between jessie-lts (0.99.beta19-2+deb8u1) and stretch (0.99.beta19-2),
I have no clue about or any interest in libcaca itself.


Andreas

diff -Nru libcaca-0.99.beta19/debian/changelog 
libcaca-0.99.beta19/debian/changelog
--- libcaca-0.99.beta19/debian/changelog        2014-06-02 22:39:11.000000000 
+0200
+++ libcaca-0.99.beta19/debian/changelog        2019-04-29 23:17:44.000000000 
+0200
@@ -1,3 +1,19 @@
+libcaca (0.99.beta19-2.1~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann <[email protected]>  Mon, 29 Apr 2019 23:17:44 +0200
+
+libcaca (0.99.beta19-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-Pick fixes from upstream git repository:
+    - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
+      CVE-2018-20549 (Closes: #917807)
+
+ -- Tobias Frost <[email protected]>  Sat, 06 Apr 2019 22:18:41 +0200
+
 libcaca (0.99.beta19-2) unstable; urgency=medium
 
   * debian/patches/100_doxygen.diff: remove deprecated Doxygen variables.
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 
libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch     1970-01-01 
01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch     2019-04-06 
21:36:52.000000000 +0200
@@ -0,0 +1,45 @@
+From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <[email protected]>
+Date: Sat, 29 Dec 2018 22:13:56 +0100
+Subject: [PATCH] dither: fix integer overflows that were causing a division by
+ zero.
+
+Fixes: #36 (CVE-2018-20544)
+---
+ caca/dither.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index 04b678e0..c6ebab1b 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, 
int w, int h,
+         /* First get RGB */
+         if(d->antialias)
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
++            fromx = (uint64_t)(x - x1) * w / deltax;
++            fromy = (uint64_t)(y - y1) * h / deltay;
++            tox = (uint64_t)(x - x1 + 1) * w / deltax;
++            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* We want at least one pixel */
+             if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int 
y, int w, int h,
+         }
+         else
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
++            fromx = (uint64_t)(x - x1) * w / deltax;
++            fromy = (uint64_t)(y - y1) * h / deltay;
++            tox = (uint64_t)(x - x1 + 1) * w / deltax;
++            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* tox and toy can overflow the canvas, but they cannot overflow
+              * when averaged with fromx and fromy because these are guaranteed
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 
2019-04-06 22:08:34.000000000 +0200
@@ -0,0 +1,34 @@
+Description: img2txt: fix an integer overflow in the BMP loader.
+Origin: 
https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Forwarded: not-needed
+Applied-Upstream: 
https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Last-Update: 2019-04-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common-image.h
++++ b/src/common-image.h
+@@ -1,19 +1,19 @@
+ /*
+  *  Imaging tools for cacaview and img2irc
+- *  Copyright (c) 2003-2012 Sam Hocevar <[email protected]>
+- *                All Rights Reserved
++ *  Copyright (c) 2003-2018 Sam Hocevar <[email protected]>
++ *              All Rights Reserved
+  *
+  *  This program is free software. It comes without any warranty, to
+  *  the extent permitted by applicable law. You can redistribute it
+  *  and/or modify it under the terms of the Do What the Fuck You Want
+- *  to Public License, Version 2, as published by Sam Hocevar. See
+- *  http://www.wtfpl.net/ for more details.
++ *  to Public License, Version 2, as published by the WTFPL Task Force.
++ *  See http://www.wtfpl.net/ for more details.
+  */
+ 
+ struct image
+ {
+     char *pixels;
+-    unsigned int w, h;
++    size_t w, h;
+     struct caca_dither *dither;
+     void *priv;
+ };
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch 
libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch       
1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch       
2019-04-06 21:39:32.000000000 +0200
@@ -0,0 +1,36 @@
+From 02a09ec9e5ed8981e7a810bfb6a0172dc24f0790 Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <[email protected]>
+Date: Sun, 30 Dec 2018 13:18:27 +0100
+Subject: [PATCH] dither: fix integer multiplication overflow that caused
+ crashes.
+
+Fixes: #38 (CVE-2018-20546)
+Fixes: #39 (CVE-2018-20547)
+---
+ caca/dither.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index c6ebab1b..b2e24e55 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -6,8 +6,8 @@
+  *  This library is free software. It comes without any warranty, to
+  *  the extent permitted by applicable law. You can redistribute it
+  *  and/or modify it under the terms of the Do What the Fuck You Want
+- *  to Public License, Version 2, as published by Sam Hocevar. See
+- *  http://www.wtfpl.net/ for more details.
++ *  to Public License, Version 2, as published by the WTFPL Task Force.
++ *  See http://www.wtfpl.net/ for more details.
+  */
+ 
+ /*
+@@ -116,7 +116,7 @@ enum color_mode
+ struct caca_dither
+ {
+     int bpp, has_palette, has_alpha;
+-    int w, h, pitch;
++    size_t w, h, pitch;
+     int rmask, gmask, bmask, amask;
+     int rright, gright, bright, aright;
+     int rleft, gleft, bleft, aleft;
diff -Nru libcaca-0.99.beta19/debian/patches/series 
libcaca-0.99.beta19/debian/patches/series
--- libcaca-0.99.beta19/debian/patches/series   2014-05-16 21:30:34.000000000 
+0200
+++ libcaca-0.99.beta19/debian/patches/series   2019-04-06 21:46:52.000000000 
+0200
@@ -1,2 +1,5 @@
 100_doxygen.diff
 200_glut_header.diff
+CVE-2018-20544.patch
+CVE-2018-20545+20547+20549.patch
+CVE-2018-20546+20547.patch

--- End Message ---

--- Begin Message ---

Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---

Bug#928213: marked as done (stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1)

Reply via email to