On Fri, May 19, 2017 at 07:22:12AM +0200, Salvatore Bonaccorso wrote: > The full debdiff is attached t othis mail as debdiff against the current > version in testing.
Or not... Salvatore
diff -Nru jbig2dec-0.13/debian/changelog jbig2dec-0.13/debian/changelog --- jbig2dec-0.13/debian/changelog 2017-01-23 21:13:34.000000000 +0100 +++ jbig2dec-0.13/debian/changelog 2017-05-16 20:08:21.000000000 +0200 @@ -1,3 +1,13 @@ +jbig2dec (0.13-4.1) unstable; urgency=high + + * Non-maintainer upload. + * Prevent integer overflow vulnerability (CVE-2017-7885) (Closes: #860460) + * Prevent SEGV due to integer overflow (CVE-2017-7975) (Closes: #860788) + * Bounds check before reading from image source data (CVE-2017-7976) + (Closes: #860787) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 16 May 2017 20:08:21 +0200 + jbig2dec (0.13-4) unstable; urgency=medium * Add patches cherry-picked upstream to squash signed/unsigned diff -Nru jbig2dec-0.13/debian/patches/020170426~5e57e48.patch jbig2dec-0.13/debian/patches/020170426~5e57e48.patch --- jbig2dec-0.13/debian/patches/020170426~5e57e48.patch 1970-01-01 01:00:00.000000000 +0100 +++ jbig2dec-0.13/debian/patches/020170426~5e57e48.patch 2017-05-16 20:08:21.000000000 +0200 @@ -0,0 +1,26 @@ +Description: Bug 697693: Prevent SEGV due to integer overflow. + While building a Huffman table, the start and end points were susceptible + to integer overflow. + . +Thank you to Jiaqi for finding this issue and suggesting a patch. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697693 +Bug-Debian: https://bugs.debian.org/860788 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7975 +Forwarded: not-needed +Author: Shailesh Mistry <shailesh.mis...@hotmail.co.uk> +Last-Update: 2017-05-16 + +--- a/jbig2_huffman.c ++++ b/jbig2_huffman.c +@@ -422,8 +422,8 @@ jbig2_build_huffman_table(Jbig2Ctx *ctx, + + if (PREFLEN == CURLEN) { + int RANGELEN = lines[CURTEMP].RANGELEN; +- int start_j = CURCODE << shift; +- int end_j = (CURCODE + 1) << shift; ++ uint32_t start_j = CURCODE << shift; ++ uint32_t end_j = (CURCODE + 1) << shift; + byte eflags = 0; + + if (end_j > max_j) { diff -Nru jbig2dec-0.13/debian/patches/020170503~b184e78.patch jbig2dec-0.13/debian/patches/020170503~b184e78.patch --- jbig2dec-0.13/debian/patches/020170503~b184e78.patch 1970-01-01 01:00:00.000000000 +0100 +++ jbig2dec-0.13/debian/patches/020170503~b184e78.patch 2017-05-16 20:08:21.000000000 +0200 @@ -0,0 +1,27 @@ +Description: Bug 697703: Prevent integer overflow vulnerability. + Add extra check for the offset being greater than the size + of the image and hence reading off the end of the buffer. + . + Thank you to Dai Ge for finding this issue and suggesting a patch. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15 +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697703 +Bug-Debian: https://bugs.debian.org/860460 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7885 +Forwarded: not-needed +Author: Shailesh Mistry <shailesh.mis...@hotmail.co.uk> +Last-Update: 2017-05-16 +--- + jbig2dec/jbig2_symbol_dict.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/jbig2_symbol_dict.c ++++ b/jbig2_symbol_dict.c +@@ -629,7 +629,7 @@ jbig2_decode_symbol_dict(Jbig2Ctx *ctx, + byte *dst = image->data; + + /* SumatraPDF: prevent read access violation */ +- if (size - jbig2_huffman_offset(hs) < image->height * stride) { ++ if ((size - jbig2_huffman_offset(hs) < image->height * stride) || (size < jbig2_huffman_offset(hs))) { + jbig2_error(ctx, JBIG2_SEVERITY_FATAL, segment->number, "not enough data for decoding (%d/%d)", image->height * stride, + size - jbig2_huffman_offset(hs)); + jbig2_image_release(ctx, image); diff -Nru jbig2dec-0.13/debian/patches/020170510~ed6c513.patch jbig2dec-0.13/debian/patches/020170510~ed6c513.patch --- jbig2dec-0.13/debian/patches/020170510~ed6c513.patch 1970-01-01 01:00:00.000000000 +0100 +++ jbig2dec-0.13/debian/patches/020170510~ed6c513.patch 2017-05-16 20:08:21.000000000 +0200 @@ -0,0 +1,28 @@ +Description: Bug 697683: Bounds check before reading from image source data. + Add extra check to prevent reading off the end of the image source + data buffer. + . + Thank you to Dai Ge for finding this issue and suggesting a patch. +Origin: upstream, http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d +Bug: https://bugs.ghostscript.com/show_bug.cgi?id=697683 +Bug-Debian: https://bugs.debian.org/860787 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7976 +Forwarded: not-needed +Author: Shailesh Mistry <shailesh.mis...@hotmail.co.uk> +Last-Update: 2017-05-16 +--- + jbig2dec/jbig2_image.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/jbig2_image.c ++++ b/jbig2_image.c +@@ -256,7 +256,8 @@ jbig2_image_compose(Jbig2Ctx *ctx, Jbig2 + /* general OR case */ + s = ss; + d = dd = dst->data + y * dst->stride + leftbyte; +- if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride) { ++ if (d < dst->data || leftbyte > dst->stride || d - leftbyte + h * dst->stride > dst->data + dst->height * dst->stride || ++ s - leftbyte + (h - 1) * src->stride + rightbyte > src->data + src->height * src->stride) { + return jbig2_error(ctx, JBIG2_SEVERITY_FATAL, -1, "preventing heap overflow in jbig2_image_compose"); + } + if (leftbyte == rightbyte) { diff -Nru jbig2dec-0.13/debian/patches/series jbig2dec-0.13/debian/patches/series --- jbig2dec-0.13/debian/patches/series 2017-01-23 21:07:51.000000000 +0100 +++ jbig2dec-0.13/debian/patches/series 2017-05-16 20:08:21.000000000 +0200 @@ -1,6 +1,9 @@ 020160518~1369359.patch 020161212~e698d5c.patch 020161214~9d2c4f3.patch +020170426~5e57e48.patch +020170503~b184e78.patch +020170510~ed6c513.patch 1001_ignore_python_test.patch 1004_extract_infile_from_autogen-sh.patch 2001_disable_memento.patch