Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Dear release team,

[ Reason ]
I would like to fix CVE-2019-5086 and CVE-2019-5087. The same fix has been applied in unstable and stretch already. The security team marked these issues as no-dsa.

[ Impact ]
xcftools would still be vulnerable if not approved.

[ Tests ]
Tested with a manipulated xcf file.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru xcftools-1.0.7/debian/changelog xcftools-1.0.7/debian/changelog --- xcftools-1.0.7/debian/changelog 2016-05-18 12:34:05.000000000 +0200 +++ xcftools-1.0.7/debian/changelog 2021-02-09 23:17:14.000000000 +0100 @@ -1,3 +1,16 @@ +xcftools (1.0.7-6+deb10u1) buster; urgency=medium + + * Non-maintainer upload by the LTS team. + * Fix CVE-2019-5086 and CVE-2019-5087: + An exploitable integer overflow vulnerability exists in the + flattenIncrementally function in the xcf2png and xcf2pnm binaries of + xcftools. An integer overflow can occur while walking through tiles that + could be exploited to corrupt memory and execute arbitrary code. In order + to trigger this vulnerability, a victim would need to open a specially + crafted XCF file. + + -- Markus Koschany <a...@debian.org> Tue, 09 Feb 2021 23:17:14 +0100 + xcftools (1.0.7-6) unstable; urgency=medium * Team upload (collab-maint) diff -Nru xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch --- xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch 1970-01-01 01:00:00.000000000 +0100 +++ xcftools-1.0.7/debian/patches/CVE-2019-5086-and-CVE-2019-5087.patch 2021-02-09 23:17:14.000000000 +0100 
@@ -0,0 +1,53 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 8 Feb 2021 17:57:56 +0100 +Subject: CVE-2019-5086 and CVE-2019-5087 + +Patch by Anton Gladky and Markus Koschany. + +Bug-Debian: https://bugs.debian.org/945317 +Origin: https://github.com/j-jorge/xcftools/pull/15 +--- + xcf-general.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +diff --git a/xcf-general.c b/xcf-general.c +index 9d0b4dc..7cb1613 100644 +--- a/xcf-general.c ++++ b/xcf-general.c +@@ -19,6 +19,8 @@ + #include "xcftools.h" + #include <string.h> + #include <errno.h> ++#include <limits.h> ++#include <stdlib.h> + #ifdef HAVE_ICONV + # include <iconv.h> + #elif !defined(ICONV_CONST) +@@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after) + void + computeDimensions(struct tileDimensions *d) + { ++ // [ CVE-2019-5086 and CVE-2019-5087 ] ++ // This part of the code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087 ++ ++ if (d->c.l < INT_MIN/4) { ++ fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"), (d->c.l)); ++ exit(0); ++ } ++ if (d->c.t < INT_MIN/4) { ++ fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"), (d->c.t)); ++ exit(0); ++ } ++ if (d->width > (INT_MAX - d->c.l)/4) { ++ fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width)); ++ exit(0); ++ } ++ if (d->height > (INT_MAX - d->c.t)/4) { ++ fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height)); ++ exit(0); ++ } ++ // [ CVE-2019-5086 and CVE-2019-5087 ] ++ + d->c.r = d->c.l + d->width ; + d->c.b = d->c.t + d->height ; + d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ; diff -Nru xcftools-1.0.7/debian/patches/series xcftools-1.0.7/debian/patches/series --- xcftools-1.0.7/debian/patches/series 2016-05-18 12:27:32.000000000 +0200 +++ xcftools-1.0.7/debian/patches/series 2021-02-09 23:17:14.000000000 +0100 
@@ -4,3 +4,4 @@ fix-as-needed-linking libpng16.patch fix-test-UTF8.patch +CVE-2019-5086-and-CVE-2019-5087.patch
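Review bot: the debian/changelog hunk names flattenIncrementally as the function with the integer overflow, but the code change in the same debdiff lands in computeDimensions in xcf-general.c; add a sentence to the entry saying that the new bounds checks are applied in computeDimensions, where c.r, c.b and the tile counts are derived from the untrusted width, height and offsets, so that someone reading the changelog can locate the fix without opening the patch.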
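Review bot: in the xcf-general.c hunk the guard `if (d->width > (INT_MAX - d->c.l)/4)` can itself overflow: the preceding check only rejects `d->c.l < INT_MIN/4`, so any negative `d->c.l` that passes it makes `INT_MAX - d->c.l` exceed INT_MAX, which is signed overflow (undefined behaviour) in the very expression meant to prevent it; the height check with `d->c.t` has the same problem. Compute the bound in a wider type (a 64-bit temporary) or split it into `d->width > INT_MAX/4` followed by a separate check on the sum, and do not evaluate `d->c.l + d->width` in the diagnostic fprintf before that sum is known to be safe. Two smaller points: a rejected file terminates with `exit(0)`, so a script calling xcf2png or xcf2pnm sees a success status for a malformed input and should get a nonzero exit instead; and the comment block gives no rationale for the factor of four in `INT_MIN/4` and `INT_MAX/4`, so state what headroom it is reserving for the later tile arithmetic.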