Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: haavard_aa...@yahoo.no

This update fixes CVE-2019-19630 and CVE-2021-20308, which is bug #984765.
Both patches are from upstream and have very small changes.
CVE-2019-19630 is marked with no DSA and CVE-2021-20308 is marked unimportant, so I have not contacted the security team.

[ Reason ]
Fix CVE-2019-19630 and CVE-2021-20308

[ Impact ]
Minor

[ Tests ]
None

[ Risks ]
Small to none

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The patches add additional if-statements to prevent buffer overflows.

Regards,
Håvard

https://security-tracker.debian.org/tracker/CVE-2019-19630
https://security-tracker.debian.org/tracker/CVE-2021-20308
https://bugs.debian.org/#984765

diff -Nru htmldoc-1.9.3/debian/changelog htmldoc-1.9.3/debian/changelog --- htmldoc-1.9.3/debian/changelog 2018-04-11 20:04:27.000000000 +0200 +++ htmldoc-1.9.3/debian/changelog 2021-05-11 12:03:14.000000000 +0200 @@ -1,3 +1,13 @@ +htmldoc (1.9.3-1+deb10u1) buster; urgency=medium + + * QA upload. + * Add patch to fix a stack-based buffer overflow in the hd_strlcpy() + Fixes: CVE-2019-19630 + * Add patch to fix buffer-overflow caused by integer-overflow + Closes: #984765 Fixes: CVE-2021-20308 + + -- Håvard Flaget Aasen <haavard_aa...@yahoo.no> Tue, 11 May 2021 12:03:14 +0200 + htmldoc (1.9.3-1) unstable; urgency=medium * QA upload. diff -Nru htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch --- htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch 1970-01-01 01:00:00.000000000 +0100 +++ htmldoc-1.9.3/debian/patches/Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch 2021-05-11 11:55:58.000000000 +0200 
@@ -0,0 +1,28 @@ +From: Michael R Sweet <michael.r.sw...@gmail.com> +Date: Sun, 8 Dec 2019 14:00:26 -0500 +Subject: Fix a buffer underflow issue with GCC on Linux (Issue #360) + +CVE-2019-19630 + +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c +Bug: https://github.com/michaelrsweet/htmldoc/issues/370 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2019-19630 +--- + htmldoc/ps-pdf.cxx | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx +index 78a0183..5d96591 100644 +--- a/htmldoc/ps-pdf.cxx ++++ b/htmldoc/ps-pdf.cxx +@@ -3721,7 +3721,9 @@ render_contents(tree_t *t, /* I - Tree to parse */ + nptr < (number + sizeof(number) - 1) && width < right; + width += dot_width) + *nptr++ = '.'; +- nptr --; ++ ++ if (nptr > number) ++ nptr --; + + strlcpy((char *)nptr, pages[hpage].page_text, sizeof(number) - (size_t)(nptr - number)); + diff -Nru htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch --- htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch 1970-01-01 01:00:00.000000000 +0100 +++ htmldoc-1.9.3/debian/patches/Fix-crash-bug-with-bad-GIFs-Issue-423.patch 2021-05-11 11:55:58.000000000 +0200 
@@ -0,0 +1,27 @@ +From: Michael R Sweet <michael.r.sw...@gmail.com> +Date: Wed, 31 Mar 2021 20:18:00 -0400 +Subject: Fix crash bug with bad GIFs (Issue #423) + +CVE-2021-20308 + +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6a8322a718b2ba5c440bd33e6f26d9e281c39654 +Bug: https://github.com/michaelrsweet/htmldoc/issues/423 +Bug-Debian: https://bugs.debian.org/#984765 +--- + htmldoc/image.cxx | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx +index 907db8f..9d36a41 100644 +--- a/htmldoc/image.cxx ++++ b/htmldoc/image.cxx +@@ -1245,6 +1245,9 @@ image_load_gif(image_t *img, /* I - Image pointer */ + img->height = (buf[9] << 8) | buf[8]; + ncolors = 2 << (buf[10] & 0x07); + ++ if (img->width <= 0 || img->width > 32767 || img->height <= 0 || img->height > 32767) ++ return (-1); ++ + // If we are writing an encrypted PDF file, bump the use count so we create + // an image object (Acrobat 6 bug workaround) + if (Encryption) diff -Nru htmldoc-1.9.3/debian/patches/series htmldoc-1.9.3/debian/patches/series --- htmldoc-1.9.3/debian/patches/series 2018-04-11 20:04:27.000000000 +0200 +++ htmldoc-1.9.3/debian/patches/series 2021-05-11 11:55:58.000000000 +0200 @@ -4,3 +4,5 @@ autoheader_support.patch disable_libz.patch remove-os-check.patch +Fix-crash-bug-with-bad-GIFs-Issue-423.patch +Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch
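
Review bot: in the debian/changelog hunk, the first bullet locates the CVE-2019-19630 overflow "in the hd_strlcpy()", but the patch it refers to changes render_contents() in htmldoc/ps-pdf.cxx, where it guards the `nptr --` that precedes the strlcpy() call. Consider wording the bullet around the code that is actually changed, and naming the two files added under debian/patches so each bullet maps to an entry in series.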
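
Review bot: in the header of Fix-a-buffer-underflow-issue-with-GCC-on-Linux-Issue-360.patch, the Subject and the filename say Issue #360 while the Bug: field links to issues/370; one of the two should be corrected so the DEP-3 header points at the issue this commit addresses. In the ps-pdf.cxx hunk itself, the new `if (nptr > number)` guard has no comment; a one-line note that it covers the case where nptr has not advanced past the start of number, so the decrement would otherwise step before the buffer, would help anyone refreshing this patch later.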
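
Review bot: in the image.cxx hunk of Fix-crash-bug-with-bad-GIFs-Issue-423.patch, the 32767 limit in `img->width > 32767 || img->height > 32767` is a bare magic number with no comment tying it to the size computation it is meant to keep from overflowing; since the changelog describes this as an integer overflow leading to a buffer overflow, a short comment or a named constant stating that relationship would make the bound reviewable. Separately, the Bug-Debian field in this patch header reads `https://bugs.debian.org/#984765`; the `#` turns the bug number into a URL fragment, so the link should be `https://bugs.debian.org/984765`.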