Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libass
User: [email protected]
Usertags: pu

[ Reason ]
The update contains an upstream provided fix for an out-of-bounds read
and write issue with a malicious ASS file. The issue is tracked as
GHSA-pjjp-65r7-ppgm.
https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm

The same fix is included in 1:0.17.5-1 in unstable.

[ Impact ]
A security issue remains unfixed.

[ Tests ]
None, backport of an upstream provided fix.

[ Risks ]
Regressions would also affect unstable and we can backport necessary
fixes in future stable updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Patch from upstream and an undocumented update for debian/gbp.conf to
track the correct branches.

[ Other info ]
I have already uploaded the changes.

Cheers
--
Sebastian Ramacher

diff -Nru libass-0.17.3/debian/changelog libass-0.17.3/debian/changelog --- libass-0.17.3/debian/changelog 2024-07-04 19:58:16.000000000 +0200 +++ libass-0.17.3/debian/changelog 2026-06-24 19:36:02.000000000 +0200 @@ -1,3 +1,11 @@ +libass (1:0.17.3-1+deb13u1) trixie; urgency=medium + + [ Oneric ] + * Backport security fixes from 0.15.5 to 0.17.3 + - Out-of-bounds read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm) + + -- Sebastian Ramacher <[email protected]> Wed, 24 Jun 2026 19:36:02 +0200 + libass (1:0.17.3-1) unstable; urgency=medium * New upstream version 0.17.3 diff -Nru libass-0.17.3/debian/gbp.conf libass-0.17.3/debian/gbp.conf --- libass-0.17.3/debian/gbp.conf 2022-05-14 09:59:38.000000000 +0200 +++ libass-0.17.3/debian/gbp.conf 2026-06-24 19:08:12.000000000 +0200 @@ -1,3 +1,4 @@ [DEFAULT] pristine-tar = True -debian-branch = master +debian-branch = debian/trixie +upstream-branch = upstream.trixie diff -Nru libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch --- libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch 1970-01-01 01:00:00.000000000 +0100 +++ libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch 2026-06-24 19:18:54.000000000 +0200 
@@ -0,0 +1,66 @@ +From: Oneric <[email protected]> +Date: Wed, 27 May 2026 00:00:00 +0000 +Subject: render/wrap_lines_measure: fix oob read and write +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +If the last line of an event consisted entirely of skippable characters +yet could not be trimmed away entirely early on in parsing the +while loops in wrap_line_measure overshot the end of the glyph array +by one entry. +This can happen in wrap modes other than two if a line ends with a '\n' +sequence and otherwise consists entirely of this sequence or spaces. + +If furthermore the total text size exactly matches the +currently allocated size of the glyph array, this first +lead to reading a 32-bit fixed-point value (pos.x) +from uninitialised memory. + +By itself this would have been entirely harmless since +the read value never ends up being used if the first loop +overread and in the second loop the read value is not applied +to any real glyph or line property and thus unobservable. + +However, the second while loop also writes two 32-bit fixed point +values to the overread position (pos.x and pos.y). +Due to using the overread value itself here this ended up +zeroing out the first and adding an easily controllable offset +to the second. + +A POC for the second out-of-bound read was originally reported +by Ada Logics’ David Korczynski who in turn was validating +scan reports generated by Anthropic using their Claude tool. 
+ +Fixes: https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm +--- + libass/ass_render.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/libass/ass_render.c b/libass/ass_render.c +index d7f143d..4a4a58b 100644 +--- a/libass/ass_render.c ++++ b/libass/ass_render.c +@@ -1881,13 +1881,21 @@ wrap_lines_measure(RenderContext *state, char *unibrks) + + while (i < text_info->length && text_info->glyphs[i].skip) + ++i; ++ ++ if (i == text_info->length) { ++ text_info->lines[0].len = 0; ++ text_info->lines[0].offset = 0; ++ return; ++ } ++ + double pen_shift_x = d6_to_double(-text_info->glyphs[i].pos.x); + double pen_shift_y = 0.; + + for (i = 0; i < text_info->length; ++i) { + GlyphInfo *cur = text_info->glyphs + i; ++ + if (cur->linebreak) { +- while (i < text_info->length && cur->skip && !FORCEBREAK(cur->symbol, i)) ++ while (i < text_info->length - 1 && cur->skip && !FORCEBREAK(cur->symbol, i)) + cur = text_info->glyphs + ++i; + double height = + text_info->lines[cur_line - 1].desc + diff -Nru libass-0.17.3/debian/patches/series libass-0.17.3/debian/patches/series --- libass-0.17.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ libass-0.17.3/debian/patches/series 2026-06-24 19:18:54.000000000 +0200 @@ -0,0 +1 @@ +0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
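
Review bot: In the debian/changelog hunk, the new entry reads "Backport security fixes from 0.15.5 to 0.17.3", while the request text says the same fix is included in 1:0.17.5-1 in unstable, so 0.15.5 looks like a typo for 0.17.5 and should be confirmed. The entry also does not mention the debian/gbp.conf change carried in the same debdiff, although the checklist ticks "all changes are documented in the d/changelog"; a line such as "* debian/gbp.conf: Track the trixie branches" would make the changelog match the diff.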
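
Review bot: In the debian/gbp.conf hunk, the two added branch names use different separators, "debian-branch = debian/trixie" but "upstream-branch = upstream.trixie". If the upstream branch in the packaging repository is actually named upstream/trixie, gbp would be pointed at a branch that does not exist, so please confirm the name against the repository before this lands in stable.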
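
Review bot: In the libass/ass_render.c hunk, the new early return for "i == text_info->length" sets only lines[0].len and lines[0].offset and then skips the rest of wrap_lines_measure, and the visible context does not show whether the other line state the later loop works with (for example lines[cur_line - 1].desc) is already valid for callers on this path. A short code comment stating why these two fields are sufficient would help, as would a one-line comment on the changed bound "i < text_info->length - 1" saying that it keeps cur inside the glyph array for the pos.x and pos.y writes the commit message describes. The diffstat shows one file changed and the request lists no tests, so a regression input with a last line made up entirely of skippable characters would be worth carrying alongside the fix.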

