Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libass
User: [email protected]
Usertags: pu

[ Reason ]
The update contains an upstream-provided fix for an out-of-bounds read
and write issue with a malicious ASS file. The issue is tracked as
GHSA-pjjp-65r7-ppgm.

https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm

The same fix is included in 1:0.17.5-1 in unstable.

[ Impact ]
A security issue remains unfixed.

[ Tests ]
None, backport of an upstream provided fix.

[ Risks ]
Regressions would also affect unstable and we can backport necessary
fixes in future stable updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Patch from upstream and an undocumented update for debian/gbp.conf to
track the correct branches.

[ Other info ]
I have already uploaded the changes.

Cheers
-- 
Sebastian Ramacher
diff -Nru libass-0.17.3/debian/changelog libass-0.17.3/debian/changelog
--- libass-0.17.3/debian/changelog      2024-07-04 19:58:16.000000000 +0200
+++ libass-0.17.3/debian/changelog      2026-06-24 19:36:02.000000000 +0200
@@ -1,3 +1,11 @@
+libass (1:0.17.3-1+deb13u1) trixie; urgency=medium
+
+  [ Oneric ]
+  * Backport security fixes from 0.15.5 to 0.17.3
+    - Out-of-bounds read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm)
+
+ -- Sebastian Ramacher <[email protected]>  Wed, 24 Jun 2026 19:36:02 +0200
+
 libass (1:0.17.3-1) unstable; urgency=medium
 
   * New upstream version 0.17.3
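Review bot: the changelog line "Backport security fixes from 0.15.5 to 0.17.3" looks like a typo: the cover text says the same fix ships in 1:0.17.5-1 in unstable, and a backport goes from a newer release to an older one, so this should read "from 0.17.5 to 0.17.3". Since the upload has already happened, it is worth correcting in the next changelog entry so readers are pointed at the right upstream release.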
diff -Nru libass-0.17.3/debian/gbp.conf libass-0.17.3/debian/gbp.conf
--- libass-0.17.3/debian/gbp.conf       2022-05-14 09:59:38.000000000 +0200
+++ libass-0.17.3/debian/gbp.conf       2026-06-24 19:08:12.000000000 +0200
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = master
+debian-branch = debian/trixie
+upstream-branch = upstream.trixie
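Review bot: the two new branch names use different separators (`debian/trixie` with a slash, `upstream.trixie` with a dot); double-check that `upstream.trixie` is really the branch name in the packaging repository and not a typo for `upstream/trixie`, since gbp will refuse to build when the configured upstream branch does not exist. The cover letter also calls this change undocumented; a one-line changelog entry for debian/gbp.conf would make the debdiff self-describing.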
diff -Nru 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
--- 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
    2026-06-24 19:18:54.000000000 +0200
@@ -0,0 +1,66 @@
+From: Oneric <[email protected]>
+Date: Wed, 27 May 2026 00:00:00 +0000
+Subject: render/wrap_lines_measure: fix oob read and write
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the last line of an event consisted entirely of skippable characters
+yet could not be trimmed away entirely early on in parsing the
+while loops in wrap_line_measure overshot the end of the glyph array
+by one entry.
+This can happen in wrap modes other than two if a line ends with a '\n'
+sequence and otherwise consists entirely of this sequence or spaces.
+
+If furthermore the total text size exactly matches the
+currently allocated size of the glyph array, this first
+lead to reading a 32-bit fixed-point value (pos.x)
+from uninitialised memory.
+
+By itself this would have been entirely harmless since
+the read value never ends up being used if the first loop
+overread and in the second loop the read value is not applied
+to any real glyph or line property and thus unobservable.
+
+However, the second while loop also writes two 32-bit fixed point
+values to the overread position (pos.x and pos.y).
+Due to using the overread value itself here this ended up
+zeroing out the first and adding an easily controllable offset
+to the second.
+
+A POC for the second out-of-bound read was originally reported
+by Ada Logics’ David Korczynski who in turn was validating
+scan reports generated by Anthropic using their Claude tool.
+
+Fixes: https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm
+---
+ libass/ass_render.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/libass/ass_render.c b/libass/ass_render.c
+index d7f143d..4a4a58b 100644
+--- a/libass/ass_render.c
++++ b/libass/ass_render.c
+@@ -1881,13 +1881,21 @@ wrap_lines_measure(RenderContext *state, char *unibrks)
+ 
+     while (i < text_info->length && text_info->glyphs[i].skip)
+         ++i;
++
++    if (i == text_info->length) {
++        text_info->lines[0].len = 0;
++        text_info->lines[0].offset = 0;
++        return;
++    }
++
+     double pen_shift_x = d6_to_double(-text_info->glyphs[i].pos.x);
+     double pen_shift_y = 0.;
+ 
+     for (i = 0; i < text_info->length; ++i) {
+         GlyphInfo *cur = text_info->glyphs + i;
++
+         if (cur->linebreak) {
+-            while (i < text_info->length && cur->skip && 
!FORCEBREAK(cur->symbol, i))
++            while (i < text_info->length - 1 && cur->skip && 
!FORCEBREAK(cur->symbol, i))
+                 cur = text_info->glyphs + ++i;
+             double height =
+                 text_info->lines[cur_line - 1].desc +
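Review bot: the new early return sets only `lines[0].len` and `lines[0].offset` before leaving wrap_lines_measure; the hunk does not show where the line count field of text_info is initialised, so confirm from the surrounding code that an all-skippable event (the case the commit message describes: a last line made only of '\n' sequences or spaces in a wrap mode other than two) leaves the line bookkeeping consistent for whatever runs after this function. The tightened bound `i < text_info->length - 1` in the second loop matches the one-entry overshoot the message describes. Separately, the patch header has a `Fixes:` line pointing at the advisory but no DEP-3 `Origin:` line naming the upstream commit; adding one makes it easy to verify that the backport is identical to what shipped in 0.17.5.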
diff -Nru libass-0.17.3/debian/patches/series 
libass-0.17.3/debian/patches/series
--- libass-0.17.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libass-0.17.3/debian/patches/series 2026-06-24 19:18:54.000000000 +0200
@@ -0,0 +1 @@
+0001-render-wrap_lines_measure-fix-oob-read-and-write.patch