Hello! Thank you for pointing out these CVEs. I investigated the issues more deeply and reviewed the code as of version 0.1+dfsg-1 of the package. Luckily, most of these issues are not related to rlottie as currently packaged in Debian.
Below are some of my notes. They do not imply a 100% guarantee, and real tests are needed.

CVE-2021-31323: Code was refactored. mData is now an std::vector that is extended before the parseProperty() call.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieparser.cpp/#L1741

CVE-2021-31322, CVE-2021-31319: Seems unaffected due to the checking added by Fix-crash-on-invalid-data.patch.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottiemodel.cpp/#L248

CVE-2021-31320: The mentioned while loop has been enhanced by Fix-crash-on-invalid-data.patch.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vdrawhelper.cpp/#L168

CVE-2021-31318: Seems unaffected, because Fix-crash-on-invalid-data.patch inserts type checking before the static_cast<> operator.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/lottie/lottieitem.cpp/#L454

CVE-2021-31315: Seems to be already fixed by Check-buffer-length.patch.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/vrle.cpp/#L559

CVE-2021-31321: Code differs, but bez_stack is an array of constant size on the gray_TWorker structure. It is twice the size mentioned in the advisory. However, the vulnerability may still be present.
https://sources.debian.org/src/rlottie/0.1+dfsg-1/src/vector/freetype/v_ft_raster.cpp/#L308

CVE-2021-31317: Not fixed. Needs tests.

As for the penultimate bug, I think it would be better to dispose of the bundled freetype code and rely solely on the libfreetype already packaged in Debian. But this may require a lot of changes that are unacceptable during the freeze.

Also note that these issues are all described in the context of the Telegram Android client. Nowadays, telegram-desktop is the only package in the Debian main archive that depends on rlottie. Telegram Desktop does not support end-to-end encrypted secret chats, and so incoming animated stickers are subject to filtering by Telegram servers. Because of this, a remote attack is a little more difficult.

There is another thing. For Debian, rlottie is built without a redefined RAPIDJSON_ASSERT macro, in contrast to upstream Telegram Desktop. By default the macro expands to an abort() call. This may result in additional SIGABRT crashes on invalid input data, but it will protect against more dangerous failures.
https://github.com/desktop-app/cmake_helpers/blob/ac193a597d6b953f9869a240e21e275ce6e388cb/external/rlottie/CMakeLists.txt#L116
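The RAPIDJSON_ASSERT point in the message above, as an added illustration that is not rlottie, RapidJSON or Telegram Desktop code: RapidJSON-style accessors do not bounds-check on their own, they only assert, so whether an out-of-range index on a malformed Lottie array ends in a clean abort() or in a silent out-of-bounds read is decided by what the assertion macro expands to at build time. The names JSON_ASSERT, JsonArray and parseVec2 are constructed stand-ins for this example, and the sample array contents are constructed.

```cpp
#include <cstdio>
#include <cstdlib>
#include <vector>

// Stand-in for RAPIDJSON_ASSERT (constructed name). Mirrors the default
// behaviour: if a build does not override it, a failed check aborts.
// A build that redefines it to a no-op turns the same failure into an
// unchecked memory access instead of a SIGABRT.
#ifndef JSON_ASSERT
#define JSON_ASSERT(cond)                                              \
    do {                                                               \
        if (!(cond)) {                                                 \
            std::fprintf(stderr, "assertion failed: %s\n", #cond);    \
            std::abort();                                              \
        }                                                              \
    } while (0)
#endif

// Minimal stand-in for a parsed JSON array with the RapidJSON accessor
// contract: operator[] asserts the index is valid and otherwise trusts it.
struct JsonArray {
    std::vector<double> items;

    size_t Size() const { return items.size(); }

    double operator[](size_t i) const {
        JSON_ASSERT(i < items.size());
        return items[i];  // with the assert compiled out this is an OOB read
    }
};

// What a parser reading a two-component value (e.g. a position "k" array)
// should do: verify the element count before indexing, so that neither the
// assertion nor an out-of-bounds read is ever reached on attacker-supplied
// input. Returns false on malformed input instead of crashing.
bool parseVec2(const JsonArray& a, double& x, double& y) {
    if (a.Size() < 2) {
        return false;
    }
    x = a[0];
    y = a[1];
    return true;
}

int main() {
    JsonArray good{{12.5, -3.0}};   // constructed well-formed input
    JsonArray bad{{7.0}};           // constructed truncated input
    double x = 0, y = 0;
    std::printf("good: %s (%g, %g)\n", parseVec2(good, x, y) ? "ok" : "rejected", x, y);
    std::printf("bad: %s\n", parseVec2(bad, x, y) ? "ok" : "rejected");
    // Indexing bad[1] directly would trip JSON_ASSERT and abort(); the
    // explicit Size() check above is what avoids both outcomes.
    return 0;
}
```

The practical reading of the Debian build choice: every place in the parser that still indexes without a Size() or type check fails loudly under the default macro, which is a crash bug rather than a memory-safety bug.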