Hello, Same issue as in my previous emails: camlimages is modified in Ubuntu. I think the security issue is fixed in the latest Debian package (confirmation?). What about the comma added to the Build-Depends: header?
https://patches.ubuntu.com/c/camlimages/camlimages_1:3.0.1-1ubuntu1.patch
diff -pruN 1:3.0.1-1/debian/changelog 1:3.0.1-1ubuntu1/debian/changelog
--- 1:3.0.1-1/debian/changelog 2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/changelog 2009-07-07 18:17:32.000000000 +0100
@@ -1,3 +1,12 @@
+camlimages (1:3.0.1-1ubuntu1) karmic; urgency=low
+
+ * debian/patches/fix_integer_overflows.dpatch:
+ Add patch from ocamlimages 1:3.0.1-2 to fix CVE-2009-2295 as we don't want
+ to transition to OCaml 3.11.1 yet.
+ * debian/control: Add missing comma in Build-Depends (lp: #391546).
+
+ -- Michael Bienia <[email protected]> Tue, 07 Jul 2009 16:54:47 +0200
+
 camlimages (1:3.0.1-1) unstable; urgency=low
 
 [ Ralf Treinen ]
diff -pruN 1:3.0.1-1/debian/control 1:3.0.1-1ubuntu1/debian/control
--- 1:3.0.1-1/debian/control 2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/control 2009-07-07 18:17:32.000000000 +0100
@@ -1,7 +1,8 @@
 Source: camlimages
 Section: devel
 Priority: optional
-Maintainer: Debian OCaml Maintainers <[email protected]>
+Maintainer: Ubuntu Developers <[email protected]>
+XSBC-Original-Maintainer: Debian OCaml Maintainers <[email protected]>
 Uploaders: Ralf Treinen <[email protected]>,
 Stefano Zacchiroli <[email protected]>,
 Sylvain Le Gall <[email protected]>
@@ -20,7 +21,7 @@ Build-Depends: cdbs (>= 0.4.23),
 liblablgtk2-ocaml-dev (>= 2.12.0-2),
 chrpath,
 ghostscript,
- dh-ocaml (>= 0.4.1)
+ dh-ocaml (>= 0.4.1),
 automake1.9
 Standards-Version: 3.8.0
 Vcs-Git: git://git.debian.org/git/pkg-ocaml-maint/packages/camlimages.git
diff -pruN 1:3.0.1-1/debian/patches/00list 1:3.0.1-1ubuntu1/debian/patches/00list
--- 1:3.0.1-1/debian/patches/00list 2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/patches/00list 2009-07-07 18:17:32.000000000 +0100
@@ -1 +1,2 @@
 fix_3_0_1_release
+fix_integer_overflows
diff -pruN 1:3.0.1-1/debian/patches/fix_integer_overflows.dpatch 1:3.0.1-1ubuntu1/debian/patches/fix_integer_overflows.dpatch
--- 1:3.0.1-1/debian/patches/fix_integer_overflows.dpatch 1970-01-01 01:00:00.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/patches/fix_integer_overflows.dpatch 2009-07-07 18:17:32.000000000 +0100
@@ -0,0 +1,89 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_integer_overflows.dpatch by Mehdi Dogguy <[email protected]>
+##
+## DP: Fix multiple integer overflows.
+## DP: http://www.ocert.org/advisories/ocert-2009-009.html
+
+...@dpatch@
+diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
+--- camlimages~/src/pngread.c 2009-06-23 11:22:20.000000000 +0200
++++ camlimages/src/pngread.c 2009-07-03 17:51:31.000000000 +0200
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+ 
++#include <limits.h>
++
+ #include <png.h>
+ 
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+ 
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y) \
++ ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
++
+ value read_png_file_as_rgb24( name )
+ value name;
+ {
+@@ -81,6 +89,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+ 
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -102,10 +113,16 @@
+ 
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ {
+ int i;
+ png_bytep *row_pointers;
+ 
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+ 
+ res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
+ png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
+ 
++ if (oversized (width, height))
++ failwith ("png error: image contains oversized or bogus width and height");
++
+ if ( color_type == PNG_COLOR_TYPE_GRAY ||
+ color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+ png_set_gray_to_rgb(png_ptr);
+@@ -251,6 +271,9 @@
+ 
+ rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+ 
++ if (oversized (rowbytes, height))
++ failwith ("png error: image contains oversized or bogus rowbytes and height");
++
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
+@@ -259,6 +282,9 @@
+ png_bytep *row_pointers;
+ char mesg[256];
+ 
++ if (oversized (sizeof (png_bytep), height))
++ failwith ("png error: image contains oversized or bogus height");
++
+ row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+ res = alloc_tuple(3);
+ 

-- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
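Review bot: The new `failwith` calls in pngread.c raise an OCaml exception and do not return, yet they sit after `png_ptr` and `info_ptr` are already live (both are passed to `png_get_IHDR` just above the first check), and no cleanup is visible in front of any of the six checks. Unless the surrounding functions release them elsewhere, each rejected image would leak the libpng read struct and presumably the open input file, so a long-running consumer fed many malformed PNGs could run out of memory or descriptors; release first, e.g. `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` plus closing the input file before each `failwith`. Separately, the `(x) < 0 || (y) < 0` arms of `oversized` can never fire for unsigned arguments (`sizeof (png_bytep)` always is one, and the declarations of `width`, `height` and `rowbytes` are outside the hunks), so the macro comment should say that rejection then rests on the `INT_MAX / (y)` comparison alone. Both function bodies start and end outside the hunks shown.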

