Your message dated Sat, 09 Oct 2021 12:11:43 +0100
with message-id 
<896b7609401ceb0e1c537222e26587ea2351415d.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in the 10.11 point release
has caused the Debian Bug report #993228,
regarding buster-pu: package gthumb/3:3.6.2-4+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
993228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993228
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu


The attached debdiff for gthumb fixes CVE-2019-20326 in Buster.
The additional patch fixes another non-security related bug and is needed to apply the upstream patch for the CVE.

The CVE is marked as no-dsa by the security team.

After upload of DLA-2066-1 to Jessie-LTS no one complained about something broken.

  Thorsten
diff -Nru gthumb-3.6.2/debian/changelog gthumb-3.6.2/debian/changelog
--- gthumb-3.6.2/debian/changelog       2019-02-24 22:17:43.000000000 +0100
+++ gthumb-3.6.2/debian/changelog       2021-08-26 21:03:02.000000000 +0200
@@ -1,3 +1,15 @@
+gthumb (3:3.6.2-4+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2019-20326 (Closes: #948197)
+    A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg()
+    in extensions/cairo_io/cairo-image-surface-jpeg.c allows attackers to
+    cause a crash and potentially execute arbitrary code via a crafted JPEG
+    file.
+  * additional fix in case orientation swaps width and height
+
+ -- Thorsten Alteholz <[email protected]>  Thu, 26 Aug 2021 21:03:02 +0200
+
 gthumb (3:3.6.2-4) unstable; urgency=medium
 
   * debian/control:
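Review bot: The last bullet of the new entry, "additional fix in case orientation swaps width and height", does not name the patch it refers to or say that the CVE fix depends on it. Naming both files (CVE-2019-20326.patch and error_if_orientation_swaps_width_and_height.patch) in their bullets and stating the dependency would let a reader of the changelog map each entry to a file in debian/patches.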
diff -Nru gthumb-3.6.2/debian/patches/CVE-2019-20326.patch 
gthumb-3.6.2/debian/patches/CVE-2019-20326.patch
--- gthumb-3.6.2/debian/patches/CVE-2019-20326.patch    1970-01-01 
01:00:00.000000000 +0100
+++ gthumb-3.6.2/debian/patches/CVE-2019-20326.patch    2021-08-24 
12:54:08.000000000 +0200
@@ -0,0 +1,105 @@
+Index: gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c
+===================================================================
+--- gthumb-3.6.2.orig/extensions/cairo_io/cairo-image-surface-jpeg.c   
2021-08-24 12:54:05.412649431 +0200
++++ gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c        
2021-08-24 12:54:05.408649432 +0200
+@@ -171,6 +171,7 @@
+       unsigned char                 *surface_row;
+       JSAMPARRAY                     buffer;
+       int                            buffer_stride;
++      int                            scanned_lines;
+       JDIMENSION                     n_lines;
+       JSAMPARRAY                     buffer_row;
+       int                            l;
+@@ -294,6 +295,7 @@
+       _cairo_metadata_set_has_alpha (metadata, FALSE);
+       surface_data = _cairo_image_surface_flush_and_get_data (surface);
+       surface_row = surface_data + line_start;
++      scanned_lines = 0;
+ 
+       switch (srcinfo.out_color_space) {
+       case JCS_CMYK:
+@@ -309,6 +311,8 @@
+                                       goto stop_loading;
+ 
+                               n_lines = jpeg_read_scanlines (&srcinfo, 
buffer, srcinfo.rec_outbuf_height);
++                              if (scanned_lines + n_lines > output_height)
++                                      n_lines = output_height - scanned_lines;
+ 
+                               buffer_row = buffer;
+                               for (l = 0; l < n_lines; l++) {
+@@ -345,6 +349,7 @@
+ 
+                                       surface_row += line_step;
+                                       buffer_row += buffer_stride;
++                                      scanned_lines += 1;
+                               }
+                       }
+               }
+@@ -357,6 +362,8 @@
+                                       goto stop_loading;
+ 
+                               n_lines = jpeg_read_scanlines (&srcinfo, 
buffer, srcinfo.rec_outbuf_height);
++                              if (scanned_lines + n_lines > output_height)
++                                      n_lines = output_height - scanned_lines;
+ 
+                               buffer_row = buffer;
+                               for (l = 0; l < n_lines; l++) {
+@@ -377,6 +384,7 @@
+ 
+                                       surface_row += line_step;
+                                       buffer_row += buffer_stride;
++                                      scanned_lines += 1;
+                               }
+                       }
+               }
+@@ -389,6 +397,8 @@
+                                       goto stop_loading;
+ 
+                               n_lines = jpeg_read_scanlines (&srcinfo, 
buffer, srcinfo.rec_outbuf_height);
++                              if (scanned_lines + n_lines > output_height)
++                                      n_lines = output_height - scanned_lines;
+ 
+                               buffer_row = buffer;
+                               for (l = 0; l < n_lines; l++) {
+@@ -411,6 +421,7 @@
+ 
+                                       surface_row += line_step;
+                                       buffer_row += buffer_stride;
++                                      scanned_lines += 1;
+                               }
+                       }
+               }
+@@ -436,6 +447,8 @@
+                                       goto stop_loading;
+ 
+                               n_lines = jpeg_read_scanlines (&srcinfo, 
buffer, srcinfo.rec_outbuf_height);
++                              if (scanned_lines + n_lines > output_height)
++                                      n_lines = output_height - scanned_lines;
+ 
+                               buffer_row = buffer;
+                               for (l = 0; l < n_lines; l++) {
+@@ -462,6 +475,7 @@
+ 
+                                       surface_row += line_step;
+                                       buffer_row += buffer_stride;
++                                      scanned_lines += 1;
+                               }
+                       }
+               }
+@@ -491,6 +505,8 @@
+                                       goto stop_loading;
+ 
+                               n_lines = jpeg_read_scanlines (&srcinfo, 
buffer, srcinfo.rec_outbuf_height);
++                              if (scanned_lines + n_lines > output_height)
++                                      n_lines = output_height - scanned_lines;
+ 
+                               buffer_row = buffer;
+                               for (l = 0; l < n_lines; l++) {
+@@ -524,6 +540,7 @@
+ 
+                                       surface_row += line_step;
+                                       buffer_row += buffer_stride;
++                                      scanned_lines += 1;
+                               }
+                       }
+               }
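Review bot: In each of the five read loops the new clamp `if (scanned_lines + n_lines > output_height)` mixes the `int` counter `scanned_lines` with `n_lines`, which the first hunk's context shows as libjpeg's unsigned `JDIMENSION`, so the sum and the comparison rely on implicit signed/unsigned conversion. Declaring `scanned_lines` with the same type as `n_lines`, or casting explicitly, would make the bound unambiguous. The two-line clamp and the `scanned_lines += 1` increment are also repeated once per colour-space case; a small helper or macro would keep the five copies from drifting apart.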
diff -Nru 
gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch 
gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch
--- 
gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch   
    1970-01-01 01:00:00.000000000 +0100
+++ 
gthumb-3.6.2/debian/patches/error_if_orientation_swaps_width_and_height.patch   
    2021-08-24 16:22:05.000000000 +0200
@@ -0,0 +1,117 @@
+Index: gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c
+===================================================================
+--- gthumb-3.6.2.orig/extensions/cairo_io/cairo-image-surface-jpeg.c   
2021-08-24 16:15:47.663965223 +0200
++++ gthumb-3.6.2/extensions/cairo_io/cairo-image-surface-jpeg.c        
2021-08-24 16:22:02.507863935 +0200
+@@ -155,6 +155,8 @@
+       JpegInfoFlags                  info_flags;
+       gboolean                       load_scaled;
+       GthTransform                   orientation;
++      int                            output_width;
++      int                            output_height;
+       int                            destination_width;
+       int                            destination_height;
+       int                            line_start;
+@@ -264,9 +266,11 @@
+ 
+       jpeg_start_decompress (&srcinfo);
+ 
++      output_width = MIN (srcinfo.output_width, CAIRO_MAX_IMAGE_SIZE);
++      output_height = MIN (srcinfo.output_height, CAIRO_MAX_IMAGE_SIZE);
+       _cairo_image_surface_transform_get_steps (CAIRO_FORMAT_ARGB32,
+-                                                MIN (srcinfo.output_width, 
CAIRO_MAX_IMAGE_SIZE),
+-                                                MIN (srcinfo.output_height, 
CAIRO_MAX_IMAGE_SIZE),
++                                                output_width,
++                                                output_height,
+                                                 orientation,
+                                                 &destination_width,
+                                                 &destination_height,
+@@ -306,7 +310,7 @@
+                       CMYK_table_init ();
+                       cmyk_tab = CMYK_Tab;
+ 
+-                      while (srcinfo.output_scanline < srcinfo.output_height) 
{
++                      while (srcinfo.output_scanline < output_height) {
+                               if (g_cancellable_is_cancelled (cancellable))
+                                       goto stop_loading;
+ 
+@@ -322,7 +326,7 @@
+                                       if (g_cancellable_is_cancelled 
(cancellable))
+                                               goto stop_loading;
+ 
+-                                      for (x = 0; x < srcinfo.output_width; 
x++) {
++                                      for (x = 0; x < output_width; x++) {
+                                               if (srcinfo.saw_Adobe_marker) {
+                                                       c = p_buffer[0];
+                                                       m = p_buffer[1];
+@@ -357,7 +361,7 @@
+ 
+       case JCS_GRAYSCALE:
+               {
+-                      while (srcinfo.output_scanline < srcinfo.output_height) 
{
++                      while (srcinfo.output_scanline < output_height) {
+                               if (g_cancellable_is_cancelled (cancellable))
+                                       goto stop_loading;
+ 
+@@ -373,7 +377,7 @@
+                                       if (g_cancellable_is_cancelled 
(cancellable))
+                                               goto stop_loading;
+ 
+-                                      for (x = 0; x < srcinfo.output_width; 
x++) {
++                                      for (x = 0; x < output_width; x++) {
+                                               r = g = b = p_buffer[0];
+                                               pixel = CAIRO_RGBA_TO_UINT32 
(r, g, b, 0xff);
+                                               memcpy (p_surface, &pixel, 
sizeof (guint32));
+@@ -392,7 +396,7 @@
+ 
+       case JCS_RGB:
+               {
+-                      while (srcinfo.output_scanline < srcinfo.output_height) 
{
++                      while (srcinfo.output_scanline < output_height) {
+                               if (g_cancellable_is_cancelled (cancellable))
+                                       goto stop_loading;
+ 
+@@ -408,7 +412,7 @@
+                                       if (g_cancellable_is_cancelled 
(cancellable))
+                                               goto stop_loading;
+ 
+-                                      for (x = 0; x < srcinfo.output_width; 
x++) {
++                                      for (x = 0; x < output_width; x++) {
+                                               r = p_buffer[0];
+                                               g = p_buffer[1];
+                                               b = p_buffer[2];
+@@ -442,7 +446,7 @@
+                       g_cr_tab = YCbCr_G_Cr_Tab;
+                       b_cb_tab = YCbCr_B_Cb_Tab;
+ 
+-                      while (srcinfo.output_scanline < srcinfo.output_height) 
{
++                      while (srcinfo.output_scanline < output_height) {
+                               if (g_cancellable_is_cancelled (cancellable))
+                                       goto stop_loading;
+ 
+@@ -458,7 +462,7 @@
+                                       if (g_cancellable_is_cancelled 
(cancellable))
+                                               goto stop_loading;
+ 
+-                                      for (x = 0; x < srcinfo.output_width; 
x++) {
++                                      for (x = 0; x < output_width; x++) {
+                                               Y = p_buffer[0];
+                                               Cb = p_buffer[1];
+                                               Cr = p_buffer[2];
+@@ -500,7 +504,7 @@
+                       CMYK_table_init ();
+                       cmyk_tab = CMYK_Tab;
+ 
+-                      while (srcinfo.output_scanline < srcinfo.output_height) 
{
++                      while (srcinfo.output_scanline < output_height) {
+                               if (g_cancellable_is_cancelled (cancellable))
+                                       goto stop_loading;
+ 
+@@ -516,7 +520,7 @@
+                                       if (g_cancellable_is_cancelled 
(cancellable))
+                                               goto stop_loading;
+ 
+-                                      for (x = 0; x < srcinfo.output_width; 
x++) {
++                                      for (x = 0; x < output_width; x++) {
+                                               Y = p_buffer[0];
+                                               Cb = p_buffer[1];
+                                               Cr = p_buffer[2];
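Review bot: The file is named error_if_orientation_swaps_width_and_height.patch, but none of the visible hunks adds an error path or tests `orientation`; they only store `MIN (srcinfo.output_width, CAIRO_MAX_IMAGE_SIZE)` and `MIN (srcinfo.output_height, CAIRO_MAX_IMAGE_SIZE)` in `output_width` and `output_height` and use those as loop bounds. The patch starts directly at the `Index:` line, so a short header stating its upstream origin and purpose would resolve the mismatch between the name and the content.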
diff -Nru gthumb-3.6.2/debian/patches/series gthumb-3.6.2/debian/patches/series
--- gthumb-3.6.2/debian/patches/series  2019-02-24 22:13:21.000000000 +0100
+++ gthumb-3.6.2/debian/patches/series  2021-08-24 16:03:13.000000000 +0200
@@ -4,3 +4,6 @@
 contact_sheet_theme_not_loaded.patch
 02-preserve_upstream_files.patch
 privacy-breach-C-legal.patch
+
+CVE-2019-20326.patch
+error_if_orientation_swaps_width_and_height.patch
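Review bot: CVE-2019-20326.patch is listed before error_if_orientation_swaps_width_and_height.patch, yet its added lines use `output_height`, which is only declared by the second patch (`int output_height;`). With this order the tree would not build after the first patch alone, and the order is the reverse of the dependency described in the request. Listing the orientation patch first and refreshing both would keep every step of the series buildable. The blank line added before the two new entries is not needed.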

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.11

Hi,

The updates relating to these bugs were included in this morning's
10.11 point release for buster.

Regards,

Adam

--- End Message ---
