Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear release team,
I'd like to update tinyexr in bullseye.

[ Reason ]
The update fixes two vulnerabilities with low priority, i.e.
the security team has decided not to issue a DSA.

[ Impact ]
CVE-2022-34300: Heap overflow in DecodePixelData
CVE-2022-38529: Heap overflow in rleUncompress

[ Tests ]
I have verified that the changes fix the aforementioned vulnerabilities
and do not cause regressions in the package test suite.

[ Risks ]
tinyexr is a low popcon package with two reverse dependencies
(both of which I maintain).
Both code fixes are localized and unlikely to cause further issues.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The update patches two statements in two functions.


Cheers
Timo


diff -Nru tinyexr-1.0.1+dfsg/debian/changelog 
tinyexr-1.0.1+dfsg/debian/changelog
--- tinyexr-1.0.1+dfsg/debian/changelog 2021-08-29 20:43:34.000000000 +0200
+++ tinyexr-1.0.1+dfsg/debian/changelog 2022-10-01 23:13:34.000000000 +0200
@@ -1,3 +1,11 @@
+tinyexr (1.0.1+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Fix low-priority vulnerabilities
+    - CVE-2022-34300: Heap overflow in DecodePixelData
+    - CVE-2022-38529: Heap overflow in rleUncompress
+
+ -- Timo Röhling <roehl...@debian.org>  Sat, 01 Oct 2022 23:13:34 +0200
+
 tinyexr (1.0.1+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.0.1+dfsg
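Review bot: the changelog entry names only the CVE ids; since the patch headers already carry the upstream provenance (commit cc1b199dd17b700c3130a53866ea462ab88e7f82 for CVE-2022-38529 and https://github.com/syoyo/tinyexr/pull/175 for CVE-2022-34300), repeat it here so the stable-update record is readable without opening debian/patches, e.g. `- CVE-2022-38529: Heap overflow in rleUncompress (backport of upstream cc1b199d)`.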
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 
tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 1970-01-01 
01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0005-CVE-2022-38529.patch 2022-10-01 
23:13:34.000000000 +0200
@@ -0,0 +1,25 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehl...@debian.org>
+Date: Thu, 8 Sep 2022 19:31:26 +0200
+Subject: CVE-2022-38529
+
+Fix heap buffer overflow in rleUncompress.
+Backported from upstream commit cc1b199dd17b700c3130a53866ea462ab88e7f82
+
+Forwarded: not-needed
+---
+ tinyexr.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index eb5e5c0..ba05fdf 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -1480,7 +1480,7 @@ static int rleUncompress(int inLength, int maxLength, 
const signed char in[],
+       int count = *in++;
+       inLength -= 2;
+ 
+-      if (0 > (maxLength -= count + 1)) return 0;
++      if (0 > (maxLength -= count + 1) || inLength < 0) return 0;
+ 
+       memset(out, *reinterpret_cast<const char *>(in), count + 1);
+       out += count + 1;
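Review bot: the added `|| inLength < 0` is evaluated after `inLength -= 2`, which is the right place: an input that ends on a positive count byte enters the loop with `inLength == 1`, consumes it via `*in++`, and without the check falls through (once `maxLength` permits) to `memset(out, *reinterpret_cast<const char *>(in), count + 1)`, which dereferences one byte past the end of `in`. The patch header records the whole change as 1 insertion and 1 deletion, so the literal-copy branch of the same loop (the `*in < 0` case, outside the context shown), which also subtracts `count + 1` from `inLength` before its `memcpy`, is not touched; confirm that branch is already bounded or that the cited upstream commit needs no change there, otherwise a truncated literal run still reads past `in`. A regression test feeding a single positive byte and asserting the function returns 0 would pin the behaviour this line fixes.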
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 
tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch
--- tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 1970-01-01 
01:00:00.000000000 +0100
+++ tinyexr-1.0.1+dfsg/debian/patches/0006-CVE-2022-34300.patch 2022-10-01 
23:13:34.000000000 +0200
@@ -0,0 +1,26 @@
+From: =?utf-8?q?Timo_R=C3=B6hling?= <roehl...@debian.org>
+Date: Thu, 8 Sep 2022 20:38:54 +0200
+Subject: CVE-2022-34300
+
+Fix heap buffer overflow in DecodePixelData.
+
+Forwarded: https://github.com/syoyo/tinyexr/pull/175
+---
+ tinyexr.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tinyexr.h b/tinyexr.h
+index ba05fdf..c36e6ec 100644
+--- a/tinyexr.h
++++ b/tinyexr.h
+@@ -3568,8 +3568,8 @@ static bool DecodePixelData(/* out */ unsigned char 
**out_images,
+         assert(requested_pixel_types[c] == TINYEXR_PIXELTYPE_FLOAT);
+         for (size_t v = 0; v < static_cast<size_t>(num_lines); v++) {
+           const float *line_ptr = reinterpret_cast<float *>(&outBuf.at(
+-              v * pixel_data_size * static_cast<size_t>(x_stride) +
+-              channel_offset_list[c] * static_cast<size_t>(x_stride)));
++              v * pixel_data_size * static_cast<size_t>(width) +
++              channel_offset_list[c] * static_cast<size_t>(width)));
+           for (size_t u = 0; u < static_cast<size_t>(width); u++) {
+             float val;
+             // val = line_ptr[u];
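Review bot: using `width` for both the line pitch and the channel offset matches `outBuf` being laid out as `num_lines` lines of `width` pixels, whereas `x_stride` appears to be the pitch of the destination `out_images`; with `x_stride > width` the old index therefore ran past the end of `outBuf` on later lines. Note that `outBuf.at()` bounds-checks only the first element of each line; the following `line_ptr[u]` reads for `u < width` are unchecked, so correctness still depends on `outBuf` having been allocated as `num_lines * pixel_data_size * width` bytes. Suggest a regression test that decodes an image whose `x_stride` differs from `width`, and a check that the HALF and UINT branches of the same function (not in the context shown; the patch is 2 insertions and 2 deletions at this one spot) compute their line offsets the same way.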
diff -Nru tinyexr-1.0.1+dfsg/debian/patches/series 
tinyexr-1.0.1+dfsg/debian/patches/series
--- tinyexr-1.0.1+dfsg/debian/patches/series    2021-08-29 20:43:34.000000000 
+0200
+++ tinyexr-1.0.1+dfsg/debian/patches/series    2022-10-01 23:13:34.000000000 
+0200
@@ -2,3 +2,5 @@
 0002-Explicitly-export-required-symbols.patch
 0003-Fix-CMake-build-system.patch
 0004-Add-test-executable-for-CTest.patch
+0005-CVE-2022-38529.patch
+0006-CVE-2022-34300.patch
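Review bot: the order is correct and must be kept: 0006's `index ba05fdf..c36e6ec` starts from the blob that 0005 produces (`index eb5e5c0..ba05fdf`), so swapping the entries would make 0006 fail to apply cleanly. For consistency with 0002 to 0004, consider giving the new patches a descriptive suffix after the CVE id (e.g. `0005-CVE-2022-38529-rleUncompress-bounds.patch`) so the series reads without opening each file.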
