Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: iml...@packages.debian.org, a...@debian.org
Control: affects -1 + src:imlib2

[ Reason ]
Fixing CVE-2024-25447, CVE-2024-25448 and CVE-2024-25450 in bullseye.

[ Impact ]
The CVEs remain unfixed in bullseye while they are already fixed in stable and newer distributions.

[ Tests ]
Code changes are trivial.

[ Risks ]
Code changes are trivial and are already present in bookworm. No regressions have been reported.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
A variable in the tgaflip function was multiplied by the height and not the width, which can cause a heap buffer overflow.

diff -Nru imlib2-1.7.1/debian/changelog imlib2-1.7.1/debian/changelog --- imlib2-1.7.1/debian/changelog 2021-01-23 22:00:25.000000000 +0100 +++ imlib2-1.7.1/debian/changelog 2024-04-06 22:40:50.000000000 +0200 @@ -1,3 +1,11 @@ +imlib2 (1.7.1-2+deb11u1) bullseye; urgency=medium + + * Fix CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450. + A heap-buffer overflow vulnerability was discovered in imlib2 when using + the tgaflip function in loader_tga.c + + -- Markus Koschany <a...@debian.org> Sat, 06 Apr 2024 22:40:50 +0200 + imlib2 (1.7.1-2) unstable; urgency=medium * Drop obsolete libltdl3-dev dependency. diff -Nru imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch --- imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch 1970-01-01 01:00:00.000000000 +0100 +++ imlib2-1.7.1/debian/patches/CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch 2024-04-06 22:40:50.000000000 +0200 
@@ -0,0 +1,26 @@ +From: Markus Koschany <a...@debian.org> +Date: Fri, 5 Apr 2024 16:29:27 +0200 +Subject: CVE-2024-25447 and CVE-2024-25448 and CVE-2024-25450 + +Origin: https://git.enlightenment.org/old/legacy-imlib2/commit/e9c09deb08047c9e902ce37144e82b6edb8aedb6 +--- + src/modules/loaders/loader_tga.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c +index e9729b0..ae96a3b 100644 +--- a/src/modules/loaders/loader_tga.c ++++ b/src/modules/loaders/loader_tga.c +@@ -595,9 +595,9 @@ tgaflip(DATA32 * in, int w, int h, int fliph, int flipv) + x2 = fliph ? w - 1 : 0; + for (x = 0; x < nx; x++, x2 += dx) + { +- tmp = in[y * h + x]; +- in[y * h + x] = in[y2 * h + x2]; +- in[y2 * h + x2] = tmp; ++ tmp = in[y * w + x]; ++ in[y * w + x] = in[y2 * w + x2]; ++ in[y2 * w + x2] = tmp; + } + } + } diff -Nru imlib2-1.7.1/debian/patches/series imlib2-1.7.1/debian/patches/series --- imlib2-1.7.1/debian/patches/series 2021-01-23 22:00:25.000000000 +0100 +++ imlib2-1.7.1/debian/patches/series 2024-04-06 22:40:50.000000000 +0200 @@ -1 +1,2 @@ 01_removed-data-dir.patch +CVE-2024-25447-and-CVE-2024-25448-and-CVE-2024-25450.patch
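
Review bot: in the tgaflip hunk of loader_tga.c, the corrected index `y * w + x` is still computed in int (the signature takes `int w, int h`), and nothing in the visible lines bounds the dimensions. It is worth confirming that the caller rejects oversized w and h before tgaflip runs, or doing the index arithmetic in size_t. The old and new expressions are identical when w == h, so a regression test for this fix needs a non-square TGA with fliph or flipv set; the request's [ Tests ] section lists none.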
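
Review bot: the debian/changelog hunk names the CVEs and the affected function but not the change itself or the patch that carries it. A line stating that tgaflip now uses the width `w` instead of the height `h` as the row stride, with a reference to the new file under debian/patches, would let a reader of the changelog see what was altered. The patch header has an `Origin:` field only; if tracker bugs exist for these CVEs, a matching Bug or Bug-Debian field and a Closes entry in the changelog would tie them together.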