Package: release.debian.org Severity: normal Tags: trixie User: [email protected] Usertags: pu
Dear Release Team,
rLottie is a platform independent C++ library for rendering vector based
animations and art. Its format is used by Telegram Desktop, the only
reverse dependency in Debian.
[ Reason ]
Several flaws caused by C++ undefined behaviour in this library have
recently been reported as CVE issues. The proposed update is fixing
three of them along with a smaller defect in the existing patch.
[ Impact ]
The update provides fixes for relatively harmless crashes which may
happen during rendering of specially crafted animations. Telegram
servers additionally filter such animations before sending stickers to
the client. There is a theoretical possibility of bypassing the check
and doing something malicious with user's account, though.
[ Tests ]
I did manual tests in Debian 13.5 booted from Live ISO in VirtualBox. No
glitches in animated stickers were spotted.
[ Risks ]
Minimal. There is only one dependant package in trixie-backports.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in stable
[x] the issue is verified as fixed in unstable
[ Changes ]
rlottie (0.1+dfsg-4.2+deb13u2) trixie; urgency=medium
* Fix off-by-one error in Fortify-FreeType-raster.patch.
* Add Fixed-vpath-potential-issue.patch to fix CVE-2026-47319.
(Closes: #1138919)
* Add Limit-recursion-in-LOTLayerItem.patch to fix CVE-2026-47320.
(Closes: #1138920)
* New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305.
(Closes: #1139179)
* New Fix-heap-buffer-overflow-from-short-truncation.patch.
The latter Fix-heap-buffer-overflow-from-short-truncation.patch came the
day before yesterday from the pull request on GitHub, and the fix is not
yet uploaded to unstable. I am going to include the patch into the
future -6 revision before the next year or sooner when enough other
changes accumulate. I hope I might be forgiven for this deviation from
the updating procedure, considering the short time remaining until the
upcoming point release.
[ Other info ]
I discussed the changes with the Security Team and Moritz Mühlenhoff
assured me that no DSA is needed in this case. So I already uploaded the
update using dput(1).
diffstat for rlottie-0.1+dfsg rlottie-0.1+dfsg changelog | 13 ++ patches/Fix-crash-on-invalid-data.patch | 12 -- patches/Fix-heap-buffer-overflow-from-short-truncation.patch | 31 +++++ patches/Fixed-signed-shift-issue.patch | 64 +++++++++++ patches/Fixed-vpath-potential-issue.patch | 29 ++++ patches/Fortify-FreeType-raster.patch | 4 patches/Limit-recursion-in-LOTLayerItem.patch | 39 ++++++ patches/series | 4 8 files changed, 183 insertions(+), 13 deletions(-) diff -Nru rlottie-0.1+dfsg/debian/changelog rlottie-0.1+dfsg/debian/changelog --- rlottie-0.1+dfsg/debian/changelog 2025-11-25 14:05:10.000000000 +0300 +++ rlottie-0.1+dfsg/debian/changelog 2026-07-03 14:01:02.000000000 +0300 @@ -1,3 +1,16 @@ +rlottie (0.1+dfsg-4.2+deb13u2) trixie; urgency=medium + + * Fix off-by-one error in Fortify-FreeType-raster.patch. + * Add Fixed-vpath-potential-issue.patch to fix CVE-2026-47319. + (Closes: #1138919) + * Add Limit-recursion-in-LOTLayerItem.patch to fix CVE-2026-47320. + (Closes: #1138920) + * New Fixed-signed-shift-issue.patch probably fixes CVE-2026-10305. + (Closes: #1139179) + * New Fix-heap-buffer-overflow-from-short-truncation.patch. + + -- Nicholas Guriev <[email protected]> Fri, 03 Jul 2026 14:01:02 +0300 + rlottie (0.1+dfsg-4.2+deb13u1) trixie; urgency=medium * Non-maintainer upload by the LTS Team. diff -Nru rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch --- rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch 2021-05-22 19:07:06.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Fix-crash-on-invalid-data.patch 2026-07-01 17:17:45.000000000 +0300 @@ -52,17 +52,7 @@ void LOTGradient::update(std::unique_ptr<VGradient> &grad, int frameNo) --- a/src/vector/vdrawhelper.cpp +++ b/src/vector/vdrawhelper.cpp -@@ -146,6 +146,9 @@ bool VGradientCache::generateGradientCol - float opacity, - uint32_t *colorTable, int size) - { -+ if (stops.empty()) { -+ return false; -+ } - int dist, idist, pos = 0; - size_t i; - bool alpha = false; -@@ -165,7 +168,7 @@ bool VGradientCache::generateGradientCol +@@ -165,7 +165,7 @@ bool VGradientCache::generateGradientCol colorTable[pos++] = curColor; diff -Nru rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch --- rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch 1970-01-01 03:00:00.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Fixed-signed-shift-issue.patch 2026-07-01 17:17:45.000000000 +0300 @@ -0,0 +1,64 @@ +Description: Fixed signed shift issue, CVE-2026-10305 +Author: Michal Szczecinski <[email protected]> +Origin: https://github.com/Samsung/rlottie/commit/b4f5101a4d1a8da60cc14cfd05608551b3448c77 +Forwarded: https://github.com/Samsung/rlottie/pull/587 +Bug-Debian: https://bugs.debian.org/1139179 +Acked-By: Nicholas Guriev <[email protected]> +Last-Update: Tue, 09 Jun 2026 16:16:06 +0300 + +--- a/src/vector/freetype/v_ft_raster.cpp ++++ b/src/vector/freetype/v_ft_raster.cpp +@@ -198,17 +198,17 @@ typedef struct SW_FT_Outline_Funcs_ { + #define ONE_PIXEL (1L << PIXEL_BITS) + #define PIXEL_MASK (-1L << PIXEL_BITS) + #define TRUNC(x) ((TCoord)((x) >> PIXEL_BITS)) +-#define SUBPIXELS(x) ((TPos)(x) << PIXEL_BITS) ++#define SUBPIXELS(x) ((TPos)((unsigned long)(x) << PIXEL_BITS)) + #define FLOOR(x) ((x) & -ONE_PIXEL) + #define CEILING(x) (((x) + ONE_PIXEL - 1) & -ONE_PIXEL) + #define ROUND(x) (((x) + ONE_PIXEL / 2) & -ONE_PIXEL) + + #if PIXEL_BITS >= 6 +-#define UPSCALE(x) ((x) << (PIXEL_BITS - 6)) ++#define UPSCALE(x) ((TPos)((unsigned long)(x) << (PIXEL_BITS - 6))) + #define DOWNSCALE(x) ((x) >> (PIXEL_BITS - 6)) + #else +-#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS)) +-#define DOWNSCALE(x) ((x) << (6 - PIXEL_BITS)) ++#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS)) ++#define DOWNSCALE(x) ((TPos)((unsigned long)(x) << (6 - PIXEL_BITS))) + #endif + + /* Compute `dividend / divisor' and return both its quotient and */ +@@ -1072,7 +1072,7 @@ static int SW_FT_Outline_Decompose(const + void* user) + { + #undef SCALED +-#define SCALED(x) (((x) << shift) - delta) ++#define SCALED(x) ((TPos)((unsigned long)(x) << shift) - delta) + + SW_FT_Vector v_last; + SW_FT_Vector v_control; +--- a/src/vector/vdrawhelper.cpp ++++ b/src/vector/vdrawhelper.cpp +@@ -156,6 +156,11 @@ bool VGradientCache::generateGradientCol + + if (!vCompare(opacity, 1.0f)) alpha = true; + ++ if (stopCount == 0) { ++ for (int j = 0; j < size; ++j) colorTable[j] = 0; ++ return alpha; ++ } ++ + start = stops.data(); + curr = start; + if (!curr->second.isOpaque()) alpha = true; +@@ -171,7 +176,7 @@ bool VGradientCache::generateGradientCol + fpos += incr; + } + +- for (i = 0; i < stopCount - 1; ++i) { ++ for (i = 0; i + 1 < stopCount; ++i) { + curr = (start + i); + next = (start + i + 1); + delta = 1 / (next->first - curr->first); diff -Nru rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch --- rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch 1970-01-01 03:00:00.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Fixed-vpath-potential-issue.patch 2026-07-01 17:17:45.000000000 +0300 @@ -0,0 +1,29 @@ +Description: Fix potential huge memory allocation in VPath + Fixes CVE-2026-47319 +Author: Michal Szczecinski <[email protected]> +Origin: https://github.com/Samsung/rlottie/commit/5def9f402b1cb5b09f52655e414f0afba4ffd959 +Forwarded: https://github.com/Samsung/rlottie/pull/588 +Bug-Debian: https://bugs.debian.org/1138919 +Acked-By: Nicholas Guriev <[email protected]> +Last-Update: Tue, 09 Jun 2026 16:16:04 +0300 + +--- a/src/vector/vpath.cpp ++++ b/src/vector/vpath.cpp +@@ -514,6 +514,8 @@ void VPath::VPathData::addPolystar(float + float outerRoundness, float startAngle, + float cx, float cy, VPath::Direction dir) + { ++ constexpr float MAX_POLY_POINTS = 1024.0f; ++ if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS; + const static float POLYSTAR_MAGIC_NUMBER = 0.47829f / 0.28f; + float currentAngle = (startAngle - 90.0f) * K_PI / 180.0f; + float x; +@@ -619,6 +621,8 @@ void VPath::VPathData::addPolygon(float + VPath::Direction dir) + { + // TODO: Need to support floating point number for number of points ++ constexpr float MAX_POLY_POINTS = 1024.0f; ++ if (points > MAX_POLY_POINTS) points = MAX_POLY_POINTS; + const static float POLYGON_MAGIC_NUMBER = 0.25; + float currentAngle = (startAngle - 90.0f) * K_PI / 180.0f; + float x; diff -Nru rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch --- rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch 1970-01-01 03:00:00.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Fix-heap-buffer-overflow-from-short-truncation.patch 2026-07-02 08:27:08.000000000 +0300 @@ -0,0 +1,31 @@ +Description: Fix heap buffer overflow from short truncation of span Y coordinate + SW_FT_Span.y is a 16-bit short, so limit our coordinates appropriately. The + clamp (and its "is an integer" comment) was inherited from upstream FreeType's + ftgrays.c, where FT_Span has no y field and the scanline y is carried + separately as an int. rLottie added a `short y` to the span struct without + adapting the clamp, so the INT_MAX bound never prevented the (short) narrowing + at the store site. + . + This patch based on Michal Maciola's pull request with the numeral literals + replaced by the standard macro from the <limits.h> header. +Forwarded: https://github.com/Samsung/rlottie/pull/595 +Author: Michal Maciola <[email protected]> +Acked-By: Nicholas Guriev <[email protected]> +Last-Updated: Thu, 02 Jul 2026 07:55:03 +0300 + +--- a/src/vector/freetype/v_ft_raster.cpp ++++ b/src/vector/freetype/v_ft_raster.cpp +@@ -935,10 +935,10 @@ static void gray_hline(RAS_ARG_ TCoord x + x += (TCoord)ras.min_ex; + + /* SW_FT_Span.x is a 16-bit short, so limit our coordinates appropriately */ +- if (x >= 32767) x = 32767; ++ if (x >= SHRT_MAX) x = SHRT_MAX; + +- /* SW_FT_Span.y is an integer, so limit our coordinates appropriately */ +- if (y >= SW_FT_INT_MAX) y = SW_FT_INT_MAX; ++ /* SW_FT_Span.y is a 16-bit short, so limit our coordinates appropriately */ ++ if (y >= SHRT_MAX) y = SHRT_MAX; + + if (coverage) { + SW_FT_Span* span; diff -Nru rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch --- rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch 2022-03-04 18:11:16.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Fortify-FreeType-raster.patch 2026-07-01 17:17:45.000000000 +0300 @@ -4,7 +4,7 @@ . Also check the number of ycells in gray_find_cell(). Author: Nicholas Guriev <[email protected]> -Last-Update: Wed, 02 Mar 2022 19:12:30 +0300 +Last-Update: Thu, 23 Apr 2026 13:06:37 +0300 --- a/src/vector/freetype/v_ft_raster.cpp +++ b/src/vector/freetype/v_ft_raster.cpp @@ -56,7 +56,7 @@ } Split: -+ if (arc + 6 > std::end(ras.bez_stack)) return; ++ if (arc + 6 >= std::end(ras.bez_stack)) return; + gray_split_cubic(arc); arc += 3; diff -Nru rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch --- rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch 1970-01-01 03:00:00.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/Limit-recursion-in-LOTLayerItem.patch 2026-07-01 17:17:45.000000000 +0300 @@ -0,0 +1,39 @@ +Description: Limit recurion depth in LOTLayerItem + This patch is based on Michal Szczecinski's commit and adapted to version 0.1 + before Lottie model refactoring. Should fix CVE-2026-47320. + . + https://github.com/Samsung/rlottie/commit/bf689b72b8482c5ea674235854bd11b6d1b42588 +Author: Nicholas Guriev <[email protected]> +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/1138920 +Last-Update: Tue, 09 Jun 2026 16:16:05 +0300 + +--- a/src/lottie/lottieitem.cpp ++++ b/src/lottie/lottieitem.cpp +@@ -419,8 +419,13 @@ void LOTLayerItem::update(int frameNumbe + + VMatrix LOTLayerItem::matrix(int frameNo) const + { +- return mParentLayer +- ? (mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo)) ++ return matrix(frameNo, 0); ++} ++ ++VMatrix LOTLayerItem::matrix(int frameNo, int depth) const ++{ ++ return mParentLayer && depth < 64 ++ ? mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo, depth + 1) + : mLayerData->matrix(frameNo); + } + +--- a/src/lottie/lottieitem.h ++++ b/src/lottie/lottieitem.h +@@ -180,6 +180,8 @@ protected: + float opacity(int frameNo) const {return mLayerData->opacity(frameNo);} + inline DirtyFlag flag() const {return mDirtyFlag;} + bool skipRendering() const {return (!visible() || vIsZero(combinedAlpha()));} ++private: ++ VMatrix matrix(int frameNo, int depth) const; + protected: + std::unique_ptr<LOTLayerMaskItem> mLayerMask; + LOTLayerData *mLayerData{nullptr}; diff -Nru rlottie-0.1+dfsg/debian/patches/series rlottie-0.1+dfsg/debian/patches/series --- rlottie-0.1+dfsg/debian/patches/series 2025-11-18 21:02:45.000000000 +0300 +++ rlottie-0.1+dfsg/debian/patches/series 2026-07-02 08:27:08.000000000 +0300 @@ -27,3 +27,7 @@ fix-static-variable-delete.patch CVE-2025-0634-CVE-2025-53074-CVE-2025-53075.patch +Fixed-vpath-potential-issue.patch +Limit-recursion-in-LOTLayerItem.patch +Fixed-signed-shift-issue.patch +Fix-heap-buffer-overflow-from-short-truncation.patch
signature.asc
Description: This is a digitally signed message part.

