Your message dated Sat, 11 Jul 2026 10:32:47 +0000
with message-id <[email protected]>
and subject line Released in 13.6
has caused the Debian Bug report #1140695,
regarding trixie-pu: package libass/1:0.17.3-1+deb13u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1140695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1140695
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:libass
User: [email protected]
Usertags: pu

[ Reason ]
The update contains an upstream provided fix for a out-of-bounds read
and write issue with malicious ASS file. The issue is tracked as
GHSA-pjjp-65r7-ppgm.

https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm

The same fix is included in 1:0.17.5-1 in unstable.

[ Impact ]
A security issue remains unfixed.

[ Tests ]
None, backport of an upstream provided fix.

[ Risks ]
Regressions would also affect unstable and we can backport necessary
fixes in future stable updates.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Path from upstream and an undocumented update for debian/gbp.conf to
track the correct branches.

[ Other info ]
I have already uploaded the changes.

Cheers
-- 
Sebastian Ramacher
diff -Nru libass-0.17.3/debian/changelog libass-0.17.3/debian/changelog
--- libass-0.17.3/debian/changelog      2024-07-04 19:58:16.000000000 +0200
+++ libass-0.17.3/debian/changelog      2026-06-24 19:36:02.000000000 +0200
@@ -1,3 +1,11 @@
+libass (1:0.17.3-1+deb13u1) trixie; urgency=medium
+
+  [ Oneric ]
+  * Backport security fixes from 0.15.5 to 0.17.3
+    - Out-of-bounds read and write in wrap_lines_measure (GHSA-pjjp-65r7-ppgm)
+
+ -- Sebastian Ramacher <[email protected]>  Wed, 24 Jun 2026 19:36:02 +0200
+
 libass (1:0.17.3-1) unstable; urgency=medium
 
   * New upstream version 0.17.3
diff -Nru libass-0.17.3/debian/gbp.conf libass-0.17.3/debian/gbp.conf
--- libass-0.17.3/debian/gbp.conf       2022-05-14 09:59:38.000000000 +0200
+++ libass-0.17.3/debian/gbp.conf       2026-06-24 19:08:12.000000000 +0200
@@ -1,3 +1,4 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = master
+debian-branch = debian/trixie
+upstream-branch = upstream.trixie
diff -Nru 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
--- 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
    1970-01-01 01:00:00.000000000 +0100
+++ 
libass-0.17.3/debian/patches/0001-render-wrap_lines_measure-fix-oob-read-and-write.patch
    2026-06-24 19:18:54.000000000 +0200
@@ -0,0 +1,66 @@
+From: Oneric <[email protected]>
+Date: Wed, 27 May 2026 00:00:00 +0000
+Subject: render/wrap_lines_measure: fix oob read and write
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+If the last line of an event consisted entirely of skippable characters
+yet could not be trimmed away entirely early on in parsing the
+while loops in wrap_line_measure overshot the end of the glyph array
+by one entry.
+This can happen in wrap modes other than two if a line ends with a '\n'
+sequence and otherwise consists entirely of this sequence or spaces.
+
+If furthermore the total text size exactly matches the
+currently allocated size of the glyph array, this first
+lead to reading a 32-bit fixed-point value (pos.x)
+from uninitialised memory.
+
+By itself this would have been entirely harmless since
+the read value never ends up being used if the first loop
+overread and in the second loop the read value is not applied
+to any real glyph or line property and thus unobservable.
+
+However, the second while loop also writes two 32-bit fixed point
+values to the overread position (pos.x and pos.y).
+Due to using the overread value itself here this ended up
+zeroing out the first and adding an easily controllable offset
+to the second.
+
+A POC for the second out-of-bound read was originally reported
+by Ada Logics’ David Korczynski who in turn was validating
+scan reports generated by Anthropic using their Claude tool.
+
+Fixes: https://github.com/libass/libass/security/advisories/GHSA-pjjp-65r7-ppgm
+---
+ libass/ass_render.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/libass/ass_render.c b/libass/ass_render.c
+index d7f143d..4a4a58b 100644
+--- a/libass/ass_render.c
++++ b/libass/ass_render.c
+@@ -1881,13 +1881,21 @@ wrap_lines_measure(RenderContext *state, char *unibrks)
+ 
+     while (i < text_info->length && text_info->glyphs[i].skip)
+         ++i;
++
++    if (i == text_info->length) {
++        text_info->lines[0].len = 0;
++        text_info->lines[0].offset = 0;
++        return;
++    }
++
+     double pen_shift_x = d6_to_double(-text_info->glyphs[i].pos.x);
+     double pen_shift_y = 0.;
+ 
+     for (i = 0; i < text_info->length; ++i) {
+         GlyphInfo *cur = text_info->glyphs + i;
++
+         if (cur->linebreak) {
+-            while (i < text_info->length && cur->skip && 
!FORCEBREAK(cur->symbol, i))
++            while (i < text_info->length - 1 && cur->skip && 
!FORCEBREAK(cur->symbol, i))
+                 cur = text_info->glyphs + ++i;
+             double height =
+                 text_info->lines[cur_line - 1].desc +
diff -Nru libass-0.17.3/debian/patches/series 
libass-0.17.3/debian/patches/series
--- libass-0.17.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libass-0.17.3/debian/patches/series 2026-06-24 19:18:54.000000000 +0200
@@ -0,0 +1 @@
+0001-render-wrap_lines_measure-fix-oob-read-and-write.patch

--- End Message ---
--- Begin Message ---
Version: 13.6

This update was released as part of 13.6.

--- End Message ---

Reply via email to