Bug#849725: jessie-pu cairo/1.14.0-2.1+deb8u2

2017-01-02 Thread Adam D. Barratt 
Control: tags -1 + pending

Hi,

On Sat, 2016-12-31 at 20:08 +0100, Salvatore Bonaccorso wrote:
> Hi Adam,
> 
> On Sat, Dec 31, 2016 at 04:58:46PM +, Adam D. Barratt wrote:
> > Control: tags -1 + confirmed
> > 
> > On Fri, 2016-12-30 at 07:52 +0100, Salvatore Bonaccorso wrote:
> > > src:cairo in jessie is affected by CVE-2016-9082 which would not
> > > warrant a DSA. A while back in october the issue was already fixed in
> > > unstable, cf. #842289. I would like to propose the attached debdiff
> > > for the upcoming point release.
> > 
> > Please go ahead.
> 
> Thanks uploaded.

Flagged for acceptance; thanks.

> > > Note: in the 1.14.0-2.1 -> 1.14.0-2.1+deb8u1 the binary package
> > > binary-cairo-perf-utils got one more binary added
> > > (/usr/bin/cairo-perf-graph-files). Whit this update that goes back to
> > > the 1.14.0-2.1 situation.
> > 
> > Do we know why that happened?
> 
> I do not know. Cc'ing Moritz. But I guess the build environment might
> have had an addtional package installed. Because it is not the case
> for the binary packages built by the buildd's, e.g. i386:
> 
> $ debdiff cairo-perf-utils_1.14.0-2.1_i386.deb 
> cairo-perf-utils_1.14.0-2.1+deb8u1_i386.deb
> File lists identical (after any substitutions)
> 
> Control files: lines which differ (wdiff format)
> 
> Version: [-1.14.0-2.1-] {+1.14.0-2.1+deb8u1+}

Okay, thanks.

Regards,

Adam

Bug#849725: jessie-pu cairo/1.14.0-2.1+deb8u2

2016-12-31 Thread Salvatore Bonaccorso 
Hi Adam,

On Sat, Dec 31, 2016 at 04:58:46PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2016-12-30 at 07:52 +0100, Salvatore Bonaccorso wrote:
> > src:cairo in jessie is affected by CVE-2016-9082 which would not
> > warrant a DSA. A while back in october the issue was already fixed in
> > unstable, cf. #842289. I would like to propose the attached debdiff
> > for the upcoming point release.
> 
> Please go ahead.

Thanks uploaded.

> > Note: in the 1.14.0-2.1 -> 1.14.0-2.1+deb8u1 the binary package
> > binary-cairo-perf-utils got one more binary added
> > (/usr/bin/cairo-perf-graph-files). Whit this update that goes back to
> > the 1.14.0-2.1 situation.
> 
> Do we know why that happened?

I do not know. Cc'ing Moritz. But I guess the build environment might
have had an addtional package installed. Because it is not the case
for the binary packages built by the buildd's, e.g. i386:

$ debdiff cairo-perf-utils_1.14.0-2.1_i386.deb 
cairo-perf-utils_1.14.0-2.1+deb8u1_i386.deb
File lists identical (after any substitutions)

Control files: lines which differ (wdiff format)

Version: [-1.14.0-2.1-] {+1.14.0-2.1+deb8u1+}

Regards,
Salvatore

Bug#849725: jessie-pu cairo/1.14.0-2.1+deb8u2

2016-12-31 Thread Adam D. Barratt 
Control: tags -1 + confirmed

On Fri, 2016-12-30 at 07:52 +0100, Salvatore Bonaccorso wrote:
> src:cairo in jessie is affected by CVE-2016-9082 which would not
> warrant a DSA. A while back in october the issue was already fixed in
> unstable, cf. #842289. I would like to propose the attached debdiff
> for the upcoming point release.

Please go ahead.

> Note: in the 1.14.0-2.1 -> 1.14.0-2.1+deb8u1 the binary package
> binary-cairo-perf-utils got one more binary added
> (/usr/bin/cairo-perf-graph-files). Whit this update that goes back to
> the 1.14.0-2.1 situation.

Do we know why that happened?

Regards,

Adam

Bug#849725: jessie-pu cairo/1.14.0-2.1+deb8u2

2016-12-29 Thread Salvatore Bonaccorso 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu

Hi

src:cairo in jessie is affected by CVE-2016-9082 which would not
warrant a DSA. A while back in october the issue was already fixed in
unstable, cf. #842289. I would like to propose the attached debdiff
for the upcoming point release.

Note: in the 1.14.0-2.1 -> 1.14.0-2.1+deb8u1 the binary package
binary-cairo-perf-utils got one more binary added
(/usr/bin/cairo-perf-graph-files). Whit this update that goes back to
the 1.14.0-2.1 situation.

Regards,
Salvatore
diff -Nru cairo-1.14.0/debian/changelog cairo-1.14.0/debian/changelog
--- cairo-1.14.0/debian/changelog   2016-03-19 22:38:11.0 +0100
+++ cairo-1.14.0/debian/changelog   2016-12-30 07:30:39.0 +0100
@@ -1,3 +1,12 @@
+cairo (1.14.0-2.1+deb8u2) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-9082: DoS attack based on using SVG to generate invalid pointers
+from a _cairo_image_surface in write_png.
+(Closes: #842289)
+
+ -- Salvatore Bonaccorso   Fri, 30 Dec 2016 07:30:39 +0100
+
 cairo (1.14.0-2.1+deb8u1) jessie; urgency=medium
 
   * Fix CVE-2016-3190
diff -Nru cairo-1.14.0/debian/patches/CVE-2016-9082.patch 
cairo-1.14.0/debian/patches/CVE-2016-9082.patch
--- cairo-1.14.0/debian/patches/CVE-2016-9082.patch 1970-01-01 
01:00:00.0 +0100
+++ cairo-1.14.0/debian/patches/CVE-2016-9082.patch 2016-12-30 
07:30:39.0 +0100
@@ -0,0 +1,107 @@
+From c812d1c1935cccf096a60ad904e640fdc83bd41c Mon Sep 17 00:00:00 2001
+From: Adrian Johnson 
+Date: Thu, 20 Oct 2016 21:12:30 +1030
+Subject: [PATCH] image: prevent invalid ptr access for > 4GB images
+
+Image data is often accessed using:
+
+  image->data + y * image->stride
+
+On 64-bit achitectures if the image data is > 4GB, this computation
+will overflow since both y and stride are 32-bit types.
+
+https://bugs.freedesktop.org/show_bug.cgi?id=98165
+---
+ boilerplate/cairo-boilerplate.c | 4 +++-
+ src/cairo-image-compositor.c| 4 ++--
+ src/cairo-image-surface-private.h   | 2 +-
+ src/cairo-mesh-pattern-rasterizer.c | 2 +-
+ src/cairo-png.c | 2 +-
+ src/cairo-script-surface.c  | 3 ++-
+ 6 files changed, 10 insertions(+), 7 deletions(-)
+
+--- a/boilerplate/cairo-boilerplate.c
 b/boilerplate/cairo-boilerplate.c
+@@ -42,6 +42,7 @@
+ #undef CAIRO_VERSION_H
+ #include "../cairo-version.h"
+ 
++#include 
+ #include 
+ #include 
+ #include 
+@@ -976,7 +977,8 @@ cairo_surface_t *
+ cairo_boilerplate_image_surface_create_from_ppm_stream (FILE *file)
+ {
+ char format;
+-int width, height, stride;
++int width, height;
++ptrdiff_t stride;
+ int x, y;
+ unsigned char *data;
+ cairo_surface_t *image = NULL;
+--- a/src/cairo-image-compositor.c
 b/src/cairo-image-compositor.c
+@@ -1575,7 +1575,7 @@ typedef struct _cairo_image_span_rendere
+ pixman_image_t *src, *mask;
+ union {
+   struct fill {
+-  int stride;
++  ptrdiff_t stride;
+   uint8_t *data;
+   uint32_t pixel;
+   } fill;
+@@ -1594,7 +1594,7 @@ typedef struct _cairo_image_span_rendere
+   struct finish {
+   cairo_rectangle_int_t extents;
+   int src_x, src_y;
+-  int stride;
++  ptrdiff_t stride;
+   uint8_t *data;
+   } mask;
+ } u;
+--- a/src/cairo-image-surface-private.h
 b/src/cairo-image-surface-private.h
+@@ -71,7 +71,7 @@ struct _cairo_image_surface {
+ 
+ int width;
+ int height;
+-int stride;
++ptrdiff_t stride;
+ int depth;
+ 
+ unsigned owns_data : 1;
+--- a/src/cairo-mesh-pattern-rasterizer.c
 b/src/cairo-mesh-pattern-rasterizer.c
+@@ -470,7 +470,7 @@ draw_pixel (unsigned char *data, int wid
+   tg += tg >> 16;
+   tb += tb >> 16;
+ 
+-  *((uint32_t*) (data + y*stride + 4*x)) = ((ta << 16) & 0xff00) |
++  *((uint32_t*) (data + y*(ptrdiff_t)stride + 4*x)) = ((ta << 16) & 
0xff00) |
+   ((tr >> 8) & 0xff) | ((tg >> 16) & 0xff00) | (tb >> 24);
+ }
+ }
+--- a/src/cairo-png.c
 b/src/cairo-png.c
+@@ -671,7 +671,7 @@ read_png (struct png_read_closure_t *png
+ }
+ 
+ for (i = 0; i < png_height; i++)
+-row_pointers[i] = &data[i * stride];
++row_pointers[i] = &data[i * (ptrdiff_t)stride];
+ 
+ png_read_image (png, row_pointers);
+ png_read_end (png, info);
+--- a/src/cairo-script-surface.c
 b/src/cairo-script-surface.c
+@@ -1201,7 +1201,8 @@ static cairo_status_t
+ _write_image_surface (cairo_output_stream_t *output,
+ const cairo_image_surface_t *image)
+ {
+-int stride, row, width;
++int row, width;
++ptrdiff_t stride;
+ uint8_t row_stack[CAIRO_STACK_BUFFER_SIZE];
+ uint8_t *rowdata;
+ uint8_t *data;
diff -Nru cairo-1.14.0/debian/patches/series cairo-1.14.0/debian/patches/series
--- cairo-1.14.0/debian/patches/series  2016-03-19 22:36:20.