Bug#892031: stretch-pu: package wayland/1.12.0-1
Hello,

Message from Salvatore Bonaccorso on Fri, 9 Nov 2018 at 6:57:
> Friendly ping, can you upload the fixed package? Unfortunately this
> will not make it for 9.6 but can then for 9.7.

I have uploaded the package.

Regards
--
Héctor Orón
-.. . -... .. .- -. -.. . ...- . .-.. --- .--. . .-.
Bug#892031: stretch-pu: package wayland/1.12.0-1
Hi Héctor,

On Sun, Aug 26, 2018 at 02:43:43PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On 2018-07-14 08:00, Salvatore Bonaccorso wrote:
> > Control: tags -1 - moreinfo
> >
> > Hi Adam,
> >
> > On Tue, Jul 03, 2018 at 08:55:44PM +0100, Adam D. Barratt wrote:
> > > Control: tags -1 + moreinfo
> > >
> > > On Sun, 2018-03-04 at 12:42 +0100, Héctor Orón Martínez wrote:
> > > > I would like to apply fix in stable for #889681.
> > > >
> > >
> > > The metadata for that bug report suggests that it still applies to
> > > unstable, possibly because the current changelog is based on the
> > > experimental uploads and contains no reference to either the 1.14.0-2
> > > upload or #889681. Please confirm that the bug is actually fixed in
> > > unstable and fix up the metadata appropriately.
> >
> > What I think what happened. The issue really was fixed with the
> > unstable upload as 1.14.0-2
> > https://tracker.debian.org/news/937846/accepted-wayland-1140-2-source-into-unstable/
> >
> > A later 1.15.0-1 upload did though not merged in the debian/changelog
> > information from 1.14.0-2 and that got lost, which is probably what
> > confused the BTS version tracking then because 1.14.0-2 not anymore
> > known.
>
> That's the conclusion I came to as well, but I was trying to prod Héctor
> towards fixing it. ;-) I see that you did so, thanks.
>
> Please feel free to go ahead.

Friendly ping, can you upload the fixed package? Unfortunately this
will not make it for 9.6 but can then for 9.7.

Regards,
Salvatore
Bug#892031: stretch-pu: package wayland/1.12.0-1
Control: tags -1 + confirmed

On 2018-07-14 08:00, Salvatore Bonaccorso wrote:
> Control: tags -1 - moreinfo
>
> Hi Adam,
>
> On Tue, Jul 03, 2018 at 08:55:44PM +0100, Adam D. Barratt wrote:
> > Control: tags -1 + moreinfo
> >
> > On Sun, 2018-03-04 at 12:42 +0100, Héctor Orón Martínez wrote:
> > > I would like to apply fix in stable for #889681.
> > >
> >
> > The metadata for that bug report suggests that it still applies to
> > unstable, possibly because the current changelog is based on the
> > experimental uploads and contains no reference to either the 1.14.0-2
> > upload or #889681. Please confirm that the bug is actually fixed in
> > unstable and fix up the metadata appropriately.
>
> What I think what happened. The issue really was fixed with the
> unstable upload as 1.14.0-2
> https://tracker.debian.org/news/937846/accepted-wayland-1140-2-source-into-unstable/
>
> A later 1.15.0-1 upload did though not merged in the debian/changelog
> information from 1.14.0-2 and that got lost, which is probably what
> confused the BTS version tracking then because 1.14.0-2 not anymore
> known.

That's the conclusion I came to as well, but I was trying to prod Héctor
towards fixing it. ;-) I see that you did so, thanks.

Please feel free to go ahead.

Regards,

Adam
Bug#892031: stretch-pu: package wayland/1.12.0-1
Control: tags -1 - moreinfo

Hi Adam,

On Tue, Jul 03, 2018 at 08:55:44PM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On Sun, 2018-03-04 at 12:42 +0100, Héctor Orón Martínez wrote:
> > I would like to apply fix in stable for #889681.
> >
>
> The metadata for that bug report suggests that it still applies to
> unstable, possibly because the current changelog is based on the
> experimental uploads and contains no reference to either the 1.14.0-2
> upload or #889681. Please confirm that the bug is actually fixed in
> unstable and fix up the metadata appropriately.

What I think what happened. The issue really was fixed with the
unstable upload as 1.14.0-2
https://tracker.debian.org/news/937846/accepted-wayland-1140-2-source-into-unstable/

A later 1.15.0-1 upload did though not merged in the debian/changelog
information from 1.14.0-2 and that got lost, which is probably what
confused the BTS version tracking then because 1.14.0-2 not anymore
known.

Regards,
Salvatore
Bug#892031: stretch-pu: package wayland/1.12.0-1
Control: tags -1 + moreinfo

On Sun, 2018-03-04 at 12:42 +0100, Héctor Orón Martínez wrote:
> I would like to apply fix in stable for #889681.
>

The metadata for that bug report suggests that it still applies to
unstable, possibly because the current changelog is based on the
experimental uploads and contains no reference to either the 1.14.0-2
upload or #889681. Please confirm that the bug is actually fixed in
unstable and fix up the metadata appropriately.

Regards,

Adam
Bug#892031: stretch-pu: package wayland/1.12.0-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

I would like to apply fix in stable for #889681. I have asked security
team if they want the fix via security queue or stable update, however
I have gotten no reply yet.

I am attaching the patch I intend to upload to stable if you
acknowledge it.

Regards

-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?H=C3=A9ctor=20Or=C3=B3n=20Mart=C3=ADnez?= Date: Sun, 4 Mar 2018 11:54:40 +0100 Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer overflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Héctor Orón Martínez --- debian/changelog| 11 + debian/patches/CVE-2017-16612.patch | 47 + debian/patches/series | 1 + 3 files changed, 59 insertions(+) create mode 100644 debian/patches/CVE-2017-16612.patch create mode 100644 debian/patches/series diff --git a/debian/changelog b/debian/changelog index 2f84b50..7495ef3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,14 @@ +wayland (1.12.0-1+deb9u1) stretch; urgency=medium + + * debian/patches/CVE-2017-16612.patch: (Closes: #889681) +- libXcursor before 1.1.15 has various integer overflows that could lead + to heap buffer overflows when processing malicious cursors, e.g., with + programs like GIMP. It is also possible that an attack vector exists + against the related code in cursor/xcursor.c in Wayland through + 1.14.0. + + -- Héctor Orón Martínez Sun, 04 Mar 2018 11:43:29 +0100 + wayland (1.12.0-1) unstable; urgency=medium * New upstream release. Closes: #840752. diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch new file mode 100644 index 000..9d91f70 --- /dev/null +++ b/debian/patches/CVE-2017-16612.patch 
@@ -0,0 +1,47 @@ +commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 +Author: Tobias Stoeckmann +Date: Tue Nov 28 21:38:07 2017 +0100 + +cursor: Fix heap overflows when parsing malicious files. + +It is possible to trigger heap overflows due to an integer overflow +while parsing images. + +The integer overflow occurs because the chosen limit 0x1 for +dimensions is too large for 32 bit systems, because each pixel takes +4 bytes. Properly chosen values allow an overflow which in turn will +lead to less allocated memory than needed for subsequent reads. + +See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 +Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961 + +Signed-off-by: Tobias Stoeckmann +[Pekka: add link to the corresponding libXcursor commit] +Signed-off-by: Pekka Paalanen + +diff --git a/cursor/xcursor.c b/cursor/xcursor.c +index ca41c4a..689c702 100644 +--- a/cursor/xcursor.c b/cursor/xcursor.c +@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height) + { + XcursorImage*image; + ++if (width < 0 || height < 0) ++ return NULL; ++if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) ++ return NULL; ++ + image = malloc (sizeof (XcursorImage) + + width * height * sizeof (XcursorPixel)); + if (!image) +@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file, + if (!_XcursorReadUInt (file, &head.delay)) + return NULL; + /* sanity check data */ +-if (head.width >= 0x1 || head.height > 0x1) ++if (head.width > XCURSOR_IMAGE_MAX_SIZE || ++ head.height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + if (head.width == 0 || head.height == 0) + return NULL; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4c42ec7 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2017-16612.patch -- 2.16.2
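
Review bot: In the debian/changelog hunk, the 1.12.0-1+deb9u1 entry reproduces the libXcursor CVE description and only says an attack vector may exist in Wayland, without saying what this upload changes. Suggest stating that it backports upstream commit 5d201df72f3d4f4cb8b8f75f980169b03507da38 to cursor/xcursor.c (bounds checks in XcursorImageCreate and _XcursorReadImage), so the changelog alone tells a stable-release reviewer which code is touched.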
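
Review bot: In debian/patches/CVE-2017-16612.patch, both cursor/xcursor.c hunks compare against XCURSOR_IMAGE_MAX_SIZE, but nothing in this patch defines it. Please confirm the macro already exists in the 1.12.0 sources and that its value keeps width * height * sizeof (XcursorPixel) from wrapping on 32-bit systems, which is the failure the commit message describes. It would also help to add DEP-3 style Origin and Bug-Debian fields above the upstream commit text so the provenance of the backport is machine-readable.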
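
Review bot: debian/patches/series is created as a new file in the last hunk, so 1.12.0-1 shipped without a quilt series. Please check that the stretch package uses source format 3.0 (quilt), or otherwise applies debian/patches from debian/rules, since without that the CVE-2017-16612.patch listed here would not be applied at build time.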