Control: tags 928729 + patch
Control: tags 928729 + pending
Control: tags 928730 + patch
Control: tags 928730 + pending
Control: severity 928729 serious # should not enter with open CVE in buster
Control: severity 928730 serious # should not enter with open CVE in buster


Dear maintainer,

I've prepared an NMU for advancecomp (versioned as 2.1-2.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Note I raised the severity to make sure the fixes enter buster and
buster will not release with open CVEs for advancecomp. The severity
of both issues might not warrant an RC status otherwise per se.

If you disagree with raising the severity to RC, though, feel free
to downgrade it.

Regards,
Salvatore
diff -Nru advancecomp-2.1/debian/changelog advancecomp-2.1/debian/changelog
--- advancecomp-2.1/debian/changelog	2019-03-17 22:28:03.000000000 +0100
+++ advancecomp-2.1/debian/changelog	2019-05-18 22:50:20.000000000 +0200
@@ -1,3 +1,13 @@
+advancecomp (2.1-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix a buffer overflow caused by invalid images (CVE-2019-8383)
+    (Closes: #928730)
+  * Fix a buffer overflow caused by invalid chunks (CVE-2019-8379)
+    (Closes: #928729)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Sat, 18 May 2019 22:50:20 +0200
+
 advancecomp (2.1-2) unstable; urgency=high
 
   [ Salvatore Bonaccorso ]
diff -Nru advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch
--- advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch	1970-01-01 01:00:00.000000000 +0100
+++ advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch	2019-05-18 22:50:20.000000000 +0200
@@ -0,0 +1,94 @@
+From: Andrea Mazzoleni <amadva...@gmail.com>
+Date: Fri, 4 Jan 2019 20:49:48 +0100
+Subject: Fix a buffer overflow caused by invalid chunks
+Origin: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8379
+Bug-Debian: https://bugs.debian.org/928729
+Bug: https://sourceforge.net/p/advancemame/bugs/271/
+
+---
+ pngex.cc | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5d066e..3f5b49f101b0 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 
+ 	switch (type) {
+ 		case ADV_MNG_CN_MHDR :
++			if (size < 28) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ 			cout << " simplicity:" << be_uint32_read(data+24);
+ 			cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << ")";
+ 		break;
+ 		case ADV_MNG_CN_DHDR :
++			if (size < 4) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			switch (data[2]) {
+ 				case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_MNG_CN_DEFI :
++			if (size < 2) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id:" << be_uint16_read(data+0);
+ 			if (size >= 3) {
+ 				switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 		break;
+ 		case ADV_MNG_CN_MOVE :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ 			switch (data[4]) {
+ 				case 0 : cout << " type:replace"; break;
+@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9);
+ 			break;
+ 		case ADV_MNG_CN_PPLT :
++			if (size < 1) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			switch (data[0]) {
+ 				case 0 : cout << " type:replacement_rgb"; break;
+ 				case 1 : cout << " type:delta_rgb"; break;
+@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 				default : cout << " type:?"; break;
+ 			}
+ 			i = 1;
+-			while (i<size) {
++			while (i + 1 < size) {
+ 				unsigned ssize;
+ 				cout << " " << (unsigned)data[i] << ":" << (unsigned)data[i+1];
+ 				if (data[0] == 0 || data[1] == 1)
+@@ -298,6 +318,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ 			}
+ 			break;
+ 		case ADV_PNG_CN_IHDR :
++			if (size < 13) {
++				cout << " invalid chunk size";
++				break;
++			}
+ 			cout << " width:" << be_uint32_read(data) << " height:" << be_uint32_read(data + 4);
+ 			cout << " depth:" << (unsigned)data[8];
+ 			cout << " color_type:" << (unsigned)data[9];
+-- 
+2.11.0
+
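Review bot: The new minimum sizes (28, 4, 2, 13, 1) are bare literals, and for DHDR and IHDR the reads that justify them continue past the end of their hunks, so those bounds cannot be confirmed from the visible lines alone. A short comment on each guard naming the highest offset read would keep the check and the parsing in step, for example `/* MHDR: last field read is the 32-bit value at offset 24 */` above `if (size < 28)`. In the PPLT loop the new condition `i + 1 < size` covers the reads of `data[i]` and `data[i+1]`, but the unchanged test `data[0] == 0 || data[1] == 1` looks as if it was meant to be `data[0] == 1`; it stays in bounds, yet probably selects the wrong entry size, and the step that advances `i` lies outside the hunk. png_print_chunk starts and ends outside these hunks.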
diff -Nru advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-images.patch advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-images.patch
--- advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-images.patch	1970-01-01 01:00:00.000000000 +0100
+++ advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-images.patch	2019-05-18 22:50:20.000000000 +0200
@@ -0,0 +1,53 @@
+From: Andrea Mazzoleni <amadva...@gmail.com>
+Date: Fri, 4 Jan 2019 20:49:25 +0100
+Subject: Fix a buffer overflow caused by invalid images
+Origin: https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8383
+Bug-Debian: https://bugs.debian.org/928730
+Bug: https://sourceforge.net/p/advancemame/bugs/272/
+
+---
+ lib/png.c | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a0f041..cbf140b2ca6d 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ 	unsigned pixel;
+ 	unsigned width;
+ 	unsigned width_align;
++	unsigned scanline;
+ 	unsigned height;
+ 	unsigned depth;
+ 	int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ 		goto err_ptr;
+ 	}
+ 
+-	*dat_size = height * (width_align * pixel + 1);
++	/* check for overflow */
++	if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	scanline = width_align * pixel + 1;
++
++	/* check for overflow */
++	if (scanline == 0 || height >= UINT_MAX / scanline) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	*dat_size = height * scanline;
+ 	*dat_ptr = malloc(*dat_size);
+-	*pix_scanline = width_align * pixel + 1;
++	*pix_scanline = scanline;
+ 	*pix_ptr = *dat_ptr + 1;
+ 
+ 	z.zalloc = 0;
+-- 
+2.11.0
+
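Review bot: The result of `malloc(*dat_size)` is used without a NULL check: `*pix_ptr = *dat_ptr + 1` is computed two lines after the allocation, and the new bound still admits sizes just below UINT_MAX, so an allocation failure on a crafted header is a realistic path. A guard such as `if (!*dat_ptr) { error_set("Low memory"); goto err_ptr; }` directly after the malloc would close it, assuming err_ptr is still the right label when nothing has been allocated. The checks also let `height == 0` through, which gives a zero-byte allocation unless an earlier test outside the hunk rejects it. `UINT_MAX` needs `<limits.h>`, which this hunk does not add, so confirm it is already included; adv_png_read_ihdr begins and ends outside the hunk.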
diff -Nru advancecomp-2.1/debian/patches/series advancecomp-2.1/debian/patches/series
--- advancecomp-2.1/debian/patches/series	2019-03-17 22:27:35.000000000 +0100
+++ advancecomp-2.1/debian/patches/series	2019-05-18 22:50:20.000000000 +0200
@@ -1 +1,3 @@
 Fix-a-buffer-overflow-with-image-of-invalid-size.patch
+Fix-a-buffer-overflow-caused-by-invalid-images.patch
+Fix-a-buffer-overflow-caused-by-invalid-chunks.patch
