Bug#945281: dwm: new upstream release

2021-12-12 Thread Hugo Lefeuvre
t;-fn", 
> dmenufont, "-nb", normbgcolor, "-nf", normfgcolor, "-sb", selbgcolor, "-sf", 
> selfgcolor, NULL };
> +static const char *dmenucmd[] = { "dmenu_run", "-m", dmenumon, "-fn", 
> dmenufont, "-nb", col_gray1, "-nf", col_gray3, "-sb", col_cyan, "-sf", 
> col_gray4, NULL };
>  static const char *termcmd[]  = { "st", NULL };
>  
>  static Key keys[] = {
> @@ -95,7 +97,7 @@
>  };
>  
>  /* button definitions */
> -/* click can be ClkLtSymbol, ClkStatusText, ClkWinTitle, ClkClientWin, or 
> ClkRootWin */
> +/* click can be ClkTagBar, ClkLtSymbol, ClkStatusText, ClkWinTitle, 
> ClkClientWin, or ClkRootWin */
>  static Button buttons[] = {
>   /* clickevent mask  button  function
> argument */
>   { ClkLtSymbol,  0,  Button1,setlayout,  
> {0} },
> diff -Nru dwm-6.1/config.mk dwm-6.2/config.mk
> --- dwm-6.1/config.mk 2015-11-08 23:11:48.0 +0100
> +++ dwm-6.2/config.mk 2019-02-02 13:55:28.0 +0100
> @@ -1,5 +1,5 @@
>  # dwm version
> -VERSION = 6.1
> +VERSION = 6.2
>  
>  # Customize below to fit your system
>  
> @@ -25,10 +25,10 @@
>  LIBS = -L${X11LIB} -lX11 ${XINERAMALIBS} ${FREETYPELIBS}
>  
>  # flags
> -CPPFLAGS = -D_BSD_SOURCE -D_POSIX_C_SOURCE=2 -DVERSION=\"${VERSION}\" 
> ${XINERAMAFLAGS}
> +CPPFLAGS = -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_C_SOURCE=2 
> -DVERSION=\"${VERSION}\" ${XINERAMAFLAGS}
>  #CFLAGS   = -g -std=c99 -pedantic -Wall -O0 ${INCS} ${CPPFLAGS}
>  CFLAGS   = -std=c99 -pedantic -Wall -Wno-deprecated-declarations -Os ${INCS} 
> ${CPPFLAGS}
> -LDFLAGS  = -s ${LIBS}
> +LDFLAGS  = ${LIBS}
>  
>  # Solaris
>  #CFLAGS = -fast ${INCS} -DVERSION=\"${VERSION}\"
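Review bot: two changes in this hunk affect the produced binary and deserve a line in debian/changelog: `-D_DEFAULT_SOURCE` now sits next to the deprecated `-D_BSD_SOURCE` (glibc only warns about `_BSD_SOURCE` when `_DEFAULT_SOURCE` is absent, so the pair is quiet and correct), and `-s` is gone from LDFLAGS, so the link step no longer strips dwm and dh_strip can produce a usable dwm-dbgsym package. If debian/rules carried an override to undo the old `-s`, it can be removed now.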
> diff -Nru dwm-6.1/debian/changelog dwm-6.2/debian/changelog
> --- dwm-6.1/debian/changelog  2018-07-21 16:16:54.0 +0200
> +++ dwm-6.2/debian/changelog  2021-12-11 23:46:42.0 +0100
> @@ -1,3 +1,32 @@
> +dwm (6.2-0.1) unstable; urgency=low
> +
> +  * Non-maintainer upload.
> +  * New upstream release (Closes: #978687, #945281).
> +  * debian/compat:
> +- Replace compat file with debhelper-compat virtual package.
> +  * debian/control:
> +- Add debhelper-compat (= 13) to build-depends.
> +- Bump Standards-Version to 4.6.0 (no changes needed).
> +- Update homepage URL to HTTPS.
> +- Add Rules-Requires-Root field (binary-targets).
> +  * debian/copyright:
> +- Update source URL to HTTPS.
> +- Update copyright for new upstream release.
> +- Update copyright to mention Matteo's work.
> +  * debian/desktop/dwm.desktop:
> +- Remove deprecated encoding key.
> +- Correct name entry.
> +- Correct comment entry.
> +- Correct type entry.
> +  * debian/local/*:
> +- Refresh config files for new upstream release.
> +  * debian/patches/*:
> +- Refresh patches for new upstream release.
> +  * debian/source/options:
> +- Remove custom compression.
> +
> + -- Matteo Bini   Sat, 11 Dec 2021 23:46:42 +0100
> +
>  dwm (6.1-5) unstable; urgency=medium
>  
>* debian/control:
> diff -Nru dwm-6.1/debian/compat dwm-6.2/debian/compat
> --- dwm-6.1/debian/compat 2018-07-21 16:16:54.0 +0200
> +++ dwm-6.2/debian/compat 1970-01-01 01:00:00.0 +0100
> @@ -1 +0,0 @@
> -11
> diff -Nru dwm-6.1/debian/control dwm-6.2/debian/control
> --- dwm-6.1/debian/control2018-07-21 16:16:54.0 +0200
> +++ dwm-6.2/debian/control2021-12-11 23:46:42.0 +0100
> @@ -2,16 +2,17 @@
>  Section: x11
>  Priority: optional
>  Maintainer: Hugo Lefeuvre 
> -Build-Depends: debhelper (>= 11),
> +Build-Depends: debhelper-compat (= 13),
> libx11-dev,
> libxinerama-dev,
> libxft-dev,
> libfreetype6-dev,
> dpkg-dev (>= 1.16.1.1)
> -Standards-Version: 4.1.5
> -Homepage: http://dwm.suckless.org/
> +Standards-Version: 4.6.0
> +Homepage: https://dwm.suckless.org/
>  Vcs-Browser: https://salsa.debian.org/hle/dwm
>  Vcs-Git: https://salsa.debian.org/hle/dwm.git
> +Rules-Requires-Root: binary-targets
>  
>  Package: dwm
>  Architecture: any
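Review bot: with `debhelper-compat (= 13)` the versioned `dpkg-dev (>= 1.16.1.1)` build-dependency is dead weight (that dpkg-dev predates every supported release, and debhelper 13 already pulls in a far newer one), so it can be dropped from Build-Depends in this same hunk. `Rules-Requires-Root: binary-targets` is the conservative value; if debian/rules does not actually need root to build the binary packages, `no` is what Policy recommends, and a test build with it would settle that before the upload.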
> diff -Nru dwm-6.1/debian/copyright dwm-6.2/debian/copyright
> --- dwm-6.1/debian/copyright  2018-07-21 16:16:54.0 +0200
> +++ dwm-6.2/debian/copyright  2021-12-10 19:32:02.0 +0100
> @@ -1,28 +1,33 @@
>  Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
>  Upstream-Name: dwm
> -Source: http://dwm.suckless.org
> +Source: https

Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2021-06-30 Thread Hugo Lefeuvre
Hi Sebastian,

On Tue, Jun 29, 2021 at 09:57:57PM +0200, Sebastian Andrzej Siewior wrote:
> On 2019-10-07 08:41:51 [+0200], Hugo Lefeuvre wrote:
> > I have discovered this during my regression tests for the jessie update. My
> > main worry was to have broken something, I'm glad it's not the case.
> > Thanks for your time!
> 
> What do we do here?

Not sure, my Debian time is extremely reduced at the moment and I don't
think that I'll have time to try and reproduce again. When I reported the
bug it was a reproducible issue. If you have time, the right thing to do
might be to reproduce once more and bring it upstream...

Thanks!

Best,
Hugo
-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#945317: xcftools NMU for CVE-2019-5086 and CVE-2019-5087

2021-02-16 Thread Hugo Lefeuvre
Hi Salvatore and Markus,

On Thu, Feb 11, 2021 at 06:32:42AM +0100, Salvatore Bonaccorso wrote:
[...]
> On Thu, Feb 11, 2021 at 03:03:19AM +0100, Markus Koschany wrote:
> [...]
> > Am Mittwoch, den 10.02.2021, 22:03 +0100 schrieb Salvatore Bonaccorso:
> > [...]
> > > 
> > > I'm not fully in favor to have all the (build-)rdeps forced out of
> > > Debian, that would likely not be a benefit as seems unfair to the
> > > castle-game-engine, game-data-packager and neurodebian packages, but
> > > still think having out xcftools out of bullseye would be the right
> > > thing.
> > > 
> > 
> > I believe it makes sense to remove xcftools from Debian because there is a
> > lack of upstream support and development but I wouldn't be too aggressive
> > about the removal at the moment. My intention is to send a patch to fix the
> > open CVE in stable to you when we have addressed the remaining 32 bit issues.
> 
> Yes that sounds fine. Admittedly it was for us in dsa-needed only
> because Hugo initially aimed to address it across all suites top-down.
> It might just be an option to include a fix once it is stable enough
> via a point release. But we can look at it once you have a fix as well
> for the 32bit issues.
> 
> So thanks for working on it!

Thanks from my part too! Unfortunately I am struggling to find
time for Debian currently. It makes me feel bad, and I hope that I
will be able to come back soon.

Do you know if xcftools is only used as a build dependency, or is
it used by some end users directly? The popcon is not that low
and my fear is that, even after removing it from Debian, users
would continue to use it, installing from somewhere else,
effectively being at even higher risk than with the Debian
archive's (semi-) patched version.

Of course if we can't offer any support I guess it's still better
to get rid of it than giving a false impression of
support/security.

Best,
Hugo



Bug#964627: fractgen: diff for NMU version 2.1.5-1.1

2021-02-05 Thread Hugo Lefeuvre
Hi Adrian,

On Fri, Feb 05, 2021 at 10:03:43AM +0200, Adrian Bunk wrote:
> Control: tags 964627 + patch
> Control: tags 964627 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for fractgen (versioned as 2.1.5-1.1) and uploaded 
> it to DELAYED/1. Please feel free to tell me if I should cancel it.

Thank you very much for this NMU. I am completely overloaded with work
currently and could not find time to handle this. Feel free to upload to
unstable right away!

Best Regards,
Hugo



Bug#964627: fractgen: FTBFS: colorschemeinterface.cc

2020-07-17 Thread Hugo Lefeuvre
Hi Lucas,

thanks a lot for this bug report. I will do my best to sort this out during
the week-end.

cheers,
Hugo




Bug#951453: RFS: pysolfc/2.6.4-3 -- collection of more than 1000 solitaire card games

2020-02-18 Thread Hugo Lefeuvre
Hi,

thanks for your contribution, this should be in unstable by tonight.

cheers,
Hugo



Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

2020-01-25 Thread Hugo Lefeuvre
Hi,

a fix was recently published for this issue. I am concerned that it might
not be fit for a DSA/DLA:

(1) upstream imported a number of snippets from ZPL licensed projects. I
don't think it respected the ZPL terms.

(2) the changes are large and hard to review. Pretending that these changes
address the vulnerability completely would be a little bit presumptuous.

Furthermore, the code imported from Zope provides "safe" evaluation of
Python code. This kind of code is complex, and prone to security
vulnerabilities and bugs. There are definitely regressions in there.

I have asked upstream regarding the licensing issue. For the rest, I think
we should wait for followups, or possibly a better patch.

Any comments/advice?

cheers,
Hugo



Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

2019-12-30 Thread Hugo Lefeuvre
> > rationale: template_id is sanitized at line 1048:
> > input_validate_input_number(get_request_var_request("template_id"));
> […]
> > Chris: you worked on cacti in jessie and triaged it not-affected. Jessie
> > has a similar version, does this match your findings?
> 
> Ah yes; well-spotted. :)

Ack, same for stretch in the end. :)

BTW, there is some confusion in the jessie update: the changelog says it fixes
CVE-2019-17357 and the patch is called CVE-2019-17357.patch, but the
actual CVE being fixed is CVE-2019-17358, not CVE-2019-17357.

cheers,
Hugo



Bug#947374: cacti: CVE-2019-17357: does not seem to affect stretch

2019-12-29 Thread Hugo Lefeuvre
Hi,

after taking a look at the source code, this vulnerability does not seem to
affect cacti 0.8.8h+ds1-10 (stretch).

rationale: template_id is sanitized at line 1048:
input_validate_input_number(get_request_var_request("template_id"));

This check was replaced over time and gradually disappeared, which explains
the security issue in recent versions.

Chris: you worked on cacti in jessie and triaged it not-affected. Jessie
has a similar version, does this match your findings?

Just to make sure, I contacted upstream to get reproduction instructions
before I triage this not-affected in stretch in the tracker.

cheers,
Hugo



Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

2019-12-28 Thread Hugo Lefeuvre
Hi Sebastian,

I see that your work migrated to testing, and wondered...  are you still
intending to prepare updates for stretch and buster? Is there anything I
can do to help you?

thanks for your work!

cheers,
Hugo



Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

2019-12-28 Thread Hugo Lefeuvre
Hi,

On Fri, Nov 08, 2019 at 09:56:53PM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Fri, 2019-10-18 at 13:23 +0200, Hugo Lefeuvre wrote:
> > as discussed in #939553[0], no DSA will be issued by the security
> > team for CVE-2018-21010 and this vulnerability can be fixed via -pu.
> > The attached debdiff addresses this issue, along with CVE-2018-20847.
> 
> Please go ahead; thanks.

for some reason, I completely forgot about this. done.

thanks!

cheers,
Hugo



Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-28 Thread Hugo Lefeuvre
> Looks like I found the issue:
> 
> 0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch
> was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one
> used in stretch).
> 
> This will be fixed in the next security update.

Not completely true. After spending some more time on this issue, I found
out that the following three patches are missing in jessie:

https://github.com/ImageMagick/ImageMagick6/commit/fc8ccba0f20ca330d959fcbb17a791e5b52ac53e
https://github.com/ImageMagick/ImageMagick6/commit/7573b8712697a3d34143eb3e6ea814287cc4c6a7
https://github.com/ImageMagick/ImageMagick6/commit/4cc316818e5b841ff5a9394a0730d5be6e8686ce

backporting them is sufficient to fix the issue.

cheers,
Hugo



Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-27 Thread Hugo Lefeuvre
> I'm working on imagemagick on behalf of the Debian LTS team and just
> noticed this bug report.
> 
> I have reproduced this issue in jessie, and can confirm that this
> regression is still present in 8:6.8.9.9-5+deb8u18.  I can also confirm
> that the regression was introduced between patch 0224 and 0227.
> 
> I'll try to ship a patch for this along with the next jessie update.

Looks like I found the issue:

0224-Ensure-token-does-not-overflow.patch corresponds to [0]. This patch
was meant for ImageMagick 7.x, not 6.x. The correct patch is [1] (the one
used in stretch).

This will be fixed in the next security update.

cheers,
Hugo

[0] 
https://github.com/ImageMagick/ImageMagick/commit/4b85d29608d5bc0ab641f49e80b6cf8965928fb4
[1] 
https://github.com/ImageMagick/ImageMagick6/commit/663e70e90257797f4634ea8dd4a31e0947d1f266



Bug#870273: imagemagick: regression in 8:6.8.9.9-5+deb8u10

2019-12-27 Thread Hugo Lefeuvre
Hi,

I'm working on imagemagick on behalf of the Debian LTS team and just
noticed this bug report.

I have reproduced this issue in jessie, and can confirm that this
regression is still present in 8:6.8.9.9-5+deb8u18.  I can also confirm
that the regression was introduced between patch 0224 and 0227.

I'll try to ship a patch for this along with the next jessie update.

regards,
Hugo



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
> thanks for your valuable work on this bug!
> Yes, I can prepare update on 30-31st of December.

that would be great, thanks! :-)

cheers,
Hugo



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
> Sounds like a sensible plan, if we are going to release updates as
> well for stretch and buster, so that there is not "regression" (I mean
> timewise, in case upstream will not land a new version) for buster ->
> bullseye updates.

Agree! Anton, do you think you could handle this update in unstable?  I'd
love to help, but my Debian time is somewhat limited currently...

cheers,
Hugo



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-27 Thread Hugo Lefeuvre
Hi,

> As there will not be a fix for all CVEs in one go, let's split the bug
> for the benefit of tracking the fixes. CVE-2019-12211 and
> CVE-2019-12213  have the same upstream change, so will clone this into
> three.

thanks Salvatore!

regarding CVE-2019-12213 and CVE-2019-12211 in unstable: I have asked
upstream about his plans to release 3.18.1 but did not receive any answer
yet.  I suppose that we should cherry pick the patch if we want a quick
fix.

cheers,
Hugo



Bug#929597: CVE-2019-12211 CVE-2019-12212 CVE-2019-12213 CVE-2019-12214

2019-12-11 Thread Hugo Lefeuvre
Hi,

small update:

I have updated jessie with the cherry picked patch for CVE-2019-12213 and
CVE-2019-12211.

I have contacted upstream to know when he is planning to release 3.18.1 so
that we can get this fixed in testing without cherry picking.

I am currently testing stretch and buster updates with the cherry picked
patch.

cheers,
Hugo



Bug#945265: new upstream version 0.102.1 to fix CVE-2019-15961

2019-11-24 Thread Hugo Lefeuvre
Dear clamav maintainers,

are you planning to address this in stretch/buster via -updates?  I can
provide some help if needed (and make sure this gets backported to
jessie-security).

thanks!

regards,
Hugo



Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-11-23 Thread Hugo Lefeuvre
Hi,

Upstream seems to have merged my patch along with some more changes
regarding CVE-2019-12213[0].

I am planning to take a look at this patch and release a DLA for jessie.

The security team is also planning to release a DSA for stretch and buster.
I am already working on a jessie upload, so I should also be able to handle
stretch and buster.  Anton, you know this package better than me, would you
be available to test the update?

thanks!

regards,
Hugo

[0] https://sourceforge.net/p/freeimage/svn/1825/



Bug#942514: CVE-2019-16729 fixed in 1.0.4-1.1+deb8u1

2019-11-23 Thread Hugo Lefeuvre
fixed 942514 1.0.4-1.1+deb8u1
thanks

Hi Russell,

thanks for preparing this update. I just became aware of this and noticed
that no DLA was released. In fact, neither the bug tracker nor the security
tracker are aware of this issue being fixed.

Releasing DLA-2000-1 for this, updating the bug tracker as well.

regards,
Hugo



Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-11-03 Thread Hugo Lefeuvre
Hi Anton,

> Thanks, Hugo, for analyzing the issue in details and proposing the fix.
> 
> Do you want to add the patch into the corresponding forum-thread
> in freeimage website?

yes, I have just forwarded my message to the SF thread. Let's hope upstream
will find some time to take a look at it.

cheers,
Hugo



Bug#940575: RFS: fortran-language-server/1.10.2-1 [ITP] -- Fortran Language Server for the Language Server Protocol

2019-11-02 Thread Hugo Lefeuvre
Hi Denis,

I did a few minor changes and uploaded.

Upstream published 1.10.3 recently, you might want to package it.
No need to open RFSs in the future, just send me an e-mail.

Please, don't forget to update upstream and pristine-tar branches/to push
them. :)

I will close this bug once ftpmasters have accepted the package.

cheers,
Hugo



Bug#936214: bleachbit: Python2 removal in sid/bullseye

2019-11-02 Thread Hugo Lefeuvre
Hi Matthias,

I see that you just raised the severity of this bug to serious, and
Bleachbit is now to be removed on 16.11.

I don't think this is the way to go. Upstream is actively working on this.
We have recently managed the GTK3 migration, meaning that Py3 is now top
priority.  Losing Bleachbit would be a significant source of annoyance for
many Debian users (popcon 2754 at the moment).

May I add the py2keep flag, until the Bleachbit Py3 migration completes?

regards,
Hugo



Bug#885261: bleachbit: Depends on unmaintained pygtk

2019-10-27 Thread Hugo Lefeuvre
Hi,

> It seems that, while a Python 3 version is not yet available, upstream has
> released version 3.0, which brings new features and fixes and transitions to
> GTK3, which would be a step to the right direction, since a version with
> full Python 3 is not yet ready by upstream (but they seem to be working on
> it).
> 
> It would be super nice to have this new version packaged from a user's
> perspective and, also, from an archive/distribution/removal perspective
> also.

thanks for the heads up. 3.0 will be in the archive asap, I'm working on it.

cheers,
Hugo



Bug#929597: [PATCH] CVE-2019-12211: heap buffer overflow via memcpy

2019-10-26 Thread Hugo Lefeuvre
Hi,

The overflow happens during the following call to memcpy:

    // convert to strip
    if(x + tileWidth > width) {
        src_line = imageRowSize - rowSize;
    } else {
        src_line = tileRowSize;
    }
    BYTE *src_bits = tileBuffer;
    BYTE *dst_bits = bits + rowSize;
    for(int k = 0; k < nrows; k++) {
        memcpy(dst_bits, src_bits, src_line);
        src_bits += tileRowSize;
        dst_bits -= dst_pitch;
    }

This portion of code copies image data from a libTIFF-provided buffer to an
internal buffer. The overflow happens because src_line is larger than the
size of dst_bits.

This is the result of an inconsistency between libTIFF and freeimage:

In the libTIFF case, tile row size is
  = samplesperpixel * bitspersample * tilewidth / 8
  = bitsperpixel * tilewidth / 8
  = 6 * 32 * 7 / 8 = 168

In the freeimage case, tile row size is
  = bitsperpixel * tilewidth / 8
  = 32 * 7 / 8 = 28

As a result, the two buffers are differently sized.

freeimage has a bpp of 32 because CreateImageType calls
FreeImage_AllocateHeader with MIN(bpp, 32).

This 'MIN(bpp, 32)' looks like a terrible hack to me, but we can't change
it to 'bpp' because FIT_BITMAP images with bpp > 32 do not seem to be
supported by freeimage. Also, in this case, bpp > 32 doesn't even make
sense:

Looking closely at the reproducer, we can notice that it defines a bilevel
image with samplesperpixel and bitspersample parameters, both unexpected in
bilevel images.

Pixels in bilevel images can either be black or white. There is as such
only one sample per pixel, and a single bit per sample is sufficient.  The
spec defines bpp = 8. It is unclear whether the specification allows for
arbitrary values of bitspersample or samplesperpixel (extrasamples?) in
this case.

This file gets rejected by most libTIFF tools.

# patch

+ add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
  instead of passing MIN(bpp, 32).
+ change type of dst_pitch to unsigned
+ call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
  help overcome any further (future) discrepancy between libTIFF and
  freeimage.

# tests

I have tested for regressions with the following samples, using a modified
version of Examples/Linux/linux-gtk.c:

http://www.simplesystems.org/libtiff/images.html

During these tests, I found other issues with bilevel images, unrelated to
this patch. I will try to take a look at them in the future.

I can provide additional explanations if there is anything unclear.

I'd like to get this patch peer-reviewed/merged upstream before shipping
it in a Debian release.

regards,
Hugo

Description: fix heap buffer overflow when bpp > 32 and fit == FIT_BITMAP
 + add check to CreateImageType() to reject FIT_BITMAP images with bpp > 32
   instead of passing MIN(bpp, 32).
 + change type of dst_pitch to unsigned.
 + call memcpy with MIN(dst_pitch, src_line) instead of src_line. this will
   help overcome any further (future) discrepancy between libTIFF and
   freeimage.
Author: Hugo Lefeuvre 
Bug-Debian: https://bugs.debian.org/929597
--- a/Source/FreeImage/PluginTIFF.cpp	2019-10-26 14:21:39.329052757 +0200
+++ b/Source/FreeImage/PluginTIFF.cpp	2019-10-26 15:03:18.597957090 +0200
@@ -461,8 +461,12 @@
 			
 		}
 		else {
+			if(bpp > 32) {
+// check for malicious images
+return NULL;
+			}
 
-			dib = FreeImage_AllocateHeader(header_only, width, height, MIN(bpp, 32), FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+			dib = FreeImage_AllocateHeader(header_only, width, height, bpp, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
 		}
 
 
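Review bot: the early return added to the `else` branch rejects `bpp > 32` before `FreeImage_AllocateHeader` is called, which is what actually removes the libTIFF/freeimage row-size mismatch described in the mail, but it returns NULL with no diagnostic, so a caller cannot tell a rejected FIT_BITMAP with bpp > 32 from an allocation failure. Suggest replacing the `// check for malicious images` comment with the real rule (FIT_BITMAP supports at most 32 bpp) and emitting the plugin's usual error message before `return NULL;`. Also worth confirming that this `else` branch is reached only for FIT_BITMAP, as the Description states, so that other image types with bpp > 32 keep working.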
@@ -2041,7 +2045,7 @@
 }
 
 // calculate src line and dst pitch
-int dst_pitch = FreeImage_GetPitch(dib);
+unsigned int dst_pitch = FreeImage_GetPitch(dib);
 uint32 tileRowSize = (uint32)TIFFTileRowSize(tif);
 uint32 imageRowSize = (uint32)TIFFScanlineSize(tif);
 
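Review bot: changing `dst_pitch` from `int` to `unsigned int` is needed for the later `MIN(dst_pitch, src_line)` to compare two unsigned values instead of promoting an `int` against a `uint32`, and `FreeImage_GetPitch` already returns an unsigned value, so the implicit conversion goes away too. The `dst_bits -= dst_pitch` pointer arithmetic below is unaffected by the type change.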
@@ -2071,7 +2075,7 @@
 		BYTE *src_bits = tileBuffer;
 		BYTE *dst_bits = bits + rowSize;
 		for(int k = 0; k < nrows; k++) {
-			memcpy(dst_bits, src_bits, src_line);
+			memcpy(dst_bits, src_bits, MIN(dst_pitch, src_line));
 			src_bits += tileRowSize;
 			dst_bits -= dst_pitch;
 		}
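Review bot: `MIN(dst_pitch, src_line)` bounds the length of each memcpy, but the destination row starts at `bits + rowSize`, so a copy of up to `dst_pitch` bytes that begins at a non-zero `rowSize` offset can still run `rowSize` bytes past the end of that row; the tighter bound is the room left in the row, e.g. `MIN(dst_pitch - rowSize, src_line)` behind a `rowSize <= dst_pitch` guard. The clamp also truncates silently rather than rejecting, which is fine as defence in depth behind the bpp check in CreateImageType, but the Description should say so, and the read side is untouched: `src_bits += tileRowSize` for `nrows` rows still relies on `tileBuffer` holding at least `nrows * tileRowSize` bytes.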


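The row-size mismatch and the bounded copy, as an added C example that is not FreeImage's code: it recomputes both tile row sizes for the reproducer's parameters, applies the patched bpp > 32 rule, and runs a reduced version of the tile-to-strip loop against a destination sized by freeimage's pitch, once with the raw src_line and once with MIN(dst_pitch, src_line). The function names, the four-row geometry and the single-tile-column simplification (rowSize == 0) are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* libTIFF derives the tile row size from the file's own tag values. */
static uint32_t tile_row_size_libtiff(uint32_t samplesperpixel,
                                      uint32_t bitspersample,
                                      uint32_t tilewidth)
{
    return samplesperpixel * bitspersample * tilewidth / 8;
}

/* freeimage derives the destination row size from the dib's bpp, which the
 * unpatched CreateImageType clamped with MIN(bpp, 32) for FIT_BITMAP. */
static uint32_t tile_row_size_freeimage(uint32_t bpp, uint32_t tilewidth)
{
    return MIN(bpp, 32) * tilewidth / 8;
}

/* Rule of the patched CreateImageType: FIT_BITMAP with bpp > 32 is rejected
 * outright instead of being clamped. Returns 1 = accept, 0 = reject. */
static int fit_bitmap_accepts_bpp(uint32_t bpp)
{
    return bpp <= 32;
}

/* The tile-to-strip loop of PluginTIFF.cpp reduced to its copy: nrows rows
 * of src_line bytes go from the tile buffer into dst, walking dst from its
 * last row in memory towards its first (one tile column, so rowSize == 0).
 * With bounded != 0 each length is clamped to dst_pitch, as in the patch.
 * Returns how many bytes the unclamped lengths would have written past the
 * end of dst; this demo itself never writes out of bounds. */
static size_t copy_tile_rows(uint8_t *dst, size_t dst_size, uint32_t dst_pitch,
                             const uint8_t *src, uint32_t tile_row_size,
                             uint32_t src_line, int nrows, int bounded)
{
    size_t overflow = 0;
    for (int k = 0; k < nrows; k++) {
        uint8_t *dst_bits = dst + dst_size - (size_t)(k + 1) * dst_pitch;
        const uint8_t *src_bits = src + (size_t)k * tile_row_size;
        size_t room = (size_t)(k + 1) * dst_pitch;   /* bytes left in dst */
        size_t n = bounded ? MIN(dst_pitch, src_line) : src_line;
        if (n > room) {
            overflow += n - room;   /* the real memcpy would write past dst */
            n = room;
        }
        memcpy(dst_bits, src_bits, n);
    }
    return overflow;
}

/* Reproducer geometry from the report: samplesperpixel 6, bitspersample 32,
 * tilewidth 7, with a constructed four-row tile. Returns the bytes that
 * would escape the freeimage-sized destination, raw or with the MIN bound. */
static size_t reproducer_overflow(int bounded)
{
    const uint32_t spp = 6, bps = 32, tw = 7;
    const int nrows = 4;
    uint32_t src_line = tile_row_size_libtiff(spp, bps, tw);      /* 168 */
    uint32_t dst_pitch = tile_row_size_freeimage(spp * bps, tw);  /* 28 */
    size_t src_size = (size_t)src_line * nrows;
    size_t dst_size = (size_t)dst_pitch * nrows;
    uint8_t *src = malloc(src_size);
    uint8_t *dst = calloc(dst_size, 1);
    if (!src || !dst) { free(src); free(dst); return (size_t)-1; }
    memset(src, 0xAB, src_size);   /* constructed tile data */
    size_t over = copy_tile_rows(dst, dst_size, dst_pitch, src, src_line,
                                 src_line, nrows, bounded);
    free(src);
    free(dst);
    return over;
}

int main(void)
{
    printf("tile row: libTIFF %u bytes, freeimage %u bytes\n",
           tile_row_size_libtiff(6, 32, 7), tile_row_size_freeimage(6 * 32, 7));
    printf("bpp 192 accepted by patched CreateImageType: %s\n",
           fit_bitmap_accepts_bpp(6 * 32) ? "yes" : "no");
    printf("bytes past dst with raw src_line: %zu\n", reproducer_overflow(0));
    printf("bytes past dst with MIN(dst_pitch, src_line): %zu\n",
           reproducer_overflow(1));
    return 0;
}
```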


Bug#942763: python-reportlab: CVE-2019-17626: remote code execution in colors.py

2019-10-21 Thread Hugo Lefeuvre
Source: python-reportlab
Version: 3.5.28-1
Severity: important
Tags: security upstream
Forwarded: https://bitbucket.org/rptlab/reportlab/issues/199/eval-in-colorspy-leads-to-remote-code

Hi,

python-reportlab is affected by the following vulnerability:

CVE-2019-17626[0]: "ReportLab through 3.5.26 allows remote code execution
because of toColor(eval(arg)) in colors.py, as demonstrated by a crafted
XML document with '

[0] https://security-tracker.debian.org/tracker/CVE-2019-17626

regards,
Hugo



Bug#942578: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

2019-10-18 Thread Hugo Lefeuvre
FTR: Dirk Lemstra confirmed that those four commits correspond to the fixes
for CVE-2019-17540.



Bug#942578: imagemagick: CVE-2019-17540: heap-based buffer overflow in ReadPSInfo in coders/ps.c

2019-10-18 Thread Hugo Lefeuvre
Source: imagemagick
Version: 8:6.9.10.23+dfsg-2.1
Severity: important

Hi,

imagemagick is affected by CVE-2019-17540, a heap-based buffer overflow in
ReadPSInfo in coders/ps.c.

There is very little information online regarding this vulnerability. I had a
look and found the following four commits:

https://github.com/ImageMagick/ImageMagick/commit/668d6a970553a94b0a2e378afda1d37abac94b5c
https://github.com/ImageMagick/ImageMagick/commit/9667a9034a5eeedb30dfb18cfd1083ff32fd679b
https://github.com/ImageMagick/ImageMagick/commit/73dd03cfb57f8f8c0a732fa062b9966ec7bf2f91
https://github.com/ImageMagick/ImageMagick/commit/e868e227085463932c5db32e5e0f27e306a0eb95

this looks like what we are searching for; a buffer overflow WRITE of size
1 in ReadPSInfo. I will contact Dirk Lemstra and ask for more information.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-17540



Bug#942575: buster-pu: package openjpeg2/2.3.0-2+deb10u1

2019-10-18 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847.

This is almost the same debdiff as #942024[1] (for stretch-pu).

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=942024

diff -Nru openjpeg2-2.3.0/debian/changelog openjpeg2-2.3.0/debian/changelog
--- openjpeg2-2.3.0/debian/changelog2019-03-10 18:34:51.0 +0100
+++ openjpeg2-2.3.0/debian/changelog2019-10-17 14:48:09.0 +0200
@@ -1,3 +1,14 @@
+openjpeg2 (2.3.0-2+deb10u1) buster; urgency=high
+
+  * Backport security fixes:
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+(Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+opj_get_encoding_parameters, leading to an integer overflow
+(Closes: #931294).
+
+ -- Hugo Lefeuvre   Thu, 17 Oct 2019 14:48:09 +0200
+
 openjpeg2 (2.3.0-2) unstable; urgency=high
 
   [ Hugo Lefeuvre ]
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-20847.patch 2019-10-17 
14:43:51.0 +0200
@@ -0,0 +1,40 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X 
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c 2019-10-17 14:41:15.997977749 +0200
 b/src/lib/openjp2/pi.c 2019-10-17 14:43:46.276679721 +0200
+@@ -748,6 +748,9 @@
+ /* position in x and y of tile */
+ OPJ_UINT32 p, q;
+ 
++/* non-corrected (in regard to image offset) tile offset */
++OPJ_UINT32 l_tx0, l_ty0;
++
+ /* preconditions */
+ assert(p_cp != 00);
+ assert(p_image != 00);
+@@ -763,14 +766,12 @@
+ q = p_tileno / p_cp->tw;
+ 
+ /* find extent of tile */
+-*p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx),
+- (OPJ_INT32)p_image->x0);
+-*p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx),
+- (OPJ_INT32)p_image->x1);
+-*p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy),
+- (OPJ_INT32)p_image->y0);
+-*p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy),
+- (OPJ_INT32)p_image->y1);
++l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 
so won't overflow */
++*p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++*p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), 
p_image->x1);
++l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 
so won't overflow */
++*p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++*p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), 
p_image->y1);
+ 
+ /* max precision is 0 (can only grow) */
+ *p_max_prec = 0;
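Review bot: the new comments `/* can't be greater than p_image->x1 so won't overflow */` justify leaving `p_cp->tx0 + p * p_cp->tdx` unchecked by a precondition that is not visible in this hunk; either say where that bound on the tile grid is enforced, or compute `l_tx0`/`l_ty0` through `opj_uint_adds` as well, as the hunk already does for `opj_uint_adds(l_tx0, p_cp->tdx)`. The substantive change is that min/max now run in unsigned arithmetic (`opj_uint_max`/`opj_uint_min`) and the `(OPJ_INT32)` cast happens only at the store, which is what removes the signed-overflow UB; the patch Description only names the function, so one sentence on that would help the next person carrying the patch. `assert(p_cp != 00)` in the context lines is pre-existing and not part of this change.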
diff -Nru openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 
openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch
--- openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.3.0/debian/patches/CVE-2018-21010.patch 2019-10-17 
14:34:45.0 +0200
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow 
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault , Hugo Lefeuvre 

+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c   2019-10-17 14:33:21.021771909 +0200
 b/src/bin/common/color.c   2019-10-17 14:34:39.397137223 +0200
+@@ -597,6 +597,18 @@
+ }
+ 
+ if (image->numcomps > 2) { /* RGB, RGBA */
++
++  if (!(image->comps[0].w == image->comps[1].w &&
++image->comps[0].w == image->comps[2].w) ||
++  !(image->comps[0].h == image->comps[1].h &&
++image->comps[0].h == image->comps[2].h))
++ 
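Review bot: the hunk is truncated in the archive right after the new condition, so the action taken when the component dimensions mismatch (error return versus silently skipping the profile) cannot be reviewed here, and the Description should state which it is. What is visible checks that `comps[0]`, `comps[1]` and `comps[2]` share `w` and `h` before the RGB/RGBA code uses them, which is the right precondition for a per-pixel loop indexed by component 0's size. The check sits inside `if (image->numcomps > 2)`, so the 1- and 2-component path is unchanged; confirm it does not have the same assumption. Stylistically, `!(a && b) || !(c && d)` is exactly the nested-negation form the Description says it avoids; `w0 != w1 || w0 != w2 || h0 != h1 || h0 != h2` reads more directly.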

Bug#942514: pam-python: CVE-2019-16729: local root escalation

2019-10-17 Thread Hugo Lefeuvre
Source: pam-python
Version: 1.0.6-1.1
Severity: important

Hi,

pam-python is affected by the following security issue:

CVE-2019-16729[0]: "pam-python before 1.0.7-1 has an issue in regard to the
default environment variable handling of Python, which could allow for
local root escalation in certain PAM setups."

Russell: I see that you are also upstream of pam-python. This vulnerability
was fixed in sid via 1.0.7-1 but since this is a local root exploit, we
should probably backport fixes for stable releases. However I am struggling
to find precise information about this issue and can't assess the severity
properly.

Could you provide some more information related to this vulnerability? An
isolated patch would be ideal.

thanks!

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-16729



Bug#941036: cacti: CVE-2019-16723

2019-10-16 Thread Hugo Lefeuvre
Hi Salvatore, Paul,

I had a look at this issue in jessie, stretch and buster. I concluded that
jessie and stretch are not affected. I have reproduced the issue in buster.

# Quick breakdown:

Graphs are retrieved using rrdtool_function_graph() from lib/rrd.php; this
is true for jessie onwards.

rrdtool_function_graph() has a check for permissions, which is in fact very
similar to the ones introduced in 7a6a17252 and c7cf4a26e.

Before cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326[0] this check in
rrdtool_function_graph() was always executed. After this commit the check
is only executed when $user > 0.

Note: 0 is the default value for $user:

[lib/rrd.php:1179][1]

function rrdtool_function_graph($local_graph_id, $rra_id, $graph_data_array,
$rrdtool_pipe = '', &$xport_meta = array(), $user = 0) {
...

However graph_image.php, graph_json.php and rrdtool_function_xport() call
rrdtool_function_graph() without passing $user:

[graph_image.php:132][2]

$output = rrdtool_function_graph(get_request_var('local_graph_id'), 
$rra_id, $graph_data_array);

Hence, permissions are never checked after this commit. I don't think this
is the intended effect.

Now, let's try something: take 1.2.2+ds1-2+deb10u1, the version in buster
which is affected and simply revert cf73ae1a9f65b5a27d7f9d10:

--- a/lib/rrd.php   2019-10-16 13:24:08.590183640 +0200
+++ b/lib/rrd.php   2019-10-16 13:24:34.302046280 +0200
@@ -1171,11 +1171,11 @@

/* before we do anything; make sure the user has permission to view 
this graph,
if not then get out */
-   if ($user > 0) {
+   //if ($user > 0) {
if (!is_graph_allowed($local_graph_id, $user)) {
return 'GRAPH ACCESS DENIED';
}
-   }
+   //}

if (getenv('LANG') == '') {
putenv('LANG=' . str_replace('-', '_', CACTI_LOCALE) . 
'.UTF-8');
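Review bot: commenting out `if ($user > 0) {` and its closing brace makes the `is_graph_allowed($local_graph_id, $user)` call unconditional again, but since graph_image.php, graph_json.php and rrdtool_function_xport() still omit `$user`, the check now runs with the default `$user = 0`; the experiment therefore relies on `is_graph_allowed()` treating 0 as "the current session user", which the hunk does not show. For a shipping fix, remove the guard rather than leaving `//if ($user > 0) {` / `//}` lines behind, and have those three callers pass the real user id so the decision no longer depends on a default argument.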

Try to reproduce: this is sufficient to "fix" the issue and appears to
confirm previous analysis.

Any comments?

cheers,
Hugo

[0] 
https://github.com/Cacti/cacti/commit/cf73ae1a9f65b5a27d7f9d10c8e14835c3a76326
[1] https://github.com/Cacti/cacti/blob/develop/lib/rrd.php#L1179
[2] https://github.com/Cacti/cacti/blob/develop/graph_image.php#L132



Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

2019-10-14 Thread Hugo Lefeuvre
Hi,

> I think that second occurrence of 2018-21010 might be incorrect. :-)

right, same typo twice. I meant CVE-2016-9112 of course :)

> Please go ahead.

uploaded, thanks!



Bug#942172: clamav-daemon: After upgrade, clamd cannot create /var/run/clamav/clamd.ctl and stop.

2019-10-14 Thread Hugo Lefeuvre
Hi Filipe, Sebastian,

> I could only test from 0.100.0+dfsg-0+deb8u1 as I couldn't find
> 0.100.3+dfsg-0+deb8u1 anywhere in the archives and I'm out of servers
> running clamav-daemon 0.100.3+dfsg-0+deb8u1; but as /run/clamav/ is root
> owned in 0.100.0+dfsg-0+deb8u1 and clamav-daemon 0.101.4+dfsg-0+deb8u2 got
> started without a problem after the upgrade I'd say it's OK.

thanks for your time. I have done some more tests myself and went ahead
with the upload, I hope everything will be fine now. Sorry for the trouble.

If you see anything suspicious, don't hesitate to open a bug report, I will
take a look at it.

regards,
Hugo



Bug#942172: clamav-daemon: After upgrade, clamd cannot create /var/run/clamav/clamd.ctl and stop.

2019-10-13 Thread Hugo Lefeuvre
Hi Filipe,

> I did strike this in three boxes. Straight upgrade but opted not to touch
> config when asked. Don't know if it matters. However I did not find any
> reference to /etc/systemd/system/clamav-daemon.service.d/extend.conf in the
> package scripts as in stretch.
> 
> The chown did make the difference. And the extend.conf prior to the upgrade
> on further two boxes got the upgrade working, AFAICT.

thanks for your answer.

After further investigations, I have found a probable cause for this issue:
debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch was
mistakenly backported from the stretch upload.

This should not have been backported, because the jessie package is still
providing the systemd socket, which was removed from the stretch package in
0.99.2+dfsg-3 because of #824042[0].

I did not backport this removal because I considered it too intrusive for a
security upload. Looking back, this was maybe a mistake because it
increased the complexity of the backport.

I have prepared a regression update addressing this issue. It would be a
true benefit for the quality of this upload if somebody could give it a try
before I go on with uploading. You can find (UNRELEASED) amd64 builds,
signed by myself on my Debian webpage:

https://people.debian.org/~hle/lts/clamav/

regards,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=824042



Bug#942172: clamav-daemon: After upgrade, clamd cannot create /var/run/clamav/clamd.ctl and stop.

2019-10-12 Thread Hugo Lefeuvre
Hi,

I did not notice this bug during my tests. I have just tried to reproduce
it by upgrading a jessie system from 0.100.3+dfsg-0+deb8u1 to
0.101.4+dfsg-0+deb8u1 and did not experience any issue restarting
clamav-daemon.

Furthermore, /var/run/clamav/ belonging to root:root or clamav:root does
not seem to change anything on my system. My understanding is that
/var/run/clamav/clamd.ctl is created by systemd, not by the daemon itself.

Also, I don't think chown clamav /var/run/clamav should survive a restart.

Filipe: did you also experience this bug?

Thanks.

regards,
Hugo



Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4

2019-10-09 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847 and CVE-2018-21010.

Patches for CVE-2018-20847 and CVE-2018-21010 are straight from upstream.
Concerning CVE-2018-21010, I did a few changes to remove non-security
related refactoring and improve readability.

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553

diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog
--- openjpeg2-2.1.2/debian/changelog2019-03-07 22:41:30.0 +0100
+++ openjpeg2-2.1.2/debian/changelog2019-10-08 15:20:27.0 +0200
@@ -1,3 +1,16 @@
+openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+(Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+opj_get_encoding_parameters, leading to an integer overflow
+(Closes: #931294).
+  * CVE-2016-9112: floating point exception or divide by zero in the
+function opj_pi_next_cprl (Closes: #844551).
+
+ -- Hugo Lefeuvre   Tue, 08 Oct 2019 15:20:27 +0200
+
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 
   * Non-maintainer upload by the Security Team.
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch 
openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch  1970-01-01 
01:00:00.0 +0100
+++ openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch  2019-10-08 
15:20:27.0 +0200
@@ -0,0 +1,59 @@
+Subject: fix division by zero and undefined behavior on shift in pi.c
+Author: Even Rouault 
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad
+--- a/src/lib/openjp2/pi.c 2019-10-08 15:46:03.364003550 +0200
 b/src/lib/openjp2/pi.c 2019-10-09 08:59:02.183880328 +0200
+@@ -360,6 +360,17 @@
+   try1 = opj_int_ceildiv(pi->ty1, 
(OPJ_INT32)(comp->dy << levelno));
+   rpx = res->pdx + levelno;
+   rpy = res->pdy + levelno;
++
++  /* To avoid divisions by zero / 
undefined behaviour on shift */
++  /* in below tests */
++  /* Fixes reading 
id:26,sig:08,src:002419,op:int32,pos:60,val:+32 */
++  /* of 
https://github.com/uclouvain/openjpeg/issues/938 */
++  if (rpx >= 31 || ((comp->dx << rpx) >> 
rpx) != comp->dx ||
++  rpy >= 31 || ((comp->dy << rpy) 
>> rpy) != comp->dy) {
++  continue;
++  }
++
++  /* See ISO-15441. B.12.1.3 Resolution 
level-position-component-layer progression */
+   if (!((pi->y % (OPJ_INT32)(comp->dy << 
rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy){
+   continue;   
+   }
+@@ -441,6 +452,17 @@
+   try1 = opj_int_ceildiv(pi->ty1, 
(OPJ_INT32)(comp->dy << levelno));
+   rpx = res->pdx + levelno;
+   rpy = res->pdy + levelno;
++
++  /* To avoid divisions by zero / 
undefined behaviour on shift */
++  /* in below tests */
++  /* Relates to 
id:19,sig:08,src:001098,op:flip1,pos:49 */
++  /* of 
https://github.com/uclouvain/openjpeg/issues/938 */
++  if (rpx >= 31 || ((comp->dx << rpx) >> 
rpx) != comp->dx ||
++  rpy >= 31 || ((comp->dy << rpy) 
>> rpy) != comp->dy) {
++  continue;
++  }
++
++  /* See ISO-15441. B.12.1.4 
Position-component-resolution level-layer progression */
+   if (!((pi->y % (OPJ_INT32)(comp->dy << 
rpy) == 0) || ((pi->y == p
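Review bot: the guard `rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx || rpy >= 31 || ...` is pasted verbatim into both progression loops (the B.12.1.3 and B.12.1.4 hunks); a small static helper would keep the two copies in sync if the bound ever changes. The round-trip shift test catches bits lost by `comp->dx << rpx`, and the `>= 31` bound keeps the shift itself defined for a 32-bit operand, so together they cover both the division by zero and the undefined shift the Subject names; the added comment only cites fuzzer test-case ids, so a sentence saying that would help. The standard cited as "ISO-15441" in the new comments is ISO/IEC 15444-1 (JPEG 2000 Part 1); worth fixing the typo when carrying the patch.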

Bug#939553: openjpeg2: CVE-2018-21010

2019-10-07 Thread Hugo Lefeuvre
> s/Matthieu/Mathieu/

Huh, sorry, I take note.

> > I'm going to bump unstable to 2.3.1, this should address the four
> > currently open issues.
> >
> > Matthieu, if you want to double check the debdiff before upload, let me 
> > know. :)
> 
> I was about to upload 2.3.1 this week, so this should be just fine.
> Pay attention to 2.3.0-3 in your dch that's all I care really. I'll
> import in git after the upload since it is ready.

ack, thanks!

regards,
Hugo



Bug#939553: openjpeg2: CVE-2018-21010

2019-10-07 Thread Hugo Lefeuvre
Hi Salvatore, Matthieu,

I'm going to bump unstable to 2.3.1, this should address the four
currently open issues.

Matthieu, if you want to double check the debdiff before upload, let me know. :)

I might prepare a small jessie update for CVE-2018-21010. I had a quick
look, and so far it seems that this vulnerability would allow significant
heap write overflow. Hard to exploit, but this is enough for a DLA, in my
opinion.

Regarding stretch and buster, I don't think this is worth a DSA, but we
could fix this via a point update later on.

cheers,
Hugo



Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2019-10-07 Thread Hugo Lefeuvre
Hi Sebastian,

> > clamdscan returns different results when run different times. The first
> > time the file is considered sane, the second time as "infected".
> > 
> > It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.
> > 
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: OK
> > 
> > --- SCAN SUMMARY ---
> > Infected files: 0
> > Time: 120.771 sec (2 m 0 s)
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> > 
> > --- SCAN SUMMARY ---
> > Infected files: 1
> > Time: 51.885 sec (0 m 51 s)
> 
> I don't understand the difference between the first run vs the second.
> Please note that that clamdscan uses the daemon for scanning which *may*
> cache the last result. A fresh started daemon:
> |$ clamdscan zbsm.zip
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |--- SCAN SUMMARY ---
> |Infected files: 1
> |Time: 119.048 sec (1 m 59 s)
> |$ clamdscan zbsm.zip 
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |--- SCAN SUMMARY ---
> |Infected files: 1
> |Time: 0.367 sec (0 m 0 s)
> 
> So the first scan was *really* performed, the second one used the
> previous result. The odd-part is "OK" vs "FOUND" for the daemon and I
> can't pin point the 51secs.

OK, so this is not reproducible on your system. I have no idea why
clamdscan behaves like this on my machine, but my knowledge of this code
base is limited.

> zbxl.zip is a different story. It says "Data scanned: 0.00 MB" which
> means it didn't do anything. My guess is that your file limit is 25MiB
> while the file is ~40MiB. That time here is just load the database.
>
> [...]
> 
> Here it scanned something and you see the time it needed is almost the
> same as in the previous example where it did just load its database.

Ack, thanks for pointing that out, I forgot about the file size limit.
 
> So far I don't see anything wrong.

I have discovered this during my regression tests for the jessie update. My
main worry was to have broken something, I'm glad it's not the case.
Thanks for your time!

regards,
Hugo



Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

2019-10-06 Thread Hugo Lefeuvre
Package: clamav
Version: clamav/0.101.4+dfsg-1
Severity: normal

Hi,

clamdscan returns surprising results for "better zip bomb" reproducers[0]:

* Inconsistent results with zbsm.zip:

clamdscan returns different results when run different times. The first
time the file is considered sane, the second time as "infected".

It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.

$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 120.771 sec (2 m 0 s)
$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 51.885 sec (0 m 51 s)

* zbxl.zip

clamdscan returns OK for zbxl.zip after 0.000 sec. clamscan needs more than
one minute. This difference is surprising to me.

$ clamdscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

--- SCAN SUMMARY ---
Infected files: 0
Time: 0.000 sec (0 m 0 s)
$ clamscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

--- SCAN SUMMARY ---
Known viruses: 6354861
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 43.75 MB (ratio 0.00:1)
Time: 66.032 sec (1 m 6 s)

This is reproducible with 0.101.4 in unstable (not a VM), stretch and
jessie (both VMs).

cheers,
Hugo

[0] https://www.bamsoftware.com/hacks/zipbomb/



Bug#912224: since update 1.3.3.5-4+deb8u5 php ldap authentification failure

2019-09-08 Thread Hugo Lefeuvre
Hi,

Sorry for the very late answer. For some reason, it looks like the LTS team
was not aware of this bug...

I am the one who provided these updates. This issue must have slipped
through my LDAP tests. I will investigate this as soon as possible and
provide a fix consequently.

Mike, you did the latest 389-ds-base update. Did you notice anything wrong
during your tests?

Thanks!

regards,
Hugo



Bug#938316: qreator: Python2 removal in sid/bullseye [PATCH]

2019-08-30 Thread Hugo Lefeuvre
Hi,

I have ported qreator to Python 3, you can find a debdiff in attachment.

I did not test everything, so there might still be some issues around. I did
not forward it to upstream, feel free to do it if you want.

regards,
Hugo

diff -Nru qreator-16.06.1/debian/changelog qreator-16.06.1/debian/changelog
--- qreator-16.06.1/debian/changelog	2019-03-30 15:35:12.0 -0400
+++ qreator-16.06.1/debian/changelog	2019-08-30 10:37:56.0 -0400
@@ -1,3 +1,10 @@
+qreator (16.06.1-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Port to Python 3 (Closes: #938316).
+
+ -- Hugo Lefeuvre   Fri, 30 Aug 2019 10:37:56 -0400
+
 qreator (16.06.1-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru qreator-16.06.1/debian/control qreator-16.06.1/debian/control
--- qreator-16.06.1/debian/control	2018-04-14 08:48:31.0 -0400
+++ qreator-16.06.1/debian/control	2019-08-30 10:37:56.0 -0400
@@ -3,8 +3,27 @@
 Priority: optional
 Maintainer: Chow Loong Jin 
 Build-Depends: debhelper (>= 8.0.0),
-   python-all (>= 2.6.6-3~),
-   python-distutils-extra
+   geoclue-2.0,
+   gir1.2-champlain-0.12,
+   gir1.2-clutter-1.0,
+   gir1.2-gdkpixbuf-2.0,
+   gir1.2-geoclue-2.0,
+   gir1.2-glib-2.0,
+   gir1.2-gtk-3.0,
+   gir1.2-gtkchamplain-0.12,
+   gir1.2-gtkclutter-1.0,
+   gir1.2-nm-1.0,
+   python3-all (>= 2.6.6-3~),
+   python3-cairo,
+   python3-dbus,
+   python3-distutils-extra,
+   python3-gi,
+   python3-gi-cairo,
+   python3-pil (>= 2.0.0),
+   python3-qrencode,
+   python3-requests,
+   python3-vobject,
+   python3-xdg
 Standards-Version: 4.1.3
 Homepage: https://launchpad.net/qreator
 Vcs-Git: https://anonscm.debian.org/git/collab-maint/qreator.git
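Review bot: `python3-all (>= 2.6.6-3~)` carries the version constraint over from `python-all`; it is meaningless for python3-all (every version satisfies it) and should be dropped. The hunk also moves the whole runtime stack (geoclue-2.0, ten gir1.2-* packages, python3-cairo, python3-dbus, python3-gi, python3-pil, ...) into Build-Depends; unless the build actually runs the application or a test suite that imports these, only python3-all and python3-distutils-extra are needed at build time, and the rest belongs in Depends alone, where the following hunk already lists them.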
@@ -12,26 +31,27 @@
 
 Package: qreator
 Architecture: all
-Depends: ${python:Depends}, ${misc:Depends},
- python-pil (>= 2.0.0),
- python-cairo,
- python-dbus,
- python-gi,
- python-gi-cairo,
+Depends: geoclue-2.0,
  gir1.2-champlain-0.12,
  gir1.2-clutter-1.0,
+ gir1.2-gdkpixbuf-2.0,
  gir1.2-geoclue-2.0,
  gir1.2-glib-2.0,
- gir1.2-gdkpixbuf-2.0,
  gir1.2-gtk-3.0,
  gir1.2-gtkchamplain-0.12,
  gir1.2-gtkclutter-1.0,
  gir1.2-nm-1.0,
- python-qrencode,
- python-requests,
- python-vobject,
- python-xdg,
- geoclue-2.0
+ python3-cairo,
+ python3-dbus,
+ python3-gi,
+ python3-gi-cairo,
+ python3-pil (>= 2.0.0),
+ python3-qrencode,
+ python3-requests,
+ python3-vobject,
+ python3-xdg,
+ ${misc:Depends},
+ ${python3:Depends}
 Description: graphical utility for creating QR codes
  Qreator enables you to easily create your own QR codes to encode different
  types of information in an efficient, compact and cool way.
diff -Nru qreator-16.06.1/debian/patches/python3-port.patch qreator-16.06.1/debian/patches/python3-port.patch
--- qreator-16.06.1/debian/patches/python3-port.patch	1969-12-31 19:00:00.0 -0500
+++ qreator-16.06.1/debian/patches/python3-port.patch	2019-08-30 10:37:56.0 -0400
@@ -0,0 +1,426 @@
+Subject: Port to python 3
+Author: Hugo Lefeuvre 
+Last-Update: 2019-08-30
+--- a/qreator/QRCode.py	2019-08-30 10:53:58.823320698 -0400
 b/qreator/QRCode.py	2019-08-30 16:12:48.309437828 -0400
+@@ -18,7 +18,7 @@
+ try:
+ import qrencode
+ except ImportError:
+-print "You need to install the python-qrencode package"
++print("You need to install the python-qrencode package")
+ sys.exit(1)
+ from PIL import Image
+ from PIL import ImageOps
+@@ -143,11 +143,11 @@
+ def _add_border(self, current_color_bg=None):
+ '''Adds a border to the QR code'''
+ if current_color_bg:
+-fill = (current_color_bg[0], current_color_bg[1],
+-current_color_bg[2], 255)
++fill = (int(current_color_bg[0]), int(current_color_bg[1]),
++int(current_color_bg[2]), 255)
+ else:
+ fill = 'white'
+ # Add a border
+-border_size = (self.output_size - self.image.size[0]) / 2
++border_size = int((self.output_size - self.image.size[0]) / 2)
+ self.image = ImageOps.expand(self.image, border=border_size,
+  fill=fill)
+--- a/qreator/qrcodes/QRCodeLocation.py	2019-08-30 10:53:58.823320698 -0400
 b/qreator/qrcodes/QRCodeLocation.py	2019-08
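Review bot: the `except ImportError:` message still reads "You need to install the python-qrencode package" although the package now depends on python3-qrencode; update the string. In `_add_border`, `int((self.output_size - self.image.size[0]) / 2)` is correct but `//` expresses the intended integer division directly, and wrapping `current_color_bg[0..2]` in `int()` truncates rather than rounds; confirm that is acceptable for the colour tuple, whose origin is outside this hunk. The archive cuts the patch off at QRCodeLocation.py, so the rest of the 426-line patch is not reviewable here.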

Bug#936214: bleachbit: Python2 removal in sid/bullseye

2019-08-30 Thread Hugo Lefeuvre
Control: forward -1 https://github.com/bleachbit/bleachbit/issues/163

Hi Matthias,

Thanks for your bug report.

On Fri, Aug 30, 2019 at 07:11:46AM +, Matthias Klose wrote:
> Python2 becomes end-of-life upstream, and Debian aims to remove
> Python2 from the distribution, as discussed in
> https://lists.debian.org/debian-python/2019/07/msg00080.html
> 
> Your package either build-depends, depends on Python2, or uses Python2
> in the autopkg tests.  Please stop using Python2, and fix this issue
> by one of the following actions.
> 
> - Convert your Package to Python3. This is the preferred option.  In
>   case you are providing a Python module foo, please consider dropping
>   the python-foo package, and only build a python3-foo package.  Please
>   don't drop Python2 modules, which still have reverse dependencies,
>   just document them.
>   
>   This is the preferred option.

Upstream is currently working on the migration. As far as I am aware, we should
not be too far from a final Python 3 release. I have just pinged them.

Bleachbit has a fairly high popcon and is active upstream. Bleachbit's removal
would be a real loss for many users.

regards,
Hugo



Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
Small update: I forgot to close the bug report (#932755) and did not mention
CVE-2019-5058 in debian/changelog. You can find an updated debdiff in
attachment.

cheers,
Hugo

diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977, CVE-2019-5058: buffer overflow in do_layer_surface
+(IMG_xcf.c) (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
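Review bot: `CVE-2019-1` in the IMG_LoadPCX_RW bullet is not a complete CVE identifier; check that entry before upload. Folding CVE-2019-5058 into the CVE-2018-3977 line is consistent with the patch Description (it bundles both fixes), but the buster twin of this entry (1.2.12-10+deb10u1) also explains what the follow-up corrects, that the earlier check tested `ty` instead of `y`; the same sentence would help a reader here.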
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
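Review bot: the new `break` in `for (y=ty; y < ty+oy; y++)` stops the row writes once `y >= surface->h` or `tx+ox > surface->w`, which prevents `row` from pointing past `surface->pixels`, but it silently truncates the layer instead of flagging the corrupt file; consider recording an error so callers can distinguish a malformed XCF from a valid one. The `(tx+ox) > surface->w` half is loop-invariant and can be tested once before the loop. `break` rather than `continue` is the right choice since `y` only increases.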
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst += pcxh.NPlanes;
+ }
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-	error = "file truncated";
+-	goto done;
++	/* Couldn't find the palette, try the end o
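Review bot: the `bpl > surface->pitch` branch now `goto done`s where before it only set `error` and fell through, and `buf = (Uint8 *)SDL_calloc(surface->pitch, 1)` replaces the `SDL_max(bpl, surface->pitch)` sizing accordingly; no NULL check on that allocation is visible in the hunk, so add one. `count` and `ch` move from per-scan-line scope to function scope, so an RLE run that straddles a row boundary now continues into the next row instead of being reset; that is a behaviour change worth a sentence in the Description. The added `dst >= row+surface->pitch` bound covers the plane-interleave loop, and the new `else { SDL_memcpy(row, buf, bpl); }` path is bounded by the earlier `bpl > surface->pitch` rejection; say so in a comment, since the two checks are far apart. The hunk is truncated at the palette search, so the remainder is not reviewable here.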

Bug#930363: faad2: fix build with gcc-9 [patch]

2019-08-29 Thread Hugo Lefeuvre
Hi Fabian,

> On Thursday, 29.08.2019, 08:04 -0400, Hugo Lefeuvre wrote:
> > Fabian (faad2 maintainer and upstream), do you want to handle this?
> > Otherwise I can NMU a second time with this patch.
> 
> please go ahead with a second NMU. I am a bit short on time currently
> (home alone with the 10mo baby...).

Ack, I'll NMU then. Good luck with the baby :)

cheers,
Hugo



Bug#936056: buster-pu: package sdl-image1.2/1.2.12-10+deb10u1

2019-08-29 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-CC: t...@security.debian.org

Hi,

sdl-image1.2 is affected by a number of security issues in buster. Impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for buster.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu, those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

This is essentially the same update as 1.2.12-5+deb9u2, see #936051.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 18:58:30.0 -0500
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:51:05.0 -0400
@@ -1,3 +1,17 @@
+sdl-image1.2 (1.2.12-10+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-5058: Fix CVE-2018-3977.patch from previous upload: check should
+be done for y, not ty (Closes: #932755).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:51:05 -0400
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
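Review bot: `CVE-2019-1` in the OOB R/W line is not a complete CVE identifier; the Debian security tracker matches changelog entries by exact id, so it should be spelled out in full before upload.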
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2018-11-04 18:58:30.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:51:05.0 -0400
@@ -9,15 +9,13 @@
  IMG_xcf.c | 3 +++
  1 file changed, 3 insertions(+)
 
-diff --git a/IMG_xcf.c b/IMG_xcf.c
-index 064e641..93b6929 100644
 a/IMG_xcf.c
-+++ b/IMG_xcf.c
-@@ -634,6 +634,9 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
+--- a/IMG_xcf.c	2019-08-29 09:34:10.888355386 -0400
 b/IMG_xcf.c	2019-08-29 09:34:37.702747635 -0400
+@@ -634,6 +634,9 @@
p16 = (Uint16 *) p8;
p   = (Uint32 *) p8;
for (y=ty; y < ty+oy; y++) {
-+	if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
 +		break;
 +	}
  	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
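Review bot: the corrected `y >= surface->h` test is the right per-row check, but `(tx+ox) > surface->w` does not depend on `y` and is re-evaluated on every row; hoisting it above the loop (or rejecting the layer outright) would make the intent clearer, and `break` silently yields a partially filled surface for a corrupt file where an error return, as the PCX loader does with `goto done`, would tell the caller the image is truncated.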
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:49:56.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
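Review bot: moving `count` and `ch` from the per-scanline block to function scope changes behaviour, not just layout: a run left over at the end of one scanline now continues into the next instead of being discarded, so a crafted run can fill part of the following row without further input. That is memory-safe with the bounds checks in the later hunks, but it should be stated in the patch description since it differs from what the old per-row `int i, count = 0;` did.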
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
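Review bot: the added `goto done;` after `error = "bytes per line is too large (corrupt?)";` is the substantive fix here, because the old code set the error and then carried on decoding with an undersized buffer; with `buf` now always `surface->pitch` bytes and `dst = buf` unconditionally, the decode loop can no longer write into `row` directly. No NULL check on the `SDL_calloc` result is visible in this hunk; if none follows, an allocation failure would be dereferenced in the loop.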
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if 

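The IMG_pcx.c hunks in the debdiff above make two separate guarantees: the RLE scanline decoder never writes past the line buffer, and the plane-expansion loop never writes past `row + surface->pitch`. The following is an added example, not SDL_image code and not part of the bug report, showing both in a self-contained form that can be exercised on constructed input. It assumes a small in-memory reader in place of SDL_RWops and, unlike SDL_image, does not carry a run across scanlines: a run that would spill past the line is clamped, a zero-length run byte (0xc0) is treated as empty rather than letting `count` go negative, and the plane-expansion bounds are checked once up front rather than per pixel.

```c
/* Added example, not SDL_image code: a bounded PCX RLE scanline decoder and
 * planar-to-interleaved expander mirroring the checks in the IMG_pcx.c fix.
 * The in-memory reader stands in for SDL_RWops (an assumption of this example). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct { const uint8_t *data; size_t len; size_t pos; } pcx_reader;

/* Reads one byte; returns 0 at end of input (the "file truncated" case). */
static int rd_byte(pcx_reader *r, uint8_t *out) {
    if (r->pos >= r->len) return 0;
    *out = r->data[r->pos++];
    return 1;
}

/* Decodes one RLE scanline of bpl bytes into dst (capacity dst_cap).
 * Returns bytes written (== bpl), -1 if input ends early, -2 if bpl > dst_cap
 * ("bytes per line is too large"). A run byte of exactly 0xc0 is a count of
 * 0 and yields an empty run; a run that would spill past bpl is clamped. */
int pcx_decode_scanline(pcx_reader *r, uint8_t *dst, size_t dst_cap, size_t bpl) {
    size_t i = 0;
    if (bpl > dst_cap) return -2;
    while (i < bpl) {
        uint8_t ch;
        size_t count;
        if (!rd_byte(r, &ch)) return -1;
        if (ch < 0xc0) {
            count = 1;                        /* literal byte */
        } else {
            count = (size_t)(ch - 0xc0);      /* 0..63, same as ch & 0x3f */
            if (!rd_byte(r, &ch)) return -1;  /* the byte to repeat */
        }
        if (count > bpl - i) count = bpl - i; /* corrupt run: clamp, never overrun */
        memset(dst + i, ch, count);
        i += count;
    }
    return (int)i;
}

/* Interleaves nplanes planes of bytes_per_line bytes (the decoded line) into
 * row (pitch bytes). Returns 0, -1 if width*nplanes bytes would not fit in
 * pitch (the "decoding out of bounds" case), -2 if width > bytes_per_line so a
 * plane would be read past its data. Both bounds are checked once, up front. */
int pcx_expand_planes(const uint8_t *line, size_t bytes_per_line, size_t nplanes,
                      size_t width, uint8_t *row, size_t pitch) {
    size_t plane, x;
    if (width == 0 || nplanes == 0) return 0;
    if (width > bytes_per_line) return -2;
    if (nplanes > pitch / width) return -1;   /* width*nplanes > pitch, no overflow */
    for (plane = 0; plane < nplanes; plane++) {
        const uint8_t *src = line + plane * bytes_per_line;
        uint8_t *dst = row + plane;
        for (x = 0; x < width; x++) { *dst = src[x]; dst += nplanes; }
    }
    return 0;
}

/* Constructed sample: run 3 x 0xaa, literal 0x11, empty run (0xc0 0xff),
 * run 2 x 0x22 -> aa aa aa 11 22 22. */
static const uint8_t SAMPLE_LINE[] = { 0xc3, 0xaa, 0x11, 0xc0, 0xff, 0xc2, 0x22 };

/* 1 if SAMPLE_LINE decodes to the six expected bytes and consumes all input. */
int demo_decode_sample(void) {
    static const uint8_t want[6] = { 0xaa, 0xaa, 0xaa, 0x11, 0x22, 0x22 };
    uint8_t out[6];
    pcx_reader r = { SAMPLE_LINE, sizeof SAMPLE_LINE, 0 };
    int n = pcx_decode_scanline(&r, out, sizeof out, 6);
    return n == 6 && r.pos == sizeof SAMPLE_LINE && memcmp(out, want, 6) == 0;
}

/* Input ending inside a run (expect -1) or bpl larger than the row (expect -2). */
int demo_decode_truncated(void) {
    static const uint8_t cut[] = { 0xc3 };
    uint8_t out[4];
    pcx_reader r = { cut, sizeof cut, 0 };
    return pcx_decode_scanline(&r, out, sizeof out, 4);
}
int demo_decode_bpl_too_large(void) {
    uint8_t out[4];
    pcx_reader r = { SAMPLE_LINE, sizeof SAMPLE_LINE, 0 };
    return pcx_decode_scanline(&r, out, sizeof out, 8);
}

/* 1 if a 3-plane, 2-pixel line interleaves to R G B r g b. */
int demo_expand_planes(void) {
    static const uint8_t line[6] = { 'R', 'r', 'G', 'g', 'B', 'b' };
    static const uint8_t want[6] = { 'R', 'G', 'B', 'r', 'g', 'b' };
    uint8_t row[6];
    return pcx_expand_planes(line, 2, 3, 2, row, sizeof row) == 0
        && memcmp(row, want, 6) == 0;
}

/* 2 pixels x 3 planes need 6 bytes but the row has 5 (expect -1). */
int demo_expand_overflow(void) {
    static const uint8_t line[6] = { 0 };
    uint8_t row[5];
    return pcx_expand_planes(line, 2, 3, 2, row, sizeof row);
}
```

Compile with `cc -std=c99 -Wall`; the `demo_*` functions encode the expected outcomes (6 bytes decoded for the sample line, -1 for truncated input, -2 for an oversized bytes-per-line, and -1 from the expander when two pixels of three planes would not fit a 5-byte row). Checking the write bound once from `width * nplanes` is the same condition the patched per-pixel `dst >= row+surface->pitch` test enforces, evaluated before any byte is written.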
Bug#936051: stretch-pu: package sdl-image1.2/1.2.12-5+deb9u2

2019-08-29 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

sdl-image1.2 is affected by a number of security issues in stretch. Impact is
quite minor, but it would still be nice to get them fixed.

Attached is a debdiff addressing most of them for stretch.

libsdl2-image 2.0.4+dfsg1+deb10u1 and 2.0.1+dfsg-2+deb9u2 have already been
accepted in stretch-pu and buster-pu, those are the same issues and the same
patches.

(I initially intended to submit -pu requests for both sdl-image1.2 and libsdl2
at the same time, but for a number of reasons sdl-image1.2 was delayed)

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-04-15 11:54:38.0 -0400
+++ sdl-image1.2-1.2.12/debian/changelog	2019-08-29 08:28:17.0 -0400
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-5+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+  * CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+  * CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+  * CVE-2019-12216, CVE-2019-12217,
+CVE-2019-12218, CVE-2019-12219,
+CVE-2019-12220, CVE-2019-12221,
+CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Thu, 29 Aug 2019 08:28:17 -0400
+
 sdl-image1.2 (1.2.12-5+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
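Review bot: this entry credits only CVE-2018-3977 for the IMG_xcf.c change, but the patch file it ships says it bundles the original (broken) fix with the TALOS-2019-0842 follow-up, which the Bug#933147 discussion on this page says was assigned CVE-2019-5058; listing CVE-2019-5058 here as well lets the security tracker mark it fixed in stretch.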
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2018-3977.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-23 11:56:35.733259428 -0300
 b/IMG_xcf.c	2019-07-23 11:57:55.036947079 -0300
+@@ -634,6 +634,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++	if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++		break;
++	}
+ 	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ 	switch (hierarchy->bpp) {
+ 	case 4:
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 19:00:00.0 -0500
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-08-29 08:26:26.0 -0400
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
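Review bot: the `bpl > surface->pitch` test is the only validation of `pcxh.NPlanes * pcxh.BytesPerLine` visible here, and it does not reject `bpl == 0` (either header field zero); that case passes the check, and the later `SDL_RWread(src, dst, bpl, 1)` with a zero size would then report a misleading "file truncated". An explicit `bpl == 0` rejection with a "corrupt header" message would be clearer.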
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error 

Bug#930363: faad2: fix build with gcc-9 [patch]

2019-08-29 Thread Hugo Lefeuvre
Hi Gianfranco,

On Thu, Aug 29, 2019 at 07:43:15AM +0200, Gianfranco Costamagna wrote:
> control: severity -1 serious
> On Tue, 11 Jun 2019 15:06:01 +0200 Gianfranco Costamagna 
>  wrote:
> > Source: faad2
> > Version: 2.8.8-3
> > Severity: normal
> > tags: patch
> > 
> > Hello, looks like gcc-9 is adding wl,asneeded flag in compilation, so libs
> > passed as CFLAGS are not correctly used by gcc anymore, because only LIBS
> > is added at the end of the compilation line.
> > 
> > The following patch fixes the issue, and starts then using again the glib
> > implementation of the library.  (without the patch, the bundled version is
> > used everywhere, and the build fails only on i386 because of an
> > implementation mismatch of a long/int data type)
> > 
> > I reported the patch already upstream
> > https://sourceforge.net/p/faac/bugs/242/
> > patch: 
> > http://launchpadlibrarian.net/427773869/faad2_2.8.8-3_2.8.8-3ubuntu1.diff.gz
> 
> Now this bug is RC, and preventing CVE fixes from Migration.
> Hugo, can you please reupload with the Ubuntu patch?
> https://launchpad.net/ubuntu/+source/faad2/2.8.8-3.1ubuntu1
> I rebased it with the upstream version

Fabian (faad2 maintainer and upstream), do you want to handle this?

Otherwise I can NMU a second time with this patch.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

2019-08-28 Thread Hugo Lefeuvre
Hi Fabian,

> > Please let me know if you want me to change anything, otherwise I am
> > waiting for your ack to upload.
> 
> Please go ahead!

OK, uploaded.

> Is the list of closed CVEs complete?

Yes, everything fixed in sid!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#914641: faad2: CVE-2018-19502 CVE-2018-19503 CVE-2018-19504 CVE-2019-6956

2019-08-27 Thread Hugo Lefeuvre
Hi,

Following a discussion with Fabian on GitHub[0], here is an NMU for faad2 in
unstable. This NMU addresses the last few open security issues via targeted
patches, until they are integrated in the next upstream release.

Please let me know if you want me to change anything, otherwise I am waiting
for your ack to upload.

regards,
Hugo

[0] https://github.com/knik0/faad2/pull/38

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru faad2-2.8.8/debian/changelog faad2-2.8.8/debian/changelog
--- faad2-2.8.8/debian/changelog	2019-06-07 14:07:34.0 -0400
+++ faad2-2.8.8/debian/changelog	2019-08-27 13:29:39.0 -0400
@@ -1,3 +1,15 @@
+faad2 (2.8.8-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload with maintainer's permission.
+  * CVE-2019-6956: Buffer over read in the function ps_mix_phase()
+(libfaad/ps_dec.c) (Closes: #914641).
+  * CVE-2018-20196: Stack buffer overflow in the function calculate_gain
+(libfaad/sbr_hfadj.c).
+  * CVE-2018-20199, CVE-2018-20360: NULL pointer dereference in the function
+ifilter_bank (libfaad/filtbank.c).
+
+ -- Hugo Lefeuvre   Tue, 27 Aug 2019 13:29:39 -0400
+
 faad2 (2.8.8-3) unstable; urgency=high
 
   * Team upload.
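Review bot: the bug this closes (#914641) is titled with CVE-2018-19502, CVE-2018-19503 and CVE-2018-19504, none of which appear in this entry; if they were already handled in 2.8.8-3 (the preceding urgency=high team upload), say so in the changelog or the bug, otherwise `Closes: #914641` reads as closing issues this upload does not fix. The three new ids here (CVE-2018-20196, CVE-2018-20199, CVE-2018-20360) carry no bug reference, which is fine only if no Debian bug tracks them.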
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20196.patch faad2-2.8.8/debian/patches/CVE-2018-20196.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20196.patch	1969-12-31 19:00:00.0 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20196.patch	2019-08-27 13:29:39.0 -0400
@@ -0,0 +1,48 @@
+Description: fix stack based buffer overflow in calculate_gain (libfaad/sbr_hfadj.c)
+ sbr_fbt: sbr->M should not exceed MAX_M
+ .
+ sbr->M is set by derived_frequency_table() from user-passed input
+ without checking for > MAX_M.
+ .
+ This leads to out-of-bounds accesses later, crashes and potential
+ security relevant issues. It should be considered a fatal error for
+ the SBR block.
+ .
+ return error code if sbr->M > MAX_M.
+ .
+ also, in some cases sbr_extension_data() ignores the return value of
+ calc_sbr_tables, probably assuming that sbr is always valid. It should
+ almost certainly not do that.
+Author: Hugo Lefeuvre 
+Origin: upstream, https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22
+--- a/libfaad/sbr_fbt.c	2009-05-31 03:02:54.0 -0400
 b/libfaad/sbr_fbt.c	2019-08-26 09:14:35.368320494 -0400
+@@ -526,6 +526,8 @@
+ }
+ 
+ sbr->M = sbr->f_table_res[HI_RES][sbr->N_high] - sbr->f_table_res[HI_RES][0];
++if (sbr->M > MAX_M)
++return 1;
+ sbr->kx = sbr->f_table_res[HI_RES][0];
+ if (sbr->kx > 32)
+ return 1;
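Review bot: returning 1 when `sbr->M > MAX_M` leaves `sbr->M` holding the out-of-range value; the patch description says some callers ignore the result of `calc_sbr_tables`, so any such caller would still index with it. Clamping or resetting `sbr->M` before `return 1` would make the guard hold even where the return code is dropped, independently of the `result +=` changes in sbr_syntax.c.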
+--- a/libfaad/sbr_syntax.c	2009-05-31 03:02:54.0 -0400
 b/libfaad/sbr_syntax.c	2019-08-26 09:15:14.108163215 -0400
+@@ -196,7 +196,7 @@
+ /* if an error occured with the new header values revert to the old ones */
+ if (rt > 0)
+ {
+-calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ saved_samplerate_mode, saved_freq_scale,
+ saved_alter_scale, saved_xover_band);
+ }
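Review bot: `result += calc_sbr_tables(...)` makes a failed revert to the saved header values visible, which fixes the silent-success case, but accumulating return codes with `+=` mixes this failure with whatever `result` already holds, so the caller cannot tell which step failed; `result |= ...` or a separate flag keeps the same "any error is fatal" semantics without that ambiguity.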
+@@ -215,7 +215,7 @@
+ if ((result > 0) &&
+ (sbr->Reset || (sbr->bs_header_flag && sbr->just_seeked)))
+ {
+-calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
++result += calc_sbr_tables(sbr, saved_start_freq, saved_stop_freq,
+ saved_samplerate_mode, saved_freq_scale,
+ saved_alter_scale, saved_xover_band);  
+ }
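Review bot: same pattern as the previous hunk; here the guard is `(result > 0) && ...`, so `result` is already non-zero when the revert runs and the `+=` only changes anything when the revert itself fails, which is exactly the case the description calls out. Worth a one-line comment at the call site so the next reader does not "simplify" it back to a bare call.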
diff -Nru faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch
--- faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	1969-12-31 19:00:00.0 -0500
+++ faad2-2.8.8/debian/patches/CVE-2018-20360-20199.patch	2019-08-27 13:29:39.0 -0400
@@ -0,0 +1,49 @@
+Description: fix NULL pointer dereference in ifilter_bank (libfaad/filtbank.c)
+ specrec: better handle unexpected PS
+ .
+ Parametric Stereo (PS) can arrive at any moment in input files. PS
+ changes the number of output channels and therefore requires more
+ allocated memory in various structures from hDecoder.
+ .
+ The current faad2 code attempts to perform allocation surgery in
+ hDecoder to recover from this. This works well when there is only one
+ frame channel, else it creates large number of memory corruption
+ issues.
+ .
+ If there is more than one input channel, return cleanly with error
+ code. It would be nice to handle this, but this is likely to be a lot
+ of work and is beyond the scope of a security fix.
+ .
+ This patch addresses CVE-2018-20360 and CVE-2018-20199.
+Author: Hugo Lefeuvre 
+Ori

Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-22 Thread Hugo Lefeuvre
Hi,

> >  The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> >  CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
> >  bomb mitigation was immediately identified. To remediate the zip-bomb
> >  scan time issue, a scan time limit has been introduced in 0.101.4. This
> >  limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> > 
> > The default scan time limit is 2 minutes (12 milliseconds).
> > 
> > To customize the time limit:
> > - use the clamscan  --max-scantime option
> > - use the clamd  MaxScanTime config option
> > 
> > Libclamav users may customize the time limit using the cl_engine_set_num
> > function. For example:
> > 
> > C
> > cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, 
> > time_limit_milliseconds)
> > 
> > Thanks to David Fifield for reviewing the zip-bomb mitigation in
> > 0.101.3 and reporting the issue.
> 
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
backport the update to jessie after that.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-12 Thread Hugo Lefeuvre
Hi Sebastian,

> > Even though this issue is marked as fixed in unstable, the current patch is
> > incomplete (see upstream bug report). Upstream is actively working on a
> > more advanced patch.
> 
> I am aware of the situation. I uploaded to unstable what upstream
> released as 0.101.3 (the latest one) and prepared an update for stable.
> _After_ that, the bugtracker got updated claiming that the fix is not
> perfect and another zip bomb was added to the bugtracker.

I'm sorry if this sounded insistent, it was not intended like that.

thanks for your work!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

2019-08-10 Thread Hugo Lefeuvre
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#931449: imagemagick: CVE-2019-13305/CVE-2019-13306

2019-08-09 Thread Hugo Lefeuvre
Hi,

These issues are similar; both are fixed by [0]. Upstream claims to have fixed
CVE-2019-13306 via [1], but this is wrong: [1] is reverted by [0].

I took some time to investigate this vulnerability. Unless I am mistaken,
this allows for arbitrary stack buffer overflow up to 10 bytes via pixel
luma values. My exploitation skills are limited, but this could be an
exploitable vulnerability.

I think this should be fixed, at least via point release?

regards,
Hugo

[0] 
https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d
[1] 
https://github.com/ImageMagick/ImageMagick6/commit/cb5ec7d98195aa74d5ed299b38eff2a68122f3fa

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
Hi Salvatore,

> > Done! You can find an updated debdiff for buster in attachment. The new
> > debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
> > IMG_xcf.c.
> 
> Is the attachment missing?

Right, attachment is missing! Better now :)

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 11:59:26.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 22:01:14.0 +0200
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5058: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1970-01-01 01:00:00.0 +0100
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 22:01:14.0 +0200
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
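Review bot: `count = ch - 0xc0` yields 0 for a run byte of exactly 0xc0, after which the unconditional `dst[i] = ch; count--;` leaves `count` at -1; if the enclosing loop only fetches new input when `count` is zero (the usual shape of this decoder, not visible in the hunk), that run never ends and, because `count` now lives at function scope, the rest of the image is filled with that byte without reading further. Memory-safe, but `if (count == 0) count = 1;` or treating 0xc0 as a one-byte run would avoid the silent fill.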
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
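Review bot: `dst >= row+surface->pitch` is evaluated once per pixel per plane, but `dst` advances by a fixed `pcxh.NPlanes` from `row + plane`, so the last address written is `row + plane + (width-1)*pcxh.NPlanes`; a single check before the loop that `width * pcxh.NPlanes <= surface->pitch` (multiplication done in a wide type) rejects the same corrupt headers once per image instead of once per byte, and turns the error into a header-validation failure rather than a mid-decode abort.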
+@@ -225,8 +234,9 @@
+ /* look for a 256-colour palette */
+ do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-error = "file truncated";
+-goto done;
++/* Couldn't find the palette, try the end of the file */
++SDL_RWseek(src, -768, RW_SEEK_END);
++break;
+ }
+ } while ( ch != 12 );
+ 
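Review bot: the return value of `SDL_RWseek(src, -768, RW_SEEK_END)` is not checked; on a stream shorter than 768 bytes the seek fails and the palette read that presumably follows this loop proceeds from wherever the scan stopped. Checking the seek result (and spelling 768 as 256 entries of 3 bytes) would keep a truncated file from being accepted with a garbage palette; this is a robustness point rather than a memory-safety one, since the read itself remains bounded.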
diff -Nru libsdl2-image-2.0.4+dfsg1/deb

Bug#931740: CVE-2019-12977 analysis

2019-08-08 Thread Hugo Lefeuvre
Hi,

I had a look at CVE-2019-12977:

This allows attackers to manipulate the JP2 compression arguments passed by
imagemagick to openjpeg. As long as openjpeg sanitizes its arguments, this
issue does not have any security impact. Any useful exploit of this issue
requires chaining it with another vulnerability in openjpeg.

Also: I suspect that these compression arguments can actually be
arbitrarily set by the user, without exploiting any kind of vulnerability.
In other words, this issue might be completely irrelevant from a security
standpoint because it does not allow the user to do more than what he can
already do.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#932755: sdl-image1.2: multiple security issues

2019-08-08 Thread Hugo Lefeuvre
Hi Felix,

> > Concerning testing: can I upload the NMU?
> 
> Sure, please go ahead!

thanks! I have uploaded the NMU, with some very small changes: I have added
a patch for CVE-2019-5058, which addresses issues in a previously uploaded
patch for CVE-2018-3977 (via 1.2.12-10).

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-08 Thread Hugo Lefeuvre
Hi,

> > Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
> > that the initial patch was broken (see stretch patch descriptions), I
> > failed to handle this properly in the buster version.
> > 
> > As far as I remember, I did not upload this diff yet. I'll just provide an
> > updated version asap. I will also update the testing NMU[2], which I
> > fortunately did not upload yet.
> 
> Perfect, thank you for that!

Done! You can find an updated debdiff for buster in attachment. The new
debdiff ships CVE-2019-5058.patch which addresses the remaining issue in
IMG_xcf.c.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#932755: sdl-image1.2: multiple security issues

2019-08-05 Thread Hugo Lefeuvre
Hi Salvatore,

> FTR, there are new CVEs which appeared for TALOS-2019-0841
> TALOS-2019-0842, TALOS-2019-0843 and TALOS-2019-0844.
> 
> It is unfortunate that Cisco Talos project is a bit intransparent on
> referencing the respective upstream fixes after disclosure :(

Thanks for the information. I will update the testing NMU to address these
issues as well and perform some triage in the tracker (CVE-2019-5058 is the
same as CVE-2018-3977 and CVE-2019-5057 looks familiar as well).

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-08-05 Thread Hugo Lefeuvre
Hi Salvatore,

> Maybe I'm missing something but but please double check. Can it be
> that the stretch-pu upload contains the fix
> https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10 for TALOS-2019-0842
> but the buster-pu one missed it? (Note this has a new CVE assigned
> CVE-2019-5058, the change afaics is included in your stretch-pu
> debdiff, is this right? but not in the buster-pu one?)

Thanks for catching this. The situation is quite messy, so I will try to
summarize it in a few words.

CVE-2018-3977 is the actual buffer overflow in IMG_pcx.c. This
vulnerability was "fixed" via [0]; however, the fix is broken (the check
should be done for y, not ty). Talos decided to report the remaining issue
as a separate vulnerability, TALOS-2019-0842, which was recently assigned
CVE-2019-5058. It was fixed via [1].

CVE-2019-5058/TALOS-2019-0842 is not a new vulnerability, it's just
CVE-2018-3977 which wasn't fixed properly.

Buster received [0] per 2.0.4+dfsg1-1, but not [1]. Even if I was aware
that the initial patch was broken (see stretch patch descriptions), I
failed to handle this properly in the buster version.

As far as I remember, I did not upload this diff yet. I'll just provide an
updated version asap. I will also update the testing NMU[2], which I
fortunately did not upload yet.

Thanks again!

regards,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
[1] https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932755

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#885681: gummi: Depends on unmaintained gtksourceview2

2019-08-04 Thread Hugo Lefeuvre
Hi Jeremy,

I have pinged upstream about this. I have somehow overlooked this until
now, and would really like to avoid Gummi's removal. There's a good user
base on Debian, popcon is fairly high.

I hope that we will be able to manage a proper transition in the next
months.

Thanks for your work.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933242: python-slugify: text-unicode still required dependency

2019-07-27 Thread Hugo Lefeuvre
Source: python-slugify
Version: 3.0.2-2
Severity: grave

Hi,

3.0.2-2 fixed the missing unidecode binary dependency. However
text-unidecode is still registered as a required dependency. This breaks
reverse dependencies if text-unidecode is not installed on the system.

I'm working on it.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#932755: sdl-image1.2: multiple security issues

2019-07-27 Thread Hugo Lefeuvre
Dear SDL packages maintainers,

I have uploaded the jessie LTS update.

I will coordinate with the security team for stretch and buster fixes via
point release.

Concerning testing: can I upload the NMU?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


signature.asc
Description: PGP signature


Bug#933218: stretch-pu: package libsdl2-image/2.0.1+dfsg-2+deb9u2

2019-07-27 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues in
stretch:

* CVE-2018-3977: Heap buffer overflow.

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for stretch.

All of these patches are from upstream, I have removed whitespace changes
and non security related refactoring.

This is the same patch as #933147.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.1+dfsg/debian/changelog libsdl2-image-2.0.1+dfsg/debian/changelog
--- libsdl2-image-2.0.1+dfsg/debian/changelog	2018-04-15 12:26:34.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/changelog	2019-07-27 13:19:47.0 -0300
@@ -1,3 +1,18 @@
+libsdl2-image (2.0.1+dfsg-2+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2018-3977: buffer overflow in do_layer_surface (IMG_xcf.c).
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Sat, 27 Jul 2019 13:19:47 -0300
+
 libsdl2-image (2.0.1+dfsg-2+deb9u1) stretch-security; urgency=high
 
   * Backport various security fixes:
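Review bot: `CVE-2019-1` in the last bullet of the new entry is not a complete CVE identifier (the sequence part has at least four digits), so it will not resolve in the security tracker or in the changelog parsers that key on it; spell out the intended id before uploading. The same truncated id appears in the cover mail, so it is worth checking against the tracker rather than copying it forward.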
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2018-3977.patch	2019-07-27 13:19:47.0 -0300
@@ -0,0 +1,19 @@
+Description: Fix potential buffer overflow on corrupt or maliciously-crafted XCF file.
+ This patch bundles two fixes, the original one for CVE-2018-3977
+ (TALOS-2018-0645) which is actually broken, and the followup patch
+ (TALOS-2019-0842).
+Author: Ryan C. Gordon 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/170d7d32e4a8
+  https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
+--- a/IMG_xcf.c	2019-07-27 13:21:45.402211011 -0300
 b/IMG_xcf.c	2019-07-27 13:21:45.398211049 -0300
+@@ -637,6 +637,9 @@
+   p16 = (Uint16 *) p8;
+   p   = (Uint32 *) p8;
+   for (y=ty; y < ty+oy; y++) {
++if ((y >= surface->h) || ((tx+ox) > surface->w)) {
++break;
++}
+ row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
+ switch (hierarchy->bpp) {
+ case 4:
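Review bot: the added guard `if ((y >= surface->h) || ((tx+ox) > surface->w)) break;` silently stops writing the tile instead of reporting the corrupt layer, and its second half does not depend on `y`, so the x-extent could be rejected once before the loop with a proper error rather than re-tested on every row. The header says the original CVE-2018-3977 fix "is actually broken" without saying how; a sentence on what the follow-up (TALOS-2019-0842) corrects would help whoever rebases this patch next.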
diff -Nru libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.1+dfsg/debian/patches/CVE-2019-12218.patch	2019-07-27 13:19:47.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-27 13:21:30.158367768 -0300
 b/IMG_pcx.c	2019-07-27 13:21:30.154367811 -0300
+@@ -100,6 +100,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ er
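Review bot: the decisive line in the `bpl > surface->pitch` block is the added `goto done`: before it the error string was set but execution fell through, so the uncompressed path `SDL_RWread(src, dst, bpl, 1)` could still write bpl bytes into a buffer sized from `surface->pitch`. With the early exit and `buf = (Uint8 *)SDL_calloc(surface->pitch, 1)` the check guarantees bpl <= pitch for every later use of buf. Note that `dst` is now always `buf` (the `(src_bits == 8) ? row : buf` shortcut is gone), so the 8-bit case needs an explicit copy from buf into row later in the patch; that part is cut off in this copy of the debdiff (the file header promises 84 lines, the text ends mid-line at line 170), so make sure the patch in the archive is complete.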

Bug#933147: buster-pu: package libsdl2-image/2.0.4+dfsg1+deb10u1

2019-07-26 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian@packages.debian.org
Usertags: pu

Hi,

libsdl2-image is currently affected by the following security issues:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in
  IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

(for more information, see #932754)

Attached is a debdiff addressing all of them for buster.

All of these patches are from upstream; I have removed whitespace changes
and non-security-related refactoring.

thanks!

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/changelog libsdl2-image-2.0.4+dfsg1/debian/changelog
--- libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-02-03 08:59:26.0 -0200
+++ libsdl2-image-2.0.4+dfsg1/debian/changelog	2019-07-26 17:01:14.0 -0300
@@ -1,3 +1,17 @@
+libsdl2-image (2.0.4+dfsg1-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Multiple security issues (Closes: #932754):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in
+  IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Fri, 26 Jul 2019 17:01:14 -0300
+
 libsdl2-image (2.0.4+dfsg1-1) unstable; urgency=medium
 
   * New upstream version.
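Review bot: CVE-2019-5051 is filed here under the IMG_LoadPCX_RW OOB R/W group (`CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW`), while the cover mail lists it on its own as a heap-based buffer overflow in IMG_pcx.c; the changelog and the patch set should agree on which patch covers it, since a reader of the changelog cannot tell whether a dedicated CVE-2019-5051 patch was dropped or folded into another one.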
diff -Nru libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch
--- libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ libsdl2-image-2.0.4+dfsg1/debian/patches/CVE-2019-12218.patch	2019-07-26 17:01:14.0 -0300
@@ -0,0 +1,84 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-26 17:35:40.331470589 -0300
 b/IMG_pcx.c	2019-07-26 17:48:45.760965290 -0300
+@@ -98,6 +98,8 @@
+ Uint8 *row, *buf = NULL;
+ char *error = NULL;
+ int bits, src_bits;
++int count = 0;
++Uint8 ch;
+ 
+ if ( !src ) {
+ /* The error message has been set in SDL_RWFromFile */
+@@ -146,14 +148,14 @@
+ bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ if (bpl > surface->pitch) {
+ error = "bytes per line is too large (corrupt?)";
++goto done;
+ }
+-buf = (Uint8 *)SDL_calloc(SDL_max(bpl, surface->pitch), 1);
++buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ row = (Uint8 *)surface->pixels;
+ for ( y=0; yh; ++y ) {
+ /* decode a scan line to a temporary buffer first */
+-int i, count = 0;
+-Uint8 ch;
+-Uint8 *dst = (src_bits == 8) ? row : buf;
++int i;
++Uint8 *dst = buf;
+ if ( pcxh.Encoding == 0 ) {
+ if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -166,14 +168,15 @@
+ error = "file truncated";
+ goto done;
+ }
+-if( (ch & 0xc0) == 0xc0) {
+-count = ch & 0x3f;
+-if(!SDL_RWread(src, , 1, 1)) {
++if ( ch < 0xc0 ) {
++count = 1;
++} else {
++count = ch - 0xc0;
++if( !SDL_RWread(src, , 1, 1)) {
+ error = "file truncated";
+ goto done;
+ }
+-} else
+-count = 1;
++}
+ }
+ dst[i] = ch;
+ count--;
+@@ -205,10 +208,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++if ( dst >= row+surface->pitch ) {
++error = "decoding out of bounds (corrupt?)";
++goto done;
++}
+ *dst = *innerSrc++;
+ dst += pcxh.NPlanes;
+ }
+ }
++} else {
++SDL_memcpy(row, buf, bpl);
+ }
+ 
+ row += surface->pitch;
+@@ -225,8 +234,9 @@
+ /* look for a
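Review bot: in the plane de-interleave loop (inner hunk `@@ -205,10 +208,16 @@`) the write is now bounded by `if ( dst >= row+surface->pitch )`, but the read side `*innerSrc++` advances `width` bytes per plane with no visible bound against `buf + bpl`; confirm that `width <= pcxh.BytesPerLine` is enforced before this loop (it is not in this hunk), otherwise a crafted header still lets the decoder read past the scan-line buffer. The RLE rewrite `count = ch - 0xc0` is equivalent to the old `ch & 0x3f` for ch >= 0xc0, so that part is cosmetic; the security-relevant changes are the `goto done` after the bpl check, decoding always into `buf`, and the new `SDL_memcpy(row, buf, bpl)` for the 8-bit path, which is safe only because bpl <= pitch was checked earlier.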

Bug#922466: whitelist not working on python3 (buster version)

2019-07-26 Thread Hugo Lefeuvre
Hi,

Sorry for overlooking this issue. This should be fixed in the next pyzor
upload, in the next few days.

Thanks for reporting this.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932755: libsdl2-image security issues in testing

2019-07-24 Thread Hugo Lefeuvre
> However in the sdl-image1.2 case upstream did not provide a new release
> addressing these issues, so I guess we'll have to go for targeted fixes. I
> will provide a debdiff shortly. Would you be available to review it? I can
> handle the upload if necessary, or NMU.

As promised, the debdiff for unstable (in attachment).

I did very quick smoke tests. However, it would be surprising if this
patch broke anything, since it was tested extensively in jessie and the
upstream versions are identical.

(just in case, I smoke test using [0] with valgrind)

cheers,
Hugo

[0] /usr/share/doc/libsdl-image1.2-dev/examples/showimage.c

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru sdl-image1.2-1.2.12/debian/changelog sdl-image1.2-1.2.12/debian/changelog
--- sdl-image1.2-1.2.12/debian/changelog	2018-11-04 21:58:30.0 -0200
+++ sdl-image1.2-1.2.12/debian/changelog	2019-07-24 20:30:03.0 -0300
@@ -1,3 +1,16 @@
+sdl-image1.2 (1.2.12-11) unstable; urgency=medium
+
+  * Non-maintainer upload with permission of maintainers.
+  * Multiple security fixes (Closes: #932755):
+- CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.
+- CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).
+- CVE-2019-12216, CVE-2019-12217,
+  CVE-2019-12218, CVE-2019-12219,
+  CVE-2019-12220, CVE-2019-12221,
+  CVE-2019-1, CVE-2019-5051: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).
+
+ -- Hugo Lefeuvre   Wed, 24 Jul 2019 20:30:03 -0300
+
 sdl-image1.2 (1.2.12-10) unstable; urgency=medium
 
   * Non-maintainer upload with permission of maintainers.
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	1969-12-31 21:00:00.0 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-12218.patch	2019-07-24 20:27:21.0 -0300
@@ -0,0 +1,83 @@
+Description: fix heap buffer overflow issue in IMG_pcx.c
+ Issue known as TALOS-2019-0841, CVE-2019-12218.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
+--- a/IMG_pcx.c	2019-07-23 11:28:25.847897628 -0300
 b/IMG_pcx.c	2019-07-23 11:43:07.748441381 -0300
+@@ -100,6 +100,8 @@
+ 	Uint8 *row, *buf = NULL;
+ 	char *error = NULL;
+ 	int bits, src_bits;
++	int count = 0;
++	Uint8 ch;
+ 
+ 	if ( !src ) {
+ 		/* The error message has been set in SDL_RWFromFile */
+@@ -148,14 +150,14 @@
+ 	bpl = pcxh.NPlanes * pcxh.BytesPerLine;
+ 	if (bpl > surface->pitch) {
+ 		error = "bytes per line is too large (corrupt?)";
++		goto done;
+ 	}
+-	buf = calloc(SDL_max(bpl, surface->pitch), 1);
++	buf = (Uint8 *)SDL_calloc(surface->pitch, 1);
+ 	row = surface->pixels;
+ 	for ( y=0; yh; ++y ) {
+ 		/* decode a scan line to a temporary buffer first */
+-		int i, count = 0;
+-		Uint8 ch;
+-		Uint8 *dst = (src_bits == 8) ? row : buf;
++		int i;
++		Uint8 *dst = buf;
+ 		if ( pcxh.Encoding == 0 ) {
+ 			if(!SDL_RWread(src, dst, bpl, 1)) {
+ error = "file truncated";
+@@ -168,14 +170,15 @@
+ 		error = "file truncated";
+ 		goto done;
+ 	}
+-	if( (ch & 0xc0) == 0xc0) {
+-		count = ch & 0x3f;
++	if( ch < 0xc0) {
++		count = 1;
++	} else {
++		count = ch - 0xc0;
+ 		if(!SDL_RWread(src, , 1, 1)) {
+ 			error = "file truncated";
+ 			goto done;
+ 		}
+-	} else
+-		count = 1;
++	}
+ }
+ dst[i] = ch;
+ count--;
+@@ -207,10 +210,16 @@
+ int x;
+ dst = row + plane;
+ for(x = 0; x < width; x++) {
++	if ( dst >= row+surface->pitch ) {
++		error = "decoding out of bounds (corrupt?)";
++		goto done;
++	}
+ 	*dst = *src++;
+ 	dst += pcxh.NPlanes;
+ }
+ 			}
++		} else {
++			SDL_memcpy(row, buf, bpl);
+ 		}
+ 
+ 		row += surface->pitch;
+@@ -227,8 +236,9 @@
+ 			/* look for a 256-colour palette */
+ 			do {
+ if ( !SDL_RWread(src, , 1, 1)) {
+-	error = "file truncated";
+-	goto done;
++	/* Couldn't find the palette, try the end of the file */
++	SDL_RWseek(src, -768, RW_SEEK_END);
++	break;
+ }
+ 			} while ( ch != 12 );
+ 
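Review bot: in the palette hunk (`@@ -227,8 +236,9 @@`) the fallback `SDL_RWseek(src, -768, RW_SEEK_END); break;` discards the return value; on a file shorter than 768 bytes the seek fails, the stream position is left where it was, and the palette read after the loop proceeds from there. Check the result of SDL_RWseek and keep the old `error = "file truncated"; goto done;` path when it fails. Also, `buf` switches from `calloc(...)` to `(Uint8 *)SDL_calloc(...)` in this 1.2 backport (`@@ -148,14 +150,14 @@`); make sure the release at `done:` (not in this hunk) is the matching SDL_free, or keep plain calloc so the backport does not mix allocators.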
diff -Nru sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch
--- sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	1969-12-31 21:00:00.0 -0300
+++ sdl-image1.2-1.2.12/debian/patches/CVE-2019-5052.patch	2019-07-24 20:27:21.0 -0300
@@ -0,0 +1,15 @@
+Description: fix invalid data read on bpl == -1
+ Issue known as TALOS-2019-0821, or CVE-2019-5052.
+Author: Sam Lantinga 
+Origin: upstream, https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
+--- a/IMG_pcx.c	2019-07-23 11:55:37.921487131 -0300
 b/IMG_pcx.c	2019-0

Bug#932755: libsdl2-image security issues in testing

2019-07-24 Thread Hugo Lefeuvre
Hi Felix,

> Thanks for your work!
> 
> I'm preparing a 2.0.5 upload right now.
> As far as I can tell all CVEs in the tracker are fixed with 2.0.5.
> Do you agree?

Thanks for the libsdl2-image upload!

Concerning sdl-image1.2:

I have a jessie LTS fix pending, patches are very similar to libsdl2-image.

However in the sdl-image1.2 case upstream did not provide a new release
addressing these issues, so I guess we'll have to go for targeted fixes. I
will provide a debdiff shortly. Would you be available to review it? I can
handle the upload if necessary, or NMU.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932754: libsdl2-image security issues in testing

2019-07-22 Thread Hugo Lefeuvre
Hi Felix,

(CC-ing #932754 which tracks this issue)

> > I have prepared a jessie (LTS) update addressing libsdl2-image's current
> > security issues. I will coordinate with the security team to possibly fix
> > them in a future stretch/buster point update.
> > 
> > Are you planning to address these issues in testing?  Packaging upstream's
> > latest 2.0.5 release should be sufficient, but they can also be addressed
> > with more targeted fixes.
> > 
> > I can provide some help if needed.
> 
> Thanks for your work!
>
> I'm preparing a 2.0.5 upload right now.

Great, thanks!

> As far as I can tell all CVEs in the tracker are fixed with 2.0.5.
> Do you agree?

Exactly.

By the way, I had a second look and it appears that CVE-2019-5051 was also
fixed by the jessie LTS upload. CVE-2019-5051 is also a member of the
CVE-2019-12221 family, and is therefore fixed by [0].

cheers,
Hugo

[0] https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932754: libsdl2-image: multiple security issues

2019-07-22 Thread Hugo Lefeuvre
Source: libsdl2-image
Version: 2.0.4+dfsg1-1
Severity: important
Tags: security upstream

Hi,

the following security issues[0] were published for libsdl2-image:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

Fixing these issues:

Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").

I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.

If the security team agrees, I will provide targeted fixes for buster and
stretch.

For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/libsdl2-image

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932755: sdl-image1.2: multiple security issues

2019-07-22 Thread Hugo Lefeuvre
Source: sdl-image1.2
Version: 1.2.12-10
Severity: important
Tags: security upstream

Hi,

the following security issues[0] were published for sdl-image1.2:

* CVE-2019-5052: integer overflow and subsequent buffer overflow in IMG_pcx.c.

* CVE-2019-5051: heap-based buffer overflow in IMG_pcx.c.

* CVE-2019-7635: heap buffer overflow in Blit1to4 (IMG_bmp.c).

* CVE-2019-12216, CVE-2019-12217,
  CVE-2019-12218, CVE-2019-12219,
  CVE-2019-12220, CVE-2019-12221,
  CVE-2019-1: OOB R/W in IMG_LoadPCX_RW (IMG_pcx.c).

Fixing these issues:

Patches are quite straightforward and I believe that some of these
issues are worth fixing (reporter claims that they are "exploitable").

I have prepared and uploaded a jessie LTS update addressing most of these
issues (all of them apart from CVE-2019-5051) via targeted fixes.

If the security team agrees, I will provide targeted fixes for buster and
stretch.

For testing, I suggest packaging the latest upstream release. If needed, I
can provide an update with targeted fixes.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/source-package/sdl-image1.2

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932732: python-slugify: autopkgtest failing since 3.0.2-1 update

2019-07-22 Thread Hugo Lefeuvre
Source: python-slugify
Version: 3.0.2-1
Severity: grave

Hi,

autopkgtests are failing since 3.0.2-1. This is related to the
text-unidecode dependency not being satisfied (instead we use unidecode)
and might break other packages.

I'm working on it.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932730: bleachbit: autopkgtest failing since 2.2-1 update

2019-07-22 Thread Hugo Lefeuvre
Source: bleachbit
Version: 2.2-1
Severity: normal

Hi,

autopkgtests are failing since 2.2-1. Will be fixed in the next upload
asap.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932148: Built & uploaded

2019-07-20 Thread Hugo Lefeuvre
Hi Juhani,

> > I had a look at the changes, everything fine. Manual smoke tests fine as
> > well. I'm pretty sure there are still bugs in there, pysolfc breaks very
> > easily (that's the main reason why I kept delaying this update for such a
> > long time).
> 
> I see. BTW, regarding breakage, here's a small TODO for the next pysolfc 
> version...
>  - revert changes of commit 27444536 in debian/rules (upstreamed)
>  - remove debian/patches/configobj (upstreamed)
>  - package https://github.com/shlomif/pysol_cards (upstream separated it out)
>    - based on the rpm, it seems straight-forward
>      https://src.fedoraproject.org/rpms/python-pysol-cards/blob/master/f/python-pysol-cards.spec
>  - new dependency python3-attr

Great, thanks.

> > Anyways, we can't delay this forever, so I went along and uploaded it.
> 
> There's one more delay though: since the release of Buster, only
> source-only uploads migrate to testing. Unfortunately your upload did
> include the binary packages.
> I believe you'll have to bump the version and upload again.
> https://lists.debian.org/debian-devel-announce/2019/07/msg2.html

Seems like I overlooked this. I'll prepare a small source only upload this
week so we get these changes into testing. If you want to add some more
changes from your side, just commit them on Salsa, I'll take a look at
them.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932148: Built & uploaded

2019-07-19 Thread Hugo Lefeuvre
Hi Juhani,

I had a look at the changes, everything fine. Manual smoke tests fine as
well. I'm pretty sure there are still bugs in there, pysolfc breaks very
easily (that's the main reason why I kept delaying this update for such a
long time).

Anyways, we can't delay this forever, so I went along and uploaded it.

I'm not using it myself, so if you could test it a bit more in the next
days, that would be great. If there are other issues to fix I will have
time to take care of it during DebConf.

Thanks for your work.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#932148: RFS: pysolfc/2.6.4-1 [RC]

2019-07-19 Thread Hugo Lefeuvre
Hi Juhani,

Thanks for working on this. I'll review your changes and upload asap.

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#928909: bleachbit: new upstream 2.2

2019-06-09 Thread Hugo Lefeuvre
Hi Jonatan,

thanks for the reminder. 2.2 will be available on experimental soon.

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#929116: fixed in systemd 241-4

2019-05-25 Thread Hugo Lefeuvre
Hi,

241-5 reverted the patch for this issue, so I guess this bug report should
be reopened.

Salvatore: tracker should be updated as well, right?

regards,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#928306: unblock: liblivemedia/2018.11.26-1.1

2019-05-06 Thread Hugo Lefeuvre
Control: tags -1 - moreinfo

> Either way, the diff you attached to this bug look fine, so you can go ahead
> with the upload to unstable and remove the moreinfo tag from this bug once the
> package is in unstable. If you want to add targeted fixes for the two other
> CVEs, you don't need to ask pre-approval for them, you can include them in the
> upload to unstable and send an updated debdiff.

Diff just landed in unstable.

thanks!

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#928306: unblock: liblivemedia/2018.11.26-1.1

2019-05-05 Thread Hugo Lefeuvre
Hi,

> According to the security tracker, liblivemedia in buster/sid is also affected
> by CVE-2019-7732 and CVE-2019-7733. Maybe you should consider fixing these as
> well (if there is a fix available that's easy to apply to the version in sid).

liblivemedia's upstream does not seem to be aware of these vulnerabilities,
so there are no known fixes at the moment. I have contacted them recently
but did not receive any answer yet.

> Either way, the diff you attached to this bug look fine, so you can go ahead
> with the upload to unstable and remove the moreinfo tag from this bug once the
> package is in unstable. If you want to add targeted fixes for the two other
> CVEs, you don't need to ask pre-approval for them, you can include them in the
> upload to unstable and send an updated debdiff.

Great, will do!

Thanks for your work.

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#928306: unblock: liblivemedia/2018.11.26-1.1

2019-05-01 Thread Hugo Lefeuvre
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package liblivemedia

Dear Release team,

liblivemedia 2018.11.26-1 from Buster is affected by CVE-2019-9215[1] and
CVE-2019-7314[2], two security issues in the server part of the library.

The impact is at least DoS, which is trivial to manage using a publicly
available script. In fact, these issues might allow any script kiddie to
make any live555 server fully unusable.

These issues have been fixed in oldstable and stable. Not fixing them in
Buster would be a security regression.

Sebastian Ramacher (Debian maintainer) did not want to take time for this
NMU, but did not oppose either[3]. He meant that these CVEs are only
affecting the server part of the library, which is not used by reverse
dependencies.

debdiff with targeted fixes in attachment.

[1] https://security-tracker.debian.org/tracker/CVE-2019-9215
[2] https://security-tracker.debian.org/tracker/CVE-2019-7314
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924655

unblock liblivemedia/2018.11.26-1.1

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru liblivemedia-2018.11.26/debian/changelog liblivemedia-2018.11.26/debian/changelog
--- liblivemedia-2018.11.26/debian/changelog	2018-11-28 21:08:09.0 +0100
+++ liblivemedia-2018.11.26/debian/changelog	2019-05-01 17:56:46.0 +0200
@@ -1,3 +1,12 @@
+liblivemedia (2018.11.26-1.1) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2019-7314: use-after-free during RTSP stream termination.
+  * CVE-2019-9215: malformed headers lead to invalid memory access
+in the parseAuthorizationHeader function.
+
+ -- Hugo Lefeuvre   Wed, 01 May 2019 17:54:20 +0100
+
 liblivemedia (2018.11.26-1) unstable; urgency=medium
 
   * New upstream release.
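Review bot: the new changelog entry has no `Closes:` reference, unlike the other debdiffs in this thread, so neither bug will be closed automatically on upload; the cover mail points at #924655 for CVE-2019-9215 and the CVE-2019-7314 report is #924656, so `(Closes: #924655, #924656)` belongs on the CVE bullets. Minor: the trailer is stamped `+0100` while the file timestamps in the same diff are `+0200`; not a blocker, but `dch -r` would have produced a consistent offset.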
diff -Nru liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch
--- liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch	1970-01-01 01:00:00.0 +0100
+++ liblivemedia-2018.11.26/debian/patches/CVE-2019-7314.patch	2019-05-01 17:52:25.0 +0200
@@ -0,0 +1,17 @@
+Description: fix use-after-free in the RTSP server implementation
+ Whenever a stream ends (via StreamState::endPlaying), the stream socket
+ is removed but the request alternative byte handler of this same stream
+ socket is not updated to reflect the stream deletion. Remote attackers
+ might leverage this vulnerability to trigger a use-after-free and
+ subsequent server crash.
+Origin: upstream
+--- a/liveMedia/OnDemandServerMediaSubsession.cpp	2016-11-28 22:42:18.0 +0100
 b/liveMedia/OnDemandServerMediaSubsession.cpp	2019-03-12 16:37:46.040247175 +0100
+@@ -582,6 +582,7 @@
+ 
+   if (dests->isTCP) {
+ if (fRTPSink != NULL) {
++  RTPInterface::clearServerRequestAlternativeByteHandler(fRTPSink->envir(), dests->tcpSocketNum);
+   fRTPSink->removeStreamSocket(dests->tcpSocketNum, dests->rtpChannelId);
+ }
+ if (fRTCPInstance != NULL) {
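Review bot: `RTPInterface::clearServerRequestAlternativeByteHandler(fRTPSink->envir(), dests->tcpSocketNum)` is only reached inside `if (fRTPSink != NULL)`. If a TCP destination can exist with fRTPSink == NULL while fRTCPInstance (the branch that follows) still uses `dests->tcpSocketNum`, the handler for that socket is left registered and the dangling-handler scenario the description talks about remains reachable through that path; either confirm the handler is registered only together with the RTP sink, or clear it before both branches using an environment obtained from the subsession. The DEP-3 header also gives `Origin: upstream` with no commit or version reference; the sibling CVE-2019-9215 patch names the version diff it was extracted from, and this one should do the same.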
diff -Nru liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch
--- liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch	1970-01-01 01:00:00.0 +0100
+++ liblivemedia-2018.11.26/debian/patches/CVE-2019-9215.patch	2019-05-01 17:52:25.0 +0200
@@ -0,0 +1,80 @@
+Description: fix invalid memory access in parseAuthorizationHeader
+ sscanf(fields, "%[^=]=\"\"", parameter) returns 1 even if the entry is
+ incorrectly formatted (e.g. fields = "p="), leading to excessive
+ incrementation of fields pointer later:
+   fields += strlen(parameter) + 2 /*="*/ + strlen(value) + 1 /*"*/;
+ .
+ This might allow attackers to perform invalid memory accesses.
+ .
+ This patch implements manual parsing of the keywords, allowing for better
+ error resilience.
+ .
+ Patch source: diff v2019.02.03 -> v2019.02.27
+Origin: upstream
+--- a/liveMedia/RTSPServer.cpp	2019-03-12 18:36:07.618027268 +0100
 b/liveMedia/RTSPServer.cpp	2019-03-12 18:36:07.614027288 +0100
+@@ -894,6 +894,8 @@
+   }
+ }
+ 
++#define SKIP_WHITESPACE while (*fields != '\0' && (*fields == ' ' || *fields == '\t')) ++fields
++
+ static Boolean parseAuthorizationHeader(char const* buf,
+ 	char const*& username,
+ 	char const*& realm,
+@@ -911,15 +913,28 @@
+   
+   // Then, run through each of the fields, looking for ones we handle:
+   char const* fields = buf + 22;
+-  while (*fields == ' ') ++fields;
+   char* parameter = strDupSize(fields);
+   char* value = strDupSize(fields);
+-  while (1) {
+-value[0] = '\0';
+-if (sscanf(fields, "%[^=]=\"%[^\"]\"", parameter, value) != 2 &&
+-	sscanf(fields, "%[^=]=\"\&q
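Review bot: the new `SKIP_WHITESPACE` macro (inner hunk `@@ -894,6 +894,8 @@`) hard-codes the local name `fields` and expands to a bare `while` statement; that is acceptable while it is used only as a statement inside parseAuthorizationHeader, but it should be `#undef`'d after the function (or turned into a small static helper taking `char const*&`) so it cannot be picked up elsewhere in RTSPServer.cpp. The parsing hunk is cut off in this copy of the debdiff right where the two `sscanf` calls are removed, so the manual parser the description promises cannot be reviewed from here; the full 80-line patch needs a look before upload, in particular that every advance of `fields` is now bounded by what was actually matched instead of `strlen(parameter) + 2 + strlen(value) + 1`.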

Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi Salvatore,

> CVE-2016-10745 was assigned for this issue.

Thanks for the information.

I just noticed you added CVE-2016-10745 to the tracker. I am fairly
confused, do you know why this CVE was not referenced in the tracker?
Or did you just request it?

cheers,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
> This should help confirming vulnerability in other suites.

2.7.3-1 and all later releases affected. In addition, both 2.7.3-1 and
2.8-1 are affected by the previous str.format issue[0].

[0] https://palletsprojects.com/blog/jinja-281-released/

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#926602: CVE-2019-10906 - jinja sandbox escape poc

2019-04-08 Thread Hugo Lefeuvre
Hi,

I'm working on a potential jinja2 Debian LTS security update. Here is a
proof of concept which allows one to easily reproduce the issue. This
should help confirm the vulnerability in other suites.

>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> t = env.from_string('{{ "{x.__class__.__init__.__globals__[config]}".format_map(dic) }}')
>>> t.render(dic={"x": User('joe')})
"{'SECRET_KEY': '12345'}"

Expected behaviour would be jinja2.exceptions.SecurityError.

Adapted from[0].

regards,
Hugo

[0] https://palletsprojects.com/blog/jinja-281-released/

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
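Added example, not code from the bug report, from jinja2 or from Debian: a string.Formatter subclass showing the mitigation class for this kind of sandbox escape, namely refusing attribute and item traversal in format strings that come from an untrusted template. The proof-of-concept template from the report is run against it and, for contrast, against plain str.format_map(); the interception point is Formatter.get_field(), which is the hook that turns "x.__class__" into getattr(x, "__class__"). All names (SafeFormatter, FormatSecurityError, safe_format, unsafe_format, is_blocked, demo, User, CONFIG) are constructed for the demonstration, and the design is an independent illustration rather than jinja2's own fix.

```python
# Added example (not from the bug report, jinja2 or Debian): block attribute
# and item traversal in untrusted format strings. Names are constructed.
import string


class FormatSecurityError(ValueError):
    """Raised when a format field tries to walk attributes or items."""


class SafeFormatter(string.Formatter):
    """Accepts only bare field names such as '{name}'.

    Formatter.get_field() resolves 'x.__class__' via getattr() and 'x[k]'
    via __getitem__; nested fields inside a format spec ('{x:{y.__dict__}}')
    are routed through it as well, so rejecting dotted or subscripted names
    here closes the traversal for the whole template.
    """

    def get_field(self, field_name, args, kwargs):
        if "." in field_name or "[" in field_name:
            raise FormatSecurityError(
                "attribute/item access in format field %r is not allowed"
                % field_name
            )
        return super().get_field(field_name, args, kwargs)


def safe_format(template, mapping):
    """Render template against mapping with traversal blocked."""
    return SafeFormatter().vformat(template, (), mapping)


def unsafe_format(template, mapping):
    """Plain str.format_map(): full attribute and item traversal (the bug)."""
    return template.format_map(mapping)


def is_blocked(template, mapping):
    """True if SafeFormatter refuses the template."""
    try:
        safe_format(template, mapping)
    except FormatSecurityError:
        return True
    return False


# Constructed sample data mirroring the proof of concept: a secret held in
# module globals and an arbitrary object exposed to the template.
CONFIG = {"SECRET_KEY": "12345"}


class User:
    def __init__(self, name):
        self.name = name


ESCAPE_TEMPLATE = "{x.__class__.__init__.__globals__[CONFIG]}"
BENIGN_TEMPLATE = "Hello {x}, key {k:>4}"


def demo():
    """Return (benign rendering, escape blocked?, secret leaked by format_map?)."""
    users = {"x": User("joe")}
    benign = safe_format(BENIGN_TEMPLATE, {"x": "joe", "k": "ab"})
    blocked = is_blocked(ESCAPE_TEMPLATE, users)
    leaked = "SECRET_KEY" in unsafe_format(ESCAPE_TEMPLATE, users)
    return benign, blocked, leaked


if __name__ == "__main__":
    print(demo())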


Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

2019-03-15 Thread Hugo Lefeuvre
> liblivemedia provides an implementation of the server and client side of
> RTSP. So, unless a CVE affects the code path used by the RTSP client (as
> for example used by vlc), I won't spend any time on it.

Ok, I thought live555 was also known as one of the main free rtsp
server implementations. Is this actually wrong?

> Before you start cherry-picking the patches from experimental, I'd
> suggest to get in contact with the release team to do a proper
> transition to the new upstream version (maybe even to the 2019.03.xx
> release that's not yet packaged). Those new release effectively only
> consists of the fixes for the recent CVEs. (Yes, I know that the freeze
> already started.)

Agree. I will look into it if I manage to find time for this.

thanks

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

2019-03-15 Thread Hugo Lefeuvre
Hi,

> Unless a CVE affects the client part of the library, I don't think it's
> worth it. The client part is the only part used by reverse dependencies.

What do you mean exactly with client part? The affected code is located
in liveMedia/RTSPServer.cpp.

regards,
Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#924656: liblivemedia: CVE-2019-7314: mishandling of RTSP stream termination causes use-after-free and crash

2019-03-15 Thread Hugo Lefeuvre
Source: liblivemedia
Version: 2018.11.26-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for liblivemedia.

CVE-2019-7314[0]: 
liblivemedia in Live555 before 2019.02.03 mishandles the termination of an
RTSP stream after RTP/RTCP-over-RTSP has been set up, which could lead to a
Use-After-Free error that causes the RTSP server to crash (Segmentation
fault) or possibly have unspecified other impact.

We might want to fix this in Buster, the patch is straightforward. I can
provide a debdiff if needed, already uploaded fixes for stretch and jessie.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-7314

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#924655: liblivemedia: CVE-2019-9215: invalid memory access in parseAuthorizationHeader

2019-03-15 Thread Hugo Lefeuvre
Source: liblivemedia
Version: 2018.11.26-1
Severity: normal
Tags: security upstream

Hi,

The following vulnerability was published for liblivemedia.

CVE-2019-9215[0]: malformed headers lead to invalid memory access in
the parseAuthorizationHeader function.

I see this vulnerability was fixed in experimental via new upstream
release 2019.02.27-1. This is a fairly severe issue so we should
probably backport the patch to Buster as well.

regards,
Hugo

[0] https://security-tracker.debian.org/tracker/CVE-2019-9215

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#921006: ITP: python-random2: backport of Python 2.7's `random` module

2019-01-31 Thread Hugo Lefeuvre
Package: wnpp
Severity: wishlist

* Package name: pyrandom2
  Version : 1.0.1
  Upstream Author : Stephan Richter 
* URL : https://github.com/strichter/random2
* License : PSF
  Programming Lang: Python 3
  Description : backport of Python 2.7's `random` module

Dependency of pysolfc.

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C



Bug#920337: python3-igraph: ships header in /usr/include/python3.7

2019-01-28 Thread Hugo Lefeuvre
Hi,

I had a look into this issue. It does _not_ look like a bug in the
python-igraph packaging to me.

Nicolas suggested to patch debian/patches/3.7/distutils-install-layout.diff
from python3-stdlib-extensions.

It does in fact look like the actual issue:

+'unix_local': {
+'purelib': '$base/local/lib/python$py_version_short/dist-packages',
+'platlib': '$platbase/local/lib/python$py_version_short/dist-packages',
+'headers': '$base/local/include/python$py_version_short/$dist_name',
+'scripts': '$base/local/bin',
+'data'   : '$base/local',
+},
+'deb_system': {
+'purelib': '$base/lib/python3/dist-packages',
+'platlib': '$platbase/lib/python3/dist-packages',
+'headers': '$base/include/python$py_version_short/$dist_name',
+'scripts': '$base/bin',
+'data'   : '$base',
+},
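Review bot: both `'headers'` entries build the include directory from `python$py_version_short` alone, while C-extension headers are keyed on the full ABI tag; for Python 3.7 that tag is `python3.7m`, so with `$abiflags` missing the headers land in `/usr/include/python3.7/...`, which is exactly the path in this bug's title. Adding `$abiflags` after `$py_version_short` in both layouts (`'$base/local/include/python$py_version_short$abiflags/$dist_name'` and the matching `deb_system` entry) keeps the header location consistent with the interpreter's own include directory.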

These headers entries seem wrong to me, $abiflags is missing.

should be respectively

'$base/local/include/python$py_version_short$abiflags/$dist_name'

and

'$base/include/python$py_version_short$abiflags/$dist_name'

Matthias: should we open a python3-stdlib-extensions bug? Do you think
this issue can be fixed in time for Buster or should we upload a temporary
fix for python-igraph?

cheers,
Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#916278: qemu - CVE-2018-19665: bt subsystem mishandles negative length variables

2019-01-25 Thread Hugo Lefeuvre
> Anyways, given that the patch is quite large (though straightforward), that
> the subsystem doesn't seem to be very actively maintained and that the user
> base is quite small, it is maybe better to mark this no-dsa in stretch and
> jessie.

... but if we manage to trim down upstream's patch to just a few lines,
it could still be worth it.

I have taken upstream's patch and got rid of all type related changes
which don't have any security related impact. In fact they don't solve
the 'negative len' issue, these changes are just equivalent to moving the
size_t cast a few instructions earlier.

These changes might make sense in a refactoring perspective but this is
just noise in our case.

The resulting patch is tiny:

diff --git a/bt-host.c b/bt-host.c
index 2f8f631c25..b73a44d07d 100644
--- a/bt-host.c
+++ b/bt-host.c
@@ -113,6 +113,7 @@ static void vhci_host_send(void *opaque,
 static uint8_t buf[4096];
 
 buf[0] = type;
+assert((size_t) len < sizeof(buf));
 memcpy(buf + 1, data, len);
 
 while (write(s->fd, buf, len + 1) < 0)
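Review bot: the added `assert((size_t) len < sizeof(buf));` turns an oversize or negative guest-supplied `len` into an abort of the whole QEMU process, and a plain C `assert` is compiled out under `NDEBUG`, which would leave `memcpy(buf + 1, data, len);` unguarded in such a build. An explicit check that returns early (for example `if (len < 0 || (size_t) len >= sizeof(buf)) return;`, with a logged error) rejects the packet without taking the whole emulator down. The comparison itself is right: `len + 1` bytes are written starting at `buf[0]`, so `len` must stay below `sizeof(buf)`.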
diff --git a/hw/bt/hci-csr.c b/hw/bt/hci-csr.c
index 0341ded50c..26bd516d31 100644
--- a/hw/bt/hci-csr.c
+++ b/hw/bt/hci-csr.c
@@ -320,18 +320,18 @@ static int csrhci_write(struct Chardev *chr,
 struct csrhci_s *s = (struct csrhci_s *)chr;
 int total = 0;
 
-if (!s->enable)
+if (!s->enable || len <= 0)
 return 0;
 
 for (;;) {
 int cnt = MIN(len, s->in_needed - s->in_len);
-if (cnt) {
-memcpy(s->inpkt + s->in_len, buf, cnt);
-s->in_len += cnt;
-buf += cnt;
-len -= cnt;
-total += cnt;
-}
+assert(cnt > 0);
+
+memcpy(s->inpkt + s->in_len, buf, cnt);
+s->in_len += cnt;
+buf += cnt;
+len -= cnt;
+total += cnt;
 
 if (s->in_len < s->in_needed) {
 break;
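Review bot: replacing `if (cnt) { ... }` with `assert(cnt > 0);` makes a state the original code tolerated fatal. `cnt` is `MIN(len, s->in_needed - s->in_len)`, so it is 0 whenever `in_needed == in_len` at the top of an iteration, and the new `len <= 0` early return only covers entry into the loop, not later iterations after `len -= cnt` has reduced `len` to 0. Whether that is reachable depends on the part of the loop after `if (s->in_len < s->in_needed) break;`, which is not in the hunk; if the loop can come back around with `len == 0` or with `in_needed` unchanged, a `break` (or keeping the original `if (cnt)` guard and adding a bound on `s->in_len + cnt` against the size of `s->inpkt`) is safer than an assert a guest can trigger.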

3 lines changed, omitting indentation related diff. Given that this
issue might allow host side DoS/memory corruption I don't think this is
exaggerated.

The only thing which is still unclear to me is why the patch is checking
using assert(). If these assert() calls are standard ANSI ones, then their
failure would stop the whole qemu process which is not exactly what we
want right?

cheers,
 Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#912324: BleachBit causing error since updating Firefox to Firefox Quantum 60.0 ESR

2019-01-21 Thread Hugo Lefeuvre
severity 912324 important
thanks

Hi,

Personal issues took me away from Debian these last weeks, I could not
take care of this issue sooner.

This is bad.

I have lowered the severity to important, but unless the release team
agrees to make an exception bleachbit will not be available in Buster
(we did not get it back in time for the soft freeze).

There is definitely no reason why bleachbit wouldn't be included in
Buster: this issue appears to affect the stretch version, not the one
from unstable.

regards,
 Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#918567: Maintaining dlib in Debian Science team (Was: dlib: FTBFS when built with dpkg-buildpackage -A)

2019-01-16 Thread Hugo Lefeuvre
Hi Andreas,

> since #918567 is RC critical there is some urgency to get this fixed.
> If I do not hear from you until Saturday I will assume you are fine
> with dlib in Debian Science team maintenance.

Sorry for missing your previous e-mail. Personal life is taking me away
from Debian right now. Not good during the freeze. :/

Of course I would be glad to maintain this package under the Debian Science
Team umbrella. Feel free to upload.

Thanks a lot for taking care of this issue.

Best Regards,
 Hugo

-- 
    Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#916278: qemu - CVE-2018-19665: bt subsystem mishandles negative length variables

2019-01-12 Thread Hugo Lefeuvre
Hi,

I had a look at CVE-2018-19665 regarding qemu in oldstable/stable.

summary: the bluetooth subsystem uses signed length variables at multiple
places. These length variables are used, among others, in memcpy calls. A
malicious guest VM could attempt to crash the host by passing negative len
values (in fact, huge len values interpreted as negative numbers) to these
functions.

The suggested patch[0] changes the type of these length variables to size_t
(unsigned) and adds a few assert calls to make sure the code is also
resilient against large values of len.

First, it is not completely clear to me to what extent this length variable
is under the control of guest VM users.

Say, if guest kernel drivers process calls first, then these large/negative
values are likely to be rejected before they have even reached the affected
qemu code. Under this hypothesis, guest VM users would need to have full
control over the guest kernel to exploit this vulnerability (making exploit
more difficult in real envs?).

I might be wrong on this point due to my limited knowledge of this
code-base.

Anyways, given that the patch is quite large (though straightforward), that
the subsystem doesn't seem to be very actively maintained and that the user
base is quite small, it is maybe better to mark this no-dsa in stretch and
jessie.

Cheers,
 Hugo

[0] https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C


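Both qemu messages on CVE-2018-19665 above (the 2019-01-12 analysis of the signed length variables and the 2019-01-25 trimmed patch) describe the same defect: an `int len` reaching `memcpy`, where a negative value becomes a huge `size_t`, and a fix that stops it with `assert()`. The following is an added example of my own, not QEMU code and not the patch from the report. It shows the same two shapes the hunks have (a type-prefixed copy into a 4096-byte buffer, and an `in_len`/`in_needed` packet accumulator) with explicit range checks that report a bad length to the caller instead of aborting the process, which is the alternative the 2019-01-25 message asks about. All function and struct names are assumptions of this example, and the input stream is constructed.

```c
/* Added example (not QEMU code): defensive handling of a guest-supplied,
 * signed length instead of assert(). Buffer size and the in_len/in_needed
 * accumulator shape follow the hunks quoted in the bug report. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKT_BUF_SIZE 4096   /* matches the static buf[4096] in the report */

/* Prefix 'data' with a one-byte type and copy it into dst.
 * Returns the payload length copied, or -1 when len is rejected.
 * A negative int len is caught here; without this check memcpy would
 * receive it widened to a huge size_t (the root cause the report describes). */
int frame_packet(uint8_t *dst, size_t dst_size, uint8_t type,
                 const uint8_t *data, int len)
{
    if (len < 0)
        return -1;
    if ((size_t)len >= dst_size)        /* len + 1 bytes including the type */
        return -1;
    dst[0] = type;
    memcpy(dst + 1, data, (size_t)len);
    return len;
}

struct pkt_acc {
    uint8_t inpkt[PKT_BUF_SIZE];
    int in_len;      /* bytes accumulated so far */
    int in_needed;   /* bytes that make up a complete packet */
    int completed;   /* packets completed; stands in for packet processing */
};

/* Feed bytes into the accumulator; returns the number of bytes consumed.
 * Bad states (len <= 0, an inconsistent in_needed) are reported to the
 * caller as 0 consumed rather than aborting the whole process. */
int acc_write(struct pkt_acc *s, const uint8_t *buf, int len)
{
    int total = 0;

    if (len <= 0 || s->in_needed <= 0 || s->in_needed > PKT_BUF_SIZE)
        return 0;

    while (len > 0) {
        int room = s->in_needed - s->in_len;
        if (room <= 0)
            break;                      /* nothing more fits; no assert */
        int cnt = len < room ? len : room;
        memcpy(s->inpkt + s->in_len, buf, (size_t)cnt);
        s->in_len += cnt;
        buf += cnt;
        len -= cnt;
        total += cnt;

        if (s->in_len < s->in_needed)
            break;                      /* wait for the rest of the packet */

        /* Packet complete: a real driver would decode it here. */
        s->completed++;
        s->in_len = 0;
    }
    return total;
}

/* Helpers returning values so the behaviour can be checked without printing. */
int demo_frame(int len)
{
    static uint8_t dst[PKT_BUF_SIZE];
    static uint8_t src[PKT_BUF_SIZE];   /* constructed, zero-filled payload */
    return frame_packet(dst, sizeof dst, 0x01, src, len);
}

/* Run the accumulator once over a constructed zero-filled stream of 'feed' bytes. */
static int run_acc(struct pkt_acc *s, int needed, int feed)
{
    static const uint8_t stream[PKT_BUF_SIZE] = {0};
    if (feed > PKT_BUF_SIZE)
        feed = PKT_BUF_SIZE;            /* keep the demo within the constructed input */
    memset(s, 0, sizeof *s);
    s->in_needed = needed;
    return acc_write(s, stream, feed);
}

int demo_acc_consumed(int needed, int feed)  { struct pkt_acc s; return run_acc(&s, needed, feed); }
int demo_acc_completed(int needed, int feed) { struct pkt_acc s; run_acc(&s, needed, feed); return s.completed; }
int demo_acc_leftover(int needed, int feed)  { struct pkt_acc s; run_acc(&s, needed, feed); return s.in_len; }
```

`frame_packet` rejects both the negative case and the exact-fit overflow (`len == 4096` would need 4097 bytes), and `acc_write` keeps the original loop's tolerance of a zero `cnt` by breaking out instead of asserting, so a malformed length costs the guest its packet rather than the host its emulator process.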


Bug#916721: graphicsmagick: CVE-2018-20184

2018-12-26 Thread Hugo Lefeuvre
Hi,

upstream patch contains unrelated code refactoring (deduplication of the
_TargaInfo structure). I have trimmed it down so it contains only necessary
changes, you can find the modified patch in attachment (it's only a few
lines long).

cheers,

Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Subject: WriteTGAImage(): reject image rows/columns larger than 65535
Author: Bob Friesenhahn , Hugo Lefeuvre 
Origin: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/15d1b5fd003b
Bug: https://sourceforge.net/p/graphicsmagick/bugs/583/
--- a/coders/tga.c	2018-12-26 14:54:50.250695800 +0100
+++ b/coders/tga.c	2018-12-26 14:54:50.250695800 +0100
@@ -949,6 +949,10 @@
   targa_info.colormap_length=(unsigned short) image->colors;
   targa_info.colormap_size=24;
 }
+
+  if ((image->columns > 65535) || (image->rows > 65535))
+ThrowWriterException(CoderError,ImageColumnOrRowSizeIsNotSupported, image);
+
   /*
 Write TGA header.
   */
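Review bot: the new guard is correctly placed before `Write TGA header`, since the width and height fields of a TGA header are 16 bits wide and an `(unsigned short)` cast of a larger value would silently wrap rather than fail. The line just above it, `targa_info.colormap_length=(unsigned short) image->colors;`, performs the same kind of cast on the colormap length with no corresponding range check; worth confirming that `image->colors` is bounded before this point, as that is not visible in the hunk. Also, the `---` and `+++` lines carry identical timestamps, which is harmless for `patch` but suggests the file header was written by hand.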




Bug#905313: ITP: libodpi-c: Oracle Database Programming Interface for Drivers and Applications

2018-08-02 Thread Hugo Lefeuvre
Package: wnpp
Severity: wishlist

* Package name: libodpi-c
  Version : 2.4.2
  Upstream Author : Oracle
* URL : https://github.com/oracle/odpi/
* License : UPL + Apache
  Programming Lang: C

Dependency of python-cx-oracle.




Bug#904498: ring: unneeded libboost-* Build-Dependencies

2018-07-24 Thread Hugo Lefeuvre
Package: ring
Version: 20180712.2.f3b87a6~ds1-1
Severity: minor

Hi,

ring currently build-depends on various libboost packages. AFAIK these
dependencies are not needed anymore[0] and can be safely removed.

Thanks for your work!

cheers,
 Hugo

[0] 
https://git.ring.cx/savoirfairelinux/ring-daemon/commit/37507752fba785364b292c31e09293a33db1c983

--
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#902760: #902760 (python-igraph) duplicate of #902945 (igraph)

2018-07-21 Thread Hugo Lefeuvre
forwarded 902760 https://github.com/igraph/igraph/issues/1107
reassign 902760 igraph
merge 902760 902945
thanks

Hi Adrian, Andreas,

The testsuite is failing because of a bug in igraph, the underlying C
library. This is a duplicate of #902945. Reassigning.

Thanks !

Regards,
 Hugo

-- 
Hugo Lefeuvre (hle)|www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C




Bug#902774: jetty/jetty8/jetty9 not affected by CVE-2018-12538

2018-07-01 Thread Hugo Lefeuvre
Hi,

FYI, none of the jetty releases present in Debian are affected by
CVE-2018-12538.

CVE-2018-12538 affects FileSessionDataStore and more specifically its
function getFile(). This class was introduced in 9.4, this
vulnerability thus affects 9.4.x releases only (and jetty package has
version < 9.0, jetty9 has <= 9.2.24).

FTR FileSessionDataStore was introduced in
fa8232d3c81608c25d9e8c66cdfe8ab7a66c892b and the vulnerable code in
54a56314627f0a2c33ca67d813e3396f6bc03274.

regards,
 Hugo

-- 
     Hugo Lefeuvre (hle)|www.owl.eu.com
4096/ 9C4F C8BF A4B0 8FC5 48EB 56B8 1962 765B B9A8 BACA


