Bug#1034190: More security bugs in game loading

2023-04-20 Thread Ben Hutchings
On Thu, 2023-04-20 at 10:01 +0200, Paul Gevers wrote:
> Hi Ben,
> 
> On Mon, 10 Apr 2023 22:01:04 +0200 Ben Hutchings  
> wrote:
> > Package: sgt-puzzles
> > Severity: serious
> 
> The fix for this bug will not automatically migrate to testing because 
> the package doesn't have autopkgtests and we're in the freeze. The 
> changes are massive,

They're actually not that massive, but split into a lot of small
patches.

> so I'd like to confirm in an unblock bug that all 
> changes are indeed targeted fixes before unblocking. Can you file such 
> an unblock request if you don't want the package to be autoremoved (or 
> add a non-superficial autopkgtest if that makes sense)?

Yes, I will file an unblock request.

Ben.

-- 
Ben Hutchings
Editing code like this is akin to sticking plasters on the bleeding
stump of a severed limb. - me, 29 June 1999




Bug#1034190: More security bugs in game loading

2023-04-20 Thread Paul Gevers

Hi Ben,

On Mon, 10 Apr 2023 22:01:04 +0200 Ben Hutchings  
wrote:

Package: sgt-puzzles
Severity: serious


The fix for this bug will not automatically migrate to testing because 
the package doesn't have autopkgtests and we're in the freeze. The 
changes are massive, so I'd like to confirm in an unblock bug that all 
changes are indeed targeted fixes before unblocking. Can you file such 
an unblock request if you don't want the package to be autoremoved (or 
add a non-superficial autopkgtest if that makes sense)?


Paul




Bug#1034190: More security bugs in game loading

2023-04-10 Thread Ben Hutchings
Package: sgt-puzzles
Version: 20230122.806ae71-1
Severity: serious
Tags: security upstream fixed-upstream
X-Debbugs-Cc: Debian Security Team 

Ben Harris found multiple issues in sgt-puzzles where a malformed game
description or save file can lead to a buffer overflow, buffer
overread, use of an uninitialised pointer, integer overflow, null
pointer dereference, division by zero, assertion failure, or memory
leak.  These were fixed upstream over the past few months.

The Debian package doesn't register any media type handler for save
files, so I think this can only be exploited by social-engineering a
user into loading such a file or description.

For most of these bugs, the impact is limited to a crash of the
application.  However, the various memory safety errors may be more
serious.  On some architectures, division by zero does not cause an
exception and this might also be exploitable.

Ben.

-- System Information:
Debian Release: 12.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'oldstable-updates'), (500, 'unstable'), (500, 
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-7-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sgt-puzzles depends on:
ii  libc6                2.36-8
ii  libcairo2            1.16.0-7
ii  libgdk-pixbuf-2.0-0  2.42.10+dfsg-1+b1
ii  libglib2.0-0         2.74.6-1
ii  libgtk-3-0           3.24.37-2
ii  libpango-1.0-0       1.50.12+ds-1
ii  libpangocairo-1.0-0  1.50.12+ds-1

Versions of packages sgt-puzzles recommends:
ii  chromium [www-browser]  111.0.5563.64-1
ii  firefox [www-browser]   111.0-3
ii  lynx [www-browser]  2.9.0dev.12-1
ii  xdg-utils   1.1.3-4.1

sgt-puzzles suggests no packages.

-- debconf-show failed
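The bug report above lists the classes of defect a malformed game description can trigger in a loader: buffer over-read, an uninitialised pointer, integer overflow in size arithmetic, and a zero dimension that later ends in division by zero. The following C example, added here for illustration and not taken from sgt-puzzles or from the thread, shows how a loader for a hypothetical, constructed description format (`<width>x<height>:<cells>`, with `<cells>` exactly `width*height` characters from `01`) validates every untrusted field before touching memory. The format, the `MAX_DIM` bound, and the function names are assumptions for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical description format for this example only:
 *   "<width>x<height>:<cells>"   e.g. "2x2:0110"
 * <cells> must be exactly width*height characters, each '0' or '1'.
 * This is NOT the real sgt-puzzles game description format. */

#define MAX_DIM 1024   /* assumed upper bound on either grid dimension */

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_SYNTAX,     /* wrong separator or trailing junk after a number */
    PARSE_BAD_DIMENSION,  /* no digits, zero, negative, or above MAX_DIM     */
    PARSE_OVERFLOW,       /* width*height does not fit in size_t             */
    PARSE_BAD_CELLS,      /* cell count != width*height or illegal character */
    PARSE_NO_MEMORY
};

struct grid {
    int w, h;
    char *cells;          /* malloc'd, NUL-terminated; NULL unless PARSE_OK */
};

/* Parse one decimal dimension that must be followed by 'term'.
 * Rejecting 0 here is what later protects "per-cell size = total / w"
 * style arithmetic from dividing by zero. */
static enum parse_status parse_dim(const char **p, char term, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(*p, &end, 10);
    if (end == *p)
        return PARSE_BAD_DIMENSION;          /* no digits at all */
    if (*end != term)
        return PARSE_BAD_SYNTAX;             /* e.g. "2y2:" or "2x2;" */
    if (errno == ERANGE || v < 1 || v > MAX_DIM)
        return PARSE_BAD_DIMENSION;          /* covers huge and negative values */
    *out = (int)v;
    *p = end + 1;
    return PARSE_OK;
}

enum parse_status parse_grid_desc(const char *desc, struct grid *out)
{
    const char *p = desc;
    enum parse_status st;
    int w, h;
    size_t ncells, i;

    /* Initialise the output before any early return so a caller can never
     * observe (or free) an uninitialised pointer on the failure path. */
    out->w = out->h = 0;
    out->cells = NULL;

    if ((st = parse_dim(&p, 'x', &w)) != PARSE_OK)
        return st;
    if ((st = parse_dim(&p, ':', &h)) != PARSE_OK)
        return st;

    /* Overflow-checked product. Both factors are <= MAX_DIM today, but the
     * check keeps the arithmetic safe if that bound is ever raised. */
    if ((size_t)w > SIZE_MAX / (size_t)h)
        return PARSE_OVERFLOW;
    ncells = (size_t)w * (size_t)h;

    /* The cell string must be exactly ncells long. Too short would make a
     * naive loop read past the string; too long would silently drop data. */
    if (strlen(p) != ncells)
        return PARSE_BAD_CELLS;
    for (i = 0; i < ncells; i++)
        if (p[i] != '0' && p[i] != '1')
            return PARSE_BAD_CELLS;

    out->cells = malloc(ncells + 1);
    if (out->cells == NULL)
        return PARSE_NO_MEMORY;
    memcpy(out->cells, p, ncells + 1);   /* includes the terminating NUL */
    out->w = w;
    out->h = h;
    return PARSE_OK;
}

int main(void)
{
    /* Constructed inputs: one valid, the rest malformed in different ways. */
    const char *inputs[] = { "2x2:0110", "0x2:", "2x2:011", "2y2:0110",
                             "99999999999999999999x2:00", "2x2:01x0" };
    struct grid g;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum parse_status st = parse_grid_desc(inputs[i], &g);
        printf("%-28s -> status %d\n", inputs[i], (int)st);
        free(g.cells);                   /* NULL on failure, so always safe */
    }
    return 0;
}
```

The pattern worth copying is that every reject path happens before allocation, the output structure is fully initialised before the first early return, and the size arithmetic is checked rather than trusted, so a hostile description can only produce an error code, not a crash or memory corruption.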