--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: jab@debian.org
[ Reason ]
CVE-2022-38266 is a low impact vulnerability where leptonlib would crash
with arithmetic exceptions on certain JPEG files. Since this is only
DoS, it does not go via bullseye-security.
[ Impact ]
It no longer crashes on relevant inputs.
[ Tests ]
Included test suite passes. The reproducer from
https://github.com/tesseract-ocr/tesseract/issues/3498 does not trigger
as the image is rejected at an earlier stage.
[ Risks ]
This affects corner case parameters. The chance of encountering them
accidentally is fairly low.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
Various convolution functions are updated to return a copy of the
original image when kernel sizes are implausible.
[ Other info ]
I've Cced the maintainer for his input. I'm happy to defer the actual
upload to him, if he agrees. This update is a by-product of LTS work.
Helmut
diff --minimal -Nru leptonlib-1.79.0/debian/changelog leptonlib-1.79.0/debian/changelog
--- leptonlib-1.79.0/debian/changelog 2021-04-18 10:03:02.000000000 +0200
+++ leptonlib-1.79.0/debian/changelog 2022-12-06 15:59:12.000000000 +0100
@@ -1,3 +1,10 @@
+leptonlib (1.79.0-1.1+deb11u1) bullseye-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * Fix CVE-2022-38266
+
+ -- Helmut Grohne <helmut@subdivi.de> Tue, 06 Dec 2022 15:59:12 +0100
+
leptonlib (1.79.0-1.1) unstable; urgency=medium
* Non-maintainer upload by the LTS Team.
diff --minimal -Nru leptonlib-1.79.0/debian/patches/CVE-2022-38266.patch leptonlib-1.79.0/debian/patches/CVE-2022-38266.patch
--- leptonlib-1.79.0/debian/patches/CVE-2022-38266.patch 1970-01-01 01:00:00.000000000 +0100
+++ leptonlib-1.79.0/debian/patches/CVE-2022-38266.patch 2022-12-06 15:59:12.000000000 +0100
@@ -0,0 +1,202 @@
+From f062b42c0ea8dddebdc6a152fd16152de215d614 Mon Sep 17 00:00:00 2001
+From: Dan Bloomberg <dan.bloomberg@gmail.com>
+Date: Wed, 28 Oct 2020 17:37:30 -0700
+Subject: [PATCH] Issue 26393: morphapp_fuzzer: Divide-by-zero in blockconvLow
+ * Removed the code that allowed divide by zero for tiny pix * Ditto for 4
+ other block convolution functions.
+
+---
+ src/convolve.c | 90 ++++++++++++++++++++++----------------------------
+ 1 file changed, 40 insertions(+), 50 deletions(-)
+
+diff --git a/src/convolve.c b/src/convolve.c
+index 72afa9415..fda032ba6 100644
+--- a/src/convolve.c
++++ b/src/convolve.c
+@@ -114,7 +114,7 @@ static void blocksumLow(l_uint32 *datad, l_int32 w, l_int32 h, l_int32 wpl,
+ /*!
+ * \brief pixBlockconv()
+ *
+- * \param[in] pix 8 or 32 bpp; or 2, 4 or 8 bpp with colormap
++ * \param[in] pix 8 or 32 bpp; or 2, 4 or 8 bpp with colormap
+ * \param[in] wc, hc half width/height of convolution kernel
+ * \return pixd, or NULL on error
+ *
+@@ -122,9 +122,10 @@ static void blocksumLow(l_uint32 *datad, l_int32 w, l_int32 h, l_int32 wpl,
+ * Notes:
+ * (1) The full width and height of the convolution kernel
+ * are (2 * wc + 1) and (2 * hc + 1)
+- * (2) Returns a copy if both wc and hc are 0
++ * (2) Returns a copy if either wc or hc are 0
+ * (3) Require that w >= 2 * wc + 1 and h >= 2 * hc + 1,
+- * where (w,h) are the dimensions of pixs.
++ * where (w,h) are the dimensions of pixs. Otherwise,
++ * return a copy.
+ * </pre>
+ */
+ PIX *
+@@ -139,17 +140,14 @@ PIX *pixs, *pixd, *pixr, *pixrc, *pixg, *pixgc, *pixb, *pixbc;
+
+ if (!pix)
+ return (PIX *)ERROR_PTR("pix not defined", procName, NULL);
+- if (wc < 0) wc = 0;
+- if (hc < 0) hc = 0;
++ if (wc <= 0 || hc <= 0)
++ return pixCopy(NULL, pix);
+ pixGetDimensions(pix, &w, &h, &d);
+ if (w < 2 * wc + 1 || h < 2 * hc + 1) {
+- wc = L_MIN(wc, (w - 1) / 2);
+- hc = L_MIN(hc, (h - 1) / 2);
+- L_WARNING("kernel too large; reducing!\n", procName);
+- L_INFO("wc = %d, hc = %d\n", procName, wc, hc);
++ L_ERROR("kernel is too large: w = %d, wc = %d, h = %d, hc = %d\n",
++ procName, w, wc, h, hc);
++ return pixCopy(NULL, pix); /* no-op */
+ }
+- if (wc == 0 && hc == 0) /* no-op */
+- return pixCopy(NULL, pix);
+
+ /* Remove colormap if necessary */
+ if ((d == 2 || d == 4 || d == 8) && pixGetColormap(pix)) {
+@@ -205,9 +203,10 @@ PIX *pixs, *pixd, *pixr, *pixrc, *pixg, *pixgc, *pixb, *pixbc;
+ * returning; otherwise, just use the input accum pix.
+ * (2) The full width and height of the convolution kernel
+ * are (2 * wc + 1) and (2 * hc + 1).
+- * (3) Returns a copy if both wc and hc are 0.
++ * (3) Returns a copy if either wc or hc are 0
+ * (4) Require that w >= 2 * wc + 1 and h >= 2 * hc + 1,
+- * where (w,h) are the dimensions of pixs.
++ * where (w,h) are the dimensions of pixs. Otherwise,
++ * return a copy.
+ * </pre>
+ */
+ PIX *
+@@ -227,16 +226,13 @@ PIX *pixd, *pixt;
+ pixGetDimensions(pixs, &w, &h, &d);
+ if (d != 8)
+ return (PIX *)ERROR_PTR("pixs not 8 bpp", procName, NULL);
+- if (wc < 0) wc = 0;
+- if (hc < 0) hc = 0;
++ if (wc <= 0 || hc <= 0) /* no-op */
++ return pixCopy(NULL, pixs);
+ if (w < 2 * wc + 1 || h < 2 * hc + 1) {
+- wc = L_MIN(wc, (w - 1) / 2);
+- hc = L_MIN(hc, (h - 1) / 2);
+- L_WARNING("kernel too large; reducing!\n", procName);
+- L_INFO("wc = %d, hc = %d\n", procName, wc, hc);
++ L_ERROR("kernel is too large: w = %d, wc = %d, h = %d, hc = %d\n",
++ procName, w, wc, h, hc);
++ return pixCopy(NULL, pixs);
+ }
+- if (wc == 0 && hc == 0) /* no-op */
+- return pixCopy(NULL, pixs);
+
+ if (pixacc) {
+ if (pixGetDepth(pixacc) == 32) {
+@@ -612,7 +609,7 @@ l_uint32 *lines, *lined, *linedp;
+ * are (2 * wc + 1) and (2 * hc + 1).
+ * (2) Require that w >= 2 * wc + 1 and h >= 2 * hc + 1,
+ * where (w,h) are the dimensions of pixs.
+- * (3) Returns a copy if both wc and hc are 0.
++ * (3) Returns a copy if either wc or hc are 0.
+ * (3) Adds mirrored border to avoid treating the boundary pixels
+ * specially. Note that we add wc + 1 pixels to the left
+ * and wc to the right. The added width is 2 * wc + 1 pixels,
+@@ -650,16 +647,13 @@ PIX *pixsb, *pixacc, *pixd;
+ pixGetDimensions(pixs, &w, &h, &d);
+ if (d != 8)
+ return (PIX *)ERROR_PTR("pixs not 8 bpp", procName, NULL);
+- if (wc < 0) wc = 0;
+- if (hc < 0) hc = 0;
++ if (wc <= 0 || hc <= 0) /* no-op */
++ return pixCopy(NULL, pixs);
+ if (w < 2 * wc + 1 || h < 2 * hc + 1) {
+- wc = L_MIN(wc, (w - 1) / 2);
+- hc = L_MIN(hc, (h - 1) / 2);
+- L_WARNING("kernel too large; reducing!\n", procName);
+- L_INFO("wc = %d, hc = %d\n", procName, wc, hc);
+- }
+- if (wc == 0 && hc == 0) /* no-op */
++ L_ERROR("kernel is too large: w = %d, wc = %d, h = %d, hc = %d\n",
++ procName, w, wc, h, hc);
+ return pixCopy(NULL, pixs);
++ }
+
+ if ((pixsb = pixAddMirroredBorder(pixs, wc + 1, wc, hc + 1, hc)) == NULL)
+ return (PIX *)ERROR_PTR("pixsb not made", procName, NULL);
+@@ -707,9 +701,10 @@ PIX *pixsb, *pixacc, *pixd;
+ * Notes:
+ * (1) The full width and height of the convolution kernel
+ * are (2 * wc + 1) and (2 * hc + 1)
+- * (2) Returns a copy if both wc and hc are 0
++ * (2) Returns a copy if either wc or hc are 0.
+ * (3) Require that w >= 2 * wc + 1 and h >= 2 * hc + 1,
+- * where (w,h) are the dimensions of pixs.
++ * where (w,h) are the dimensions of pixs. Otherwise,
++ * return a copy.
+ * (4) For nx == ny == 1, this defaults to pixBlockconv(), which
+ * is typically about twice as fast, and gives nearly
+ * identical results as pixBlockconvGrayTile().
+@@ -741,19 +736,16 @@ PIXTILING *pt;
+
+ if (!pix)
+ return (PIX *)ERROR_PTR("pix not defined", procName, NULL);
+- if (wc < 0) wc = 0;
+- if (hc < 0) hc = 0;
+- pixGetDimensions(pix, &w, &h, &d);
+- if (w < 2 * wc + 3 || h < 2 * hc + 3) {
+- wc = L_MAX(0, L_MIN(wc, (w - 3) / 2));
+- hc = L_MAX(0, L_MIN(hc, (h - 3) / 2));
+- L_WARNING("kernel too large; reducing!\n", procName);
+- L_INFO("wc = %d, hc = %d\n", procName, wc, hc);
+- }
+- if (wc == 0 && hc == 0) /* no-op */
++ if (wc <= 0 || hc <= 0) /* no-op */
+ return pixCopy(NULL, pix);
+ if (nx <= 1 && ny <= 1)
+ return pixBlockconv(pix, wc, hc);
++ pixGetDimensions(pix, &w, &h, &d);
++ if (w < 2 * wc + 3 || h < 2 * hc + 3) {
++ L_ERROR("kernel is too large: w = %d, wc = %d, h = %d, hc = %d\n",
++ procName, w, wc, h, hc);
++ return pixCopy(NULL, pix);
++ }
+
+ /* Test to see if the tiles are too small. The required
+ * condition is that the tile dimensions must be at least
+@@ -846,9 +838,10 @@ PIXTILING *pt;
+ * left and right, and with (hc + 1) pixels on top and bottom.
+ * The returned pix has these stripped off; they are only used
+ * for computation.
+- * (3) Returns a copy if both wc and hc are 0
+- * (4) Require that w > 2 * wc + 1 and h > 2 * hc + 1,
+- * where (w,h) are the dimensions of pixs.
++ * (3) Returns a copy if either wc or hc are 0.
++ * (4) Require that w > 2 * wc + 3 and h > 2 * hc + 3,
++ * where (w,h) are the dimensions of pixs. Otherwise,
++ * return a copy.
+ * </pre>
+ */
+ PIX *
+@@ -870,16 +863,13 @@ PIX *pixt, *pixd;
+ pixGetDimensions(pixs, &w, &h, &d);
+ if (d != 8)
+ return (PIX *)ERROR_PTR("pixs not 8 bpp", procName, NULL);
+- if (wc < 0) wc = 0;
+- if (hc < 0) hc = 0;
++ if (wc <= 0 || hc <= 0) /* no-op */
++ return pixCopy(NULL, pixs);
+ if (w < 2 * wc + 3 || h < 2 * hc + 3) {
+- wc = L_MAX(0, L_MIN(wc, (w - 3) / 2));
+- hc = L_MAX(0, L_MIN(hc, (h - 3) / 2));
+- L_WARNING("kernel too large; reducing!\n", procName);
+- L_INFO("wc = %d, hc = %d\n", procName, wc, hc);
+- }
+- if (wc == 0 && hc == 0)
++ L_ERROR("kernel is too large: w = %d, wc = %d, h = %d, hc = %d\n",
++ procName, w, wc, h, hc);
+ return pixCopy(NULL, pixs);
++ }
+ wd = w - 2 * wc;
+ hd = h - 2 * hc;
+
diff --minimal -Nru leptonlib-1.79.0/debian/patches/series leptonlib-1.79.0/debian/patches/series
--- leptonlib-1.79.0/debian/patches/series 2021-04-18 10:03:02.000000000 +0200
+++ leptonlib-1.79.0/debian/patches/series 2022-12-06 15:59:12.000000000 +0100
@@ -8,3 +8,4 @@
CVE-2020-36280.patch
CVE-2020-36281.patch
+CVE-2022-38266.patch
--- End Message ---