
Bug#892031: marked as done (stretch-pu: package wayland/1.12.0-1)



Your message dated Sat, 09 Mar 2019 16:30:29 +0000
with message-id <1552149029.11727.40.camel@adam-barratt.org.uk>
and subject line Re: Bug#892031: marked as done (stretch-pu: package wayland/1.12.0-1)
has caused the Debian Bug report #892031,
regarding stretch-pu: package wayland/1.12.0-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
892031: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892031
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

  I would like to apply a fix in stable for #889681.
  I have asked the security team whether they want the fix via the security queue or a stable
  update, but I have gotten no reply yet. I am attaching the patch I intend
  to upload to stable if you acknowledge it.

Regards

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 4.15.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=ca_AD.utf8, LC_CTYPE=ca_AD.utf8 (charmap=UTF-8), LANGUAGE=ca_AD:ca (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
From 2471b0463e9395bd981f8b875e3280f1fc6b995f Mon Sep 17 00:00:00 2001
From: Héctor Orón Martínez <zumbi@debian.org>
Date: Sun, 4 Mar 2018 11:54:40 +0100
Subject: [PATCH] debian/patches/CVE-2017-16612.patch: fix cursor integer
 overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Héctor Orón Martínez <zumbi@debian.org>
---
 debian/changelog                    | 11 +++++++++
 debian/patches/CVE-2017-16612.patch | 47 +++++++++++++++++++++++++++++++++++++
 debian/patches/series               |  1 +
 3 files changed, 59 insertions(+)
 create mode 100644 debian/patches/CVE-2017-16612.patch
 create mode 100644 debian/patches/series

diff --git a/debian/changelog b/debian/changelog
index 2f84b50..7495ef3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+wayland (1.12.0-1+deb9u1) stretch; urgency=medium
+
+  * debian/patches/CVE-2017-16612.patch: (Closes: #889681)
+    - libXcursor before 1.1.15 has various integer overflows that could lead
+      to heap buffer overflows when processing malicious cursors, e.g., with
+      programs like GIMP. It is also possible that an attack vector exists
+      against the related code in cursor/xcursor.c in Wayland through
+      1.14.0.
+
+ -- Héctor Orón Martínez <zumbi@debian.org>  Sun, 04 Mar 2018 11:43:29 +0100
+
 wayland (1.12.0-1) unstable; urgency=medium
 
   * New upstream release. Closes: #840752.
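Review bot: the changelog entry under `* debian/patches/CVE-2017-16612.patch:` describes libXcursor rather than what this upload changes; the text is the generic CVE description, so a reader of the stretch changelog cannot tell what was fixed in wayland itself. Suggest stating the actual change, e.g. "cursor/xcursor.c: reject negative or oversized cursor dimensions in XcursorImageCreate and _XcursorReadImage to prevent an integer overflow in the image allocation size (CVE-2017-16612)", and keeping the CVE id in the entry body so it is searchable in the changelog.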
diff --git a/debian/patches/CVE-2017-16612.patch b/debian/patches/CVE-2017-16612.patch
new file mode 100644
index 0000000..9d91f70
--- /dev/null
+++ b/debian/patches/CVE-2017-16612.patch
@@ -0,0 +1,47 @@
+commit 5d201df72f3d4f4cb8b8f75f980169b03507da38
+Author: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date:   Tue Nov 28 21:38:07 2017 +0100
+
+    cursor: Fix heap overflows when parsing malicious files.
+    
+    It is possible to trigger heap overflows due to an integer overflow
+    while parsing images.
+    
+    The integer overflow occurs because the chosen limit 0x10000 for
+    dimensions is too large for 32 bit systems, because each pixel takes
+    4 bytes. Properly chosen values allow an overflow which in turn will
+    lead to less allocated memory than needed for subsequent reads.
+    
+    See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+    
+    Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+    [Pekka: add link to the corresponding libXcursor commit]
+    Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4a..689c702 100644
+--- a/cursor/xcursor.c
++++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
++    if (width < 0 || height < 0)
++       return NULL;
++    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++       return NULL;
++
+     image = malloc (sizeof (XcursorImage) +
+ 		    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+     if (!_XcursorReadUInt (file, &head.delay))
+ 	return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
++    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
++	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+     if (head.width == 0 || head.height == 0)
+ 	return NULL;
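Review bot: both new checks rely on `XCURSOR_IMAGE_MAX_SIZE`, which this patch does not define, so before upload confirm it is present in the 1.12.0 `cursor/xcursor.h` and that its value keeps `sizeof (XcursorImage) + width * height * sizeof (XcursorPixel)` representable on 32-bit targets, since `width * height` is still evaluated in `int` before being widened; a one-line comment next to the new checks in `XcursorImageCreate` recording that bound would save the next maintainer re-deriving it. The second hunk also quietly fixes the old asymmetry between `head.width >= 0x10000` and `head.height > 0x10000`, which is worth a mention in the patch description. As a style point for a Debian patch, add DEP-3 headers (`Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/889681`) above the git commit text so tooling can trace the provenance.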
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..4c42ec7
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-16612.patch
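Review bot: `debian/patches/series` is created here, so this is the first quilt patch the package carries; check that the source format (`debian/source/format`, 3.0 (quilt)) actually applies the series during build, otherwise the patch would ship in the source package without ever being applied to the binaries.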
-- 
2.16.2


--- End Message ---
--- Begin Message ---
Version: 9.8

On Tue, 2018-12-18 at 21:59 +0000, Adam D. Barratt wrote:
> Control: reopen -1
> 
> On Tue, 2018-12-18 at 20:42 +0000, Debian Bug Tracking System wrote:
> > Your message dated Tue, 18 Dec 2018 20:41:35 +0000
> > with message-id <E1gZMBL-000Fet-Ro@fasolo.debian.org>
> > and subject line Bug#892031: fixed in wayland 1.12.0-1+deb9u1
> > has caused the Debian Bug report #892031,
> > regarding stretch-pu: package wayland/1.12.0-1
> > to be marked as done.
> 
>    * debian/patches/CVE-2017-16612.patch: (Closes: #889681, #892031)
> 
> Please don't do that. The release.d.o bug will be closed once the
> updated package is in stable, not before - and certainly not simply
> because the upload reached p-u.

This fix was actually included in 9.8, but we missed closing the bug
because the above removed the "pending" tag...

Regards,

Adam

--- End Message ---
