[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#939907: marked as done (stretch-pu: package libsixel/1.5.2-2+deb9u1)

Your message dated Sat, 08 Feb 2020 14:23:35 +0000
with message-id <a894a0233c2d264936953d7a69507573c4a5742a.camel@adam-barratt.org.uk>
and subject line Closing bugs included in 9.12
has caused the Debian Bug report #939907,
regarding stretch-pu: package libsixel/1.5.2-2+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
939907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939907
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: reportbugrelease.debian.org
Severity: important
Tags: patch security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

This patch fixes:
CVE-2018-14072
CVE-2018-14073
CVE-2018-19756
CVE-2018-19757
CVE-2018-19759
CVE-2018-19762
CVE-2018-19763
CVE-2019-3573
CVE-2019-3574

CVE-2018-19761 is not affected the version.

diff --git a/debian/changelog b/debian/changelog
index 67fe373..22edc45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libsixel (1.5.2-2+deb9u1) stretch-security; urgency=medium
+
+  * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756
+  * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757
+  * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759
+  * CVE-2018-19761 is not security issue
+  * d/patches/0004-size-check.patch: fix CVE-2018-19762
+  * CVE-2018-19763 is fixed by 0001-Add-malloc-size-check.patch
+  * d/patches/0005-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573
+  * d/patches/0006-check-number-of-repeat_count.patch: fix CVE-2019-3574
+  * d/patches/0007-fix-memory-leak.patch: fix CVE-2018-14072, CVE-2018-14073
+
+ -- NOKUBI Takatsugu <knok@daionet.gr.jp>  Fri, 06 Sep 2019 16:11:01 +0900
+
 libsixel (1.5.2-2) unstable; urgency=medium
 
   * Disable python.
diff --git a/debian/patches/0001-Add-malloc-size-check.patch b/debian/patches/0001-Add-malloc-size-check.patch
new file mode 100644
index 0000000..2943ff2
--- /dev/null
+++ b/debian/patches/0001-Add-malloc-size-check.patch
@@ -0,0 +1,25 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Wed, 7 Aug 2019 16:23:53 +0900
+Subject: Add malloc size check
+
+---
+ src/allocator.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/allocator.c b/src/allocator.c
+index 216fa34..c33c74b 100644
+--- a/src/allocator.c
++++ b/src/allocator.c
+@@ -147,6 +147,12 @@ sixel_allocator_malloc(
+     assert(allocator);
+     assert(allocator->fn_malloc);
+ 
++    if (n == 0) {
++        sixel_helper_set_additional_message(
++            "sixel_allocator_malloc: called with n == 0");
++        return NULL;
++    }
++
+     return allocator->fn_malloc(n);
+ }
+ 
diff --git a/debian/patches/0002-assign-default-error-message.patch b/debian/patches/0002-assign-default-error-message.patch
new file mode 100644
index 0000000..89f0686
--- /dev/null
+++ b/debian/patches/0002-assign-default-error-message.patch
@@ -0,0 +1,21 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 9 Aug 2019 16:47:29 +0900
+Subject: assign default error message
+
+---
+ src/stb_image.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/stb_image.h b/src/stb_image.h
+index d0fa9c2..5f8f96d 100644
+--- a/src/stb_image.h
++++ b/src/stb_image.h
+@@ -875,6 +875,8 @@ static const char *stbi__g_failure_reason;
+ 
+ STBIDEF const char *stbi_failure_reason(void)
+ {
++   if (stbi__g_failure_reason == NULL)
++      stbi__g_failure_reason = "unknwon error, refer error message before assignment";
+    return stbi__g_failure_reason;
+ }
+ 
diff --git a/debian/patches/0003-add-limitation-to-width-and-height.patch b/debian/patches/0003-add-limitation-to-width-and-height.patch
new file mode 100644
index 0000000..6f57a54
--- /dev/null
+++ b/debian/patches/0003-add-limitation-to-width-and-height.patch
@@ -0,0 +1,39 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Tue, 20 Aug 2019 15:20:55 +0900
+Subject: add limitation to width and height
+
+---
+ include/sixel.h.in | 3 +++
+ src/decoder.c      | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/include/sixel.h.in b/include/sixel.h.in
+index 397974f..8552c23 100644
+--- a/include/sixel.h.in
++++ b/include/sixel.h.in
+@@ -355,6 +355,9 @@ typedef int SIXELSTATUS;
+ #define SIXEL_OPTFLAG_VERSION          ('V')  /* -V, --version: show version and license info */
+ #define SIXEL_OPTFLAG_HELP             ('H')  /* -H, --help: show this help */
+ 
++#define SIXEL_WIDTH_LIMIT               1000000
++#define SIXEL_HEIGHT_LIMIT              1000000
++
+ #if SIXEL_USE_DEPRECATED_SYMBOLS
+ /* output character size */
+ enum characterSize {
+diff --git a/src/decoder.c b/src/decoder.c
+index 98b5c30..e3fbd0d 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -303,6 +303,11 @@ sixel_decoder_decode(
+         goto end;
+     }
+ 
++    if (sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT) {
++        status = SIXEL_BAD_INPUT;
++        goto end;
++    }
++
+     status = sixel_helper_write_image_file(indexed_pixels, sx, sy, palette,
+                                            SIXEL_PIXELFORMAT_PAL8,
+                                            decoder->output,
diff --git a/debian/patches/0004-malloc-size-check.patch b/debian/patches/0004-malloc-size-check.patch
new file mode 100644
index 0000000..8345c0d
--- /dev/null
+++ b/debian/patches/0004-malloc-size-check.patch
@@ -0,0 +1,21 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Thu, 22 Aug 2019 15:30:36 +0900
+Subject: malloc size check
+
+---
+ src/fromsixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index a60b4bc..648095a 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -475,7 +475,7 @@ sixel_decode_raw(
+                 dmsx = nx;
+                 dmsy = ny;
+                 dmbuf = (unsigned char *)sixel_allocator_malloc(allocator, dmsx * dmsy);
+-                if (dmbuf == NULL) {
++                if (dmbuf == NULL || dmsx * dmsy == 0) {
+                     sixel_allocator_free(allocator, imbuf);
+                     goto end;
+                 }
diff --git a/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch b/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch
new file mode 100644
index 0000000..7438805
--- /dev/null
+++ b/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch
@@ -0,0 +1,25 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:06:50 +0900
+Subject: check error for jpeg_read_scanlines
+
+---
+ src/loader.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/loader.c b/src/loader.c
+index 5e0bcf3..8f5765a 100644
+--- a/src/loader.c
++++ b/src/loader.c
+@@ -153,6 +153,12 @@ load_jpeg(unsigned char **result,
+ 
+     while (cinfo.output_scanline < cinfo.output_height) {
+         jpeg_read_scanlines(&cinfo, buffer, 1);
++        if (cinfo.err->num_warnings > 0) {
++            sixel_helper_set_additional_message(
++                "jpeg_read_scanlines: error/warining occuered.");
++            status = SIXEL_BAD_INPUT;
++            goto end;
++        }
+         memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
+     }
+ 
diff --git a/debian/patches/0006-check-number-of-repeat_count.patch b/debian/patches/0006-check-number-of-repeat_count.patch
new file mode 100644
index 0000000..005b450
--- /dev/null
+++ b/debian/patches/0006-check-number-of-repeat_count.patch
@@ -0,0 +1,23 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:12:02 +0900
+Subject: check number of repeat_count
+
+---
+ src/fromsixel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 648095a..388ff7b 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -422,6 +422,10 @@ sixel_decode_raw(
+             if (n > 0) {
+                 repeat_count = param[0];
+             }
++            if (repeat_count > 0x7fff) { /* check too huge number */
++                status = SIXEL_BAD_INPUT;
++                goto end;
++            }
+ 
+         } else if (*p == '#') {
+             /* DECGCI Graphics Color Introducer # Pc; Pu; Px; Py; Pz */
diff --git a/debian/patches/0007-fix-memory-leak.patch b/debian/patches/0007-fix-memory-leak.patch
new file mode 100644
index 0000000..4b63589
--- /dev/null
+++ b/debian/patches/0007-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:27:38 +0900
+Subject: fix memory leak
+
+---
+ src/decoder.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/decoder.c b/src/decoder.c
+index e3fbd0d..908e115 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -224,15 +224,15 @@ sixel_decoder_decode(
+     sixel_decoder_t /* in */ *decoder)
+ {
+     SIXELSTATUS status = SIXEL_FALSE;
+-    unsigned char *raw_data;
++    unsigned char *raw_data = NULL;
+     int sx;
+     int sy;
+     int raw_len;
+     int max;
+     int n;
+     FILE *input_fp = NULL;
+-    unsigned char *indexed_pixels;
+-    unsigned char *palette;
++    unsigned char *indexed_pixels = NULL;
++    unsigned char *palette = NULL;
+     int ncolors;
+     unsigned char *pixels = NULL;
+ 
+@@ -320,6 +320,9 @@ sixel_decoder_decode(
+ 
+ end:
+     sixel_allocator_free(decoder->allocator, pixels);
++    sixel_allocator_free(decoder->allocator, raw_data);
++    sixel_allocator_free(decoder->allocator, indexed_pixels);
++    sixel_allocator_free(decoder->allocator, palette);
+     sixel_decoder_ref(decoder);
+ 
+     return status;
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..f749714 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+0001-Add-malloc-size-check.patch
+0002-assign-default-error-message.patch
+0003-add-limitation-to-width-and-height.patch
+0004-malloc-size-check.patch
+0005-check-error-for-jpeg_read_scanlines.patch
+0006-check-number-of-repeat_count.patch
+0007-fix-memory-leak.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 9.12

Hi,

Each of the uploads referred to by these bugs was included in today's
oldstable point release.

Regards,

Adam

--- End Message ---
Reply to: