--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: stretch-pu: package libsixel/1.5.2-2+deb9u1
- From: NOKUBI Takatsugu <knok@daionet.gr.jp>
- Date: Tue, 10 Sep 2019 09:18:42 +0900
- Message-id: <20190910091842.a135c056c78029d5f3723d19@daionet.gr.jp>
Package: reportbugrelease.debian.org
Severity: important
Tags: patch security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org
This patch fixes:
CVE-2018-14072
CVE-2018-14073
CVE-2018-19756
CVE-2018-19757
CVE-2018-19759
CVE-2018-19762
CVE-2018-19763
CVE-2019-3573
CVE-2019-3574
This version is not affected by CVE-2018-19761.
diff --git a/debian/changelog b/debian/changelog
index 67fe373..22edc45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libsixel (1.5.2-2+deb9u1) stretch-security; urgency=medium
+
+ * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756
+ * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757
+ * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759
+ * CVE-2018-19761 is not security issue
+ * d/patches/0004-size-check.patch: fix CVE-2018-19762
+ * CVE-2018-19763 is fixed by 0001-Add-malloc-size-check.patch
+ * d/patches/0005-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573
+ * d/patches/0006-check-number-of-repeat_count.patch: fix CVE-2019-3574
+ * d/patches/0007-fix-memory-leak.patch: fix CVE-2018-14072, CVE-2018-14073
+
+ -- NOKUBI Takatsugu <knok@daionet.gr.jp> Fri, 06 Sep 2019 16:11:01 +0900
+
libsixel (1.5.2-2) unstable; urgency=medium
* Disable python.
diff --git a/debian/patches/0001-Add-malloc-size-check.patch b/debian/patches/0001-Add-malloc-size-check.patch
new file mode 100644
index 0000000..2943ff2
--- /dev/null
+++ b/debian/patches/0001-Add-malloc-size-check.patch
@@ -0,0 +1,25 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Wed, 7 Aug 2019 16:23:53 +0900
+Subject: Add malloc size check
+
+---
+ src/allocator.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/allocator.c b/src/allocator.c
+index 216fa34..c33c74b 100644
+--- a/src/allocator.c
++++ b/src/allocator.c
+@@ -147,6 +147,12 @@ sixel_allocator_malloc(
+ assert(allocator);
+ assert(allocator->fn_malloc);
+
++ if (n == 0) {
++ sixel_helper_set_additional_message(
++ "sixel_allocator_malloc: called with n == 0");
++ return NULL;
++ }
++
+ return allocator->fn_malloc(n);
+ }
+
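Review bot: The new guard in `sixel_allocator_malloc` rejects only `n == 0`, so a size that a caller computed with a wrapped or negative multiplication still reaches `fn_malloc` unchanged. The call `sixel_allocator_malloc(allocator, dmsx * dmsy)` shown in patch 0004 is one such caller. Refusing zero is a sensible backstop, but the intent should be recorded next to it, for example `/* n == 0 is refused: malloc(0) may return a non-NULL pointer that callers then index; callers must still range-check their own size arithmetic */`. The changelog also credits this patch with CVE-2018-19763, so the patch header should say which call site that covers. The function's signature and opening lines are outside the hunk.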
diff --git a/debian/patches/0002-assign-default-error-message.patch b/debian/patches/0002-assign-default-error-message.patch
new file mode 100644
index 0000000..89f0686
--- /dev/null
+++ b/debian/patches/0002-assign-default-error-message.patch
@@ -0,0 +1,21 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 9 Aug 2019 16:47:29 +0900
+Subject: assign default error message
+
+---
+ src/stb_image.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/stb_image.h b/src/stb_image.h
+index d0fa9c2..5f8f96d 100644
+--- a/src/stb_image.h
++++ b/src/stb_image.h
+@@ -875,6 +875,8 @@ static const char *stbi__g_failure_reason;
+
+ STBIDEF const char *stbi_failure_reason(void)
+ {
++ if (stbi__g_failure_reason == NULL)
++ stbi__g_failure_reason = "unknwon error, refer error message before assignment";
+ return stbi__g_failure_reason;
+ }
+
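Review bot: The fallback in `stbi_failure_reason` writes to the global `stbi__g_failure_reason` from inside what is otherwise a read-only accessor, and the message it stores is misspelled ("unknwon"). Returning a literal avoids the hidden state change and keeps the NULL protection that callers need: `return stbi__g_failure_reason ? stbi__g_failure_reason : "unknown error";`. If the assignment is deliberate, so that later reads see the same text, a one-line comment saying so would help the next person who syncs this header with upstream stb_image.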
diff --git a/debian/patches/0003-add-limitation-to-width-and-height.patch b/debian/patches/0003-add-limitation-to-width-and-height.patch
new file mode 100644
index 0000000..6f57a54
--- /dev/null
+++ b/debian/patches/0003-add-limitation-to-width-and-height.patch
@@ -0,0 +1,39 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Tue, 20 Aug 2019 15:20:55 +0900
+Subject: add limitation to width and height
+
+---
+ include/sixel.h.in | 3 +++
+ src/decoder.c | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/include/sixel.h.in b/include/sixel.h.in
+index 397974f..8552c23 100644
+--- a/include/sixel.h.in
++++ b/include/sixel.h.in
+@@ -355,6 +355,9 @@ typedef int SIXELSTATUS;
+ #define SIXEL_OPTFLAG_VERSION ('V') /* -V, --version: show version and license info */
+ #define SIXEL_OPTFLAG_HELP ('H') /* -H, --help: show this help */
+
++#define SIXEL_WIDTH_LIMIT 1000000
++#define SIXEL_HEIGHT_LIMIT 1000000
++
+ #if SIXEL_USE_DEPRECATED_SYMBOLS
+ /* output character size */
+ enum characterSize {
+diff --git a/src/decoder.c b/src/decoder.c
+index 98b5c30..e3fbd0d 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -303,6 +303,11 @@ sixel_decoder_decode(
+ goto end;
+ }
+
++ if (sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT) {
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
++
+ status = sixel_helper_write_image_file(indexed_pixels, sx, sy, palette,
+ SIXEL_PIXELFORMAT_PAL8,
+ decoder->output,
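Review bot: The new check in `sixel_decoder_decode` bounds `sx` and `sy` separately at 1000000 each, which does not bound their product: both are declared `int` in this function (see the declarations in patch 0007), and 1000000 * 1000000 is far beyond `INT_MAX`. Any width-times-height computation further down, presumably inside `sixel_helper_write_image_file`, can therefore still overflow. Zero and negative dimensions also pass. A combined guard such as `if (sx <= 0 || sy <= 0 || sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT || sx > INT_MAX / sy)` closes both gaps. The check also sits just before the write call, so it cannot protect allocations made by the decode step that produced `sx`/`sy`; that code is outside the hunk and should be confirmed separately. The two macros added to `sixel.h.in` become public API and deserve a comment stating their unit (pixels) and why the value was chosen.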
diff --git a/debian/patches/0004-malloc-size-check.patch b/debian/patches/0004-malloc-size-check.patch
new file mode 100644
index 0000000..8345c0d
--- /dev/null
+++ b/debian/patches/0004-malloc-size-check.patch
@@ -0,0 +1,21 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Thu, 22 Aug 2019 15:30:36 +0900
+Subject: malloc size check
+
+---
+ src/fromsixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index a60b4bc..648095a 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -475,7 +475,7 @@ sixel_decode_raw(
+ dmsx = nx;
+ dmsy = ny;
+ dmbuf = (unsigned char *)sixel_allocator_malloc(allocator, dmsx * dmsy);
+- if (dmbuf == NULL) {
++ if (dmbuf == NULL || dmsx * dmsy == 0) {
+ sixel_allocator_free(allocator, imbuf);
+ goto end;
+ }
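Review bot: The added condition `dmsx * dmsy == 0` in `sixel_decode_raw` is evaluated after the same product has already been passed to `sixel_allocator_malloc`, so it validates the size too late and only for the exact value zero. A product that overflows (assuming `dmsx`/`dmsy` are `int`; their declarations are outside the hunk) is not caught. If the allocator returned a non-NULL pointer for a zero product, this branch would also leak `dmbuf`, because only `imbuf` is freed. Checking the dimensions before the multiplication is safer; the sketch below needs `<limits.h>` for `INT_MAX`. Separately, the changelog entry names this file `0004-size-check.patch`, while the series file and the diff header call it `0004-malloc-size-check.patch`.

```c
dmsx = nx;
dmsy = ny;
/* validate before the product is computed or handed to the allocator */
if (dmsx <= 0 || dmsy <= 0 || dmsx > INT_MAX / dmsy) {
    sixel_allocator_free(allocator, imbuf);
    status = SIXEL_BAD_INPUT;
    goto end;
}
dmbuf = (unsigned char *)sixel_allocator_malloc(allocator,
                                                (size_t)dmsx * (size_t)dmsy);
if (dmbuf == NULL) {
    /* … unchanged: free imbuf, goto end … */
}
```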
diff --git a/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch b/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch
new file mode 100644
index 0000000..7438805
--- /dev/null
+++ b/debian/patches/0005-check-error-for-jpeg_read_scanlines.patch
@@ -0,0 +1,25 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:06:50 +0900
+Subject: check error for jpeg_read_scanlines
+
+---
+ src/loader.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/loader.c b/src/loader.c
+index 5e0bcf3..8f5765a 100644
+--- a/src/loader.c
++++ b/src/loader.c
+@@ -153,6 +153,12 @@ load_jpeg(unsigned char **result,
+
+ while (cinfo.output_scanline < cinfo.output_height) {
+ jpeg_read_scanlines(&cinfo, buffer, 1);
++ if (cinfo.err->num_warnings > 0) {
++ sixel_helper_set_additional_message(
++ "jpeg_read_scanlines: error/warining occuered.");
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
+ memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
+ }
+
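Review bot: The loop in `load_jpeg` still ignores the return value of `jpeg_read_scanlines`, which is the number of lines actually read. The new `num_warnings` test is therefore the only thing between a failed read and the `memcpy` that indexes with `cinfo.output_scanline - 1`. Testing the return value as well makes the guard independent of how libjpeg classifies the problem: `if (jpeg_read_scanlines(&cinfo, buffer, 1) != 1 || cinfo.err->num_warnings > 0) {`. The diagnostic string has typos and should read `"jpeg_read_scanlines: error/warning occurred."`. Treating every warning as fatal is a behaviour change for slightly malformed but decodable files, so a comment stating that this is intentional would help. Whether the `end:` path releases the decompressor and `*result` cannot be seen from this hunk and should be confirmed.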
diff --git a/debian/patches/0006-check-number-of-repeat_count.patch b/debian/patches/0006-check-number-of-repeat_count.patch
new file mode 100644
index 0000000..005b450
--- /dev/null
+++ b/debian/patches/0006-check-number-of-repeat_count.patch
@@ -0,0 +1,23 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:12:02 +0900
+Subject: check number of repeat_count
+
+---
+ src/fromsixel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 648095a..388ff7b 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -422,6 +422,10 @@ sixel_decode_raw(
+ if (n > 0) {
+ repeat_count = param[0];
+ }
++ if (repeat_count > 0x7fff) { /* check too huge number */
++ status = SIXEL_BAD_INPUT;
++ goto end;
++ }
+
+ } else if (*p == '#') {
+ /* DECGCI Graphics Color Introducer # Pc; Pu; Px; Py; Pz */
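Review bot: The bound added after `repeat_count = param[0];` uses the bare constant `0x7fff` and checks the upper side only, so if `repeat_count` is a signed type (its declaration is outside the hunk) a negative value still passes. A named limit with both sides checked reads better and is easier to audit, e.g. `if (repeat_count < 0 || repeat_count > SIXEL_REPEAT_LIMIT) {` with the constant defined next to `SIXEL_WIDTH_LIMIT` from patch 0003. Unlike patches 0001 and 0005, this error path does not call `sixel_helper_set_additional_message`, so the caller gets `SIXEL_BAD_INPUT` with no indication of which field was rejected. The check also limits one repeat introducer only; whether the accumulated position is bounded against the image width is decided in code outside this hunk.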
diff --git a/debian/patches/0007-fix-memory-leak.patch b/debian/patches/0007-fix-memory-leak.patch
new file mode 100644
index 0000000..4b63589
--- /dev/null
+++ b/debian/patches/0007-fix-memory-leak.patch
@@ -0,0 +1,41 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 9 Sep 2019 15:27:38 +0900
+Subject: fix memory leak
+
+---
+ src/decoder.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/src/decoder.c b/src/decoder.c
+index e3fbd0d..908e115 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -224,15 +224,15 @@ sixel_decoder_decode(
+ sixel_decoder_t /* in */ *decoder)
+ {
+ SIXELSTATUS status = SIXEL_FALSE;
+- unsigned char *raw_data;
++ unsigned char *raw_data = NULL;
+ int sx;
+ int sy;
+ int raw_len;
+ int max;
+ int n;
+ FILE *input_fp = NULL;
+- unsigned char *indexed_pixels;
+- unsigned char *palette;
++ unsigned char *indexed_pixels = NULL;
++ unsigned char *palette = NULL;
+ int ncolors;
+ unsigned char *pixels = NULL;
+
+@@ -320,6 +320,9 @@ sixel_decoder_decode(
+
+ end:
+ sixel_allocator_free(decoder->allocator, pixels);
++ sixel_allocator_free(decoder->allocator, raw_data);
++ sixel_allocator_free(decoder->allocator, indexed_pixels);
++ sixel_allocator_free(decoder->allocator, palette);
+ sixel_decoder_ref(decoder);
+
+ return status;
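Review bot: The three frees added under `end:` in `sixel_decoder_decode` are safe only if `raw_data`, `indexed_pixels` and `palette` are never released earlier in the function without being reset to NULL, and only if each was allocated through `decoder->allocator`. Most of the function body lies between the two hunks and is not visible here, so both points need checking against the full source before this ships. A comment at the label would state the contract, for example `/* all buffers below are owned by this function and allocated via decoder->allocator; earlier paths must not free them */`. The context line `sixel_decoder_ref(decoder);` on the exit path also deserves a second look, since a reference taken at function exit looks like it was meant to be an unref, though that line is not part of this change.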
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..f749714 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,7 @@
+0001-Add-malloc-size-check.patch
+0002-assign-default-error-message.patch
+0003-add-limitation-to-width-and-height.patch
+0004-malloc-size-check.patch
+0005-check-error-for-jpeg_read_scanlines.patch
+0006-check-number-of-repeat_count.patch
+0007-fix-memory-leak.patch
--- End Message ---