
Bug#1051552: bookworm-pu: package timg/1.4.5-1+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: timg@packages.debian.org
Control: affects -1 + src:timg


[ Reason ]

Fixing CVE-2023-40968 (buffer overflow vulnerability)


[ Risks ]
Patch is trivial, taken from upstream; local testing done.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru timg-1.4.5/debian/changelog timg-1.4.5/debian/changelog
--- timg-1.4.5/debian/changelog	2022-11-30 20:09:18.000000000 +0100
+++ timg-1.4.5/debian/changelog	2023-09-09 19:07:01.000000000 +0200
@@ -1,3 +1,9 @@
+timg (1.4.5-1+deb12u1) bookworm; urgency=medium
+
+  * Cherry-pick upstream fix for CVE-2023-40968 (Closes: #1051231)
+
+ -- Tobias Frost <tobi@debian.org>  Sat, 09 Sep 2023 19:07:01 +0200
+
 timg (1.4.5-1) unstable; urgency=medium
 
   [ Tobias Frost ]
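Review bot: the new changelog entry names the CVE and the bug it closes but not the file that is added or the kind of issue. Consider spelling it out, for example "Add CVE-2023-40968.patch: cherry-pick upstream fix for a buffer overflow (CVE-2023-40968)", so the entry can be matched to debian/patches/series without opening the debdiff.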
diff -Nru timg-1.4.5/debian/patches/CVE-2023-40968.patch timg-1.4.5/debian/patches/CVE-2023-40968.patch
--- timg-1.4.5/debian/patches/CVE-2023-40968.patch	1970-01-01 01:00:00.000000000 +0100
+++ timg-1.4.5/debian/patches/CVE-2023-40968.patch	2023-09-09 19:07:01.000000000 +0200
@@ -0,0 +1,23 @@
+Description: CVE-2023-40968 buffer overflow vulnerability
+Origin: https://github.com/hzeller/timg/commit/2e9414e668144bbe0afc074dac17b74ef4acfdcf 
+Bug: https://github.com/hzeller/timg/issues/115
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051231
+--- a/src/unicode-block-canvas.cc
++++ b/src/unicode-block-canvas.cc
+@@ -417,13 +417,14 @@
+                                + SCREEN_END_OF_LINE_LEN);  // Finishing a line.
+ 
+     // Depending on even/odd situation, we might need one extra row.
+-    const size_t new_backing = width * (height + 1) * sizeof(rgba_t);
++    // For quarter, we have one extra possible pixel wider.
++    const size_t new_backing = (width + 1) * (height + 1) * sizeof(rgba_t);
+     if (new_backing > backing_buffer_size_) {
+         backing_buffer_      = (rgba_t *)realloc(backing_buffer_, new_backing);
+         backing_buffer_size_ = new_backing;
+     }
+ 
+-    const size_t new_empty = width * sizeof(rgba_t);
++    const size_t new_empty = (width + 1) * sizeof(rgba_t);
+     if (new_empty > empty_line_size_) {
+         empty_line_      = (rgba_t *)realloc(empty_line_, new_empty);
+         empty_line_size_ = new_empty;
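Review bot: in the src/unicode-block-canvas.cc hunk the extra column is written out twice, as (width + 1) in new_backing and again in new_empty, and only the first carries the explanatory comment ("For quarter, we have one extra possible pixel wider"). If one expression is later changed without the other, the two buffers would no longer be sized consistently. Consider computing the padded width once in a local and using it in both size expressions, or at least repeating the comment at new_empty. Separately, the context lines assign the result of realloc() directly to backing_buffer_ and empty_line_ and then record the new size with no NULL check; that is not changed by this patch and is out of scope for a minimal stable update, but worth raising upstream. The Origin: line in the patch header also ends in a trailing space.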
diff -Nru timg-1.4.5/debian/patches/series timg-1.4.5/debian/patches/series
--- timg-1.4.5/debian/patches/series	2022-11-30 19:52:10.000000000 +0100
+++ timg-1.4.5/debian/patches/series	2023-09-09 19:07:01.000000000 +0200
@@ -1 +1,2 @@
 use-system-qui.patch
+CVE-2023-40968.patch
