Emilio Pozuelo Monfort pushed to branch debian-unstable at X Strike Force / lib / pixman
Commits:
-
e71a54d0
by Emilio Pozuelo Monfort at 2022-11-08T13:03:18+01:00
3 changed files:
- debian/changelog
- + debian/patches/Avoid-integer-overflow-leading-to-out-of-bounds-writ.diff
- debian/patches/series
Changes:
1 | +pixman (0.40.0-1.1) unstable; urgency=medium
|
|
2 | + |
|
3 | + * Non-maintainer upload.
|
|
4 | + * Avoid integer overflow leading to out-of-bounds write (CVE-2022-44638)
|
|
5 | + (Closes: #1023427)
|
|
6 | + |
|
7 | + -- Salvatore Bonaccorso <carnil@debian.org> Thu, 03 Nov 2022 23:07:46 +0100
|
|
8 | + |
|
1 | 9 | pixman (0.40.0-1) unstable; urgency=medium
|
2 | 10 | |
3 | 11 | * New upstream release. (Closes: #958298, #832579, #838650)
|
1 | +From: Matt Turner <mattst88@gmail.com>
|
|
2 | +Date: Wed, 2 Nov 2022 12:07:32 -0400
|
|
3 | +Subject: Avoid integer overflow leading to out-of-bounds write
|
|
4 | +Origin: https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395
|
|
5 | +Bug: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
|
|
6 | +Bug-Debian: https://bugs.debian.org/1023427
|
|
7 | +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-44638
|
|
8 | + |
|
9 | +Thanks to Maddie Stone and Google's Project Zero for discovering this
|
|
10 | +issue, providing a proof-of-concept, and a great analysis.
|
|
11 | + |
|
12 | +Closes: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63
|
|
13 | +---
|
|
14 | + pixman/pixman-trap.c | 2 +-
|
|
15 | + 1 file changed, 1 insertion(+), 1 deletion(-)
|
|
16 | + |
|
17 | +diff --git a/pixman/pixman-trap.c b/pixman/pixman-trap.c
|
|
18 | +index 91766fdbfca0..7560405ee2e4 100644
|
|
19 | +--- a/pixman/pixman-trap.c
|
|
20 | ++++ b/pixman/pixman-trap.c
|
|
21 | +@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
|
|
22 | +
|
|
23 | + if (f < Y_FRAC_FIRST (n))
|
|
24 | + {
|
|
25 | +- if (pixman_fixed_to_int (i) == 0x8000)
|
|
26 | ++ if (pixman_fixed_to_int (i) == 0xffff8000)
|
|
27 | + {
|
|
28 | + f = 0; /* saturate */
|
|
29 | + }
|
|
30 | +--
|
|
31 | +2.37.2
|
|
32 | + |
1 | 1 | test-increase-timeout.diff
|
2 | +Avoid-integer-overflow-leading-to-out-of-bounds-writ.diff |