CVE-2015-7557/librsvg packages for wheezy and jessie (was: squeeze update of librsvg?)



Hi,

Please find attached the debdiffs that fix CVE-2015-7557 in wheezy and
jessie. Since this is a no-dsa issue, it could address a next point
release.

Cheers,

Santiago
diff -Nru librsvg-2.36.1/debian/changelog librsvg-2.36.1/debian/changelog
--- librsvg-2.36.1/debian/changelog	2013-12-04 21:16:12.000000000 +0100
+++ librsvg-2.36.1/debian/changelog	2016-03-24 10:53:07.000000000 +0100
@@ -1,3 +1,10 @@
+librsvg (2.36.1-2+deb7u1) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Thu, 24 Mar 2016 09:18:51 +0100
+
 librsvg (2.36.1-2) stable; urgency=low
 
   [ Raphaël Geissert ]
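Review bot: The new 2.36.1-2+deb7u1 entry does not say which patch carries the fix or where it came from. Naming debian/patches/CVE-2015-7557.patch and the upstream bug (bgo#738050, cited in the patch header) on the "Fix CVE-2015-7557" line would let someone reading only the changelog trace the change.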
diff -Nru librsvg-2.36.1/debian/patches/CVE-2015-7557.patch librsvg-2.36.1/debian/patches/CVE-2015-7557.patch
--- librsvg-2.36.1/debian/patches/CVE-2015-7557.patch	1970-01-01 01:00:00.000000000 +0100
+++ librsvg-2.36.1/debian/patches/CVE-2015-7557.patch	2016-03-24 09:18:37.000000000 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero <federico@gnome.org>
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero <federico@gnome.org>
+---
+ rsvg-shapes.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
++++ b/rsvg-shapes.c
+@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
+ 
+     /* "L %f %f " */
+     for (i = 2; i < pointlist_len; i += 2) {
++        double p;
++
+         g_string_append (d, " L ");
+         g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
+         g_string_append_c (d, ' ');
+-        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
++
++        /* We expect points to come in coordinate pairs.  But if there is a
++         * missing part of one pair in a corrupt SVG, we'll have an incomplete
++         * list.  In that case, we reuse the last-known Y coordinate.
++         */
++        if (i + 1 < pointlist_len)
++            p = pointlist[i + 1];
++        else
++            p = pointlist[i - 1];
++
++        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
+     }
+ 
+     if (close_path)
+-- 
+cgit v0.11.2
+
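Review bot: The `index c13b90c..e4a705d` line and the `@@ -169,10 +169,22 @@` offsets in this 2.36.1 copy are identical to those in the 2.40.5 copy, which suggests the upstream commit was dropped in as downloaded rather than refreshed against the older tree. Please confirm it applies to 2.36.1's rsvg-shapes.c without offset or fuzz, and refresh it if it does not. The trailing `cgit v0.11.2` signature could also be replaced by a short header recording the upstream origin and the CVE id, since the patch text itself only mentions bgo#738050.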
diff -Nru librsvg-2.36.1/debian/patches/series librsvg-2.36.1/debian/patches/series
--- librsvg-2.36.1/debian/patches/series	2013-12-04 15:09:40.000000000 +0100
+++ librsvg-2.36.1/debian/patches/series	2016-03-24 09:18:37.000000000 +0100
@@ -3,3 +3,4 @@
 10_rsvg-gz.patch
 20_rsvg_compat.patch
 99_ltmain_as-needed.patch
+CVE-2015-7557.patch
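Review bot: `CVE-2015-7557.patch` is appended after `99_ltmain_as-needed.patch` and does not follow the numeric-prefix naming of the other entries in this series. If the 99_ prefix was meant to keep that patch last in the stack, consider placing the new entry before it or giving it a prefix of its own.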
diff -Nru librsvg-2.40.5/debian/changelog librsvg-2.40.5/debian/changelog
--- librsvg-2.40.5/debian/changelog	2014-10-14 16:48:24.000000000 +0200
+++ librsvg-2.40.5/debian/changelog	2016-03-24 11:04:24.000000000 +0100
@@ -1,3 +1,10 @@
+librsvg (2.40.5-1+deb8u1) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2015-7557: Out-of-bounds heap read when parsing SVG file.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Thu, 24 Mar 2016 11:02:20 +0100
+
 librsvg (2.40.5-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru librsvg-2.40.5/debian/patches/CVE-2015-7557.patch librsvg-2.40.5/debian/patches/CVE-2015-7557.patch
--- librsvg-2.40.5/debian/patches/CVE-2015-7557.patch	1970-01-01 01:00:00.000000000 +0100
+++ librsvg-2.40.5/debian/patches/CVE-2015-7557.patch	2016-03-24 11:05:21.000000000 +0100
@@ -0,0 +1,50 @@
+From 40af93e6eb1c94b90c3b9a0b87e0840e126bb8df Mon Sep 17 00:00:00 2001
+From: Federico Mena Quintero <federico@gnome.org>
+Date: Thu, 5 Feb 2015 18:08:25 -0600
+Subject: bgo#738050 - Handle the case where a list of coordinate pairs has an
+ odd number of elements
+
+Lists of points come in coordinate pairs, but we didn't have any checking for that.
+It was possible to try to fetch the 'last' coordinate in a list, i.e. the y coordinate
+of an x,y pair, that was in fact missing, leading to an out-of-bounds array read.
+
+In that case, we now reuse the last-known y coordinate.
+
+Fixes https://bugzilla.gnome.org/show_bug.cgi?id=738050
+
+Signed-off-by: Federico Mena Quintero <federico@gnome.org>
+---
+ rsvg-shapes.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/rsvg-shapes.c b/rsvg-shapes.c
+index c13b90c..e4a705d 100644
+--- a/rsvg-shapes.c
++++ b/rsvg-shapes.c
+@@ -169,10 +169,22 @@ _rsvg_node_poly_build_path (const char *value,
+ 
+     /* "L %f %f " */
+     for (i = 2; i < pointlist_len; i += 2) {
++        double p;
++
+         g_string_append (d, " L ");
+         g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i]));
+         g_string_append_c (d, ' ');
+-        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), pointlist[i + 1]));
++
++        /* We expect points to come in coordinate pairs.  But if there is a
++         * missing part of one pair in a corrupt SVG, we'll have an incomplete
++         * list.  In that case, we reuse the last-known Y coordinate.
++         */
++        if (i + 1 < pointlist_len)
++            p = pointlist[i + 1];
++        else
++            p = pointlist[i - 1];
++
++        g_string_append (d, g_ascii_dtostr (buf, sizeof (buf), p));
+     }
+ 
+     if (close_path)
+-- 
+cgit v0.11.2
+
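Review bot: The bounds check `if (i + 1 < pointlist_len)` only protects reads inside the loop, which starts at `i = 2`; the code that emits the first point sits above the visible context, so please confirm that a list holding a single value cannot reach an unguarded `pointlist[1]` there. Inside the loop the fallback `pointlist[i - 1]` stays in bounds because `i` is at least 2 on every iteration. A test SVG with an odd-length points list, run under a memory checker before and after the patch, would make a useful regression check for the upload.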
diff -Nru librsvg-2.40.5/debian/patches/series librsvg-2.40.5/debian/patches/series
--- librsvg-2.40.5/debian/patches/series	2014-09-15 00:58:58.000000000 +0200
+++ librsvg-2.40.5/debian/patches/series	2016-03-24 11:05:21.000000000 +0100
@@ -1,2 +1,3 @@
 10_rsvg-gz.patch
 20_rsvg_compat.patch
+CVE-2015-7557.patch
