On 09.10.2016 23:36, Hugo Lefeuvre wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libass:
> https://security-tracker.debian.org/tracker/source-package/libass
>
> Would you like to take care of this yourself?

[...]

Hello,

I have prepared a security update for libass in Wheezy but I think the patches can be reused for Jessie as well. I have also marked CVE-2016-7970 as fixed in Wheezy and it looks to me this also applies to Jessie.

I'd be glad if you could take a look at the debdiff (attached) and tell me what you think about CVE-2016-7970 and CVE-2016-7971 which appears to be unfixed, even disputed upstream.

Regards,

Markus
diff -Nru libass-0.10.0/debian/changelog libass-0.10.0/debian/changelog --- libass-0.10.0/debian/changelog 2012-02-14 02:03:45.000000000 +0100 +++ libass-0.10.0/debian/changelog 2016-10-11 22:16:43.000000000 +0200 @@ -1,3 +1,15 @@ +libass (0.10.0-3+deb7u1) wheezy-security; urgency=high + + * Non-maintainer upload by the LTS team. + * Fix the following security vulnerabilities: + - CVE-2016-7972: + Fix memory reallocation in the shaper. + - CVE-2016-7969: + Fix mode 0/3 line wrapping equalization in specific cases which could + result in illegal reads while laying out and shaping text. + + -- Markus Koschany <apo@debian.org> Tue, 11 Oct 2016 22:16:43 +0200 + libass (0.10.0-3) unstable; urgency=low * Team upload. diff -Nru libass-0.10.0/debian/patches/CVE-2016-7969.patch libass-0.10.0/debian/patches/CVE-2016-7969.patch --- libass-0.10.0/debian/patches/CVE-2016-7969.patch 1970-01-01 01:00:00.000000000 +0100 +++ libass-0.10.0/debian/patches/CVE-2016-7969.patch 2016-10-11 22:16:43.000000000 +0200 
@@ -0,0 +1,25 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 11 Oct 2016 18:23:49 +0200 +Subject: CVE-2016-7969 + +Origin: https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26 +--- + libass/ass_render.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libass/ass_render.c b/libass/ass_render.c +index b2bc194..d16e2d4 100644 +--- a/libass/ass_render.c ++++ b/libass/ass_render.c +@@ -1542,7 +1542,10 @@ wrap_lines_smart(ASS_Renderer *render_priv, double max_text_width) + (w->bbox.xMin + w->pos.x)); + + if (DIFF(l1_new, l2_new) < DIFF(l1, l2)) { +- w->linebreak = 1; ++ if (w->linebreak || w == text_info->glyphs) ++ text_info->n_lines--; ++ if (w != text_info->glyphs) ++ w->linebreak = 1; + s2->linebreak = 0; + exit = 0; + } diff -Nru libass-0.10.0/debian/patches/CVE-2016-7972.patch libass-0.10.0/debian/patches/CVE-2016-7972.patch --- libass-0.10.0/debian/patches/CVE-2016-7972.patch 1970-01-01 01:00:00.000000000 +0100 +++ libass-0.10.0/debian/patches/CVE-2016-7972.patch 2016-10-11 22:16:43.000000000 +0200 
@@ -0,0 +1,21 @@ +From: Markus Koschany <apo@debian.org> +Date: Tue, 11 Oct 2016 18:39:07 +0200 +Subject: CVE-2016-7972 + +Origin: https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b +--- + libass/ass_shaper.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/libass/ass_shaper.c b/libass/ass_shaper.c +index cf563ad..274f84a 100644 +--- a/libass/ass_shaper.c ++++ b/libass/ass_shaper.c +@@ -98,6 +98,7 @@ static void check_allocations(ASS_Shaper *shaper, size_t new_size) + shaper->ctypes = realloc(shaper->ctypes, sizeof(FriBidiCharType) * new_size); + shaper->emblevels = realloc(shaper->emblevels, sizeof(FriBidiLevel) * new_size); + shaper->cmap = realloc(shaper->cmap, sizeof(FriBidiStrIndex) * new_size); ++ shaper->n_glyphs = new_size; + } + } + diff -Nru libass-0.10.0/debian/patches/series libass-0.10.0/debian/patches/series --- libass-0.10.0/debian/patches/series 2012-02-14 02:00:26.000000000 +0100 +++ libass-0.10.0/debian/patches/series 2016-10-11 22:16:43.000000000 +0200 @@ -1,2 +1,4 @@ # Patch series for quilt 052_as-needed.diff +CVE-2016-7969.patch +CVE-2016-7972.patch
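Review bot: the debian/changelog hunk lists fixes for CVE-2016-7972 and CVE-2016-7969 only, while the cover mail says CVE-2016-7970 was also marked as fixed in Wheezy; nothing in the upload records why. Add a bullet under "Fix the following security vulnerabilities" stating how CVE-2016-7970 is handled and on what basis, so the reasoning travels with the package and not only with the tracker entry.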
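Review bot: the CVE-2016-7969 patch carries From, Date, Subject and Origin headers but no Description, so the reason for the new `w == text_info->glyphs` special case in `wrap_lines_smart` is not recorded. The hunk moves a line break from `s2` to `w`; when `w` already has `linebreak` set, or `w` is the first glyph and therefore cannot start a new line, the break on `s2` is cleared without a new one being added, which is why `text_info->n_lines--` is needed to keep the line count in step with the breaks actually present. Suggest a DEP-3 Description line reusing the changelog wording ("Fix mode 0/3 line wrapping equalization in specific cases which could result in illegal reads while laying out and shaping text") plus a Bug reference if one exists.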
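Review bot: the added `shaper->n_glyphs = new_size;` in `check_allocations` keeps the recorded size in step with the three `realloc` calls above it, which is the fix, but the surrounding context assigns each `realloc` result straight back to `shaper->ctypes`, `shaper->emblevels` and `shaper->cmap` without checking for NULL. If any of those reallocations fails, the old buffer pointer is lost and `n_glyphs` now claims `new_size` elements that were never allocated. That matches the upstream commit named in Origin, so it is fine for the Wheezy backport; a follow-up could assign to temporaries and return before updating `n_glyphs` when a reallocation fails.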