
Re: Wheezy update for libass ?



On 09.10.2016 23:36, Hugo Lefeuvre wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libass:
> https://security-tracker.debian.org/tracker/source-package/libass
> 
> Would you like to take care of this yourself?

[...]

Hello,

I have prepared a security update for libass in Wheezy but I think the
patches can be reused for Jessie as well. I have also marked
CVE-2016-7970 as fixed in Wheezy and it looks to me this also applies to
Jessie. I'd be glad if you could take a look at the debdiff (attached)
and tell me what you think about CVE-2016-7970 and CVE-2016-7971 which
appears to be unfixed, even disputed upstream.

Regards,

Markus

diff -Nru libass-0.10.0/debian/changelog libass-0.10.0/debian/changelog
--- libass-0.10.0/debian/changelog	2012-02-14 02:03:45.000000000 +0100
+++ libass-0.10.0/debian/changelog	2016-10-11 22:16:43.000000000 +0200
@@ -1,3 +1,15 @@
+libass (0.10.0-3+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix the following security vulnerabilities:
+    - CVE-2016-7972:
+      Fix memory reallocation in the shaper.
+    - CVE-2016-7969:
+      Fix mode 0/3 line wrapping equalization in specific cases which could
+      result in illegal reads while laying out and shaping text.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 11 Oct 2016 22:16:43 +0200
+
 libass (0.10.0-3) unstable; urgency=low
 
   * Team upload.
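Review bot: the changelog entry lists only CVE-2016-7969 and CVE-2016-7972, while the cover mail says CVE-2016-7970 was marked as fixed in Wheezy; if one of the two patches below is what fixes it, record that here so the changelog and the security tracker agree, otherwise the tracker note is the only place that decision is documented. The CVE-2016-7972 bullet "Fix memory reallocation in the shaper" also says less than the patch does; since the patch only records the new buffer size after the reallocation, wording the bullet along those lines tells a reader what was actually wrong.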
diff -Nru libass-0.10.0/debian/patches/CVE-2016-7969.patch libass-0.10.0/debian/patches/CVE-2016-7969.patch
--- libass-0.10.0/debian/patches/CVE-2016-7969.patch	1970-01-01 01:00:00.000000000 +0100
+++ libass-0.10.0/debian/patches/CVE-2016-7969.patch	2016-10-11 22:16:43.000000000 +0200
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 11 Oct 2016 18:23:49 +0200
+Subject: CVE-2016-7969
+
+Origin: https://github.com/libass/libass/pull/240/commits/b72b283b936a600c730e00875d7d067bded3fc26
+---
+ libass/ass_render.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/libass/ass_render.c b/libass/ass_render.c
+index b2bc194..d16e2d4 100644
+--- a/libass/ass_render.c
++++ b/libass/ass_render.c
+@@ -1542,7 +1542,10 @@ wrap_lines_smart(ASS_Renderer *render_priv, double max_text_width)
+                         (w->bbox.xMin + w->pos.x));
+ 
+                     if (DIFF(l1_new, l2_new) < DIFF(l1, l2)) {
+-                        w->linebreak = 1;
++                        if (w->linebreak || w == text_info->glyphs)
++                            text_info->n_lines--;
++                        if (w != text_info->glyphs)
++                            w->linebreak = 1;
+                         s2->linebreak = 0;
+                         exit = 0;
+                     }
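Review bot: the patch header carries only a Subject and an Origin URL; add a DEP-3 Description explaining why `text_info->n_lines` must be decremented when `w->linebreak` is already set or `w` is the first glyph, because the changelog sentence about mode 0/3 wrapping and illegal reads is the only explanation anywhere in this debdiff, and add a Bug or Bug-Debian field if one exists. The hunk context also stops at `exit = 0;`, so a reviewer cannot see where `n_lines` is incremented on this path; one sentence in the description pointing at that counter would make the decrement verifiable without checking out the upstream commit.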
diff -Nru libass-0.10.0/debian/patches/CVE-2016-7972.patch libass-0.10.0/debian/patches/CVE-2016-7972.patch
--- libass-0.10.0/debian/patches/CVE-2016-7972.patch	1970-01-01 01:00:00.000000000 +0100
+++ libass-0.10.0/debian/patches/CVE-2016-7972.patch	2016-10-11 22:16:43.000000000 +0200
@@ -0,0 +1,21 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 11 Oct 2016 18:39:07 +0200
+Subject: CVE-2016-7972
+
+Origin: https://github.com/libass/libass/pull/240/commits/aa54e0b59200a994d50a346b5d7ac818ebcf2d4b
+---
+ libass/ass_shaper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/libass/ass_shaper.c b/libass/ass_shaper.c
+index cf563ad..274f84a 100644
+--- a/libass/ass_shaper.c
++++ b/libass/ass_shaper.c
+@@ -98,6 +98,7 @@ static void check_allocations(ASS_Shaper *shaper, size_t new_size)
+         shaper->ctypes     = realloc(shaper->ctypes, sizeof(FriBidiCharType) * new_size);
+         shaper->emblevels  = realloc(shaper->emblevels, sizeof(FriBidiLevel) * new_size);
+         shaper->cmap       = realloc(shaper->cmap, sizeof(FriBidiStrIndex) * new_size);
++        shaper->n_glyphs = new_size;
+     }
+ }
+ 
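Review bot: `shaper->n_glyphs = new_size;` is recorded unconditionally, but the three `realloc` calls directly above it assign straight back to `shaper->ctypes`, `shaper->emblevels` and `shaper->cmap` with no NULL check, so on allocation failure the shaper would now claim `new_size` entries while holding NULL buffers (losing the old pointers on failure is pre-existing behaviour, not introduced here). For a minimal backport of the upstream commit this is defensible, but say so in the DEP-3 header, or reallocate into a temporary and only update `n_glyphs` once all three succeeded.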
diff -Nru libass-0.10.0/debian/patches/series libass-0.10.0/debian/patches/series
--- libass-0.10.0/debian/patches/series	2012-02-14 02:00:26.000000000 +0100
+++ libass-0.10.0/debian/patches/series	2016-10-11 22:16:43.000000000 +0200
@@ -1,2 +1,4 @@
 # Patch series for quilt
 052_as-needed.diff
+CVE-2016-7969.patch
+CVE-2016-7972.patch
