
[Ubuntu transition to 3.11.1] Specific changes on camlimages



Hello,

Same issue as in my previous emails: camlimages is modified in Ubuntu. I
think the security issue is fixed in the latest Debian package
(confirmation?). What about the comma added to the Build-Depends: header?

https://patches.ubuntu.com/c/camlimages/camlimages_1:3.0.1-1ubuntu1.patch

diff -pruN 1:3.0.1-1/debian/changelog 1:3.0.1-1ubuntu1/debian/changelog
--- 1:3.0.1-1/debian/changelog	2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/changelog	2009-07-07 18:17:32.000000000 +0100
@@ -1,3 +1,12 @@
+camlimages (1:3.0.1-1ubuntu1) karmic; urgency=low
+
+  * debian/patches/fix_integer_overflows.dpatch:
+    Add patch from ocamlimages 1:3.0.1-2 to fix CVE-2009-2295 as we don't want
+    to transition to OCaml 3.11.1 yet.
+  * debian/control: Add missing comma in Build-Depends (lp: #391546).
+
+ -- Michael Bienia <geser@ubuntu.com>  Tue, 07 Jul 2009 16:54:47 +0200
+
 camlimages (1:3.0.1-1) unstable; urgency=low

   [ Ralf Treinen ]
diff -pruN 1:3.0.1-1/debian/control 1:3.0.1-1ubuntu1/debian/control
--- 1:3.0.1-1/debian/control	2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/control	2009-07-07 18:17:32.000000000 +0100
@@ -1,7 +1,8 @@
 Source: camlimages
 Section: devel
 Priority: optional
-Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian OCaml Maintainers
<debian-ocaml-maint@lists.debian.org>
 Uploaders:  Ralf Treinen <treinen@debian.org>,
  Stefano Zacchiroli <zack@debian.org>,
  Sylvain Le Gall <gildor@debian.org>
@@ -20,7 +21,7 @@ Build-Depends: cdbs (>= 0.4.23),
  liblablgtk2-ocaml-dev (>= 2.12.0-2),
  chrpath,
  ghostscript,
- dh-ocaml (>= 0.4.1)
+ dh-ocaml (>= 0.4.1),
  automake1.9
 Standards-Version: 3.8.0
 Vcs-Git: git://git.debian.org/git/pkg-ocaml-maint/packages/camlimages.git
diff -pruN 1:3.0.1-1/debian/patches/00list
1:3.0.1-1ubuntu1/debian/patches/00list
--- 1:3.0.1-1/debian/patches/00list	2009-07-07 18:20:29.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/patches/00list	2009-07-07 18:17:32.000000000 +0100
@@ -1 +1,2 @@
 fix_3_0_1_release
+fix_integer_overflows
diff -pruN 1:3.0.1-1/debian/patches/fix_integer_overflows.dpatch
1:3.0.1-1ubuntu1/debian/patches/fix_integer_overflows.dpatch
--- 1:3.0.1-1/debian/patches/fix_integer_overflows.dpatch	1970-01-01
01:00:00.000000000 +0100
+++ 1:3.0.1-1ubuntu1/debian/patches/fix_integer_overflows.dpatch	2009-07-07
18:17:32.000000000 +0100
@@ -0,0 +1,89 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## fix_integer_overflows.dpatch by Mehdi Dogguy <dogguy@pps.jussieu.fr>
+##
+## DP: Fix multiple integer overflows.
+## DP: http://www.ocert.org/advisories/ocert-2009-009.html
+
+@DPATCH@
+diff -urNad camlimages~/src/pngread.c camlimages/src/pngread.c
+--- camlimages~/src/pngread.c	2009-06-23 11:22:20.000000000 +0200
++++ camlimages/src/pngread.c	2009-07-03 17:51:31.000000000 +0200
+@@ -15,6 +15,8 @@
+ #include "config.h"
+ #endif
+
++#include <limits.h>
++
+ #include <png.h>
+
+ #include <caml/mlvalues.h>
+@@ -26,6 +28,12 @@
+ #define PNG_TAG_INDEX16 2
+ #define PNG_TAG_INDEX4 3
+
++/* Test if x or y are negative, or if multiplying x * y would cause an
++ * arithmetic overflow.
++ */
++#define oversized(x, y)						\
++  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
++
+ value read_png_file_as_rgb24( name )
+      value name;
+ {
+@@ -81,6 +89,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+
++  if (oversized (width, height))
++    failwith ("png error: image contains oversized or bogus width
and height");
++
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+     png_set_gray_to_rgb(png_ptr);
+@@ -102,10 +113,16 @@
+
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++  if (oversized (rowbytes, height))
++    failwith ("png error: image contains oversized or bogus rowbytes
and height");
++
+   {
+     int i;
+     png_bytep *row_pointers;
+
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
+
+     res = alloc_tuple(3);
+@@ -235,6 +252,9 @@
+   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
+ 	       &interlace_type, NULL, NULL);
+
++  if (oversized (width, height))
++    failwith ("png error: image contains oversized or bogus width
and height");
++
+   if ( color_type == PNG_COLOR_TYPE_GRAY ||
+        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) {
+     png_set_gray_to_rgb(png_ptr);
+@@ -251,6 +271,9 @@
+
+   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
+
++  if (oversized (rowbytes, height))
++    failwith ("png error: image contains oversized or bogus rowbytes
and height");
++
+ /*
+ fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
+ */
+@@ -259,6 +282,9 @@
+     png_bytep *row_pointers;
+     char mesg[256];
+
++    if (oversized (sizeof (png_bytep), height))
++      failwith ("png error: image contains oversized or bogus height");
++
+     row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
+     res = alloc_tuple(3);
+
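Review bot: Each of the six new `failwith` calls in the embedded pngread.c patch raises out of the function while `png_ptr` and `info_ptr` are still live (they were just passed to `png_get_IHDR` or `png_get_rowbytes`), so a rejected image leaks the libpng read state and, presumably, the open input file. These paths are reached precisely on malformed or hostile PNGs, so a long-running process that keeps rejecting images can run out of memory or file descriptors. Call `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);` and close the input file before each `failwith`. The file handle and the enclosing function bodies are outside the embedded hunks, so confirm this against the full pngread.c. Separately, the `< 0` tests in `oversized` are vacuous for unsigned operands such as `sizeof (png_bytep)`, and the macro comment should say that only the `INT_MAX / (y)` bound applies in that case.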

