xmms security update for testing
Hi,
May I upload xmms 20061101-2 to testing, debdiff attached.
Regards,
Daniel
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
diff -u xmms-1.2.10+20061101/debian/patches/00list xmms-1.2.10+20061101/debian/patches/00list
--- xmms-1.2.10+20061101/debian/patches/00list
+++ xmms-1.2.10+20061101/debian/patches/00list
@@ -4,0 +5 @@
+05-bmp-loader
diff -u xmms-1.2.10+20061101/debian/changelog xmms-1.2.10+20061101/debian/changelog
--- xmms-1.2.10+20061101/debian/changelog
+++ xmms-1.2.10+20061101/debian/changelog
@@ -1,3 +1,10 @@
+xmms (1:1.2.10+20061101-2) testing; urgency=high
+
+ * Added patch from Kees Cook <kees@ubuntu.com> to address integer underflow
+ CVE-2007-0654 and overflow CVE-2007-0653 in BMP loader (Closes: #416423).
+
+ -- Daniel Baumann <dnaiel@debian.org> Wed, 28 Mar 2007 09:03:00 +0200
+
xmms (1:1.2.10+20061101-1) unstable; urgency=medium
* New upstream snapshot.
--- xmms-1.2.10+20061101.orig/debian/patches/05-bmp-loader.dpatch
+++ xmms-1.2.10+20061101/debian/patches/05-bmp-loader.dpatch
@@ -0,0 +1,51 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 06-bmp-overflows.dpatch by Kees Cook <kees@ubuntu.com>
+##
+## DP: Patch to address integer underflow (CVE-2007-0654) and overflow
+## DP: (CVE-2007-0653) in BMP loader.
+
+@DPATCH@
+
+diff -Naur xmms-1.2.10+20070301.orig/xmms/bmp.c xmms-1.2.10+20070301/xmms/bmp.c
+--- xmms-1.2.10+20070301.orig/xmms/bmp.c 2006-07-10 14:59:36.000000000 +0000
++++ xmms-1.2.10+20070301/xmms/bmp.c 2007-03-28 07:06:46.000000000 +0000
+@@ -19,6 +19,12 @@
+ */
+ #include "xmms.h"
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ struct rgb_quad
+ {
+ guchar rgbBlue;
+@@ -183,7 +189,7 @@
+ }
+ else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+ {
+- gint ncols, i;
++ guint32 ncols, i;
+
+ ncols = offset - headSize - 14;
+ if (headSize == 12)
+@@ -201,9 +207,16 @@
+ }
+ }
+ fseek(file, offset, SEEK_SET);
++ /* verify buffer size */
++ if (!h || !w ||
++ w > (((UINT32_MAX - 3) / 3) / h) ||
++ h > (((UINT32_MAX - 3) / 3) / w)) {
++ g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++ goto failure;
++ }
++ data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+ buffer = g_malloc(imgsize);
+ fread(buffer, imgsize, 1, file);
+- data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
+
+ if (bitcount == 1)
+ read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
Reply to: