
[SRM] Proposed NMU, gif2png to oldstable/stable (PRSC)



Hi,

The attached diffs are for a proposed NMU of gif2png to fix CVE-2010-4694
and CVE-2010-4695 in the stable suites.

In stable, the existing patch is extended based on the maintainer's upload
in sid. In oldstable, the entire patch is backported because it hadn't yet
been applied at all. The patch itself is also attached for clarity.

If you're happy with the changes, I will announce the NMU and upload them
to DELAYED/2 to give the maintainer time to react. He has had a PRSC
'please fix' request already and failed to respond, and I'd like to get it
into 6.0.1 if possible.

jona@lupin:/tmp$ diffstat gif2png-prsc-lenny.diff
 debian/patches/10_fix_gif2png_c.dpatch |   61 +++++++++++++++++++++++++++++++++
 gif2png-2.5.1/debian/changelog         |    8 ++++
 gif2png-2.5.1/debian/patches/00list    |    1
 3 files changed, 70 insertions(+)

jona@lupin:/tmp$ diffstat gif2png-prsc-squeeze.diff
 changelog                       |    8 ++++++++
 patches/10_fix_gif2png_c.dpatch |   36 ++++++++++++++++++++++++++++--------
 2 files changed, 36 insertions(+), 8 deletions(-)

Thanks,

-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
diff -u gif2png-2.5.1/debian/changelog gif2png-2.5.1/debian/changelog
--- gif2png-2.5.1/debian/changelog
+++ gif2png-2.5.1/debian/changelog
@@ -1,3 +1,11 @@
+gif2png (2.5.1-3.1) oldstable; urgency=low
+
+  * Non-maintainer upload as part of the Point Release Security effort
+  * CVE-2010-4694, CVE-2010-4695: Backport 10_fix_gif2png_c.dpatch from
+    the package in unstable (closes: #610479)
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Fri, 25 Feb 2011 09:50:27 +0000
+
 gif2png (2.5.1-3) unstable; urgency=low
 
   * Fixed debian/watch file
diff -u gif2png-2.5.1/debian/patches/00list gif2png-2.5.1/debian/patches/00list
--- gif2png-2.5.1/debian/patches/00list
+++ gif2png-2.5.1/debian/patches/00list
@@ -1,2 +1,3 @@
 10_write_text_comment
+10_fix_gif2png_c.dpatch
 20_manpage_fixes
only in patch2:
unchanged:
--- gif2png-2.5.1.orig/debian/patches/10_fix_gif2png_c.dpatch
+++ gif2png-2.5.1/debian/patches/10_fix_gif2png_c.dpatch
@@ -0,0 +1,61 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 10_fix_gif2png_c.dpatch by Erik Schanze <eriks@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: - clarify if/else construct, because of compiler warning
+## DP: - prevent buffer overflow with strcpy, closes: #550978
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c
+--- gif2png-2.5.4~/gif2png.c	2010-10-20 16:20:07.000000000 +0200
++++ gif2png-2.5.4/gif2png.c	2011-02-12 01:14:29.530909414 +0100
+@@ -639,6 +639,7 @@
+     int num_pics;
+     struct GIFelement *start;
+     int i, suppress_delete = FALSE;
++    int file_ext_max;
+     char *file_ext;
+ 
+     if (fp == NULL) return 1;
+@@ -673,9 +675,11 @@
+ 
+     /* create output filename */
+ 
+-    strcpy(outname, fname);
++    strncpy( outname, fname, sizeof( outname ) );
++    outname[sizeof( outname ) - 1] = 0;
+ 
+     file_ext = outname+strlen(outname)-4;
++    file_ext_max = sizeof(outname) - ( strlen(outname) - 4 );
+     if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 &&
+ 	strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) {
+ 	/* try to derive basename */
+@@ -686,7 +690,8 @@
+ 	}
+ 	if (file_ext<outname || *file_ext != '.') {
+ 	    /* as a last resort, just add .png to the filename */
+-	    file_ext = outname+strlen(outname);
++	    file_ext = outname + (size_t)(( strlen( outname ) <= sizeof( outname ) - 1 - 4 )? strlen( outname )
++										   : sizeof( outname ) - 1 - 4);
+ 	}
+     }
+ 
+@@ -708,7 +713,7 @@
+ 		fclose(fp);
+ 		++numpngs;
+ 		start = NULL;
+-		sprintf(file_ext, ".p%02d", i);
++		snprintf(file_ext, file_ext_max - 1, ".p%02d", i);
+ 	    }
+ 	}
+     }
+@@ -863,7 +868,8 @@
+ 	}
+     } else {
+ 	for (i = ac;i<argc; i++) {
+-	    strcpy(name, argv[i]);
++	    strncpy(name, argv[i], sizeof name - sizeof ".gif");
++	    name[sizeof name - sizeof ".gif"] = '\0'; 
+ 	    if ((fp = fopen(name, "rb")) == NULL) {
+ 		/* retry with .gif appended */
+ 		strcat(name, ".gif");
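Review bot: `file_ext_max` is computed once, right after `file_ext = outname+strlen(outname)-4`, and is not updated when `file_ext` is moved later (the basename search outside this hunk and the last-resort branch), so the size passed to `snprintf(file_ext, file_ext_max - 1, ...)` is not tied to the space actually left behind `file_ext`. In the last-resort branch `file_ext` can sit up to 4 bytes further into `outname` than the position `file_ext_max` was derived from, and when `strlen(outname)` is below 4 the subtraction `strlen(outname) - 4` wraps in `size_t`, which leaves `file_ext_max` larger than the buffer. Assuming `outname` is a char array (the patch's own `sizeof( outname )` implies it), I would drop the extra variable and bound the write at the call: `snprintf(file_ext, sizeof(outname) - (size_t)(file_ext - outname), ".p%02d", i);`. The same lines recur in the squeeze diff and in the stand-alone copy of the patch further down; the enclosing function starts and ends outside these hunks.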
diff -u gif2png-2.5.2/debian/changelog gif2png-2.5.2/debian/changelog
--- gif2png-2.5.2/debian/changelog
+++ gif2png-2.5.2/debian/changelog
@@ -1,3 +1,11 @@
+gif2png (2.5.2-2.1) stable; urgency=low
+
+  * Non-maintainer upload as part of the Point Release Security effort
+  * CVE-2010-4694, CVE-2010-4695: Backport further work on
+    10_fix_gif2png_c.dpatch from the package in unstable (closes: #610479)
+
+ -- Jonathan Wiltshire <jmw@debian.org>  Fri, 25 Feb 2011 09:14:35 +0000
+
 gif2png (2.5.2-2) unstable; urgency=low
 
   * Adapted 10_fix_gif2png_c.dpatch, closes: #550978
diff -u gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
--- gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
+++ gif2png-2.5.2/debian/patches/10_fix_gif2png_c.dpatch
@@ -6,10 +6,18 @@
 ## DP: - prevent buffer overflow with strcpy, closes: #550978
 
 @DPATCH@
-diff -urNad gif2png-2.5.2~/gif2png.c gif2png-2.5.2/gif2png.c
---- gif2png-2.5.2~/gif2png.c	2009-11-11 21:28:02.000000000 +0100
-+++ gif2png-2.5.2/gif2png.c	2009-12-05 00:11:56.790419772 +0100
-@@ -656,7 +656,7 @@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c
+--- gif2png-2.5.4~/gif2png.c	2010-10-20 16:20:07.000000000 +0200
++++ gif2png-2.5.4/gif2png.c	2011-02-12 01:14:29.530909414 +0100
+@@ -639,6 +639,7 @@
+     int num_pics;
+     struct GIFelement *start;
+     int i, suppress_delete = FALSE;
++    int file_ext_max;
+     char *file_ext;
+ 
+     if (fp == NULL) return 1;
+@@ -655,7 +656,7 @@
      if (num_pics <= 0)
  	return 1;
  
@@ -18,7 +26,7 @@
  	if (num_pics != 1)
  	{
  	    fprintf(stderr, "gif2png: %s is multi-image\n", fname);
-@@ -673,6 +673,7 @@
+@@ -666,6 +667,7 @@
  	    printf("%s\n", fname);
  	    return 0;
  	}
@@ -26,7 +34,7 @@
  
      /* eliminate use of transparency, if that is called for */
      if (matte)
-@@ -680,7 +681,8 @@
+@@ -673,9 +675,11 @@
  
      /* create output filename */
  
@@ -35,8 +43,11 @@
 +    outname[sizeof( outname ) - 1] = 0;
  
      file_ext = outname+strlen(outname)-4;
++    file_ext_max = sizeof(outname) - ( strlen(outname) - 4 );
      if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 &&
-@@ -693,7 +695,8 @@
+ 	strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) {
+ 	/* try to derive basename */
+@@ -686,7 +690,8 @@
  	}
  	if (file_ext<outname || *file_ext != '.') {
  	    /* as a last resort, just add .png to the filename */
@@ -46,7 +57,16 @@
  	}
      }
  
-@@ -874,7 +877,8 @@
+@@ -708,7 +713,7 @@
+ 		fclose(fp);
+ 		++numpngs;
+ 		start = NULL;
+-		sprintf(file_ext, ".p%02d", i);
++		snprintf(file_ext, file_ext_max - 1, ".p%02d", i);
+ 	    }
+ 	}
+     }
+@@ -863,7 +868,8 @@
  	}
      } else {
  	for (i = ac;i<argc; i++) {
#! /bin/sh /usr/share/dpatch/dpatch-run
## 10_fix_gif2png_c.dpatch by Erik Schanze <eriks@debian.org>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: - clarify if/else construct, because of compiler warning
## DP: - prevent buffer overflow with strcpy, closes: #550978

@DPATCH@
diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' gif2png-2.5.4~/gif2png.c gif2png-2.5.4/gif2png.c
--- gif2png-2.5.4~/gif2png.c	2010-10-20 16:20:07.000000000 +0200
+++ gif2png-2.5.4/gif2png.c	2011-02-12 01:14:29.530909414 +0100
@@ -639,6 +639,7 @@
     int num_pics;
     struct GIFelement *start;
     int i, suppress_delete = FALSE;
+    int file_ext_max;
     char *file_ext;
 
     if (fp == NULL) return 1;
@@ -655,7 +656,7 @@
     if (num_pics <= 0)
 	return 1;
 
-    if (webconvert)
+    if (webconvert) {
 	if (num_pics != 1)
 	{
 	    fprintf(stderr, "gif2png: %s is multi-image\n", fname);
@@ -666,6 +667,7 @@
 	    printf("%s\n", fname);
 	    return 0;
 	}
+    }
 
     /* eliminate use of transparency, if that is called for */
     if (matte)
@@ -673,9 +675,11 @@
 
     /* create output filename */
 
-    strcpy(outname, fname);
+    strncpy( outname, fname, sizeof( outname ) );
+    outname[sizeof( outname ) - 1] = 0;
 
     file_ext = outname+strlen(outname)-4;
+    file_ext_max = sizeof(outname) - ( strlen(outname) - 4 );
     if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 &&
 	strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) {
 	/* try to derive basename */
@@ -686,7 +690,8 @@
 	}
 	if (file_ext<outname || *file_ext != '.') {
 	    /* as a last resort, just add .png to the filename */
-	    file_ext = outname+strlen(outname);
+	    file_ext = outname + (size_t)(( strlen( outname ) <= sizeof( outname ) - 1 - 4 )? strlen( outname )
+										   : sizeof( outname ) - 1 - 4);
 	}
     }
 
@@ -708,7 +713,7 @@
 		fclose(fp);
 		++numpngs;
 		start = NULL;
-		sprintf(file_ext, ".p%02d", i);
+		snprintf(file_ext, file_ext_max - 1, ".p%02d", i);
 	    }
 	}
     }
@@ -863,7 +868,8 @@
 	}
     } else {
 	for (i = ac;i<argc; i++) {
-	    strcpy(name, argv[i]);
+	    strncpy(name, argv[i], sizeof name - sizeof ".gif");
+	    name[sizeof name - sizeof ".gif"] = '\0'; 
 	    if ((fp = fopen(name, "rb")) == NULL) {
 		/* retry with .gif appended */
 		strcat(name, ".gif");
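Review bot: An over-long argument is silently cut here: `strncpy(name, argv[i], sizeof name - sizeof ".gif")` keeps only a prefix, so `fopen` and the `.gif` retry then act on a path the user never named. The bound itself is right (it leaves room for the `strcat` of `.gif`), but I would reject the argument instead of truncating, e.g. `if (strlen(argv[i]) > sizeof name - sizeof ".gif") { fprintf(stderr, "gif2png: %s: name too long\n", argv[i]); continue; }` ahead of the copy; how the loop should record the failure in the exit status is not visible in this hunk. The `strncpy` into `outname` in the `@@ -673,9 +675,11 @@` hunk truncates the output name in the same silent way. The loop body continues past the end of this hunk, and the same lines appear in the two earlier attachments.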

Attachment: signature.asc
Description: Digital signature

