
Bug#842013: jessie-pu: package potrace/1.12-1+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700,
CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.

Please find the attached debdiff.

- -- 
Cheers,
  Andrew

-----BEGIN PGP SIGNATURE-----

iQExBAEBCAAbBQJYDyGDFBxhbmRyZXdzaEBkZWJpYW4ub3JnAAoJEJ1bI/kYT6UU
dKUH/iQWfyPMdenlZQriv65nCzANS7qmg7Yav+06HuLIbH1MDxiQ5ZNVWuiYOjG2
ZYI90szkknb6936nx2QbMelC8oYZSbOTnMsxauR/3wTXjd71XhU4uPnNtsVgYglu
ZlJ0tn3aWC2PW/ZxC6rHnsP5BOcin5PynMLLPxI/yZ36855gmedJuJxI27sEeXWx
6NU8wiEVuSnieBipy1Lim9G7TLPfe9GugabtYRLJAgDsbTQ8lxZFQWXe9loVZjB/
meZ1fB96f748KbBPCZW3W3CWDVHaavwCfpsh0XpiSb4B3uKc0q0UxVR21ZcG0/iR
K66NT4jeZMM9thHDHXJVaZfIlS4=
=y46j
-----END PGP SIGNATURE-----
diff -Nru potrace-1.12/debian/changelog potrace-1.12/debian/changelog
--- potrace-1.12/debian/changelog	2015-04-12 14:15:25.000000000 +0200
+++ potrace-1.12/debian/changelog	2016-10-25 11:04:34.000000000 +0200
@@ -1,3 +1,13 @@
+potrace (1.12-1+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696,
+        CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
+        CVE-2016-8700, CVE-2016-8701, CVE-2016-8702,
+        CVE-2016-8703.
+
+ -- Andrew Shadura <andrewsh@debian.org>  Tue, 25 Oct 2016 11:04:34 +0200
+
 potrace (1.12-1) unstable; urgency=high
 
   * New upstream version.
diff -Nru potrace-1.12/debian/patches/CVE-2016-8694.patch potrace-1.12/debian/patches/CVE-2016-8694.patch
--- potrace-1.12/debian/patches/CVE-2016-8694.patch	1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/CVE-2016-8694.patch	2016-10-25 11:04:08.000000000 +0200
@@ -0,0 +1,206 @@
+Author: Peter Selinger <selinger@mathstat.dal.ca>
+Description: Fix CVE-2016-8694.
+Origin: upstream
+
+--- a/src/bitmap.h
++++ b/src/bitmap.h
+@@ -8,6 +8,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <stddef.h>
+ 
+ /* The bitmap type is defined in potracelib.h */
+ #include "potracelib.h"
+@@ -28,7 +29,7 @@
+ /* macros for accessing pixel at index (x,y). U* macros omit the
+    bounds check. */
+ 
+-#define bm_scanline(bm, y) ((bm)->map + (ssize_t)(y)*(ssize_t)(bm)->dy)
++#define bm_scanline(bm, y) ((bm)->map + (ptrdiff_t)(y)*(ptrdiff_t)(bm)->dy)
+ #define bm_index(bm, x, y) (&bm_scanline(bm, y)[(x)/BM_WORDBITS])
+ #define bm_mask(x) (BM_HIBIT >> ((x) & (BM_WORDBITS-1)))
+ #define bm_range(x, a) ((int)(x) >= 0 && (int)(x) < (a))
+@@ -57,10 +58,10 @@
+ static inline potrace_bitmap_t *bm_new(int w, int h) {
+   potrace_bitmap_t *bm;
+   int dy = w == 0 ? 0 : (w - 1) / BM_WORDBITS + 1;
+-  ssize_t size = (ssize_t)dy * (ssize_t)h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE;
+ 
+   /* check for overflow error */
+-  if (size < 0 || size / h / dy != BM_WORDSIZE) {
++  if (size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)) {
+     errno = ENOMEM;
+     return NULL;
+   }
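Review bot: In bm_new the overflow test still runs only after the product has been formed in `ptrdiff_t`, so on a platform where `ptrdiff_t` is 32 bits wide the multiplication can overflow a signed type (undefined behaviour) before `size < 0` or the division is evaluated. Bounding the operands before multiplying avoids relying on wrap-around, for example `if (h > 0 && dy > 0 && dy > PTRDIFF_MAX / (ptrdiff_t)BM_WORDSIZE / h) { errno = ENOMEM; return NULL; }` placed ahead of the computation of `size` (this needs `<stdint.h>` for `PTRDIFF_MAX`). The same compute-then-check order is kept in gm_new in src/greymap.c. bm_new's body continues outside this hunk.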
+@@ -83,15 +84,15 @@
+ /* clear the given bitmap. Set all bits to c. */
+ static inline void bm_clear(potrace_bitmap_t *bm, int c) {
+   /* Note: if the bitmap was created with bm_new, then it is
+-     guaranteed that size will fit into the ssize_t type. */
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++     guaranteed that size will fit into the ptrdiff_t type. */
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   memset(bm->map, c ? -1 : 0, size);
+ }
+ 
+ /* duplicate the given bitmap. Return NULL on error with errno set. */
+ static inline potrace_bitmap_t *bm_dup(const potrace_bitmap_t *bm) {
+   potrace_bitmap_t *bm1 = bm_new(bm->w, bm->h);
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   if (!bm1) {
+     return NULL;
+   }
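Review bot: In bm_dup the copy length `size` is derived from `bm->dy`, while the destination `bm1` is allocated by `bm_new(bm->w, bm->h)`, which derives its own `dy` from the width. The copy itself is outside this hunk, but if it uses `size`, the two only agree when the source bitmap's `dy` equals what bm_new computes for `bm->w`; a bitmap built elsewhere with a larger stride would make `size` exceed the allocation. At minimum the precondition deserves a comment above the function, e.g. `/* requires bm->dy to equal the dy that bm_new derives from bm->w */`, and a check such as `if (bm1->dy != bm->dy)` after the NULL test would make it enforceable.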
+@@ -101,8 +102,8 @@
+ 
+ /* invert the given bitmap. */
+ static inline void bm_invert(potrace_bitmap_t *bm) {
+-  ssize_t i;
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h;
++  ptrdiff_t i;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h;
+ 
+   for (i = 0; i < size; i++) {
+     bm->map[i] ^= BM_ALLBITS;
+--- a/src/bitmap_io.c
++++ b/src/bitmap_io.c
+@@ -4,7 +4,6 @@
+ 
+ 
+ /* Routines for manipulating bitmaps, including reading pbm files. */
+-
+ #include <stdio.h>
+ 
+ #include "bitmap.h"
+@@ -424,6 +423,9 @@
+ /* correct y-coordinate for top-down format */
+ #define ycorr(y) (bmpinfo.topdown ? bmpinfo.h-1-y : y)
+ 
++/* safe colortable access */
++#define COLTABLE(c) ((c) < bmpinfo.ncolors ? coltable[(c)] : 0)
++
+ /* read BMP stream after magic number. Return values as for bm_read.
+    We choose to be as permissive as possible, since there are many
+    programs out there which produce BMP. For instance, ppmtobmp can
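Review bot: The `COLTABLE` macro only checks the upper bound, so it is safe only if its argument is unsigned; the types of `b` and `c` at the call sites are not visible in these hunks, and a signed negative index would pass `(c) < bmpinfo.ncolors` if `ncolors` is signed too. It also evaluates `(c)` twice and silently depends on the locals `bmpinfo` and `coltable` being in scope. I would spell that out in the comment, e.g. `/* safe colortable access: out-of-range indices read as 0; c must be unsigned and free of side effects (evaluated twice) */`.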
+@@ -509,6 +511,10 @@
+     goto format_error;
+   }
+ 
++  if (bmpinfo.comp > 3 || bmpinfo.bits > 32) {
++    goto format_error;
++  }
++
+   /* forward to color table (e.g., if bmpinfo.InfoSize == 64) */
+   TRY(bmp_forward(f, 14+bmpinfo.InfoSize));
+ 
+@@ -598,7 +604,7 @@
+ 	b = bitbuf >> (INTBITS - bmpinfo.bits);
+ 	bitbuf <<= bmpinfo.bits;
+ 	n -= bmpinfo.bits;
+-	BM_UPUT(bm, x, ycorr(y), coltable[b]);
++	BM_UPUT(bm, x, ycorr(y), COLTABLE(b));
+       }
+       TRY(bmp_pad(f));
+     }
+@@ -643,13 +649,14 @@
+   case 0x204:  /* 4-bit runlength compressed encoding (RLE4) */
+     x = 0;
+     y = 0;
++
+     while (1) {
+       TRY_EOF(bmp_readint(f, 1, &b)); /* opcode */
+       TRY_EOF(bmp_readint(f, 1, &c)); /* argument */
+       if (b>0) {
+ 	/* repeat count */
+-	col[0] = coltable[(c>>4) & 0xf];
+-	col[1] = coltable[c & 0xf];
++	col[0] = COLTABLE((c>>4) & 0xf);
++	col[1] = COLTABLE(c & 0xf);
+ 	for (i=0; i<b && x<bmpinfo.w; i++) {
+ 	  if (x>=bmpinfo.w) {
+ 	    x=0;
+@@ -687,7 +694,7 @@
+ 	  if (y>=bmpinfo.h) {
+ 	    break;
+ 	  }
+-	  BM_PUT(bm, x, ycorr(y), coltable[(b>>(4-4*(i&1))) & 0xf]);
++	  BM_PUT(bm, x, ycorr(y), COLTABLE((b>>(4-4*(i&1))) & 0xf));
+ 	  x++;
+ 	}
+ 	if ((c+1) & 2) {
+@@ -714,7 +721,7 @@
+ 	  if (y>=bmpinfo.h) {
+ 	    break;
+ 	  }
+-	  BM_UPUT(bm, x, ycorr(y), coltable[c]);
++	  BM_UPUT(bm, x, ycorr(y), COLTABLE(c));
+ 	  x++;
+ 	}
+       } else if (c == 0) {
+@@ -741,7 +748,7 @@
+           if (y>=bmpinfo.h) {
+             break;
+           }
+-	  BM_PUT(bm, x, ycorr(y), coltable[b]);
++	  BM_PUT(bm, x, ycorr(y), COLTABLE(b));
+ 	  x++;
+ 	}
+ 	if (c & 1) {
+@@ -770,7 +777,7 @@
+  format_error:
+  try_error:
+   free(coltable);
+-  free(bm);
++  bm_free(bm);
+   if (!bm_read_error) {
+     bm_read_error = "invalid bmp file";
+   }
+@@ -778,7 +785,7 @@
+ 
+  std_error:
+   free(coltable);
+-  free(bm);
++  bm_free(bm);
+   return -1;
+ }
+ 
+--- a/src/greymap.c
++++ b/src/greymap.c
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <math.h>
+ #include <errno.h>
++#include <stddef.h>
+ 
+ #include "greymap.h"
+ #include "bitops.h"
+@@ -28,7 +29,7 @@
+    Assumes w, h >= 0. */
+ greymap_t *gm_new(int w, int h) {
+   greymap_t *gm;
+-  ssize_t size = (ssize_t)w * (ssize_t)h * (ssize_t)sizeof(signed short int);
++  ptrdiff_t size = (ptrdiff_t)w * (ptrdiff_t)h * (ptrdiff_t)sizeof(signed short int);
+   
+   /* check for overflow error */
+   if (size < 0 || size / w / h != sizeof(signed short int)) {
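Review bot: The context line `size / w / h != sizeof(signed short int)` in gm_new still divides by zero when `w` or `h` is 0, which the function's own comment permits ("Assumes w, h >= 0"). The bm_new hunk in src/bitmap.h gained a zero guard for exactly this case, but here only the type of `size` was changed. The matching fix would be `if (size < 0 || (w != 0 && h != 0 && size / w / h != sizeof(signed short int))) {`. gm_new's body continues outside this hunk.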
+--- a/src/greymap.h
++++ b/src/greymap.h
+@@ -8,6 +8,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stddef.h>
+ 
+ /* internal format for greymaps. Note: in this format, rows are
+    ordered from bottom to top. The pixels in each row are given from
+@@ -23,7 +24,7 @@
+ /* macros for accessing pixel at index (x,y). Note that the origin is
+    in the *lower* left corner. U* macros omit the bounds check. */
+ 
+-#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ssize_t)(gm)->w])
++#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ptrdiff_t)(gm)->w])
+ #define gm_safe(gm, x, y) ((int)(x)>=0 && (int)(x)<(gm)->w && (int)(y)>=0 && (int)(y)<(gm)->h)
+ #define gm_bound(x, m) ((x)<0 ? 0 : (x)>=(m) ? (m)-1 : (x))
+ #define GM_UGET(gm, x, y) (*gm_index(gm, x, y))
diff -Nru potrace-1.12/debian/patches/series potrace-1.12/debian/patches/series
--- potrace-1.12/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/series	2016-10-25 11:03:56.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-8694.patch
