Bug#861448: marked as done (unblock: libcroco/0.6.11-3)

To: Niels Thykier <niels@thykier.net>
Subject: Bug#861448: marked as done (unblock: libcroco/0.6.11-3)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 29 Apr 2017 10:57:03 +0000
Message-id: <[🔎] handler.861448.D861448.14934631858866.ackdone@bugs.debian.org>
References: <fad3e4a8-f89a-10d9-833f-7e3b567301c8@thykier.net> <[🔎] 149345633446.7553.8346446825544293413.reportbug@eldamar.local>

Your message dated Sat, 29 Apr 2017 10:51:00 +0000
with message-id <fad3e4a8-f89a-10d9-833f-7e3b567301c8@thykier.net>
and subject line Re: Bug#861448: unblock: libcroco/0.6.11-3
has caused the Debian Bug report #861448,
regarding unblock: libcroco/0.6.11-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
861448: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861448
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: libcroco/0.6.11-3
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sat, 29 Apr 2017 10:58:54 +0200
Message-id: <[🔎] 149345633446.7553.8346446825544293413.reportbug@eldamar.local>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package libcroco

The upload addresses two CVEs, CVE-2017-7960 and the disputed (if it
security relevant) CVE-2017-7961, both covered via #860961.

The changelog reads as:

>libcroco (0.6.11-3) unstable; urgency=medium
>
>  * CVE-2017-7960-heap-buffer-overflow.patch:
>    - CVE-2017-7960: check end of input before reading from buffer.
>  * CVE-2017-7961-double-to-long-check.patch:
>    - CVE-2017-7961: check color value before converting to long.
>  * The above closes: #860961.
>
> -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 23 Apr 2017 13:17:31 +0200

and attached is the full debdiff.

unblock libcroco/0.6.11-3

Regards,
Salvatore

diff -Nru libcroco-0.6.11/debian/changelog libcroco-0.6.11/debian/changelog
--- libcroco-0.6.11/debian/changelog	2016-09-21 04:15:28.000000000 +0200
+++ libcroco-0.6.11/debian/changelog	2017-04-23 13:17:31.000000000 +0200
@@ -1,3 +1,13 @@
+libcroco (0.6.11-3) unstable; urgency=medium
+
+  * CVE-2017-7960-heap-buffer-overflow.patch:
+    - CVE-2017-7960: check end of input before reading from buffer.
+  * CVE-2017-7961-double-to-long-check.patch:
+    - CVE-2017-7961: check color value before converting to long.
+  * The above closes: #860961.
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 23 Apr 2017 13:17:31 +0200
+
 libcroco (0.6.11-2) unstable; urgency=medium
 
   * Convert from cdbs to dh.
diff -Nru libcroco-0.6.11/debian/control libcroco-0.6.11/debian/control
--- libcroco-0.6.11/debian/control	2016-09-21 04:15:28.000000000 +0200
+++ libcroco-0.6.11/debian/control	2017-04-23 13:17:31.000000000 +0200
@@ -6,7 +6,7 @@
 Section: libs
 Priority: optional
 Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
-Uploaders: Andreas Henriksson <andreas@fatal.se>, Josselin Mouette <joss@debian.org>, Martin Pitt <mpitt@debian.org>, Michael Biebl <biebl@debian.org>
+Uploaders: Andreas Henriksson <andreas@fatal.se>, Emilio Pozuelo Monfort <pochu@debian.org>, Josselin Mouette <joss@debian.org>, Michael Biebl <biebl@debian.org>
 Build-Depends: debhelper (>= 10),
                gtk-doc-tools,
                gnome-pkg-tools (>= 0.7),
diff -Nru libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch
--- libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcroco-0.6.11/debian/patches/CVE-2017-7960-heap-buffer-overflow.patch	2017-04-23 13:16:44.000000000 +0200
@@ -0,0 +1,58 @@
+From 898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:13:43 +0200
+Subject: input: check end of input before reading a byte
+
+When reading bytes we weren't check that the index wasn't
+out of bound and this could produce an invalid read which
+could deal to a security bug.
+---
+ src/cr-input.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/cr-input.c b/src/cr-input.c
+index 49000b1..3b63a88 100644
+--- a/src/cr-input.c
++++ b/src/cr-input.c
+@@ -256,7 +256,7 @@ cr_input_new_from_uri (const gchar * a_file_uri, enum CREncoding a_enc)
+                  *we should  free buf here because it's own by CRInput.
+                  *(see the last parameter of cr_input_new_from_buf().
+                  */
+-                buf = NULL ;
++                buf = NULL;
+         }
+ 
+  cleanup:
+@@ -404,6 +404,8 @@ cr_input_get_nb_bytes_left (CRInput const * a_this)
+ enum CRStatus
+ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+ {
++        gulong nb_bytes_left = 0;
++
+         g_return_val_if_fail (a_this && PRIVATE (a_this)
+                               && a_byte, CR_BAD_PARAM_ERROR);
+ 
+@@ -413,6 +415,12 @@ cr_input_read_byte (CRInput * a_this, guchar * a_byte)
+         if (PRIVATE (a_this)->end_of_input == TRUE)
+                 return CR_END_OF_INPUT_ERROR;
+ 
++        nb_bytes_left = cr_input_get_nb_bytes_left (a_this);
++
++        if (nb_bytes_left < 1) {
++                return CR_END_OF_INPUT_ERROR;
++        }
++
+         *a_byte = PRIVATE (a_this)->in_buf[PRIVATE (a_this)->next_byte_index];
+ 
+         if (PRIVATE (a_this)->nb_bytes -
+@@ -477,7 +485,6 @@ cr_input_read_char (CRInput * a_this, guint32 * a_char)
+                 if (*a_char == '\n') {
+                         PRIVATE (a_this)->end_of_line = TRUE;
+                 }
+-
+         }
+ 
+         return status;
+-- 
+cgit v0.12
+
diff -Nru libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch
--- libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcroco-0.6.11/debian/patches/CVE-2017-7961-double-to-long-check.patch	2017-04-23 13:16:44.000000000 +0200
@@ -0,0 +1,42 @@
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
+Date: Sun, 16 Apr 2017 13:56:09 +0200
+Subject: tknzr: support only max long rgb values
+
+This fixes a possible out of bound when reading rgbs which
+are longer than the support MAXLONG
+---
+ src/cr-tknzr.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
+index 1a7cfeb..1548c35 100644
+--- a/src/cr-tknzr.c
++++ b/src/cr-tknzr.c
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+         status = cr_tknzr_parse_num (a_this, &num);
+         ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++        if (num->val > G_MAXLONG) {
++                status = CR_PARSING_ERROR;
++                goto error;
++        }
++
+         red = num->val;
+         cr_num_destroy (num);
+         num = NULL;
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
+                 status = cr_tknzr_parse_num (a_this, &num);
+                 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
+ 
++                if (num->val > G_MAXLONG) {
++                        status = CR_PARSING_ERROR;
++                        goto error;
++                }
++
+                 PEEK_BYTE (a_this, 1, &next_bytes[0]);
+                 if (next_bytes[0] == '%') {
+                         SKIP_CHARS (a_this, 1);
+-- 
+cgit v0.12
+
diff -Nru libcroco-0.6.11/debian/patches/series libcroco-0.6.11/debian/patches/series
--- libcroco-0.6.11/debian/patches/series	2012-02-10 07:11:51.000000000 +0100
+++ libcroco-0.6.11/debian/patches/series	2017-04-23 13:16:44.000000000 +0200
@@ -0,0 +1,2 @@
+CVE-2017-7960-heap-buffer-overflow.patch
+CVE-2017-7961-double-to-long-check.patch

--- End Message ---

--- Begin Message ---

To: Salvatore Bonaccorso <carnil@debian.org>, 861448-done@bugs.debian.org

Subject: Re: Bug#861448: unblock: libcroco/0.6.11-3

From: Niels Thykier <niels@thykier.net>

Date: Sat, 29 Apr 2017 10:51:00 +0000

Message-id: <fad3e4a8-f89a-10d9-833f-7e3b567301c8@thykier.net>

In-reply-to: <[🔎] 149345633446.7553.8346446825544293413.reportbug@eldamar.local>

References: <[🔎] 149345633446.7553.8346446825544293413.reportbug@eldamar.local>
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package libcroco
> 
> The upload addresses two CVEs, CVE-2017-7960 and the disputed (if it
> security relevant) CVE-2017-7961, both covered via #860961.
> 
> The changelog reads as:
> 
>> libcroco (0.6.11-3) unstable; urgency=medium
>>
>>  * CVE-2017-7960-heap-buffer-overflow.patch:
>>    - CVE-2017-7960: check end of input before reading from buffer.
>>  * CVE-2017-7961-double-to-long-check.patch:
>>    - CVE-2017-7961: check color value before converting to long.
>>  * The above closes: #860961.
>>
>> -- Emilio Pozuelo Monfort <pochu@debian.org>  Sun, 23 Apr 2017 13:17:31 +0200
> 
> and attached is the full debdiff.
> 
> unblock libcroco/0.6.11-3
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels
--- End Message ---

Reply to:

References:
- Bug#861448: unblock: libcroco/0.6.11-3
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Bug#851262: jessie-pu: package transmissionrpc/0.11-1
Next by Date: Bug#861449: marked as done (unblock: radare2/1.1.0+dfsg-5)
Previous by thread: Bug#861448: unblock: libcroco/0.6.11-3
Next by thread: Bug#861449: unblock: radare2/1.1.0+dfsg-5
Index(es):
- Date
- Thread