[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#842013: marked as done (jessie-pu: package potrace/1.12-1+deb8u1)

Your message dated Sat, 14 Jan 2017 12:37:03 +0000
with message-id <1484397423.1091.25.camel@adam-barratt.org.uk>
and subject line Closing requests included in today's point release
has caused the Debian Bug report #842013,
regarding jessie-pu: package potrace/1.12-1+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
842013: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842013
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

I have prepared an upload fixing CVE-2016-8694, CVE-2016-8695,
CVE-2016-8696, CVE-2016-8697, CVE-2016-8698, CVE-2016-8699, CVE-2016-8700,
CVE-2016-8701, CVE-2016-8702, CVE-2016-8703.

Please find the attached debdiff.

- -- 
Cheers,
  Andrew

-----BEGIN PGP SIGNATURE-----

iQExBAEBCAAbBQJYDyGDFBxhbmRyZXdzaEBkZWJpYW4ub3JnAAoJEJ1bI/kYT6UU
dKUH/iQWfyPMdenlZQriv65nCzANS7qmg7Yav+06HuLIbH1MDxiQ5ZNVWuiYOjG2
ZYI90szkknb6936nx2QbMelC8oYZSbOTnMsxauR/3wTXjd71XhU4uPnNtsVgYglu
ZlJ0tn3aWC2PW/ZxC6rHnsP5BOcin5PynMLLPxI/yZ36855gmedJuJxI27sEeXWx
6NU8wiEVuSnieBipy1Lim9G7TLPfe9GugabtYRLJAgDsbTQ8lxZFQWXe9loVZjB/
meZ1fB96f748KbBPCZW3W3CWDVHaavwCfpsh0XpiSb4B3uKc0q0UxVR21ZcG0/iR
K66NT4jeZMM9thHDHXJVaZfIlS4=
=y46j
-----END PGP SIGNATURE-----

diff -Nru potrace-1.12/debian/changelog potrace-1.12/debian/changelog
--- potrace-1.12/debian/changelog	2015-04-12 14:15:25.000000000 +0200
+++ potrace-1.12/debian/changelog	2016-10-25 11:04:34.000000000 +0200
@@ -1,3 +1,13 @@
+potrace (1.12-1+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2016-8694, CVE-2016-8695, CVE-2016-8696,
+        CVE-2016-8697, CVE-2016-8698, CVE-2016-8699,
+        CVE-2016-8700, CVE-2016-8701, CVE-2016-8702,
+        CVE-2016-8703.
+
+ -- Andrew Shadura <andrewsh@debian.org>  Tue, 25 Oct 2016 11:04:34 +0200
+
 potrace (1.12-1) unstable; urgency=high
 
   * New upstream version.
diff -Nru potrace-1.12/debian/patches/CVE-2016-8694.patch potrace-1.12/debian/patches/CVE-2016-8694.patch
--- potrace-1.12/debian/patches/CVE-2016-8694.patch	1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/CVE-2016-8694.patch	2016-10-25 11:04:08.000000000 +0200
@@ -0,0 +1,206 @@
+Author: Peter Selinger <selinger@mathstat.dal.ca>
+Description: Fix CVE-2016-8694.
+Origin: upstream
+
+--- a/src/bitmap.h
++++ b/src/bitmap.h
+@@ -8,6 +8,7 @@
+ #include <string.h>
+ #include <stdlib.h>
+ #include <errno.h>
++#include <stddef.h>
+ 
+ /* The bitmap type is defined in potracelib.h */
+ #include "potracelib.h"
+@@ -28,7 +29,7 @@
+ /* macros for accessing pixel at index (x,y). U* macros omit the
+    bounds check. */
+ 
+-#define bm_scanline(bm, y) ((bm)->map + (ssize_t)(y)*(ssize_t)(bm)->dy)
++#define bm_scanline(bm, y) ((bm)->map + (ptrdiff_t)(y)*(ptrdiff_t)(bm)->dy)
+ #define bm_index(bm, x, y) (&bm_scanline(bm, y)[(x)/BM_WORDBITS])
+ #define bm_mask(x) (BM_HIBIT >> ((x) & (BM_WORDBITS-1)))
+ #define bm_range(x, a) ((int)(x) >= 0 && (int)(x) < (a))
+@@ -57,10 +58,10 @@
+ static inline potrace_bitmap_t *bm_new(int w, int h) {
+   potrace_bitmap_t *bm;
+   int dy = w == 0 ? 0 : (w - 1) / BM_WORDBITS + 1;
+-  ssize_t size = (ssize_t)dy * (ssize_t)h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)dy * (ptrdiff_t)h * (ptrdiff_t)BM_WORDSIZE;
+ 
+   /* check for overflow error */
+-  if (size < 0 || size / h / dy != BM_WORDSIZE) {
++  if (size < 0 || (h != 0 && dy != 0 && size / h / dy != BM_WORDSIZE)) {
+     errno = ENOMEM;
+     return NULL;
+   }
+@@ -83,15 +84,15 @@
+ /* clear the given bitmap. Set all bits to c. */
+ static inline void bm_clear(potrace_bitmap_t *bm, int c) {
+   /* Note: if the bitmap was created with bm_new, then it is
+-     guaranteed that size will fit into the ssize_t type. */
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++     guaranteed that size will fit into the ptrdiff_t type. */
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   memset(bm->map, c ? -1 : 0, size);
+ }
+ 
+ /* duplicate the given bitmap. Return NULL on error with errno set. */
+ static inline potrace_bitmap_t *bm_dup(const potrace_bitmap_t *bm) {
+   potrace_bitmap_t *bm1 = bm_new(bm->w, bm->h);
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h * (ssize_t)BM_WORDSIZE;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h * (ptrdiff_t)BM_WORDSIZE;
+   if (!bm1) {
+     return NULL;
+   }
+@@ -101,8 +102,8 @@
+ 
+ /* invert the given bitmap. */
+ static inline void bm_invert(potrace_bitmap_t *bm) {
+-  ssize_t i;
+-  ssize_t size = (ssize_t)bm->dy * (ssize_t)bm->h;
++  ptrdiff_t i;
++  ptrdiff_t size = (ptrdiff_t)bm->dy * (ptrdiff_t)bm->h;
+ 
+   for (i = 0; i < size; i++) {
+     bm->map[i] ^= BM_ALLBITS;
+--- a/src/bitmap_io.c
++++ b/src/bitmap_io.c
+@@ -4,7 +4,6 @@
+ 
+ 
+ /* Routines for manipulating bitmaps, including reading pbm files. */
+-
+ #include <stdio.h>
+ 
+ #include "bitmap.h"
+@@ -424,6 +423,9 @@
+ /* correct y-coordinate for top-down format */
+ #define ycorr(y) (bmpinfo.topdown ? bmpinfo.h-1-y : y)
+ 
++/* safe colortable access */
++#define COLTABLE(c) ((c) < bmpinfo.ncolors ? coltable[(c)] : 0)
++
+ /* read BMP stream after magic number. Return values as for bm_read.
+    We choose to be as permissive as possible, since there are many
+    programs out there which produce BMP. For instance, ppmtobmp can
+@@ -509,6 +511,10 @@
+     goto format_error;
+   }
+ 
++  if (bmpinfo.comp > 3 || bmpinfo.bits > 32) {
++    goto format_error;
++  }
++
+   /* forward to color table (e.g., if bmpinfo.InfoSize == 64) */
+   TRY(bmp_forward(f, 14+bmpinfo.InfoSize));
+ 
+@@ -598,7 +604,7 @@
+ 	b = bitbuf >> (INTBITS - bmpinfo.bits);
+ 	bitbuf <<= bmpinfo.bits;
+ 	n -= bmpinfo.bits;
+-	BM_UPUT(bm, x, ycorr(y), coltable[b]);
++	BM_UPUT(bm, x, ycorr(y), COLTABLE(b));
+       }
+       TRY(bmp_pad(f));
+     }
+@@ -643,13 +649,14 @@
+   case 0x204:  /* 4-bit runlength compressed encoding (RLE4) */
+     x = 0;
+     y = 0;
++
+     while (1) {
+       TRY_EOF(bmp_readint(f, 1, &b)); /* opcode */
+       TRY_EOF(bmp_readint(f, 1, &c)); /* argument */
+       if (b>0) {
+ 	/* repeat count */
+-	col[0] = coltable[(c>>4) & 0xf];
+-	col[1] = coltable[c & 0xf];
++	col[0] = COLTABLE((c>>4) & 0xf);
++	col[1] = COLTABLE(c & 0xf);
+ 	for (i=0; i<b && x<bmpinfo.w; i++) {
+ 	  if (x>=bmpinfo.w) {
+ 	    x=0;
+@@ -687,7 +694,7 @@
+ 	  if (y>=bmpinfo.h) {
+ 	    break;
+ 	  }
+-	  BM_PUT(bm, x, ycorr(y), coltable[(b>>(4-4*(i&1))) & 0xf]);
++	  BM_PUT(bm, x, ycorr(y), COLTABLE((b>>(4-4*(i&1))) & 0xf));
+ 	  x++;
+ 	}
+ 	if ((c+1) & 2) {
+@@ -714,7 +721,7 @@
+ 	  if (y>=bmpinfo.h) {
+ 	    break;
+ 	  }
+-	  BM_UPUT(bm, x, ycorr(y), coltable[c]);
++	  BM_UPUT(bm, x, ycorr(y), COLTABLE(c));
+ 	  x++;
+ 	}
+       } else if (c == 0) {
+@@ -741,7 +748,7 @@
+           if (y>=bmpinfo.h) {
+             break;
+           }
+-	  BM_PUT(bm, x, ycorr(y), coltable[b]);
++	  BM_PUT(bm, x, ycorr(y), COLTABLE(b));
+ 	  x++;
+ 	}
+ 	if (c & 1) {
+@@ -770,7 +777,7 @@
+  format_error:
+  try_error:
+   free(coltable);
+-  free(bm);
++  bm_free(bm);
+   if (!bm_read_error) {
+     bm_read_error = "invalid bmp file";
+   }
+@@ -778,7 +785,7 @@
+ 
+  std_error:
+   free(coltable);
+-  free(bm);
++  bm_free(bm);
+   return -1;
+ }
+ 
+--- a/src/greymap.c
++++ b/src/greymap.c
+@@ -10,6 +10,7 @@
+ #include <string.h>
+ #include <math.h>
+ #include <errno.h>
++#include <stddef.h>
+ 
+ #include "greymap.h"
+ #include "bitops.h"
+@@ -28,7 +29,7 @@
+    Assumes w, h >= 0. */
+ greymap_t *gm_new(int w, int h) {
+   greymap_t *gm;
+-  ssize_t size = (ssize_t)w * (ssize_t)h * (ssize_t)sizeof(signed short int);
++  ptrdiff_t size = (ptrdiff_t)w * (ptrdiff_t)h * (ptrdiff_t)sizeof(signed short int);
+   
+   /* check for overflow error */
+   if (size < 0 || size / w / h != sizeof(signed short int)) {
+--- a/src/greymap.h
++++ b/src/greymap.h
+@@ -8,6 +8,7 @@
+ 
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <stddef.h>
+ 
+ /* internal format for greymaps. Note: in this format, rows are
+    ordered from bottom to top. The pixels in each row are given from
+@@ -23,7 +24,7 @@
+ /* macros for accessing pixel at index (x,y). Note that the origin is
+    in the *lower* left corner. U* macros omit the bounds check. */
+ 
+-#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ssize_t)(gm)->w])
++#define gm_index(gm, x, y) (&(gm)->map[(x)+(y)*(ptrdiff_t)(gm)->w])
+ #define gm_safe(gm, x, y) ((int)(x)>=0 && (int)(x)<(gm)->w && (int)(y)>=0 && (int)(y)<(gm)->h)
+ #define gm_bound(x, m) ((x)<0 ? 0 : (x)>=(m) ? (m)-1 : (x))
+ #define GM_UGET(gm, x, y) (*gm_index(gm, x, y))
diff -Nru potrace-1.12/debian/patches/series potrace-1.12/debian/patches/series
--- potrace-1.12/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ potrace-1.12/debian/patches/series	2016-10-25 11:03:56.000000000 +0200
@@ -0,0 +1 @@
+CVE-2016-8694.patch

--- End Message ---
--- Begin Message --- 
Version: 8.7

Hi,

Each of these bugs refers to an update that was included in today's 8.7
point release.

Regards,

Adam

--- End Message ---
Reply to: