
Bug#882503: jessie-pu: package sam2p/0.49.2-3



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

sam2p is currently affected by several security issues in Jessie.
Therefore I would like to update the package. I have contacted the
security team but they don't intend to release a DSA. Please find
attached the debdiff.

Regards,

Markus
diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog
--- sam2p-0.49.2/debian/changelog	2014-08-31 18:31:23.000000000 +0200
+++ sam2p-0.49.2/debian/changelog	2017-11-22 21:39:20.000000000 +0100
@@ -1,3 +1,14 @@
+sam2p (0.49.2-3+deb8u1) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2017-14628, CVE-2017-14629, CVE-2017-14630, CVE-2017-14631,
+    CVE-2017-14636, CVE-2017-14637, CVE-2017-16663:
+    Several integer overflow or heap-based buffer overflow issues were
+    discovered in sam2p that may lead to an application crash or other
+    unspecified impact.
+
+ -- Markus Koschany <apo@debian.org>  Wed, 22 Nov 2017 21:39:20 +0100
+
 sam2p (0.49.2-3) unstable; urgency=medium
 
   * debian/sam2p.1: correct the documentation of -m:dpi:RES and document
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14628.patch sam2p-0.49.2/debian/patches/CVE-2017-14628.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14628.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14628.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,33 @@
+---
+ in_pcx.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index e65a6b8..592b678 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -355,7 +355,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+   
+   w = pinfo->w;  h = pinfo->h;
+   
+-  planes = (int) hdr[PCX_PLANES];
++  planes = (unsigned) hdr[PCX_PLANES];
+   bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+   
+   /* allocate 24-bit image */
+@@ -379,6 +379,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+       if (c == EOF) { MACRO_GETC(fp); break; }
+     }
+     else cnt = 1;
++    if (cnt > nbytes) FatalError("Repeat count too large.");
+     
+ #if 0 /**** pts ****/
+     if (c > maxv)  maxv = c;
+@@ -403,6 +404,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+       }
+     }
+   }
++  if (nbytes != 0) pcxError(0, "Image data truncated.");
+   
+   
+ #if 0 /**** pts ****/  
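Review bot: The result of `pcxError(0, "Image data truncated.")` in the last in_pcx.cpp hunk is discarded, so whether a truncated file stops the load depends entirely on pcxError's definition, which is outside this patch; the repeat-count check one hunk earlier uses `FatalError` for the same class of malformed input. If pcxError only reports, pcxLoadImage24 carries on and hands back a partially filled buffer, which is worth stating next to the check, e.g. `/* truncated input: remaining pixels stay zero unless pcxError aborts */`. The `cnt > nbytes` guard bounds a run by the remaining encoded byte count rather than by the size of the destination buffer, so it is only as good as the computation of `nbytes`, which is not overflow-checked until CVE-2017-14630.patch wraps it in `multiply_check`. pcxLoadImage24's body begins and ends outside these hunks.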
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14629.patch sam2p-0.49.2/debian/patches/CVE-2017-14629.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14629.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14629.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,40 @@
+---
+ in_xpm.cpp | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/in_xpm.cpp b/in_xpm.cpp
+index dce69bf..33bda0f 100644
+--- a/in_xpm.cpp
++++ b/in_xpm.cpp
+@@ -285,14 +285,14 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD *ufd, SimBuffer::Flat co
+     memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=-1 */
+     for (i=0,p=tab; (unsigned)i<colors; i++, p+=2) {
+       iimg->setPal(i, rgb[i]);
+-      bin[(p[0]<<8)+p[1]]=i;
++      bin[(((unsigned char*)p)[0]<<8)+((unsigned char*)p)[1]]=i;
+     }
+     assert(p==pend);
+     while (ht--!=0) {
+       tok.getComma();
+       for (p=outbuf+ret->getRlen(); outbuf!=p; ) {
+         tok.readInStr(pend,2);
+-        if ((s=bin[(pend[0]<<8)+pend[1]])<0) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0;
++        if ((s=bin[(((unsigned char*)pend)[0]<<8)+((unsigned char*)pend)[1]])<0) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0;
+         *outbuf++=s;
+       }
+     }
+@@ -301,12 +301,12 @@ static Image::Sampled *in_xpm_reader(Image::Loader::UFD *ufd, SimBuffer::Flat co
+     Image::Sampled::rgb_t rgb1;
+     unsigned short *bin=new unsigned short[65536], s;
+     memset(bin, 255, sizeof(*bin) * 65536); /* Make bin[*]=max */
+-    for (i=0,p=tab; (unsigned)i<colors; i++, p+=2) bin[(p[0]<<8)+p[1]]=i;
++    for (i=0,p=tab; (unsigned)i<colors; i++, p+=2) bin[(((unsigned char*)p)[0]<<8)+((unsigned char*)p)[1]]=i;
+     while (ht--!=0) {
+       tok.getComma();
+       for (p=outbuf+ret->getRlen(); outbuf!=p; ) {
+         tok.readInStr(pend,2);
+-        if ((s=bin[(pend[0]<<8)+pend[1]])==(unsigned short)-1) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0;
++        if ((s=bin[(((unsigned char*)pend)[0]<<8)+((unsigned char*)pend)[1]])==(unsigned short)-1) Error::sev(Error::EERROR) << "XPM: unpaletted color" << (Error*)0;
+         *outbuf++=(rgb1=rgb[s])>>16;
+         *outbuf++=rgb1>>8;
+         *outbuf++=rgb1;
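Review bot: The 16-bit lookup key is now built with the same pair of `(unsigned char*)` casts at four separate sites, so the next lookup added to in_xpm_reader can easily reintroduce a plain `char` index into `bin`. A single file-local helper would keep the conversion in one place, for example `static inline unsigned xpm_key2(char const *q) { return ((unsigned char)q[0] << 8) | (unsigned char)q[1]; }`, with each site reading `bin[xpm_key2(p)]` or `bin[xpm_key2(pend)]`. The pointer cast as written also drops any const qualifier on `p` and `pend`, whose declarations are outside these hunks. in_xpm_reader begins and ends outside the hunks.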
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14630.patch sam2p-0.49.2/debian/patches/CVE-2017-14630.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14630.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14630.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,177 @@
+---
+ image.cpp  | 36 ++++++++++++++++++++++++++++++++++--
+ in_pcx.cpp | 41 ++++++++++++++++++++++++++++-------------
+ 2 files changed, 62 insertions(+), 15 deletions(-)
+
+diff --git a/image.cpp b/image.cpp
+index 5238fd7..45762c2 100644
+--- a/image.cpp
++++ b/image.cpp
+@@ -105,6 +105,36 @@ char const *Image::Sampled::cs2devcs(unsigned char cs) {
+   return cs>=1 && cs<=5 ? names[cs] : (char*)NULLP;
+ }
+ 
++static void fatal_image_too_large() {
++  Error::sev(Error::EERROR) << "Image: Image too large." << (Error*)0;
++}
++
++static slen_t multiply_check(slen_t a, slen_t b) {
++  const slen_t result = a * b;
++  /* Check for overflow. Works only if everything is unsigned. */
++  if (result / a != b) fatal_image_too_large();
++  return result;
++}
++
++static slen_t multiply_check(slen_t a, slen_t b, slen_t c) {
++  return multiply_check(multiply_check(a, b), c);
++}
++
++static slen_t add_check(slen_t a, slen_t b) {
++  /* Check for overflow. Works only if everything is unsigned. */
++  if (b > (slen_t)-1 - a) fatal_image_too_large();
++  return a + b;
++}
++
++#if 0
++static slen_t add_check(slen_t a, slen_t b, slen_t c) {
++  return add_check(add_check(a, b), c);
++}
++#endif
++
++static slen_t add_check(slen_t a, slen_t b, slen_t c, slen_t d) {
++  return add_check(add_check(a, b), add_check(c, d));
++}
+ 
+ void Image::Sampled::init(slen_t l_comment, slen_t l_header, dimen_t wd_, dimen_t ht_,
+   /* ^^^ 24 is required for /Transparent in out_tiff_work */
+@@ -117,8 +147,10 @@ void Image::Sampled::init(slen_t l_comment, slen_t l_header, dimen_t wd_, dimen_
+   cpp=cpp_;
+   // pred=1;
+   transpc=0x1000000UL; /* Dat: this means: no transparent color */
+-  rlen=(((rlen_t)bpc_)*cpp_*wd_+7)>>3;
+-  beg=new char[len=l_comment+l_header+rlen*ht_+PADDING];
++  const slen_t rlens = add_check(multiply_check(bpc_, cpp_, wd_), 7) >> 3;
++  rlen = rlens;
++  if (rlen != rlens) fatal_image_too_large();
++  beg=new char[len=add_check(l_comment, l_header, multiply_check(rlen, ht_), bpc)];
+   rowbeg=(headp=const_cast<char*>(beg)+l_comment)+l_header;
+   trail=const_cast<char*>(beg)+len-bpc;
+ }
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index 592b678..a64be49 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -27,6 +27,7 @@
+ #define return_pcxError(bname, conststr) Error::sev(Error::EERROR) << "PCX: " conststr << (Error*)0
+ #define byte unsigned char
+ #define size_t slen_t
++#define PCX_SIZE_T slen_t
+ #define malloc_byte(n) new byte[n]
+ #define free(p) delete p
+ #define DEBUG 1
+@@ -108,6 +109,16 @@ static void pcxLoadRaster  PARM((FILE *, byte *, int, byte *, dimen, dimen));
+ static int  pcxError       PARM((char *, char *));
+ #endif
+ 
++static PCX_SIZE_T multiply_check(PCX_SIZE_T a, PCX_SIZE_T b) {
++  const PCX_SIZE_T result = a * b;
++  /* Check for overflow. Works only if everything is unsigned. */
++  if (result / a != b) FatalError("Image too large.");
++  return result;
++}
++
++static PCX_SIZE_T multiply_check(PCX_SIZE_T a, PCX_SIZE_T b, PCX_SIZE_T c) {
++  return multiply_check(multiply_check(a, b), c);
++}
+ 
+ /*******************************************/
+ static Image::Sampled *LoadPCX
+@@ -197,12 +208,12 @@ static Image::Sampled *LoadPCX
+     Image::Indexed *img=new Image::Indexed(pinfo->w, pinfo->h, colors, 8);
+     pinfo->pal=(byte*)img->getHeadp();
+     ASSERT_SIDE(pcxLoadImage8((char*)NULLP/*bname*/, fp, pinfo, hdr));
+-    memcpy(img->getRowbeg(), pinfo->pic, pinfo->w*pinfo->h);
++    memcpy(img->getRowbeg(), pinfo->pic, multiply_check(pinfo->w, pinfo->h));
+     ret=img;
+   } else {
+     Image::RGB *img=new Image::RGB(pinfo->w, pinfo->h, 8);
+     ASSERT_SIDE(pcxLoadImage24((char*)NULLP/*bname*/, fp, pinfo, hdr));
+-    memcpy(img->getRowbeg(), pinfo->pic, pinfo->w*pinfo->h*3);
++    memcpy(img->getRowbeg(), pinfo->pic, multiply_check(pinfo->w, pinfo->h, 3));
+     ret=img;
+   }
+   free(pinfo->pic);
+@@ -304,8 +315,6 @@ static Image::Sampled *LoadPCX
+   return ret;
+ }
+ 
+-
+-
+ /*****************************/
+ static int pcxLoadImage8 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr), (fname, fp, pinfo, hdr),
+     (char    *fname;
+@@ -318,11 +327,10 @@ static int pcxLoadImage8 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr),
+   
+   byte *image;
+   
+-  /* note:  overallocation to make life easier... */
+-  image = (byte *) malloc_byte((size_t) (pinfo->h + 1) * pinfo->w + 16);
++  image = (byte *) malloc_byte(multiply_check(pinfo->h, pinfo->w));
+   if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
+   
+-  xvbzero((char *) image, (size_t) ((pinfo->h+1) * pinfo->w + 16));
++  xvbzero((char *) image, multiply_check(pinfo->h, pinfo->w));
+   
+   switch (hdr[PCX_BPP]) {
+   case 1: case 2: case 4: case 8: pcxLoadRaster(fp, image, hdr[PCX_BPP], hdr, pinfo->w, pinfo->h);   break;
+@@ -359,10 +367,17 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+   bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+   
+   /* allocate 24-bit image */
+-  pic24 = (byte *) malloc_byte((size_t) w*h*planes);
++  const PCX_SIZE_T alloced = multiply_check(w, h, planes);
++  const PCX_SIZE_T w_planes = multiply_check(w, planes);
++  pic24 = (byte *) malloc_byte(alloced);
++
+   if (!pic24) FatalError("couldn't malloc 'pic24'");
+   
+-  xvbzero((char *) pic24, (size_t) w*h*planes);
++  /* This may still fail with a segfault for large values of alloced, even
++   * if malloc_byte has succeeded.
++   */
++  xvbzero((char *) pic24, alloced);
++  fprintf(stderr, "AAA3\n");
+   
+ #if 0 /**** pts ****/
+   maxv = 0;
+@@ -370,7 +385,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+   pix = pinfo->pic = pic24;
+   i = 0;      /* planes, in this while loop */
+   j = 0;      /* bytes per line, in this while loop */
+-  nbytes = bperlin*h*planes;
++  nbytes = multiply_check(bperlin, h, planes);
+  
+   while (nbytes > 0 && (c = MACRO_GETC(fp)) != EOF) {
+     if (c>=0xC0) {   /* have a rep. count */
+@@ -395,10 +410,10 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+       if (j == bperlin) {
+ 	j = 0;
+ 	if (++i < planes) {
+-	  pix -= (w*planes)-1;  /* next plane on this line */
++	  pix -= w_planes-1;  /* next plane on this line */
+ 	}
+ 	else {
+-	  pix -= (planes-1);    /* start of next line, first plane */
++	  pix -= planes-1;    /* start of next line, first plane */
+ 	  i = 0;
+ 	}
+       }
+@@ -415,7 +430,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+     
+     for (i=0, pix=pic24; i<h; i++) {
+       if ((i&0x3f)==0) WaitCursor();
+-      for (j=0; j<w*planes; j++, pix++) *pix = scale[*pix];
++      for (j=0; j<w_planes; j++, pix++) *pix = scale[*pix];
+     }
+   }
+ #endif
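Review bot: `multiply_check` divides by its first operand without testing it, so `result / a` is a division by zero whenever `a` is 0 — reachable in image.cpp through `multiply_check(rlen, ht_)` if the row length is zero, and in in_pcx.cpp through `multiply_check(pinfo->h, pinfo->w)` if a header yields a zero height; whether callers exclude zero dimensions is not visible here. The guard should read `if (a != 0 && result / a != b)` in both copies in this patch and in the third copy that CVE-2017-16663.patch adds to input-bmp.ci. Separately, `fprintf(stderr, "AAA3\n");` after the `xvbzero` call in pcxLoadImage24 looks like a leftover debug trace and should be dropped before the upload. The pcxLoadImage8 hunk also removes the `(h + 1) * w + 16` over-allocation; pcxLoadRaster's write pattern is outside the patch, so it is worth confirming that it never relied on that slack.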
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14631.patch sam2p-0.49.2/debian/patches/CVE-2017-14631.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14631.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14631.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,56 @@
+---
+ in_pcx.cpp | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index a64be49..f04e4c1 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -171,11 +171,11 @@ static Image::Sampled *LoadPCX
+     return_pcxError(bname,"unrecognized magic number");
+   }
+ 
+-  pinfo->w = (hdr[PCX_XMAXL] + ((int) hdr[PCX_XMAXH]<<8)) 
+-           - (hdr[PCX_XMINL] + ((int) hdr[PCX_XMINH]<<8));
++  pinfo->w = (hdr[PCX_XMAXL] + ((dimen) hdr[PCX_XMAXH]<<8))
++           - (hdr[PCX_XMINL] + ((dimen) hdr[PCX_XMINH]<<8));
+ 
+-  pinfo->h = (hdr[PCX_YMAXL] + ((int) hdr[PCX_YMAXH]<<8)) 
+-           - (hdr[PCX_YMINL] + ((int) hdr[PCX_YMINH]<<8));
++  pinfo->h = (hdr[PCX_YMAXL] + ((dimen) hdr[PCX_YMAXH]<<8))
++           - (hdr[PCX_YMINL] + ((dimen) hdr[PCX_YMINH]<<8));
+ 
+   pinfo->w++;  pinfo->h++;
+ 
+@@ -188,7 +188,7 @@ static Image::Sampled *LoadPCX
+ 	    pinfo->w, pinfo->h, hdr[PCX_VER], hdr[PCX_ENC]);
+     fprintf(stderr,"   BitsPerPixel=%d, planes=%d, BytePerRow=%d, colors=%d\n",
+ 	    hdr[PCX_BPP], hdr[PCX_PLANES], 
+-	    hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8),
++	    hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8),
+ 	    colors);
+   }
+ #endif
+@@ -364,7 +364,7 @@ static int pcxLoadImage24 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr)
+   w = pinfo->w;  h = pinfo->h;
+   
+   planes = (unsigned) hdr[PCX_PLANES];
+-  bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
++  bperlin = hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8);
+   
+   /* allocate 24-bit image */
+   const PCX_SIZE_T alloced = multiply_check(w, h, planes);
+@@ -453,9 +453,10 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+   int b;
+   byte *oldimage;
+ 
+-  bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+-  if (depth == 1) pad = (bperlin * 8) - w;
+-             else pad = bperlin - w;
++  bperlin = hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8);
++  pad = (depth == 1) ? bperlin * 8 : bperlin;
++  if (pad < w) FatalError("pad too small");
++  pad -= w;
+ 
+   row = bcnt = 0;
+ 
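Review bot: With the casts changed to `dimen`, `pinfo->w` and `pinfo->h` are computed as max minus min with no ordering check visible in the LoadPCX hunk, so a header whose XMIN exceeds XMAX (or YMIN exceeds YMAX) wraps to a very large dimension if `dimen` is unsigned, as the cast suggests; its definition is outside the patch. The multiply_check calls added earlier in the series reject products that overflow, but a wrapped value that still fits becomes a very large allocation request, so rejecting the header up front is cleaner, e.g. `if (xmax < xmin || ymax < ymin) return_pcxError(bname, "bad image bounds");` after reading the four coordinates into locals (names here are illustrative). In the debug `fprintf`, the `%d` conversion is now paired with a `dimen` expression and should be checked against the actual type. LoadPCX and pcxLoadRaster both continue outside these hunks.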
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14636.patch sam2p-0.49.2/debian/patches/CVE-2017-14636.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14636.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14636.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,16 @@
+---
+ image.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/image.cpp b/image.cpp
+index e921fde..5238fd7 100644
+--- a/image.cpp
++++ b/image.cpp
+@@ -715,6 +715,7 @@ void Image::Indexed::sortPal() {
+   unsigned ncols = getNcols(), i;
+   assert(transp == -1 || transp + 0U == ncols - 1);
+   assert(ncols <= 256);
++  if (ncols == 0) return;  /* Safe if ncols == 0 and transp == -1. */
+   if (transp + 0U == ncols - 1) --ncols;
+   if (ncols <= 1) return;
+   #if SIZEOF_SHORT>=4
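Review bot: The comment on the new early return, `/* Safe if ncols == 0 and transp == -1. */`, does not say what the return protects against. Assuming `transp` is an int, `ncols == 0` with `transp == -1` makes both sides of `transp + 0U == ncols - 1` wrap to the same unsigned value, so the next line's `--ncols` would underflow; a comment such as `/* ncols == 0 with transp == -1 would pass the test below and underflow --ncols */` records that. The two `assert`s above it are the only range checks on `ncols` in this hunk and disappear in builds with NDEBUG defined. sortPal's body continues outside the hunk.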
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-14637.patch sam2p-0.49.2/debian/patches/CVE-2017-14637.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-14637.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-14637.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,28 @@
+---
+ cols2.pl | 2 +-
+ xpmc.h   | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/cols2.pl b/cols2.pl
+index b1a343a..b6f09cc 100644
+--- a/cols2.pl
++++ b/cols2.pl
+@@ -272,7 +272,7 @@ sub hash0($) {
+   push @{$P[$N]}, $_[0];
+ }
+ 
+-@P=();
++@P=(undef)x1109;
+ for (@L) { hash0($_); }
+ # my $S="";
+ # die @P;
+diff --git a/xpmc.h b/xpmc.h
+index 1960e48..1b965fb 100644
+--- a/xpmc.h
++++ b/xpmc.h
+@@ -1,4 +1,4 @@
+ #define xpmColors_mul 95
+ #define xpmColors_mod 1109
+-unsigned short xpmColors_ofs[]={0,0,0,1,0,0,0,0,0,0,0,0,15,0,43,0,0,0,0,0,0,0,65,0,0,0,84,0,0,0,0,0,96,0,0,0,0,0,0,0,113,0,0,0,0,0,0,0,0,0,0,129,140,151,162,173,199,210,221,232,243,0,254,0,0,0,0,268,0,0,0,0,282,0,0,0,0,0,0,0,0,0,0,0,0,0,0,296,0,310,0,0,0,0,0,0,0,0,0,0,0,0,0,329,0,0,0,0,0,0,0,0,343,352,0,0,0,0,0,0,368,0,0,0,0,0,0,0,0,0,0,0,0,0,382,0,0,0,0,0,0,0,0,0,0,0,391,402,413,424,435,446,457,468,479,490,0,0,0,0,0,0,0,0,0,501,0,516,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,525,0,0,0,0,0,0,540,0,557,0,0,0,568,0,0,576,0,0,0,0,0,0,0,0,0,0,594,0,0,0,0,0,607,0,0,0,0,0,0,0,0,0,0,0,0,0,0,623,634,645,656,667,678,689,700,711,722,0,0,733,0,0,0,743,0,0,0,0,0,0,0,0,0,0,0,0,763,0,0,0,0,771,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,785,0,0,0,794,0,0,0,0,0,0,0,0,806,816,0,0,0,0,833,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,842,853,864,875,886,897,908,919,930,941,0,952,0,0,0,0,0,966,0,0,0,0,0,0,0,0,0,980,0,0,0,0,0,0,989,0,0,1011,0,1026,0,0,0,0,0,0,0,0,0,1041,1056,0,0,1066,0,0,0,0,0,1075,109
 0,0,1106,0,1120,0,0,0,1134,0,0,0,0,0,1148,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1167,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1180,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1199,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1214,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1228,0,0,0,0,0,0,1241,1255,0,0,0,0,1265,1279,0,0,0,0,0,0,0,0,0,1293,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1312,0,0,0,0,0,0,0,0,0,0,0,0,0,1324,0,1333,0,1345,0,0,0,0,0,0,0,0,0,0,1359,0,0,0,1370,0,0,0,0,1387,1405,0,0,1418,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1436,0,0,0,1450,0,0,0,1461,0,0,0,0,1482,0,1497,0,0,0,0,0,0,0,1511,0,0,0,0,0,0,0,0,0,1527,0,0,0,0,0,0,0,0,0,1541,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1560,1571,1582,1593,1604,1615,1626,1637,1648,1659,0,0,0,0,0,0,0,0,0,0,0,1670,0,0,1685,0,0,0,0,0,1699,0,0,0,0,0,0,0,1710,0,0,0,0,0,0,1721,0,0,0,0,0,0,0,0,0,0,0,1739,1748,0,0,0,0,0,0,1758,0,1776,0,1788,0,0,0,0,0,0,0,0,0,1806,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1831,1857,1868,1879,1890,1901,1912,1923,1934,1945,0,0,0,0,0,0,0,1956,0,0,
 0,0,0,0,0,0,0,0,0,0,0,1969,0,0,0,0,0,0,0,1979,0,0,0,0,0,0,1994,0,2004,0,0,0,0,0,2015,0,0,0,0,0,0,0,0,0,0,0,0,2033,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2049,0,0,0,0,2067,2078,2089,2100,2111,2122,2133,2144,2155,2166,0,0,0,0,2177,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2190,2209,2225,0,0,0,0,0,0,0,2241,0,2256,0,0,0,0,2267,0,2286,0,2297,0,0,0,0,0,0,0,0,0,0,0,2312,0,0,0,0,0,0,0,0,0,0,0,0,2328,0,0,0,0,0,0,0,0,0,0,2340,0,0,0,2358,0,0,0,2372,2383,2394,2405,2432,2443,2464,2488,2499,2510,2521,2538,0,0,0,0,0,0,0,2558,2568,0,0,0,0,0,0,0,0,0,0,2583,0,0,0,2603,0,0,0,0,0,0,2623,0,0,0,2635,0,2649,0,0,0,2663,2673,2683,2693,2703,2713,2723,2733,2743,2753,0,0,0,0,0,0,2763,2777,0,0,0,0,2790,2809,0,0,0,0,2826,0,2841,2851,0,0,0,0,0,0,0,0,0,0,0,2862,2873,2884,2895,2906,2917,2928,2939,2950,2961,0,2972,0,0,2981,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2994,};
++unsigned short xpmColors_ofs[]={0,0,0,1,0,0,0,0,0,0,0,0,15,0,43,0,0,0,0,0,0,0,65,0,0,0,84,0,0,0,0,0,96,0,0,0,0,0,0,0,113,0,0,0,0,0,0,0,0,0,0,129,140,151,162,173,199,210,221,232,243,0,254,0,0,0,0,268,0,0,0,0,282,0,0,0,0,0,0,0,0,0,0,0,0,0,0,296,0,310,0,0,0,0,0,0,0,0,0,0,0,0,0,329,0,0,0,0,0,0,0,0,343,352,0,0,0,0,0,0,368,0,0,0,0,0,0,0,0,0,0,0,0,0,382,0,0,0,0,0,0,0,0,0,0,0,391,402,413,424,435,446,457,468,479,490,0,0,0,0,0,0,0,0,0,501,0,516,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,525,0,0,0,0,0,0,540,0,557,0,0,0,568,0,0,576,0,0,0,0,0,0,0,0,0,0,594,0,0,0,0,0,607,0,0,0,0,0,0,0,0,0,0,0,0,0,0,623,634,645,656,667,678,689,700,711,722,0,0,733,0,0,0,743,0,0,0,0,0,0,0,0,0,0,0,0,763,0,0,0,0,771,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,785,0,0,0,794,0,0,0,0,0,0,0,0,806,816,0,0,0,0,833,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,842,853,864,875,886,897,908,919,930,941,0,952,0,0,0,0,0,966,0,0,0,0,0,0,0,0,0,980,0,0,0,0,0,0,989,0,0,1011,0,1026,0,0,0,0,0,0,0,0,0,1041,1056,0,0,1066,0,0,0,0,0,1075,109
 0,0,1106,0,1120,0,0,0,1134,0,0,0,0,0,1148,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1167,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1180,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1199,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1214,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1228,0,0,0,0,0,0,1241,1255,0,0,0,0,1265,1279,0,0,0,0,0,0,0,0,0,1293,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1312,0,0,0,0,0,0,0,0,0,0,0,0,0,1324,0,1333,0,1345,0,0,0,0,0,0,0,0,0,0,1359,0,0,0,1370,0,0,0,0,1387,1405,0,0,1418,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1436,0,0,0,1450,0,0,0,1461,0,0,0,0,1482,0,1497,0,0,0,0,0,0,0,1511,0,0,0,0,0,0,0,0,0,1527,0,0,0,0,0,0,0,0,0,1541,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1560,1571,1582,1593,1604,1615,1626,1637,1648,1659,0,0,0,0,0,0,0,0,0,0,0,1670,0,0,1685,0,0,0,0,0,1699,0,0,0,0,0,0,0,1710,0,0,0,0,0,0,1721,0,0,0,0,0,0,0,0,0,0,0,1739,1748,0,0,0,0,0,0,1758,0,1776,0,1788,0,0,0,0,0,0,0,0,0,1806,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1831,1857,1868,1879,1890,1901,1912,1923,1934,1945,0,0,0,0,0,0,0,1956,0,0,
 0,0,0,0,0,0,0,0,0,0,0,1969,0,0,0,0,0,0,0,1979,0,0,0,0,0,0,1994,0,2004,0,0,0,0,0,2015,0,0,0,0,0,0,0,0,0,0,0,0,2033,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2049,0,0,0,0,2067,2078,2089,2100,2111,2122,2133,2144,2155,2166,0,0,0,0,2177,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2190,2209,2225,0,0,0,0,0,0,0,2241,0,2256,0,0,0,0,2267,0,2286,0,2297,0,0,0,0,0,0,0,0,0,0,0,2312,0,0,0,0,0,0,0,0,0,0,0,0,2328,0,0,0,0,0,0,0,0,0,0,2340,0,0,0,2358,0,0,0,2372,2383,2394,2405,2432,2443,2464,2488,2499,2510,2521,2538,0,0,0,0,0,0,0,2558,2568,0,0,0,0,0,0,0,0,0,0,2583,0,0,0,2603,0,0,0,0,0,0,2623,0,0,0,2635,0,2649,0,0,0,2663,2673,2683,2693,2703,2713,2723,2733,2743,2753,0,0,0,0,0,0,2763,2777,0,0,0,0,2790,2809,0,0,0,0,2826,0,2841,2851,0,0,0,0,0,0,0,0,0,0,0,2862,2873,2884,2895,2906,2917,2928,2939,2950,2961,0,2972,0,0,2981,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2994,0,0,0,0,0,0,0,0,0,0,0,};
+ char xpmColors_dat[]="\000LawnGreen\000|\374\000\000SlateGray\000p\200\220WhiteSmoke\000\365\365\365\000MediumForestGreen\000""2\201K\000LightSlateGray\000w\210\231\000Magenta\000\377\000\377\000DarkSeaGreen\000\217\274\217\000ForestGreen\000P\237i\000Gray60\000\231\231\231\000Gray61\000\234\234\234\000Gray62\000\236\236\236\000Gray63\000\241\241\241\000GreenYellow\000\255\377/Gray64\000\243\243\243\000Gray65\000\246\246\246\000Gray66\000\250\250\250\000Gray67\000\253\253\253\000Gray68\000\255\255\255\000Gray69\000\260\260\260\000PaleGreen\000s\336x\000chocolate\000\322i\036\000DarkKhaki\000\275\267k\000PeachPuff\000\377\332\271\000DarkOliveGreen\000UV/\000LightCyan\000\340\377\377\000Blue\000\000\000\377\000NavajoWhite\000\377\336\255\000AliceBlue\000\360\370\377\000Gold\000\332\252\000\000Gray70\000\263\263\263\000Gray71\000\265\265\265\000Gray72\000\270\270\270\000Gray73\000\272\272\272\000Gray74\000\275\275\275\000Gray75\000\277\277\277\000Gray76\000\302\302\302\000Gray77\000\3
 04\304\304\000Gray78\000\307\307\307\000Gray79\000\311\311\311\000GhostWhite\000\370\370\377\000peru\000\315\205?\000DarkSalmon\000\351\226z\000MidnightBlue\000//d\000Salmon\000\351\226z\000Tan\000\336\270\207\000DarkSlateGray\000/OO\000moccasin\000\377\344\265\000LightYellow\000\377\377\340\000Gray80\000\314\314\314\000Gray81\000\317\317\317\000Gray82\000\321\321\321\000Gray83\000\324\324\324\000Gray84\000\326\326\326\000Gray85\000\331\331\331\000Gray86\000\333\333\333\000Gray87\000\336\336\336\000Gray88\000\340\340\340\000Gray89\000\343\343\343\000Azure\000\360\377\377\000MediumSlateBlue\000jj\215\000Red\000\377\000\000\000VioletRed\000\363>\226\000Plum\000\305H\233\000SkyBlue\000r\237\377\000linen\000\372\360\346\000AntiqueWhite\000\372\353\327\000Navy\000##u\000Gray90\000\345\345\345\000Gray91\000\350\350\350\000Gray92\000\353\353\353\000Gray93\000\355\355\355\000Gray94\000\360\360\360\000Gray95\000\362\362\362\000Gray96\000\365\365\365\000Gray97\000\367\367\367\000Gray98\000\37
 2\372\372\000Gray99\000\374\374\374\000OliveDrab\000k\216#\000LightBlue\000\260\342\377\000None\000\003\002\001\000MediumSpringGreen\000#\216#\000BlueViolet\000\212+\342\000MediumBlue\000""22\314\000PapayaWhip\000\377\357\325\000Brown\000\245**\000Pink\000\377\265\305\000chartreuse\000\177\377\000\000SpringGreen\000A\254A\000RoyalBlue\000Ai\341\000Goldenrod\000\357\337\204\000Turquoise\000\031\314\337\000LightGoldenrod\000\356\335\202\000NavyBlue\000##u\000MediumSeaGreen\000""4wf\000PowderBlue\000\260\340\346\000LimeGreen\000\000\257\024\000honeydew\000\360\377\360\000LightPink\000\377\266\301\000ivory\000\377\377\360\000OrangeRed\000\377E\000\000SteelBlue\000Tp\252\000LightSteelBlue\000|\230\323\000Gray100\000\377\377\377\000Gray\000~~~\000DimGray\000TTT\000gainsboro\000\334\334\334\000tomato\000\377cG\000LemonChiffon\000\377\372\315\000DarkGoldenrod\000\270\206\013\000SeaGreen\000R\225\204\000DarkTurquoise\000\000\246\246\000Firebrick\000\216##\000Yellow\000\377\377\000\000MediumA
 quamarine\000\000\223\217\000DodgerBlue\000\036\220\377\000CadetBlue\000_\222\236\000YellowGreen\000""2\330""8\000SlateBlue\000~\210\253\000LightSlateBlue\000\204p\377\000Gray10\000\032\032\032\000Gray11\000\034\034\034\000Gray12\000\037\037\037\000Gray13\000!!!\000Gray14\000$$$\000Gray15\000&&&\000Gray16\000)))\000Gray17\000+++\000Gray18\000...\000Gray19\000""000\000DarkOrange\000\377\214\000\000LightGray\000\250\250\250\000Orange\000\377\207\000\000Sienna\000\226R-\000PaleVioletRed\000\333p\223\000snow\000\377\372\372\000Coral\000\377rV\000PaleGoldenrod\000\356\350\252\000OldLace\000\375\365\346\000PaleTurquoise\000\257\356\356\000LightGoldenrodYellow\000\372\372\322\000DeepSkyBlue\000\000\277\377Gray20\000""333\000Gray21\000""666\000Gray22\000""888\000Gray23\000;;;\000Gray24\000===\000Gray25\000@@@\000Gray26\000BBB\000Gray27\000EEE\000Gray28\000GGG\000Gray29\000JJJ\000seashell\000\377\365\356\000Black\000\000\000\000\000DarkViolet\000\224\000\323\000Wheat\000\365\336\263\000Viole
 t\000\234>\316\000LightSeaGreen\000\040\262\252\000FloralWhite\000\377\372\360\000LavenderBlush\000\377\360\365\000Gray30\000MMM\000Gray31\000OOO\000Gray32\000RRR\000Gray33\000TTT\000Gray34\000WWW\000Gray35\000YYY\000Gray36\000\\\\\\\000Gray37\000^^^\000Gray38\000aaa\000Gray39\000ccc\000DeepPink\000\377\024\223\000Green\000\000\377\000White\000\377\377\377\000LightSalmon\000\377\240z\000Transparent\000\000\000\001\000DarkOrchid\000\213\040\213\000purple\000\240\040\360\000BlanchedAlmond\000\377\353\315\000Orchid\000\357\204\357\000LightCoral\000\360\200\200\000SaddleBrown\000\213E\023\000Thistle\000\330\277\330\000DarkSlateBlue\000""8Kf\000burlywood\000\336\270\207\000Gray40\000fff\000Gray41\000iii\000Gray42\000kkk\000MediumPurple\000\223p\333Gray43\000nnn\000Gray44\000ppp\000Maroon\000\217\000RGray45\000sss\000IndianRed\000k99Gray46\000uuu\000Gray47\000xxx\000Gray48\000zzz\000Gray49\000}}}\000MediumOrchid\000\275R\275\000MediumVioletRed\000\325\040y\000Khaki\000\263\263~\000SandyBr
 own\000\364\244`\000MediumGoldenrod\000\321\301f\000MediumTurquoise\000\000\322\322\000HotPink\000\377i\264\000MistyRose\000\377\344\341\000MintCream\000\365\377\372\000Gray0\000\000\000\000\000Gray1\000\003\003\003\000Gray2\000\005\005\005\000Gray3\000\010\010\010\000Gray4\000\012\012\012\000Gray5\000\015\015\015\000Gray6\000\017\017\017\000Gray7\000\022\022\022\000Gray8\000\024\024\024\000Gray9\000\027\027\027\000RosyBrown\000\274\217\217\000cornsilk\000\377\370\334\000CornflowerBlue\000\"\"\230\000LightSkyBlue\000\207\316\372\000Aquamarine\000""2\277\301\000Beige\000\365\365\334\000Bisque\000\377\344\304\000Gray50\000\177\177\177\000Gray51\000\202\202\202\000Gray52\000\205\205\205\000Gray53\000\207\207\207\000Gray54\000\212\212\212\000Gray55\000\214\214\214\000Gray56\000\217\217\217\000Gray57\000\221\221\221\000Gray58\000\224\224\224\000Gray59\000\226\226\226\000Cyan\000\000\377\377\000lavender\000\346\346\372\000DarkGreen\000\000V-";
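Review bot: The literal in `@P=(undef)x1109;` repeats the modulus that the generated header emits as `#define xpmColors_mod 1109`, so the table length and the hash range are kept equal only by hand. If cols2.pl holds the modulus in a variable (the hash0 body is outside the hunk), sizing the array from that variable would keep `xpmColors_ofs` as long as the largest hash value the C side can compute. xpmc.h is generator output, so the extended array should be the result of re-running cols2.pl rather than a manual edit; that cannot be confirmed from the patch.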
diff -Nru sam2p-0.49.2/debian/patches/CVE-2017-16663.patch sam2p-0.49.2/debian/patches/CVE-2017-16663.patch
--- sam2p-0.49.2/debian/patches/CVE-2017-16663.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2017-16663.patch	2017-11-22 21:39:20.000000000 +0100
@@ -0,0 +1,141 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 22 Nov 2017 22:04:59 +0100
+Subject: CVE-2017-16663
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/16
+Origin: https://github.com/pts/sam2p/commit/b3dd8209cc98673d682e82971bf822568f8efa27
+---
+ input-bmp.ci | 45 +++++++++++++++++++++++++++------------------
+ 1 file changed, 27 insertions(+), 18 deletions(-)
+
+diff --git a/input-bmp.ci b/input-bmp.ci
+index 9834f05..8aadcfc 100644
+--- a/input-bmp.ci
++++ b/input-bmp.ci
+@@ -48,6 +48,14 @@ struct Bitmap_Head_Struct
+                         /* 36 */
+ } Bitmap_Head;
+ 
++static at_dimen_t multiply_check(at_dimen_t a, at_dimen_t b) {
++  const at_dimen_t result = a * b;
++  /* Check for overflow. Works only if everything is unsigned. */
++  if (result / a != b) FATALP("BMP: Image too large.");
++  return result;
++}
++
++
+ static long        ToL           (unsigned char *);
+ static short       ToS           (unsigned char *);
+ static int         ReadColorMap  (FILE *,
+@@ -56,12 +64,12 @@ static int         ReadColorMap  (FILE *,
+ 				   int,
+ 				   int *);
+ static unsigned char        *ReadImage     (FILE *,
+-				   int,
+-				   int,
++				   at_dimen_t,
++				   at_dimen_t,
+ 				   unsigned char[256][3],
+ 				   int,
+ 				   int,
+-				   int,
++				   at_dimen_t,
+ 				   int);
+ 
+ #if PTS_SAM2P
+@@ -72,7 +80,8 @@ bitmap_type bmp_load_image (at_string filename)
+ {
+   FILE *fd;
+   unsigned char buffer[64];
+-  int ColormapSize, rowbytes, Maps=0, Grey;
++  int ColormapSize, Maps=0, Grey;
++  at_dimen_t rowbytes;
+   unsigned char ColorMap[256][3];
+   bitmap_type image;
+ 
+@@ -183,7 +192,7 @@ bitmap_type bmp_load_image (at_string filename)
+    * word length (32 bits == 4 bytes)
+    */
+ 
+-  rowbytes= ( (Bitmap_Head.biWidth * Bitmap_Head.biBitCnt - 1) / 32) * 4 + 4;  
++  rowbytes = ((multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt) >> 3) + 3) & ~3;
+ 
+ #ifdef DEBUG
+   printf("\nSize: %u, Colors: %u, Bits: %u, Width: %u, Height: %u, Comp: %u, Zeile: %u\n",
+@@ -244,40 +253,40 @@ ReadColorMap (FILE   *fd,
+ 
+ static unsigned char*
+ ReadImage (FILE   *fd,
+-	   int    width,
+-	   int    height,
++	   at_dimen_t width,
++	   at_dimen_t height,
+ 	   unsigned char  cmap[256][3],
+ 	   int    bpp,
+ 	   int    compression,
+-	   int    rowbytes,
++	   at_dimen_t rowbytes,
+ 	   int    grey)
+ {
+   unsigned char v,howmuch;
+-  int xpos = 0, ypos = 0;
++  unsigned xpos = 0, ypos = 0;
+   unsigned char *image;
+   unsigned char *temp, *buffer;
+-  long rowstride, channels;
++  unsigned char channels;
+   unsigned short rgb;
++  const at_dimen_t wdht = multiply_check(width, height);
++  at_dimen_t rowstride;
+   int i, j;
+ 
+   if (bpp >= 16) /* color image */
+     {
+-      XMALLOCT (image, unsigned char*, width * height * 3 * sizeof (unsigned char));
+       channels = 3;
+     }
+   else if (grey) /* grey image */
+     {
+-      XMALLOCT (image, unsigned char*, width * height * 1 * sizeof (unsigned char));
+ 	  channels = 1;
+ 	}
+   else /* indexed image */
+ 	{
+-      XMALLOCT (image, unsigned char*, width * height * 1 * sizeof (unsigned char));
+ 	  channels = 1;
+ 	}
+ 
+-  XMALLOCT (buffer, unsigned char*, rowbytes); 
+-  rowstride = width * channels;
++  XMALLOCT (image, unsigned char*, multiply_check(wdht, channels));
++  XMALLOCT (buffer, unsigned char*, rowbytes);
++  rowstride = multiply_check(width, channels);
+ 
+   ypos = height - 1;  /* Bitmaps begin in the lower left corner */
+ 
+@@ -353,14 +362,14 @@ ReadImage (FILE   *fd,
+ 		    xpos = 0;
+ 
+ 		  }
+-		if (ypos < 0)
++		if ((int)ypos < 0)
+ 		  break;
+ 	      }
+ 	    break;
+ 	  }
+ 	else
+ 	  {
+-	    while (ypos >= 0 && xpos <= width)
++	    while ((int)ypos >= 0 && xpos <= width)
+ 	      {
+ 		(void) ReadOK (fd, buffer, 2);
+ 		if ((unsigned char) buffer[0] != 0) 
+@@ -440,7 +449,7 @@ ReadImage (FILE   *fd,
+       unsigned char *temp2, *temp3;
+       unsigned char index;
+       temp2 = temp = image;
+-      XMALLOCT (image, unsigned char*, width * height * 3 * sizeof (unsigned char));
++      XMALLOCT (image, unsigned char*, multiply_check(wdht, 3));
+       temp3 = image;
+       for (ypos = 0; ypos < height; ypos++)
+         {
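Review bot: The new `rowbytes` expression in bmp_load_image rounds the bit count down to whole bytes before padding, so it is too small whenever width times bit count leaves a remainder of 1 to 7 modulo 32: 33 bits gives `((33 >> 3) + 3) & ~3` = 4 where the replaced formula gave 8, and 1 bit gives 0. `buffer` is allocated with that length in ReadImage, so rows of such 1-bit or 4-bit images would be read short and, depending on how the decode loop (outside these hunks) indexes `buffer`, read past its end. Rounding up in units of 32 bits avoids both the truncation and an unchecked addition: `const at_dimen_t bits = multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt);` followed by `rowbytes = ((bits >> 5) + ((bits & 31) != 0)) << 2;`. The `(int)ypos < 0` tests rely on `ypos` wrapping and on the height fitting in an int, which deserves a comment at the declaration.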
diff -Nru sam2p-0.49.2/debian/patches/series sam2p-0.49.2/debian/patches/series
--- sam2p-0.49.2/debian/patches/series	2013-09-08 18:52:45.000000000 +0200
+++ sam2p-0.49.2/debian/patches/series	2017-11-22 21:39:20.000000000 +0100
@@ -1,3 +1,10 @@
 03_avoid_errormessage.patch
 05_fix_nostrip.patch
 08_respect-cxxflags.patch
+CVE-2017-14636.patch
+CVE-2017-14637.patch
+CVE-2017-14628.patch
+CVE-2017-14630.patch
+CVE-2017-14631.patch
+CVE-2017-14629.patch
+CVE-2017-16663.patch
