Bug#895144: jessie-pu: package sam2p/0.49.2-3+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to update sam2p in Jessie. This package is currently
affected by several security vulnerabilities. Please find attached the
debdiff.
Regards,
Markus
diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog
--- sam2p-0.49.2/debian/changelog 2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/changelog 2018-04-07 17:48:42.000000000 +0200
@@ -1,3 +1,13 @@
+sam2p (0.49.2-3+deb8u2) jessie; urgency=high
+
+ * Non-maintainer upload.
+ * Fix CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553 and
+ CVE-2018-7554. Multiple invalid frees and buffer-overflow vulnerabilities
+ were discovered in sam2p that may lead to a denial-of-service (application
+ crash) or unspecified other impact.
+
+ -- Markus Koschany <apo@debian.org> Sat, 07 Apr 2018 17:48:42 +0200
+
sam2p (0.49.2-3+deb8u1) jessie; urgency=high
* Non-maintainer upload.
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7487.patch sam2p-0.49.2/debian/patches/CVE-2018-7487.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7487.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7487.patch 2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Apr 2018 22:58:32 +0200
+Subject: CVE-2018-7487
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/18
+---
+ in_pcx.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index f04e4c1..e8e1ce1 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -239,7 +239,7 @@ static Image::Sampled *LoadPCX
+ if (fread(pinfo->pal, 1, colors*3, fp) != colors * 3 + 0U ||
+ ferror(fp) || feof(fp)) {
+ pcxError(bname,"Error reading PCX colormap. Using grayscale.");
+- for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
++ for (i=0; i<colors; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
+ }
+ }
+ else if (colors<=16) { /* internal colormap */
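Review bot: The loop on the `+` line now fills only `colors` grayscale entries, which is the right bound only if pinfo->pal is sized for `colors` entries, yet the hunk leaves that relationship undocumented and the fallback message still promises a full grayscale palette. I would add a comment on the loop, `/* pal holds only `colors` entries; filling all 256 overran it (CVE-2018-7487). */`, so the bound is not "restored" to 256 by a later cleanup. Whether entries `colors..255` are ever read afterwards, and whether pal is zeroed when allocated, is not visible here; if pal is allocated uninitialised, a later read of those entries would still see indeterminate bytes. LoadPCX starts and ends outside the hunk.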
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7551.patch sam2p-0.49.2/debian/patches/CVE-2018-7551.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7551.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7551.patch 2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,75 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 5 Apr 2018 11:02:16 +0200
+Subject: CVE-2018-7551
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/28
+Origin: https://github.com/pts/sam2p/commit/a6621e996f976912252018be8a8836ee6a966ee3
+---
+ input-pnm.ci | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 1645071..033a8ca 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -177,6 +177,18 @@ static struct struct_pnm_types
+ { 0 , 0, 0, 0, NULL}
+ };
+
++static slen_t multiply_check(slen_t a, slen_t b) {
++ slen_t result;
++ if (a == 0) return 0;
++ /* Check for overflow. Works only if everything is unsigned. */
++ if ((result = a * b) / a != b) FATALP("PNM: can't open file\n");
++ return result;
++}
++
++static slen_t multiply_check(slen_t a, slen_t b, slen_t c) {
++ return multiply_check(multiply_check(a, b), c);
++}
++
+ #if PTS_SAM2P
+ bitmap_type pnm_load_image (FILEE* filename)
+ #else
+@@ -265,8 +277,8 @@ bitmap_type pnm_load_image (at_string filename)
+ BITMAP_HEIGHT (bitmap) = (at_dimen_t) pnminfo->yres;
+
+ BITMAP_PLANES (bitmap) = (pnminfo->np)?(pnminfo->np):1;
+- /* BITMAP_BITS (bitmap) = (unsigned char *) malloc (pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
+- XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap));
++ /* BITMAP_BITS (bitmap) = (unsigned char *) malloc ((slen_t)pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
++ XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, multiply_check(pnminfo->yres, pnminfo->xres, BITMAP_PLANES (bitmap)));
+ pnminfo->loader (scan, pnminfo, BITMAP_BITS (bitmap));
+ /* vvv Dat: We detect truncation late truncated files will just have garbage :-( */
+ if (pnmscanner_eof(scan))
+@@ -299,7 +311,7 @@ pnm_load_ascii (PNMScanner *scan,
+ #endif
+ d = data;
+ if (info->np==0) { /* PBM */
+- dend=d+info->xres*info->yres;
++ dend=d+(slen_t)info->xres*info->yres;
+ while (d!=dend) {
+ /* pnmscanner_getsmalltoken(scan, (unsigned char *)buf); */
+ pnmscanner_eatwhitespace(scan);
+@@ -307,7 +319,7 @@ pnm_load_ascii (PNMScanner *scan,
+ pnmscanner_getchar(scan);
+ }
+ } else { /* PGM or PPM */ /**** pts ****/
+- dend=d+info->xres*info->yres*info->np;
++ dend=d+(slen_t)info->xres*info->yres*info->np;
+ switch (s=info->maxval) {
+ case 255:
+ while (d!=dend) {
+@@ -350,10 +362,10 @@ pnm_load_raw (PNMScanner *scan,
+
+ scanlines = info->yres;
+ d = data;
+- delta=info->xres * info->np;
++ delta=(slen_t)info->xres * info->np;
+ dend=d+delta*scanlines;
+ while (d!=dend) {
+- if (info->xres*info->np != fread_FILEE((char*)d, delta, fd)) return;
++ if (delta != fread_FILEE((char*)d, delta, fd)) return;
+ d+=delta;
+ }
+ d=data;
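Review bot: multiply_check reports an overflow with `FATALP("PNM: can't open file\n")`, which misdescribes the failure to the user and hides why the image is rejected; use `FATALP("PNM: image dimensions too large\n");` instead. The check itself is sound for unsigned slen_t (the `a == 0` guard avoids the division), and the three-argument overload is fine provided this .ci file is compiled as C++, which overloading requires — worth a one-line comment on the second definition since the file otherwise reads as C. The `dend=d+delta*scanlines` computation in pnm_load_raw is the same product the allocation already checked via multiply_check, so it cannot overflow once that call has passed. pnm_load_image, pnm_load_ascii and pnm_load_raw all start or end outside the hunk.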
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7553.patch sam2p-0.49.2/debian/patches/CVE-2018-7553.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7553.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7553.patch 2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,67 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Apr 2018 23:01:09 +0200
+Subject: CVE-2018-7553
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/32
+Origin: https://github.com/pts/sam2p/commit/2ca32ec848fd97074367bc26b239fa25bbf0e720
+---
+ in_pcx.cpp | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index e8e1ce1..456c150 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -109,6 +109,12 @@ static void pcxLoadRaster PARM((FILE *, byte *, int, byte *, dimen, dimen));
+ static int pcxError PARM((char *, char *));
+ #endif
+
++static slen_t add_check(PCX_SIZE_T a, PCX_SIZE_T b) {
++ /* Check for overflow. Works only if everything is unsigned. */
++ if (b > (PCX_SIZE_T)-1 - a) FatalError("Image too large.");
++ return a + b;
++}
++
+ static PCX_SIZE_T multiply_check(PCX_SIZE_T a, PCX_SIZE_T b) {
+ const PCX_SIZE_T result = a * b;
+ /* Check for overflow. Works only if everything is unsigned. */
+@@ -327,7 +333,8 @@ static int pcxLoadImage8 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr),
+
+ byte *image;
+
+- image = (byte *) malloc_byte(multiply_check(pinfo->h, pinfo->w));
++ /* Adding 7 bytes as a sentinel for depth == 1 in pcxLoadRaster. */
++ image = (byte *) malloc_byte(add_check(multiply_check(pinfo->h, pinfo->w), 7));
+ if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
+
+ xvbzero((char *) image, multiply_check(pinfo->h, pinfo->w));
+@@ -449,14 +456,17 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+ {
+ /* was supported: 8 bits per pixel, 1 plane, or 1 bit per pixel, 1-8 planes */
+
+- unsigned row, bcnt, bperlin, pad, cnt, pmask, i, pleft;
++ unsigned row, cnt, pmask, pleft;
++ PCX_SIZE_T bperlin, pad, bcnt;
+ int b;
+ byte *oldimage;
+
+ bperlin = hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8);
+- pad = (depth == 1) ? bperlin * 8 : bperlin;
+- if (pad < w) FatalError("pad too small");
++ pad = multiply_check(bperlin, 8 / depth);
++ if (pad < w) FatalError("bperlin too small");
+ pad -= w;
++ /* image (including sentinel) isn't large enough for bperlin. */
++ if (pad > 7) FatalError("bperlin too large");
+
+ row = bcnt = 0;
+
+@@ -471,7 +481,7 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+ }
+ else cnt = 1;
+
+- for (i=0; i<cnt; i++) {
++ while (cnt-- > 0) {
+ switch (depth) {
+ case 1:
+ *image++|=(b&0x80)?pmask:0;
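Review bot: `pad = multiply_check(bperlin, 8 / depth)` divides by depth without a check and silently accepts any depth, whereas the previous ternary only distinguished depth 1 from everything else; for depth 0 this is a division by zero, and for depth 2 or 4 the computed pad no longer matches what the per-byte switch below writes. Unless the caller already restricts depth (not visible here), guard it first: `if (depth != 1 && depth != 8) FatalError("unsupported PCX depth");`. Also, add_check is declared to return slen_t while its operands and the overflow test are PCX_SIZE_T; if the two types differ in width the checked sum can be truncated on return, so declare it `static PCX_SIZE_T add_check(PCX_SIZE_T a, PCX_SIZE_T b)`. pcxLoadRaster's loop continues past the hunk, so whether the 7-byte sentinel covers the overrun on every row rather than only the last cannot be confirmed from here.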
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7554.patch sam2p-0.49.2/debian/patches/CVE-2018-7554.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7554.patch 1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7554.patch 2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,193 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 5 Apr 2018 11:25:44 +0200
+Subject: CVE-2018-7554
+
+This is also the fix for CVE-2018-7552. Verified by testing the patch against
+the reproducer.
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/29
+Origin: https://github.com/pts/sam2p/commit/118cb8102b767df4100d8a14184e44b33a822861
+Origin: https://github.com/pts/sam2p/commit/1e43ec5fe34b009cb43f90a9d562442ca347cd75
+Origin: https://github.com/pts/sam2p/commit/beea3bd8dd05a731fddfa447ff0bad19fe32c973
+Origin: https://github.com/pts/sam2p/commit/47378716ab03d6b39ee959c949df551c643942f1
+---
+ input-bmp.ci | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ input-pnm.ci | 4 +++-
+ 2 files changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/input-bmp.ci b/input-bmp.ci
+index 8aadcfc..64f7947 100644
+--- a/input-bmp.ci
++++ b/input-bmp.ci
+@@ -81,7 +81,7 @@ bitmap_type bmp_load_image (at_string filename)
+ FILE *fd;
+ unsigned char buffer[64];
+ int ColormapSize, Maps=0, Grey;
+- at_dimen_t rowbytes;
++ at_dimen_t rowbytes, wd_bpp;
+ unsigned char ColorMap[256][3];
+ bitmap_type image;
+
+@@ -167,6 +167,14 @@ bitmap_type bmp_load_image (at_string filename)
+ else
+ FATALP ("BMP: Error reading BMP file header #4");
+
++ switch (Bitmap_Head.biBitCnt) {
++ case 32: case 24: case 16: case 8: case 4: case 2: case 1: break;
++ default:
++ FATALP ("BMP: Invalid bpp.");
++ }
++
++ if (Maps != 3 && Maps != 4) FATALP("BMP: Bad color_size.");
++
+ /* Valid options 1, 4, 8, 16, 24, 32 */
+ /* 16 is awful, we should probably shoot whoever invented it */
+
+@@ -191,8 +199,8 @@ bitmap_type bmp_load_image (at_string filename)
+ /* Windows and OS/2 declare filler so that rows are a multiple of
+ * word length (32 bits == 4 bytes)
+ */
+-
+- rowbytes = ((multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt) >> 3) + 3) & ~3;
++ wd_bpp = multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt);
++ rowbytes = ((wd_bpp >> 5) + (wd_bpp & 31 ? 1 : 0)) << 2;
+
+ #ifdef DEBUG
+ printf("\nSize: %u, Colors: %u, Bits: %u, Width: %u, Height: %u, Comp: %u, Zeile: %u\n",
+@@ -227,27 +235,31 @@ bitmap_type bmp_load_image (at_string filename)
+
+ static int
+ ReadColorMap (FILE *fd,
+- unsigned char buffer[256][3],
+- int number,
+- int size,
++ unsigned char cmap[256][3],
++ int color_count,
++ int color_size, /* 3 or 4. */
+ int *grey)
+ {
+ int i;
+ unsigned char rgb[4];
+
+- *grey=(number>2);
+- for (i = 0; i < number ; i++)
++#ifdef DEBUG
++ fprintf(stderr, "color_size=%d\n", color_size);
++#endif
++ *grey=(color_count>2);
++ for (i = 0; i < color_count ; i++)
+ {
+- if (!ReadOK (fd, rgb, size))
++ if (!ReadOK (fd, rgb, color_size))
+ FATALP ("BMP: Bad colormap");
+
+ /* Bitmap save the colors in another order! But change only once! */
+
+- buffer[i][0] = rgb[2];
+- buffer[i][1] = rgb[1];
+- buffer[i][2] = rgb[0];
++ cmap[i][0] = rgb[2];
++ cmap[i][1] = rgb[1];
++ cmap[i][2] = rgb[0];
+ *grey = ((*grey) && (rgb[0]==rgb[1]) && (rgb[1]==rgb[2]));
+ }
++ memset(&cmap[i], 0, (256 - i) * 3);
+ return 0;
+ }
+
+@@ -285,6 +297,7 @@ ReadImage (FILE *fd,
+ }
+
+ XMALLOCT (image, unsigned char*, multiply_check(wdht, channels));
++ memset(image, 0, wdht * channels);
+ XMALLOCT (buffer, unsigned char*, rowbytes);
+ rowstride = multiply_check(width, channels);
+
+@@ -303,7 +316,7 @@ ReadImage (FILE *fd,
+ *(temp++)= buffer[xpos * 4 + 1];
+ *(temp++)= buffer[xpos * 4];
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -319,7 +332,7 @@ ReadImage (FILE *fd,
+ *(temp++)= buffer[xpos * 3 + 1];
+ *(temp++)= buffer[xpos * 3];
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -336,7 +349,7 @@ ReadImage (FILE *fd,
+ *(temp++)= (unsigned char)(((rgb >> 5) & 0x1f) * 8);
+ *(temp++)= (unsigned char)(((rgb) & 0x1f) * 8);
+ }
+- --ypos; /* next line */
++ if (ypos-- == 0) break; /* next line */
+ }
+ }
+ break;
+@@ -347,23 +360,25 @@ ReadImage (FILE *fd,
+ {
+ if (compression == 0)
+ {
++ const int bpp8 = 8 / bpp;
++ const at_dimen_t rowpad = rowbytes - (width * bpp + 7) / 8;
++#ifdef DEBUG
++ fprintf(stderr, "BMP bpp=%d width=%d height=%d channels=%d malloced=%d rowbytes=%d\n", bpp, width, height, channls, width * height * channels, rowbytes);
++#endif
+ while (ReadOK (fd, &v, 1))
+ {
+- for (i = 1; (i <= (8 / bpp)) && (xpos < width); i++, xpos++)
++ for (i = 1; i <= bpp8 && xpos < width; i++, xpos++)
+ {
+ temp = (unsigned char*) (image + (ypos * rowstride) + (xpos * channels));
+ *temp= (unsigned char)(( v & ( ((1<<bpp)-1) << (8-(i*bpp)) ) ) >> (8-(i*bpp)));
+ }
+ if (xpos == width)
+ {
+- (void) ReadOK (fd, buffer, rowbytes - 1 -
+- (width * bpp - 1) / 8);
+- ypos--;
++ if (!ReadOK (fd, buffer, rowpad)) break;
++ if (ypos-- == 0) break; /* next line */
+ xpos = 0;
+
+ }
+- if ((int)ypos < 0)
+- break;
+ }
+ break;
+ }
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 23de594..2c07b00 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -236,6 +236,7 @@ bitmap_type pnm_load_image (at_string filename)
+ FATALP ("PNM: is not a valid file");
+
+ /* Look up magic number to see what type of PNM this is */
++ pnminfo->loader = NULL;
+ for (ctr=0; pnm_types[ctr].name; ctr++)
+ if (buf[1] == pnm_types[ctr].name)
+ {
+@@ -243,6 +244,7 @@ bitmap_type pnm_load_image (at_string filename)
+ pnminfo->asciibody = pnm_types[ctr].asciibody;
+ pnminfo->maxval = pnm_types[ctr].maxval;
+ pnminfo->loader = pnm_types[ctr].loader;
++ break;
+ }
+ if (!pnminfo->loader)
+ FATALP ("PNM: file not in a supported format");
+@@ -402,7 +404,7 @@ pnm_load_rawpbm (PNMScanner *scan,
+
+ fd = pnmscanner_fd(scan);
+ /****pts****/ /* rowlen = (unsigned int)ceil((double)(info->xres)/8.0);*/
+- rowlen=(info->xres+7)>>3;
++ rowlen = (info->xres >> 3) + (info->xres & 3 ? 1 : 0);
+ /* buf = (unsigned char *)malloc(rowlen*sizeof(unsigned char)); */
+ XMALLOCT(buf, unsigned char*, rowlen*sizeof(unsigned char));
+
diff -Nru sam2p-0.49.2/debian/patches/series sam2p-0.49.2/debian/patches/series
--- sam2p-0.49.2/debian/patches/series 2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/patches/series 2018-04-07 17:48:42.000000000 +0200
@@ -8,3 +8,7 @@
CVE-2017-14631.patch
CVE-2017-14629.patch
CVE-2017-16663.patch
+CVE-2018-7551.patch
+CVE-2018-7554.patch
+CVE-2018-7487.patch
+CVE-2018-7553.patch