
Bug#895144: marked as done (jessie-pu: package sam2p/0.49.2-3+deb8u1)



Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.camel@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point release
has caused the Debian Bug report #895144,
regarding jessie-pu: package sam2p/0.49.2-3+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
895144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895144
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to update sam2p in Jessie. This package is currently
affected by several security vulnerabilities. Please find attached the
debdiff.

Regards,

Markus
diff -Nru sam2p-0.49.2/debian/changelog sam2p-0.49.2/debian/changelog
--- sam2p-0.49.2/debian/changelog	2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/changelog	2018-04-07 17:48:42.000000000 +0200
@@ -1,3 +1,13 @@
+sam2p (0.49.2-3+deb8u2) jessie; urgency=high
+
+  * Non-maintainer upload.
+  * Fix CVE-2018-7487, CVE-2018-7551, CVE-2018-7552, CVE-2018-7553 and
+    CVE-2018-7554. Multiple invalid frees and buffer-overflow vulnerabilities
+    were discovered in sam2p that may lead to a denial-of-service (application
+    crash) or unspecified other impact.
+
+ -- Markus Koschany <apo@debian.org>  Sat, 07 Apr 2018 17:48:42 +0200
+
 sam2p (0.49.2-3+deb8u1) jessie; urgency=high
 
   * Non-maintainer upload.
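Review bot: the changelog introduces 0.49.2-3+deb8u2 while the bug title requests jessie-pu for 0.49.2-3+deb8u1; the request should name the version actually being uploaded. The entry also lists CVE-2018-7552 as fixed although no patch of that name is added to debian/patches/series; since the CVE-2018-7554.patch header states that it covers CVE-2018-7552, say so here too so the changelog stays traceable to the patch files.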
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7487.patch sam2p-0.49.2/debian/patches/CVE-2018-7487.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7487.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7487.patch	2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Apr 2018 22:58:32 +0200
+Subject: CVE-2018-7487
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/18
+---
+ in_pcx.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index f04e4c1..e8e1ce1 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -239,7 +239,7 @@ static Image::Sampled *LoadPCX
+     if (fread(pinfo->pal, 1, colors*3, fp) != colors * 3 + 0U ||
+         ferror(fp) || feof(fp)) {
+       pcxError(bname,"Error reading PCX colormap.  Using grayscale.");
+-      for (i=0; i<256; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
++      for (i=0; i<colors; i++) PAL_R(pinfo,i) = PAL_G(pinfo,i) = PAL_B(pinfo,i) = i;
+     }
+   }
+   else if (colors<=16) {   /* internal colormap */
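Review bot: unlike the other three patches, this file has no Origin: header pointing at an upstream commit, only the Bug-Upstream issue link, so a later maintainer cannot tell whether this is upstream's fix for issue #18 or a Debian-local one; add the commit URL if one exists, or note that it is a local fix. The change itself is right: the fallback loop now fills the same `colors` entries that the fread above requests (`colors*3` bytes), instead of writing 256 entries into a palette sized for `colors`.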
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7551.patch sam2p-0.49.2/debian/patches/CVE-2018-7551.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7551.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7551.patch	2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,75 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 5 Apr 2018 11:02:16 +0200
+Subject: CVE-2018-7551
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/28
+Origin: https://github.com/pts/sam2p/commit/a6621e996f976912252018be8a8836ee6a966ee3
+---
+ input-pnm.ci | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 1645071..033a8ca 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -177,6 +177,18 @@ static struct struct_pnm_types
+   {  0 , 0, 0,   0, NULL}
+ };
+ 
++static slen_t multiply_check(slen_t a, slen_t b) {
++  slen_t result;
++  if (a == 0) return 0;
++  /* Check for overflow. Works only if everything is unsigned. */
++  if ((result = a * b) / a != b) FATALP("PNM: can't open file\n");
++  return result;
++}
++
++static slen_t multiply_check(slen_t a, slen_t b, slen_t c) {
++  return multiply_check(multiply_check(a, b), c);
++}
++
+ #if PTS_SAM2P
+ bitmap_type pnm_load_image (FILEE* filename)
+ #else
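Review bot: the overflow failure in multiply_check reports "PNM: can't open file", which is misleading for a dimension overflow; use a message that names the cause, e.g. FATALP("PNM: image dimensions too large\n"), so a crash on a crafted PNM is diagnosable from the log. The early `if (a == 0) return 0;` is required to avoid the division by zero in the check that follows and is correct; a one-line comment saying so would save the next reader a second look.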
+@@ -265,8 +277,8 @@ bitmap_type pnm_load_image (at_string filename)
+   BITMAP_HEIGHT (bitmap) = (at_dimen_t) pnminfo->yres;
+ 
+   BITMAP_PLANES (bitmap) = (pnminfo->np)?(pnminfo->np):1;
+-  /* BITMAP_BITS (bitmap) = (unsigned char *) malloc (pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
+-  XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap));
++  /* BITMAP_BITS (bitmap) = (unsigned char *) malloc ((slen_t)pnminfo->yres * pnminfo->xres * BITMAP_PLANES (bitmap)); */
++  XMALLOCT(BITMAP_BITS (bitmap), unsigned char *, multiply_check(pnminfo->yres, pnminfo->xres, BITMAP_PLANES (bitmap)));
+   pnminfo->loader (scan, pnminfo, BITMAP_BITS (bitmap));
+   /* vvv Dat: We detect truncation late truncated files will just have garbage :-( */
+   if (pnmscanner_eof(scan))
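Review bot: the commented-out malloc line is rewritten alongside the live XMALLOCT call; editing dead code in a security backport adds diff noise without changing behaviour and should be dropped. The live change is the right one: the yres*xres*planes product is now checked in slen_t by multiply_check before the allocation is made.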
+@@ -299,7 +311,7 @@ pnm_load_ascii (PNMScanner *scan,
+   #endif
+   d = data;
+   if (info->np==0) { /* PBM */
+-    dend=d+info->xres*info->yres;
++    dend=d+(slen_t)info->xres*info->yres;
+     while (d!=dend) {
+       /* pnmscanner_getsmalltoken(scan, (unsigned char *)buf); */
+       pnmscanner_eatwhitespace(scan);
+@@ -307,7 +319,7 @@ pnm_load_ascii (PNMScanner *scan,
+       pnmscanner_getchar(scan);
+     }
+   } else { /* PGM or PPM */ /**** pts ****/
+-    dend=d+info->xres*info->yres*info->np;
++    dend=d+(slen_t)info->xres*info->yres*info->np;
+     switch (s=info->maxval) {
+      case 255:
+       while (d!=dend) {
+@@ -350,10 +362,10 @@ pnm_load_raw (PNMScanner *scan,
+ 
+   scanlines = info->yres;
+   d = data;
+-  delta=info->xres * info->np;
++  delta=(slen_t)info->xres * info->np;
+   dend=d+delta*scanlines;
+   while (d!=dend) {
+-    if (info->xres*info->np != fread_FILEE((char*)d, delta, fd)) return;
++    if (delta != fread_FILEE((char*)d, delta, fd)) return;
+     d+=delta;
+   }
+   d=data;
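Review bot: on a short read, `if (delta != fread_FILEE((char*)d, delta, fd)) return;` silently returns with the remainder of `data` (from `d` to `dend`) uninitialised, and the comment earlier in this file says truncated files "will just have garbage"; either zero-fill the rest of the buffer before returning or fail with FATALP so uninitialised heap contents are not carried into the output. Comparing against the already-widened `delta` rather than recomputing `info->xres*info->np` is correct, since the int product could otherwise be compared against a slen_t result.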
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7553.patch sam2p-0.49.2/debian/patches/CVE-2018-7553.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7553.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7553.patch	2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,67 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Apr 2018 23:01:09 +0200
+Subject: CVE-2018-7553
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/32
+Origin: https://github.com/pts/sam2p/commit/2ca32ec848fd97074367bc26b239fa25bbf0e720
+---
+ in_pcx.cpp | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/in_pcx.cpp b/in_pcx.cpp
+index e8e1ce1..456c150 100644
+--- a/in_pcx.cpp
++++ b/in_pcx.cpp
+@@ -109,6 +109,12 @@ static void pcxLoadRaster  PARM((FILE *, byte *, int, byte *, dimen, dimen));
+ static int  pcxError       PARM((char *, char *));
+ #endif
+ 
++static slen_t add_check(PCX_SIZE_T a, PCX_SIZE_T b) {
++  /* Check for overflow. Works only if everything is unsigned. */
++  if (b > (PCX_SIZE_T)-1 - a) FatalError("Image too large.");
++  return a + b;
++}
++
+ static PCX_SIZE_T multiply_check(PCX_SIZE_T a, PCX_SIZE_T b) {
+   const PCX_SIZE_T result = a * b;
+   /* Check for overflow. Works only if everything is unsigned. */
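Review bot: add_check is declared to return slen_t but takes and adds PCX_SIZE_T operands and sits next to multiply_check, which returns PCX_SIZE_T; declare it `static PCX_SIZE_T add_check(PCX_SIZE_T a, PCX_SIZE_T b)` so the overflow test `b > (PCX_SIZE_T)-1 - a` and the return type agree and no implicit widening or narrowing happens at the call site.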
+@@ -327,7 +333,8 @@ static int pcxLoadImage8 ___((char *fname, FILE *fp, PICINFO *pinfo, byte *hdr),
+   
+   byte *image;
+   
+-  image = (byte *) malloc_byte(multiply_check(pinfo->h, pinfo->w));
++  /* Adding 7 bytes as a sentinel for depth == 1 in pcxLoadRaster. */
++  image = (byte *) malloc_byte(add_check(multiply_check(pinfo->h, pinfo->w), 7));
+   if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
+   
+   xvbzero((char *) image, multiply_check(pinfo->h, pinfo->w));
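Review bot: the allocation grows by 7 sentinel bytes, but the xvbzero call three lines below still clears only multiply_check(pinfo->h, pinfo->w) bytes, so the sentinel region stays uninitialised; since pcxLoadRaster writes into it with `*image++|=...` for depth 1, it ORs into garbage. Zero the full allocation with the same add_check(...) expression, or better, keep the checked size in a local and use it for both malloc_byte and xvbzero so the two cannot diverge.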
+@@ -449,14 +456,17 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+ {
+   /* was supported:  8 bits per pixel, 1 plane, or 1 bit per pixel, 1-8 planes */
+ 
+-  unsigned row, bcnt, bperlin, pad, cnt, pmask, i, pleft;
++  unsigned row, cnt, pmask, pleft;
++  PCX_SIZE_T bperlin, pad, bcnt;
+   int b;
+   byte *oldimage;
+ 
+   bperlin = hdr[PCX_BPRL] + ((dimen) hdr[PCX_BPRH]<<8);
+-  pad = (depth == 1) ? bperlin * 8 : bperlin;
+-  if (pad < w) FatalError("pad too small");
++  pad = multiply_check(bperlin, 8 / depth);
++  if (pad < w) FatalError("bperlin too small");
+   pad -= w;
++  /* image (including sentinel) isn't large enough for bperlin. */
++  if (pad > 7) FatalError("bperlin too large");
+ 
+   row = bcnt = 0;
+ 
+@@ -471,7 +481,7 @@ static void pcxLoadRaster ___((FILE *fp, byte *image, int depth, byte *hdr, dime
+     }
+     else cnt = 1;
+     
+-    for (i=0; i<cnt; i++) {
++    while (cnt-- > 0) {
+       switch (depth) {
+        case 1:
+         *image++|=(b&0x80)?pmask:0;
diff -Nru sam2p-0.49.2/debian/patches/CVE-2018-7554.patch sam2p-0.49.2/debian/patches/CVE-2018-7554.patch
--- sam2p-0.49.2/debian/patches/CVE-2018-7554.patch	1970-01-01 01:00:00.000000000 +0100
+++ sam2p-0.49.2/debian/patches/CVE-2018-7554.patch	2018-04-07 17:48:42.000000000 +0200
@@ -0,0 +1,193 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 5 Apr 2018 11:25:44 +0200
+Subject: CVE-2018-7554
+
+This is also the fix for CVE-2018-7552. Verified by testing the patch against
+the reproducer.
+
+Bug-Upstream: https://github.com/pts/sam2p/issues/29
+Origin: https://github.com/pts/sam2p/commit/118cb8102b767df4100d8a14184e44b33a822861
+Origin: https://github.com/pts/sam2p/commit/1e43ec5fe34b009cb43f90a9d562442ca347cd75
+Origin: https://github.com/pts/sam2p/commit/beea3bd8dd05a731fddfa447ff0bad19fe32c973
+Origin: https://github.com/pts/sam2p/commit/47378716ab03d6b39ee959c949df551c643942f1
+---
+ input-bmp.ci | 57 ++++++++++++++++++++++++++++++++++++---------------------
+ input-pnm.ci |  4 +++-
+ 2 files changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/input-bmp.ci b/input-bmp.ci
+index 8aadcfc..64f7947 100644
+--- a/input-bmp.ci
++++ b/input-bmp.ci
+@@ -81,7 +81,7 @@ bitmap_type bmp_load_image (at_string filename)
+   FILE *fd;
+   unsigned char buffer[64];
+   int ColormapSize, Maps=0, Grey;
+-  at_dimen_t rowbytes;
++  at_dimen_t rowbytes, wd_bpp;
+   unsigned char ColorMap[256][3];
+   bitmap_type image;
+ 
+@@ -167,6 +167,14 @@ bitmap_type bmp_load_image (at_string filename)
+   else
+       FATALP ("BMP: Error reading BMP file header #4");
+ 
++  switch (Bitmap_Head.biBitCnt) {
++   case 32: case 24: case 16: case 8: case 4: case 2: case 1: break;
++   default:
++    FATALP ("BMP: Invalid bpp.");
++  }
++
++  if (Maps != 3 && Maps != 4) FATALP("BMP: Bad color_size.");
++
+   /* Valid options 1, 4, 8, 16, 24, 32 */
+   /* 16 is awful, we should probably shoot whoever invented it */
+   
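Review bot: the new switch accepts biBitCnt == 2, but the comment kept directly below it still says "Valid options 1, 4, 8, 16, 24, 32"; either drop `case 2` or update the comment so the accepted set is stated once. The `Maps != 3 && Maps != 4` check is the right guard for the fixed `rgb[4]` buffer in ReadColorMap, given that Maps is initialised to 0 above.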
+@@ -191,8 +199,8 @@ bitmap_type bmp_load_image (at_string filename)
+   /* Windows and OS/2 declare filler so that rows are a multiple of
+    * word length (32 bits == 4 bytes)
+    */
+-
+-  rowbytes = ((multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt) >> 3) + 3) & ~3;
++  wd_bpp = multiply_check(Bitmap_Head.biWidth, Bitmap_Head.biBitCnt);
++  rowbytes = ((wd_bpp >> 5) + (wd_bpp & 31 ? 1 : 0)) << 2;
+ 
+ #ifdef DEBUG
+   printf("\nSize: %u, Colors: %u, Bits: %u, Width: %u, Height: %u, Comp: %u, Zeile: %u\n",
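Review bot: the old expression `((wd_bpp >> 3) + 3) & ~3` rounds the byte count down to a multiple of 4 rather than up (for wd_bpp = 33 it gives 4, while the correctly padded row length is 8), so rows were under-allocated; the replacement `((wd_bpp >> 5) + (wd_bpp & 31 ? 1 : 0)) << 2` computes 4*ceil(wd_bpp/32) and is correct. State that intent in the comment above, which currently only describes the padding rule, since the bit arithmetic is easy to get wrong again.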
+@@ -227,27 +235,31 @@ bitmap_type bmp_load_image (at_string filename)
+ 
+ static int
+ ReadColorMap (FILE   *fd,
+-	      unsigned char  buffer[256][3],
+-	      int    number,
+-	      int    size,
++	      unsigned char  cmap[256][3],
++	      int    color_count,
++	      int    color_size,  /* 3 or 4. */
+ 	      int   *grey)
+ {
+   int i;
+   unsigned char rgb[4];
+ 
+-  *grey=(number>2);
+-  for (i = 0; i < number ; i++)
++#ifdef DEBUG
++  fprintf(stderr, "color_size=%d\n", color_size);
++#endif
++  *grey=(color_count>2);
++  for (i = 0; i < color_count ; i++)
+     {
+-      if (!ReadOK (fd, rgb, size))
++      if (!ReadOK (fd, rgb, color_size))
+           FATALP ("BMP: Bad colormap");
+ 
+       /* Bitmap save the colors in another order! But change only once! */
+ 
+-      buffer[i][0] = rgb[2];
+-      buffer[i][1] = rgb[1];
+-      buffer[i][2] = rgb[0];
++      cmap[i][0] = rgb[2];
++      cmap[i][1] = rgb[1];
++      cmap[i][2] = rgb[0];
+       *grey = ((*grey) && (rgb[0]==rgb[1]) && (rgb[1]==rgb[2]));
+     }
++  memset(&cmap[i], 0, (256 - i) * 3);
+   return 0;
+ }
+ 
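Review bot: the new `memset(&cmap[i], 0, (256 - i) * 3)` assumes color_count <= 256; nothing in this hunk enforces it, and with a larger value the loop writes past cmap[256][3] before the memset is reached and `256 - i` goes negative. Add `if (color_count > 256) FATALP ("BMP: Bad colormap");` before the loop unless the caller is known to clamp it. The parameter renames (buffer to cmap, number to color_count, size to color_size) read better but are unrelated to the fix and inflate the backport.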
+@@ -285,6 +297,7 @@ ReadImage (FILE   *fd,
+ 	}
+ 
+   XMALLOCT (image, unsigned char*, multiply_check(wdht, channels));
++  memset(image, 0, wdht * channels);
+   XMALLOCT (buffer, unsigned char*, rowbytes);
+   rowstride = multiply_check(width, channels);
+ 
+@@ -303,7 +316,7 @@ ReadImage (FILE   *fd,
+                *(temp++)= buffer[xpos * 4 + 1];
+                *(temp++)= buffer[xpos * 4];
+             }
+-          --ypos; /* next line */
++          if (ypos-- == 0) break;  /* next line */
+         }
+     }
+ 	break;
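Review bot: `if (ypos-- == 0) break;` stops after the row at ypos == 0 has been written, which is correct only if ypos starts at height - 1; that initialisation is outside this hunk and should be confirmed, since starting at height would write one row past the image. The same post-decrement pattern is repeated in the 24-bit and 16-bit cases below, so a shared row loop would avoid fixing it in three places.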
+@@ -319,7 +332,7 @@ ReadImage (FILE   *fd,
+                *(temp++)= buffer[xpos * 3 + 1];
+                *(temp++)= buffer[xpos * 3];
+             }
+-          --ypos; /* next line */
++          if (ypos-- == 0) break;  /* next line */
+         }
+ 	}
+     break;
+@@ -336,7 +349,7 @@ ReadImage (FILE   *fd,
+                *(temp++)= (unsigned char)(((rgb >> 5)  & 0x1f) * 8);
+                *(temp++)= (unsigned char)(((rgb)       & 0x1f) * 8);
+             }
+-          --ypos; /* next line */
++          if (ypos-- == 0) break;  /* next line */
+         }
+     }
+ 	break;
+@@ -347,23 +360,25 @@ ReadImage (FILE   *fd,
+     {
+       if (compression == 0)
+ 	  {
++	    const int bpp8  = 8 / bpp;
++	    const at_dimen_t rowpad = rowbytes - (width * bpp + 7) / 8;
++#ifdef DEBUG
++	    fprintf(stderr, "BMP bpp=%d width=%d height=%d channels=%d malloced=%d rowbytes=%d\n", bpp, width, height, channls, width * height * channels, rowbytes);
++#endif
+ 	    while (ReadOK (fd, &v, 1))
+ 	      {
+-		for (i = 1; (i <= (8 / bpp)) && (xpos < width); i++, xpos++)
++		for (i = 1; i <= bpp8 && xpos < width; i++, xpos++)
+ 		  {
+ 		    temp = (unsigned char*) (image + (ypos * rowstride) + (xpos * channels));
+ 		    *temp= (unsigned char)(( v & ( ((1<<bpp)-1) << (8-(i*bpp)) ) ) >> (8-(i*bpp)));
+ 		  }
+ 		if (xpos == width)
+ 		  {
+-		    (void) ReadOK (fd, buffer, rowbytes - 1 -
+-                                   (width * bpp - 1) / 8);
+-		    ypos--;
++		    if (!ReadOK (fd, buffer, rowpad)) break;
++		    if (ypos-- == 0) break;  /* next line */
+ 		    xpos = 0;
+ 
+ 		  }
+-		if ((int)ypos < 0)
+-		  break;
+ 	      }
+ 	    break;
+ 	  }
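Review bot: the DEBUG fprintf added here references `channls`, which does not exist (the variable is `channels`), so the file will not compile with DEBUG defined; fix the name or drop the debug line from a stable update. The new `rowpad = rowbytes - (width * bpp + 7) / 8` cannot underflow because rowbytes is rounded up to a multiple of 4 bytes, and checking ReadOK on the padding read instead of discarding its result handles the truncated-row case that the old `(void) ReadOK` ignored.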
+diff --git a/input-pnm.ci b/input-pnm.ci
+index 23de594..2c07b00 100644
+--- a/input-pnm.ci
++++ b/input-pnm.ci
+@@ -236,6 +236,7 @@ bitmap_type pnm_load_image (at_string filename)
+     FATALP ("PNM: is not a valid file");
+ 
+   /* Look up magic number to see what type of PNM this is */
++  pnminfo->loader = NULL;
+   for (ctr=0; pnm_types[ctr].name; ctr++)
+     if (buf[1] == pnm_types[ctr].name)
+       {
+@@ -243,6 +244,7 @@ bitmap_type pnm_load_image (at_string filename)
+ 	pnminfo->asciibody = pnm_types[ctr].asciibody;
+ 	pnminfo->maxval    = pnm_types[ctr].maxval;
+ 	pnminfo->loader    = pnm_types[ctr].loader;
++	break;
+       }
+   if (!pnminfo->loader)
+       FATALP ("PNM: file not in a supported format");
+@@ -402,7 +404,7 @@ pnm_load_rawpbm (PNMScanner *scan,
+ 
+   fd = pnmscanner_fd(scan);
+   /****pts****/ /* rowlen = (unsigned int)ceil((double)(info->xres)/8.0);*/
+-  rowlen=(info->xres+7)>>3;
++  rowlen = (info->xres >> 3) + (info->xres & 3 ? 1 : 0);
+   /* buf = (unsigned char *)malloc(rowlen*sizeof(unsigned char)); */
+   XMALLOCT(buf, unsigned char*, rowlen*sizeof(unsigned char));
+ 
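Review bot: `rowlen = (info->xres >> 3) + (info->xres & 3 ? 1 : 0)` uses the wrong mask: the remainder of division by 8 is `xres & 7`, not `xres & 3`. For xres = 4 the new expression yields 0 where the original `(info->xres+7)>>3` gives 1, and for xres = 12 it yields 1 instead of 2, so `buf` is allocated too small for the row read that follows. Use `(info->xres >> 3) + (info->xres & 7 ? 1 : 0)`, which keeps the overflow-free form while actually computing ceil(xres/8).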
diff -Nru sam2p-0.49.2/debian/patches/series sam2p-0.49.2/debian/patches/series
--- sam2p-0.49.2/debian/patches/series	2017-11-22 21:39:20.000000000 +0100
+++ sam2p-0.49.2/debian/patches/series	2018-04-07 17:48:42.000000000 +0200
@@ -8,3 +8,7 @@
 CVE-2017-14631.patch
 CVE-2017-14629.patch
 CVE-2017-16663.patch
+CVE-2018-7551.patch
+CVE-2018-7554.patch
+CVE-2018-7487.patch
+CVE-2018-7553.patch
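Review bot: the series applies CVE-2018-7551.patch before CVE-2018-7554.patch and both modify input-pnm.ci; 7551 inserts 12 lines at line 177 while 7554's hunks are still addressed at -236 and -402, so they apply with an offset, and the `index 23de594..2c07b00` line in 7554 does not chain from 7551's `033a8ca`. quilt tolerates this, but refreshing 7554 against the post-7551 tree would make the debdiff apply cleanly without offset warnings. Ordering 7487 before 7553 is required and correct, since 7553's in_pcx.cpp base index (e8e1ce1) is the result of 7487.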

--- End Message ---
--- Begin Message ---
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---
