- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: stretch-pu: package vips/8.4.5-1+deb9u1
- From: László Böszörményi (GCS) <gcs@debian.org>
- Date: Sat, 9 Mar 2019 22:14:32 +0100
- Message-id: <CAKjSHr2Zk6pWGOG_7vTCo0W=-aJZByfN0O80yuYdi1zHfSCAcw@mail.gmail.com>
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hi SRMs,
There are two security issues in VIPS, which don't warrant a DSA.
I would like to update it via PU. Debdiff is attached.
Thanks in advance,
Laszlo/GCS
diff -Nru vips-8.4.5/debian/changelog vips-8.4.5/debian/changelog
--- vips-8.4.5/debian/changelog 2016-12-21 19:04:52.000000000 +0100
+++ vips-8.4.5/debian/changelog 2019-01-18 19:15:36.000000000 +0100
@@ -1,3 +1,12 @@
+vips (8.4.5-1+deb9u1) stretch; urgency=medium
+
+ * Fix CVE-2018-7998: NULL function pointer dereference vulnerability in the
+ vips_region_generate() function.
+ * Fix CVE-2019-6976: zero memory on malloc to prevent write of uninit
+ memory under some error conditions.
+
+ -- Laszlo Boszormenyi (GCS) <gcs@debian.org> Fri, 18 Jan 2019 18:15:36 +0000
+
vips (8.4.5-1) unstable; urgency=low
* New upstream release.
diff -Nru vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch
--- vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.4.5/debian/patches/fix_a_crash_with_delayed_load.patch 2019-01-18 19:15:36.000000000 +0100
@@ -0,0 +1,101 @@
+From 20d840e6da15c1574b3ed998bc92f91d1e36c2a5 Mon Sep 17 00:00:00 2001
+From: John Cupitt <jcupitt@gmail.com>
+Date: Mon, 5 Mar 2018 14:42:09 +0000
+Subject: [PATCH] fix a crash with delayed load
+
+If a delayed load failed, it could leave the pipeline only half-set up.
+Sebsequent threads could then segv.
+
+Set a load-has-failed flag and test before generate.
+
+See https://github.com/jcupitt/libvips/issues/893
+---
+ ChangeLog | 1 +
+ libvips/foreign/foreign.c | 25 +++++++++++++++++++------
+ libvips/include/vips/foreign.h | 5 +++++
+ 3 files changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 68f646540..08aaab8c2 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,6 @@
++12/2/18 started 8.6.3
++- fix a crash if a delayed load failed [gsharpsh00ter]
++
+ 8/12/16 started 8.4.5
+ - allow libgsf-1.14.26 to help centos, thanks tdiprima
+
+diff --git a/libvips/foreign/foreign.c b/libvips/foreign/foreign.c
+index 35ad2be52..fb03fd746 100644
+--- a/libvips/foreign/foreign.c
++++ b/libvips/foreign/foreign.c
+@@ -14,6 +14,8 @@
+ * - forward progress signals from load
+ * 23/5/16
+ * - remove max-alpha stuff, this is now automatic
++ * 5/3/18
++ * - block _start if one start fails, see #893
+ */
+
+ /*
+@@ -761,6 +763,11 @@ vips_foreign_load_start( VipsImage *out, void *a, void *b )
+ VipsForeignLoad *load = VIPS_FOREIGN_LOAD( b );
+ VipsForeignLoadClass *class = VIPS_FOREIGN_LOAD_GET_CLASS( load );
+
++ /* If this start has failed before in another thread, we can fail now.
++ */
++ if( load->error )
++ return( NULL );
++
+ if( !load->real ) {
+ if( !(load->real = vips_foreign_load_temp( load )) )
+ return( NULL );
+@@ -777,19 +784,25 @@ vips_foreign_load_start( VipsImage *out,
+ */
+ load->real->progress_signal = load->out;
+
+- if( class->load( load ) ||
+- vips_image_pio_input( load->real ) )
+- return( NULL );
+-
+- /* ->header() read the header into @out, load has read the
++ /* Load the image and check the result.
++ *
++ * ->header() read the header into @out, load has read the
+ * image into @real. They must match exactly in size, bands,
+ * format and coding for the copy to work.
+ *
+ * Some versions of ImageMagick give different results between
+ * Ping and Load for some formats, for example.
++ *
++ * If the load fails, we need to stop
+ */
+- if( !vips_foreign_load_iscompat( load->real, out ) )
++ if( class->load( load ) ||
++ vips_image_pio_input( load->real ) ||
++ !vips_foreign_load_iscompat( load->real, out ) ) {
++ vips_operation_invalidate( VIPS_OPERATION( load ) );
++ load->error = TRUE;
++
+ return( NULL );
++ }
+
+ /* We have to tell vips that out depends on real. We've set
+ * the demand hint below, but not given an input there.
+diff --git a/libvips/include/vips/foreign.h b/libvips/include/vips/foreign.h
+index 47e285e37..dcbf21c82 100644
+--- a/libvips/include/vips/foreign.h
++++ b/libvips/include/vips/foreign.h
+@@ -149,6 +149,11 @@ typedef struct _VipsForeignLoad {
+ /* Set this to tag the operation as nocache.
+ */
+ gboolean nocache;
++
++ /* Set if a start function fails. We want to prevent the other starts
++ * from also triggering the load.
++ */
++ gboolean error;
+ } VipsForeignLoad;
+
+ typedef struct _VipsForeignLoadClass {
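Review bot: The new `load->error` flag, written as `load->error = TRUE;` on the failed-load path and read by the early `if( load->error ) return( NULL );` at the top of vips_foreign_load_start, is a plain gboolean shared between the very threads the description says can race; unless start functions are serialized by a lock outside this hunk, that read/write pair is an unsynchronized data race, and a comment on the field naming the lock that protects it — e.g. `/* Written and read only under the image start lock — confirm */` — would make the invariant reviewable. The early return also reports no error of its own, so a second thread fails with whatever the error buffer currently holds; if the first failure's message can have been cleared by then, a `vips_error()` call there would keep the failure diagnosable. Appending `gboolean error` to the public `VipsForeignLoad` struct in foreign.h changes the size and field offsets of every subclass, so for a stable update it is worth confirming that no out-of-tree loader built against the old header exists in stretch, or saying so in the changelog. vips_foreign_load_start's body continues outside the hunk.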
diff -Nru vips-8.4.5/debian/patches/series vips-8.4.5/debian/patches/series
--- vips-8.4.5/debian/patches/series 2016-08-18 21:23:54.000000000 +0200
+++ vips-8.4.5/debian/patches/series 2019-01-18 19:15:36.000000000 +0100
@@ -1 +1,3 @@
reproducible-build.patch
+fix_a_crash_with_delayed_load.patch
+zero_memory_on_malloc.patch
diff -Nru vips-8.4.5/debian/patches/zero_memory_on_malloc.patch vips-8.4.5/debian/patches/zero_memory_on_malloc.patch
--- vips-8.4.5/debian/patches/zero_memory_on_malloc.patch 1970-01-01 01:00:00.000000000 +0100
+++ vips-8.4.5/debian/patches/zero_memory_on_malloc.patch 2019-01-18 19:15:36.000000000 +0100
@@ -0,0 +1,49 @@
+From 00622428bda8d7521db8d74260b519fa41d69d0a Mon Sep 17 00:00:00 2001
+From: John Cupitt <jcupitt@gmail.com>
+Date: Fri, 18 Jan 2019 10:10:43 +0000
+Subject: [PATCH] zero memory on malloc
+
+to prevent write of uninit memory under some error conditions
+
+thanks Balint
+---
+ ChangeLog | 5 ++++-
+ libvips/iofuncs/memory.c | 4 ++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index e80313a8d..057adf95d 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,9 @@
++4/1/19 started 8.7.4
++- magicksave with magick6 API did not chain exceptions correctly causing a
++ memory leak under some conditions [kleisauke]
++- zero memory on allocate to prevent write of uninitialized memory under some
++ error conditions [Balint Varga-Perke]
++
+ 12/2/18 started 8.6.3
+ - fix a crash if a delayed load failed [gsharpsh00ter]
+
+diff --git a/libvips/iofuncs/memory.c b/libvips/iofuncs/memory.c
+index d877e2e0f..9f9b55f83 100644
+--- a/libvips/iofuncs/memory.c
++++ b/libvips/iofuncs/memory.c
+@@ -164,7 +164,7 @@ vips_malloc( VipsObject *object, size_t size )
+ {
+ void *buf;
+
+- buf = g_malloc( size );
++ buf = g_malloc0( size );
+
+ if( object ) {
+ g_signal_connect( object, "postclose",
+@@ -302,7 +302,7 @@ vips_tracked_malloc( size_t size )
+ */
+ size += 16;
+
+- if( !(buf = g_try_malloc( size )) ) {
++ if( !(buf = g_try_malloc0( size )) ) {
+ #ifdef DEBUG
+ g_assert_not_reached();
+ #endif /*DEBUG*/
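Review bot: Switching to `g_malloc0( size )` makes the previously uninitialized contents deterministic but does not remove the error path that hands back a partly written buffer (the description only says "some error conditions"), so the zero-fill is load-bearing and easy to undo in a later performance cleanup; a comment at the new call such as `/* Zero-fill: some error paths return buffers that were only partly written (CVE-2019-6976) */` would record why it must stay. The same applies to the `g_try_malloc0( size )` line in vips_tracked_malloc. Separately, the `size += 16;` immediately above that call has no wrap check, so a size_t close to SIZE_MAX wraps to a tiny allocation that the caller believes is large; a guard like `if( size > SIZE_MAX - 16 ) return( NULL );` before it would close that, provided NULL matches the failure return the existing error branch uses. Both vips_malloc and vips_tracked_malloc continue outside their hunks, so the surrounding error handling is not visible here.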