Bug#928213: stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: fixed 917807 0.99.beta19-2+deb8u1
This is a rebuild of the buster package (migrated three weeks ago)
which contains the following change:
* Cherry-Pick fixes from upstream git repository:
- CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
CVE-2018-20549 (Closes: #917807)
Effectively the same changes (but with somewhat different patches)
are already in jessie-lts since January (I checked by diffing the trees
with patches applied).
The type change from unsigned int to size_t in some structs might be an
ABI/API break on 64-bit architectures, but there has neither been a
transition in sid nor have any bugs been reported for jessie, buster or
sid.
The following packages might be affected in stretch:
# Depends:
ffmpeg: libavdevice57
gst-plugins-good1.0: gstreamer1.0-plugins-good
libsdl1.2: libsdl1.2-dev
libsdl1.2debian
minbif: minbif
mplayer: mplayer
mplayer-gui
toilet: toilet
vlc: vlc-plugin-video-output
xine-lib-1.2: libxine2-console
xine-ui: xine-console
# Build-Depends:
diffoscope: caca-utils
ffmpeg: libcaca-dev
gst-plugins-good1.0: libcaca-dev
libsdl1.2: libcaca-dev
minbif: libcaca-dev
mplayer: libcaca-dev
toilet: libcaca-dev (>= 0.99.beta18)
vlc: libcaca-dev (>= 0.99.beta4)
xine-lib-1.2: libcaca-dev
xine-ui: libcaca-dev
I primarily noticed (and want to fix) the version ordering violation
between jessie-lts (0.99.beta19-2+deb8u1) and stretch (0.99.beta19-2);
I have no clue about or any interest in libcaca itself.
Andreas
diff -Nru libcaca-0.99.beta19/debian/changelog libcaca-0.99.beta19/debian/changelog
--- libcaca-0.99.beta19/debian/changelog 2014-06-02 22:39:11.000000000 +0200
+++ libcaca-0.99.beta19/debian/changelog 2019-04-29 23:17:44.000000000 +0200
@@ -1,3 +1,19 @@
+libcaca (0.99.beta19-2.1~deb9u1) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for stretch.
+
+ -- Andreas Beckmann <anbe@debian.org> Mon, 29 Apr 2019 23:17:44 +0200
+
+libcaca (0.99.beta19-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Cherry-Pick fixes from upstream git repository:
+ - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
+ CVE-2018-20549 (Closes: #917807)
+
+ -- Tobias Frost <tobi@debian.org> Sat, 06 Apr 2019 22:18:41 +0200
+
libcaca (0.99.beta19-2) unstable; urgency=medium
* debian/patches/100_doxygen.diff: remove deprecated Doxygen variables.
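Review bot: the 0.99.beta19-2.1 entry names CVE-2018-20545 through CVE-2018-20549 only, yet this debdiff also ships debian/patches/CVE-2018-20544.patch, whose header reads "Fixes: #36 (CVE-2018-20544)". Add CVE-2018-20544 to the changelog so the fix is recorded. The 2.1~deb9u1 entry says only "Rebuild for stretch."; repeating the CVE list there would make the stretch entry self-explanatory for anyone reading it without the unstable history.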
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch 2019-04-06 21:36:52.000000000 +0200
@@ -0,0 +1,45 @@
+From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Sat, 29 Dec 2018 22:13:56 +0100
+Subject: [PATCH] dither: fix integer overflows that were causing a division by
+ zero.
+
+Fixes: #36 (CVE-2018-20544)
+---
+ caca/dither.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index 04b678e0..c6ebab1b 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
+ /* First get RGB */
+ if(d->antialias)
+ {
+- fromx = (x - x1) * w / deltax;
+- fromy = (y - y1) * h / deltay;
+- tox = (x - x1 + 1) * w / deltax;
+- toy = (y - y1 + 1) * h / deltay;
++ fromx = (uint64_t)(x - x1) * w / deltax;
++ fromy = (uint64_t)(y - y1) * h / deltay;
++ tox = (uint64_t)(x - x1 + 1) * w / deltax;
++ toy = (uint64_t)(y - y1 + 1) * h / deltay;
+
+ /* We want at least one pixel */
+ if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
+ }
+ else
+ {
+- fromx = (x - x1) * w / deltax;
+- fromy = (y - y1) * h / deltay;
+- tox = (x - x1 + 1) * w / deltax;
+- toy = (y - y1 + 1) * h / deltay;
++ fromx = (uint64_t)(x - x1) * w / deltax;
++ fromy = (uint64_t)(y - y1) * h / deltay;
++ tox = (uint64_t)(x - x1 + 1) * w / deltax;
++ toy = (uint64_t)(y - y1 + 1) * h / deltay;
+
+ /* tox and toy can overflow the canvas, but they cannot overflow
+ * when averaged with fromx and fromy because these are guaranteed
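Review bot: in both branches the new (uint64_t) cast is applied to (x - x1) and (y - y1), so the widened multiplication is only correct while those differences, and w and h (declared int in the caca_dither_bitmap signature), are non-negative; a negative value converted to uint64_t becomes a very large number before the division. Neither hunk adds an explicit range check on w, h, deltax or deltay, and the types of fromx, fromy, tox and toy that receive the 64-bit quotient are not visible here. Please confirm that the enclosing loops guarantee x >= x1 and y >= y1 and that non-positive w and h are rejected earlier in the function. As a style point, the four assignments are identical in the antialias and else branches and could be computed once before the if.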
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch 2019-04-06 22:08:34.000000000 +0200
@@ -0,0 +1,34 @@
+Description: img2txt: fix an integer overflow in the BMP loader.
+Origin: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Forwarded: not-needed
+Applied-Upstream: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Last-Update: 2019-04-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common-image.h
++++ b/src/common-image.h
+@@ -1,19 +1,19 @@
+ /*
+ * Imaging tools for cacaview and img2irc
+- * Copyright (c) 2003-2012 Sam Hocevar <sam@hocevar.net>
+- * All Rights Reserved
++ * Copyright (c) 2003-2018 Sam Hocevar <sam@hocevar.net>
++ * All Rights Reserved
+ *
+ * This program is free software. It comes without any warranty, to
+ * the extent permitted by applicable law. You can redistribute it
+ * and/or modify it under the terms of the Do What the Fuck You Want
+- * to Public License, Version 2, as published by Sam Hocevar. See
+- * http://www.wtfpl.net/ for more details.
++ * to Public License, Version 2, as published by the WTFPL Task Force.
++ * See http://www.wtfpl.net/ for more details.
+ */
+
+ struct image
+ {
+ char *pixels;
+- unsigned int w, h;
++ size_t w, h;
+ struct caca_dither *dither;
+ void *priv;
+ };
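Review bot: changing "unsigned int w, h" to "size_t w, h" in struct image only widens the fields where size_t is wider than unsigned int; on 32-bit architectures both are 32 bits, so a product of w and h can still wrap there. This patch touches only src/common-image.h and contains no bounds check in the loader itself, even though the Description says it fixes an overflow in the BMP loader. Please verify that the loader rejects oversized dimensions on 32-bit builds, or carry that check in this patch. The copyright and licence comment edits in the same hunk are unrelated to the fix and could be dropped to keep the stable update minimal. The DEP-3 header would also benefit from a Bug-Debian field pointing at #917807, since the CVE numbers appear only in the file name.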
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch 2019-04-06 21:39:32.000000000 +0200
@@ -0,0 +1,36 @@
+From 02a09ec9e5ed8981e7a810bfb6a0172dc24f0790 Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Sun, 30 Dec 2018 13:18:27 +0100
+Subject: [PATCH] dither: fix integer multiplication overflow that caused
+ crashes.
+
+Fixes: #38 (CVE-2018-20546)
+Fixes: #39 (CVE-2018-20547)
+---
+ caca/dither.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index c6ebab1b..b2e24e55 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -6,8 +6,8 @@
+ * This library is free software. It comes without any warranty, to
+ * the extent permitted by applicable law. You can redistribute it
+ * and/or modify it under the terms of the Do What the Fuck You Want
+- * to Public License, Version 2, as published by Sam Hocevar. See
+- * http://www.wtfpl.net/ for more details.
++ * to Public License, Version 2, as published by the WTFPL Task Force.
++ * See http://www.wtfpl.net/ for more details.
+ */
+
+ /*
+@@ -116,7 +116,7 @@ enum color_mode
+ struct caca_dither
+ {
+ int bpp, has_palette, has_alpha;
+- int w, h, pitch;
++ size_t w, h, pitch;
+ int rmask, gmask, bmask, amask;
+ int rright, gright, bright, aright;
+ int rleft, gleft, bleft, aleft;
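Review bot: "int w, h, pitch" becoming "size_t w, h, pitch" in struct caca_dither changes signedness as well as width, so any expression in dither.c that mixes these fields with int values is now evaluated in unsigned arithmetic, and a negative value stored into them becomes very large instead of staying negative. The patch changes only the declaration; please check the places that assign and compare w, h and pitch for negative inputs and signed/unsigned comparisons. As with the struct image change, size_t is 32 bits on 32-bit architectures, so the multiplication overflow named in the subject is not prevented there by this change alone. On the ABI question raised in the request: the struct is defined in caca/dither.c rather than in a header in this hunk, which suggests the layout is internal, but that is worth stating explicitly in the patch description. The first hunk is licence comment churn unrelated to the fix.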
diff -Nru libcaca-0.99.beta19/debian/patches/series libcaca-0.99.beta19/debian/patches/series
--- libcaca-0.99.beta19/debian/patches/series 2014-05-16 21:30:34.000000000 +0200
+++ libcaca-0.99.beta19/debian/patches/series 2019-04-06 21:46:52.000000000 +0200
@@ -1,2 +1,5 @@
100_doxygen.diff
200_glut_header.diff
+CVE-2018-20544.patch
+CVE-2018-20545+20547+20549.patch
+CVE-2018-20546+20547.patch
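Review bot: the three patches added to the series are named for CVE-2018-20544, 20545, 20546, 20547 and 20549, but no file name mentions CVE-2018-20548, which the changelog lists as fixed. If one of these patches covers it, say so in that patch's DEP-3 header or rename the file; if not, either add the missing fix or remove CVE-2018-20548 from the changelog entry.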