[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#928213: marked as done (stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1)

Your message dated Sat, 07 Sep 2019 14:37:11 +0100
with message-id <17351b82f829eb6917f78885cb849c4060b0a4a6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 9.10 point release
has caused the Debian Bug report #928213,
regarding stretch-pu: package libcaca/0.99.beta19-2.1~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
928213: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928213
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: fixed 917807 0.99.beta19-2+deb8u1

This is a rebuild of the buster package (migrated three weeks ago)
which contains the following change:

  * Cherry-Pick fixes from upstream git repository:
    - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
      CVE-2018-20549 (Closes: #917807)

Effectively the same changes (but with somewhat different patches)
are already in jessie-lts since January (I checked by diffing the trees
with patches applied).

The type change from unsigned int to size_t in some structs might be an
ABI/API break on 64-bit architectures, but there has neither been a
transition in sid nor have any bugs been reported for jessie, buster or
sid.

The following packages might be affected in stretch:

# Depends:
ffmpeg: libavdevice57
gst-plugins-good1.0: gstreamer1.0-plugins-good
libsdl1.2: libsdl1.2-dev
           libsdl1.2debian
minbif: minbif
mplayer: mplayer
         mplayer-gui
toilet: toilet
vlc: vlc-plugin-video-output
xine-lib-1.2: libxine2-console
xine-ui: xine-console

# Build-Depends:
diffoscope: caca-utils
ffmpeg: libcaca-dev
gst-plugins-good1.0: libcaca-dev
libsdl1.2: libcaca-dev
minbif: libcaca-dev
mplayer: libcaca-dev
toilet: libcaca-dev (>= 0.99.beta18)
vlc: libcaca-dev (>= 0.99.beta4)
xine-lib-1.2: libcaca-dev
xine-ui: libcaca-dev


I primarily noticed (and want to fix) the version ordering violation
between jessie-lts (0.99.beta19-2+deb8u1) and stretch (0.99.beta19-2),
I have no clue about or any interest in libcaca itself.


Andreas

diff -Nru libcaca-0.99.beta19/debian/changelog libcaca-0.99.beta19/debian/changelog
--- libcaca-0.99.beta19/debian/changelog	2014-06-02 22:39:11.000000000 +0200
+++ libcaca-0.99.beta19/debian/changelog	2019-04-29 23:17:44.000000000 +0200
@@ -1,3 +1,19 @@
+libcaca (0.99.beta19-2.1~deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for stretch.
+
+ -- Andreas Beckmann <anbe@debian.org>  Mon, 29 Apr 2019 23:17:44 +0200
+
+libcaca (0.99.beta19-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Cherry-Pick fixes from upstream git repository:
+    - CVE-2018-20545, CVE-2018-20546, CVE-2018-20547,CVE-2018-20548 and
+      CVE-2018-20549 (Closes: #917807)
+
+ -- Tobias Frost <tobi@debian.org>  Sat, 06 Apr 2019 22:18:41 +0200
+
 libcaca (0.99.beta19-2) unstable; urgency=medium
 
   * debian/patches/100_doxygen.diff: remove deprecated Doxygen variables.
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20544.patch	2019-04-06 21:36:52.000000000 +0200
@@ -0,0 +1,45 @@
+From 84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Sat, 29 Dec 2018 22:13:56 +0100
+Subject: [PATCH] dither: fix integer overflows that were causing a division by
+ zero.
+
+Fixes: #36 (CVE-2018-20544)
+---
+ caca/dither.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index 04b678e0..c6ebab1b 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
+         /* First get RGB */
+         if(d->antialias)
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
++            fromx = (uint64_t)(x - x1) * w / deltax;
++            fromy = (uint64_t)(y - y1) * h / deltay;
++            tox = (uint64_t)(x - x1 + 1) * w / deltax;
++            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* We want at least one pixel */
+             if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv, int x, int y, int w, int h,
+         }
+         else
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
++            fromx = (uint64_t)(x - x1) * w / deltax;
++            fromy = (uint64_t)(y - y1) * h / deltay;
++            tox = (uint64_t)(x - x1 + 1) * w / deltax;
++            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* tox and toy can overflow the canvas, but they cannot overflow
+              * when averaged with fromx and fromy because these are guaranteed
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20545+20547+20549.patch	2019-04-06 22:08:34.000000000 +0200
@@ -0,0 +1,34 @@
+Description: img2txt: fix an integer overflow in the BMP loader.
+Origin: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Forwarded: not-needed
+Applied-Upstream: https://github.com/cacalabs/libcaca/commit/3e52dabe3e64dc50f4422effe364a1457a8a8592
+Last-Update: 2019-04-06
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/common-image.h
++++ b/src/common-image.h
+@@ -1,19 +1,19 @@
+ /*
+  *  Imaging tools for cacaview and img2irc
+- *  Copyright (c) 2003-2012 Sam Hocevar <sam@hocevar.net>
+- *                All Rights Reserved
++ *  Copyright (c) 2003-2018 Sam Hocevar <sam@hocevar.net>
++ *              All Rights Reserved
+  *
+  *  This program is free software. It comes without any warranty, to
+  *  the extent permitted by applicable law. You can redistribute it
+  *  and/or modify it under the terms of the Do What the Fuck You Want
+- *  to Public License, Version 2, as published by Sam Hocevar. See
+- *  http://www.wtfpl.net/ for more details.
++ *  to Public License, Version 2, as published by the WTFPL Task Force.
++ *  See http://www.wtfpl.net/ for more details.
+  */
+ 
+ struct image
+ {
+     char *pixels;
+-    unsigned int w, h;
++    size_t w, h;
+     struct caca_dither *dither;
+     void *priv;
+ };
diff -Nru libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch
--- libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcaca-0.99.beta19/debian/patches/CVE-2018-20546+20547.patch	2019-04-06 21:39:32.000000000 +0200
@@ -0,0 +1,36 @@
+From 02a09ec9e5ed8981e7a810bfb6a0172dc24f0790 Mon Sep 17 00:00:00 2001
+From: Sam Hocevar <sam@hocevar.net>
+Date: Sun, 30 Dec 2018 13:18:27 +0100
+Subject: [PATCH] dither: fix integer multiplication overflow that caused
+ crashes.
+
+Fixes: #38 (CVE-2018-20546)
+Fixes: #39 (CVE-2018-20547)
+---
+ caca/dither.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/caca/dither.c b/caca/dither.c
+index c6ebab1b..b2e24e55 100644
+--- a/caca/dither.c
++++ b/caca/dither.c
+@@ -6,8 +6,8 @@
+  *  This library is free software. It comes without any warranty, to
+  *  the extent permitted by applicable law. You can redistribute it
+  *  and/or modify it under the terms of the Do What the Fuck You Want
+- *  to Public License, Version 2, as published by Sam Hocevar. See
+- *  http://www.wtfpl.net/ for more details.
++ *  to Public License, Version 2, as published by the WTFPL Task Force.
++ *  See http://www.wtfpl.net/ for more details.
+  */
+ 
+ /*
+@@ -116,7 +116,7 @@ enum color_mode
+ struct caca_dither
+ {
+     int bpp, has_palette, has_alpha;
+-    int w, h, pitch;
++    size_t w, h, pitch;
+     int rmask, gmask, bmask, amask;
+     int rright, gright, bright, aright;
+     int rleft, gleft, bleft, aleft;
diff -Nru libcaca-0.99.beta19/debian/patches/series libcaca-0.99.beta19/debian/patches/series
--- libcaca-0.99.beta19/debian/patches/series	2014-05-16 21:30:34.000000000 +0200
+++ libcaca-0.99.beta19/debian/patches/series	2019-04-06 21:46:52.000000000 +0200
@@ -1,2 +1,5 @@
 100_doxygen.diff
 200_glut_header.diff
+CVE-2018-20544.patch
+CVE-2018-20545+20547+20549.patch
+CVE-2018-20546+20547.patch

--- End Message ---
--- Begin Message --- 
Version: 9.10

Hi,

The fixes referenced by each of these bugs were included in today's
stretch point release (9.10).

Regards,

Adam

--- End Message ---
Reply to: