Bug#939908: marked as done (buster-pu: libsixel/1.8.2-1+deb10u1)



Your message dated Thu, 19 Sep 2019 09:36:44 +0900
with message-id <20190919093644.92a54ad232740a215ed66a0f@daionet.gr.jp>
and subject line Done: buster-pu: libsixel/1.8.2-1+deb10u1
has caused the Debian Bug report #939908,
regarding buster-pu: libsixel/1.8.2-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
939908: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939908
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: patch security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

The patch fixes:
CVE-2018-19756
CVE-2018-19757
CVE-2018-19759
CVE-2018-19761
CVE-2018-19762
CVE-2018-19763
CVE-2019-3573
CVE-2019-3574
diff --git a/debian/changelog b/debian/changelog
index b00aee0..bcffff3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+libsixel (1.8.2-1+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756
+  * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757
+  * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759
+  * d/patches/0004-position-error-check.patch: fix CVE-2018-19761
+  * d/patches/0005-size-check.patch: fix CVE-2018-19762
+  * d/patches/0006-prevent-to-access-heap-overflow.patch: fix CVE-2018-19763
+  * d/patches/0007-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573
+  * d/patches/0008-check-number-of-repeat_count.patch: fix CVE-2019-3574
+
+ -- NOKUBI Takatsugu <knok@daionet.gr.jp>  Mon, 09 Sep 2019 12:42:52 +0900
+
 libsixel (1.8.2-1) unstable; urgency=medium
 
   * New upstream, security fix (closes: #903858)
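
Review bot: the new changelog entry sets the distribution to buster-security and says "Non-maintainer upload by the Security Team", but the request is filed against release.debian.org as buster-pu, which is a stable proposed update. For that route the distribution field should be buster, and the Security Team line should be dropped unless that team is actually making the upload. Each bullet names a patch file and a CVE only; a short phrase per bullet on the kind of defect fixed would let the release team review the entry without opening every patch.
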
diff --git a/debian/patches/0001-Add-malloc-size-check.patch b/debian/patches/0001-Add-malloc-size-check.patch
new file mode 100644
index 0000000..b53305f
--- /dev/null
+++ b/debian/patches/0001-Add-malloc-size-check.patch
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 13:46:11 +0900
+Subject: Add malloc size check
+
+---
+ src/allocator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/allocator.c b/src/allocator.c
+index b9b2d02..bb0c009 100644
+--- a/src/allocator.c
++++ b/src/allocator.c
+@@ -147,6 +147,11 @@ sixel_allocator_malloc(
+     assert(allocator);
+     assert(allocator->fn_malloc);
+ 
++    if (n == 0) {
++        sixel_helper_set_additional_message(
++            "sixel_allocator_malloc: called with n == 0");
++        return NULL;
++    }
+     return allocator->fn_malloc(n);
+ }
+ 
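
Review bot: the new n == 0 branch in sixel_allocator_malloc returns NULL, which callers can only tell apart from an out-of-memory failure through the additional message. The patch description is empty: it should say that zero-size requests are now an error by design, how a zero size is reached for CVE-2018-19756, and carry an Origin or Bug reference to the upstream change. If the allocator has other entry points that take a size, they need the same decision; this hunk touches only malloc.
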
diff --git a/debian/patches/0002-assign-default-error-message.patch b/debian/patches/0002-assign-default-error-message.patch
new file mode 100644
index 0000000..c7d4687
--- /dev/null
+++ b/debian/patches/0002-assign-default-error-message.patch
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Tue, 23 Jul 2019 17:12:43 +0900
+Subject: assign default error message
+
+---
+ src/stb_image.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/stb_image.h b/src/stb_image.h
+index 2673809..09ebbd5 100644
+--- a/src/stb_image.h
++++ b/src/stb_image.h
+@@ -845,6 +845,8 @@ static const char *stbi__g_failure_reason;
+ 
+ STBIDEF const char *stbi_failure_reason(void)
+ {
++   if (stbi__g_failure_reason == NULL)
++      stbi__g_failure_reason = "unknwon error, refer error message before assignment";
+    return stbi__g_failure_reason;
+ }
+ 
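
Review bot: stbi_failure_reason() now writes to the global stbi__g_failure_reason as a side effect of reading it, and the fallback text is misspelled ("unknwon"). Returning the fallback without assigning keeps the getter free of side effects, for example `return stbi__g_failure_reason ? stbi__g_failure_reason : "unknown error";`. The description should also state how the NULL return leads to CVE-2018-19757, since the hunk alone does not show the caller.
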
diff --git a/debian/patches/0003-add-limitation-to-width-and-height.patch b/debian/patches/0003-add-limitation-to-width-and-height.patch
new file mode 100644
index 0000000..63528b8
--- /dev/null
+++ b/debian/patches/0003-add-limitation-to-width-and-height.patch
@@ -0,0 +1,39 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Thu, 1 Aug 2019 14:59:58 +0900
+Subject: add limitation to width and height
+
+---
+ include/sixel.h.in | 3 +++
+ src/decoder.c      | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/include/sixel.h.in b/include/sixel.h.in
+index 7ffe90f..4365c67 100644
+--- a/include/sixel.h.in
++++ b/include/sixel.h.in
+@@ -366,6 +366,9 @@ typedef int SIXELSTATUS;
+ #define SIXEL_OPTFLAG_VERSION           ('V')  /* -V, --version: show version and license info */
+ #define SIXEL_OPTFLAG_HELP              ('H')  /* -H, --help: show this help */
+ 
++#define SIXEL_WIDTH_LIMIT               1000000
++#define SIXEL_HEIGHT_LIMIT              1000000
++
+ #if SIXEL_USE_DEPRECATED_SYMBOLS
+ /* output character size */
+ enum characterSize {
+diff --git a/src/decoder.c b/src/decoder.c
+index 63ab4af..c763e4d 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -315,6 +315,11 @@ sixel_decoder_decode(
+         goto end;
+     }
+ 
++    if (sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT) {
++        status = SIXEL_BAD_INPUT;
++        goto end;
++    }
++
+     status = sixel_helper_write_image_file(indexed_pixels, sx, sy, palette,
+                                            SIXEL_PIXELFORMAT_PAL8,
+                                            decoder->output,
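
Review bot: in the decoder.c part the limit test sits directly before sixel_helper_write_image_file(), so it runs only after the input has been decoded into indexed_pixels; oversized dimensions are rejected at output time, not before the decoder allocates for them. The two limits are also tested independently: 1000000 x 1000000 is 10^12 pixels, so a width/height pair can pass while the product is far beyond what a 32-bit multiplication can hold. Consider bounding the product as well and applying the check where the dimensions are first known. Separately, SIXEL_WIDTH_LIMIT and SIXEL_HEIGHT_LIMIT are added to include/sixel.h.in, the public header template, which makes them visible API in a stable update; say so in the description or keep them in an internal header.
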
diff --git a/debian/patches/0004-position-error-check.patch b/debian/patches/0004-position-error-check.patch
new file mode 100644
index 0000000..126d3d7
--- /dev/null
+++ b/debian/patches/0004-position-error-check.patch
@@ -0,0 +1,23 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Thu, 25 Jul 2019 16:19:59 +0900
+Subject: position error check
+
+---
+ src/fromsixel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 7d8390a..1d86858 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -572,6 +572,10 @@ sixel_decode_raw_impl(
+                         image->ncolors = context->color_index;
+                     }
+ 
++                    if (context->pos_x < 0 || context->pos_y < 0) {
++                        status = SIXEL_BAD_INPUT;
++                        goto end;
++                    }
+                     bits = *p - '?';
+ 
+                     if (bits == 0) {
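
Review bot: the pos_x/pos_y test in sixel_decode_raw_impl catches a negative position only at the moment a sixel data character is about to be processed; the hunk neither shows nor guards the arithmetic that made the value negative, and there is no matching upper bound here. If the negative value comes from signed overflow when the position is advanced, the check depends on behaviour that is undefined in C, so the validation belongs at the update site, before the addition. The empty description should explain how CVE-2018-19761 is reached.
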
diff --git a/debian/patches/0005-size-check.patch b/debian/patches/0005-size-check.patch
new file mode 100644
index 0000000..ad00ce5
--- /dev/null
+++ b/debian/patches/0005-size-check.patch
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 12:20:58 +0900
+Subject: size check
+
+---
+ src/fromsixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 1d86858..8cc8ce0 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -290,7 +290,7 @@ image_buffer_resize(
+ 
+     size = (size_t)(width * height);
+     alt_buffer = (unsigned char *)sixel_allocator_malloc(allocator, size);
+-    if (alt_buffer == NULL) {
++    if (alt_buffer == NULL || size == 0) {
+         /* free source image */
+         sixel_allocator_free(allocator, image->data);
+         image->data = NULL;
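
Review bot: the added size == 0 test in image_buffer_resize is evaluated after sixel_allocator_malloc() has already been called with that size, and with 0001 applied that call returns NULL for n == 0, so the new condition is redundant as written. The context line `size = (size_t)(width * height);` multiplies before the cast; if width and height are int, an overflowing product can wrap to a small nonzero value that a zero test does not catch. Validate that width and height are positive and that the product cannot overflow before computing size, and test size before calling the allocator.
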
diff --git a/debian/patches/0006-prevent-to-access-heap-overflow.patch b/debian/patches/0006-prevent-to-access-heap-overflow.patch
new file mode 100644
index 0000000..d117429
--- /dev/null
+++ b/debian/patches/0006-prevent-to-access-heap-overflow.patch
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Wed, 24 Jul 2019 15:12:49 +0900
+Subject: prevent to access heap overflow
+
+---
+ src/fromsixel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 8cc8ce0..f451c80 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -888,7 +888,10 @@ sixel_decode_raw(
+     }
+ 
+     *ncolors = image.ncolors + 1;
+-    *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(*ncolors * 3));
++    int alloc_size = *ncolors;
++    if (alloc_size < 256) // memory access range should be 0 <= 255 (in write_png_to_file)
++        alloc_size = 256;
++    *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(alloc_size * 3));
+     if (palette == NULL) {
+         sixel_allocator_free(allocator, image.data);
+         sixel_helper_set_additional_message(
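
Review bot: the unchanged check right after the new allocation reads `if (palette == NULL)`, which tests the caller's out-pointer and not the allocation result; it should be `*palette == NULL`, otherwise a failed sixel_allocator_malloc() goes unnoticed and the padded buffer is never verified. On the added lines, the allocation is raised to 256 entries but the entries from *ncolors up to 255 are left as the allocator returned them; if write_png_to_file reads them, zero-fill the tail. `alloc_size * 3` is still computed in int before the cast to size_t, and the mid-block declaration with a // comment departs from the /* */ style visible in the other hunks.
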
diff --git a/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch b/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch
new file mode 100644
index 0000000..23dfbba
--- /dev/null
+++ b/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch
@@ -0,0 +1,26 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:33:15 +0900
+Subject: check error for jpeg_read_scanlines
+
+---
+ src/loader.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/loader.c b/src/loader.c
+index cb1e61f..823571d 100644
+--- a/src/loader.c
++++ b/src/loader.c
+@@ -195,7 +195,12 @@ load_jpeg(unsigned char **result,
+ 
+     while (cinfo.output_scanline < cinfo.output_height) {
+         jpeg_read_scanlines(&cinfo, buffer, 1);
+-        memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
++        if (cinfo.err->num_warnings > 0) {
++            sixel_helper_set_additional_message(
++                "jpeg_read_scanlines: error/warining occuered.");
++            status = SIXEL_BAD_INPUT;
++            goto end;
++        }        memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
+     }
+ 
+     status = SIXEL_OK;
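
Review bot: the new test in load_jpeg treats any nonzero cinfo.err->num_warnings as fatal, so input that decodes with a warning is now rejected with SIXEL_BAD_INPUT, while the return value of jpeg_read_scanlines() itself is still ignored and the memcpy still indexes with output_scanline - 1 on the assumption that one line was read. State in the description that rejecting on warnings is intended, and check the return value as well. Formatting: the closing brace of the new if block and the memcpy() call share one line ("}        memcpy(..."), and the message string has typos ("warining occuered"); split the line and fix the text.
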
diff --git a/debian/patches/0008-check-number-of-repeat_count.patch b/debian/patches/0008-check-number-of-repeat_count.patch
new file mode 100644
index 0000000..bde6e5f
--- /dev/null
+++ b/debian/patches/0008-check-number-of-repeat_count.patch
@@ -0,0 +1,24 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:37:02 +0900
+Subject: check number of repeat_count
+
+---
+ src/fromsixel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index f451c80..bc7dfbe 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -733,6 +733,11 @@ sixel_decode_raw_impl(
+                 if (context->repeat_count == 0) {
+                     context->repeat_count = 1;
+                 }
++                if (context->repeat_count > 0x7fff) { /* check too huge number
++*/
++                    status = SIXEL_BAD_INPUT;
++                    goto end;
++                }
+                 context->state = PS_DECSIXEL;
+                 context->param = 0;
+                 context->nparams = 0;
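
Review bot: the line "*/" that closes the comment on the repeat_count check has no "+" marker of its own inside 0008-check-number-of-repeat_count.patch, so the inner hunk carries four added lines while its header (@@ -733,6 +733,11 @@) and the diffstat announce five. It looks like the long line was wrapped on the way into the patch file, and the patch may not apply as stored; put the comment on one line and regenerate it. 0x7fff is also a bare magic number: a named constant, in the manner of SIXEL_WIDTH_LIMIT from 0003, with a note on why this bound was chosen, would make the limit reviewable.
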
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..113b98e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,8 @@
+0001-Add-malloc-size-check.patch
+0002-assign-default-error-message.patch
+0003-add-limitation-to-width-and-height.patch
+0004-position-error-check.patch
+0005-size-check.patch
+0006-prevent-to-access-heap-overflow.patch
+0007-check-error-for-jpeg_read_scanlines.patch
+0008-check-number-of-repeat_count.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org

I'll submit again, more appropriately.

--- End Message ---
