
Bug#940685: marked as done (buster-pu: libsixel/1.8.2-1+deb10u1)



Your message dated Sat, 16 Nov 2019 10:08:47 +0000
with message-id <83c9ffab6f08361485f70dda4733a7a24aeec09b.camel@adam-barratt.org.uk>
and subject line Closing bugs for 10.2 point release fixes
has caused the Debian Bug report #940685,
regarding buster-pu: libsixel/1.8.2-1+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
940685: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=940685
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: patch security buster
User: release.debian.org@packages.debian.org
Usertags: pu

I'll upload a new version of libsixel for buster.
It contains many security fixes reported by #931311.

The fixed package for unstable has already been uploaded.
This is just a backport, but almost the same.

diff -Nru libsixel-1.8.2/debian/changelog libsixel-1.8.2/debian/changelog
--- libsixel-1.8.2/debian/changelog	2018-07-23 16:29:35.000000000 +0900
+++ libsixel-1.8.2/debian/changelog	2019-09-09 12:42:52.000000000 +0900
@@ -1,3 +1,17 @@
+libsixel (1.8.2-1+deb10u1) buster; urgency=high
+
+  * d/patches/0001-Add-malloc-size-check.patch: fix CVE-2018-19756
+  * d/patches/0002-assign-default-error-message.patch: fix CVE-2018-19757
+  * d/patches/0003-add-limitation-to-width-and-height.patch: fix CVE-2018-19759
+  * d/patches/0004-position-error-check.patch: fix CVE-2018-19761
+  * d/patches/0005-size-check.patch: fix CVE-2018-19762
+  * d/patches/0006-prevent-to-access-heap-overflow.patch: fix CVE-2018-19763
+  * d/patches/0007-check-error-for-jpeg_read_scanlines.patch: fix CVE-2019-3573
+  * d/patches/0008-check-number-of-repeat_count.patch: fix CVE-2019-3574
+  * security fix, closes: #931311
+
+ -- NOKUBI Takatsugu <knok@daionet.gr.jp>  Mon, 09 Sep 2019 12:42:52 +0900
+
 libsixel (1.8.2-1) unstable; urgency=medium
 
   * New upstream, security fix (closes: #903858)
diff -Nru libsixel-1.8.2/debian/patches/0001-Add-malloc-size-check.patch libsixel-1.8.2/debian/patches/0001-Add-malloc-size-check.patch
--- libsixel-1.8.2/debian/patches/0001-Add-malloc-size-check.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0001-Add-malloc-size-check.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 13:46:11 +0900
+Subject: Add malloc size check
+
+---
+ src/allocator.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/allocator.c b/src/allocator.c
+index b9b2d02..bb0c009 100644
+--- a/src/allocator.c
++++ b/src/allocator.c
+@@ -147,6 +147,11 @@ sixel_allocator_malloc(
+     assert(allocator);
+     assert(allocator->fn_malloc);
+ 
++    if (n == 0) {
++        sixel_helper_set_additional_message(
++            "sixel_allocator_malloc: called with n == 0");
++        return NULL;
++    }
+     return allocator->fn_malloc(n);
+ }
+ 
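Review bot: the new guard in sixel_allocator_malloc rejects only n == 0; every other value, including a very large n from an overflowed size computation in a caller, still goes straight to allocator->fn_malloc(n). Consider adding an upper bound in the same place so callers do not each need their own check. The patch header also has an empty description and does not name CVE-2018-19756; one line saying which call path passed zero would help later backports.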
diff -Nru libsixel-1.8.2/debian/patches/0002-assign-default-error-message.patch libsixel-1.8.2/debian/patches/0002-assign-default-error-message.patch
--- libsixel-1.8.2/debian/patches/0002-assign-default-error-message.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0002-assign-default-error-message.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Tue, 23 Jul 2019 17:12:43 +0900
+Subject: assign default error message
+
+---
+ src/stb_image.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/stb_image.h b/src/stb_image.h
+index 2673809..09ebbd5 100644
+--- a/src/stb_image.h
++++ b/src/stb_image.h
+@@ -845,6 +845,8 @@ static const char *stbi__g_failure_reason;
+ 
+ STBIDEF const char *stbi_failure_reason(void)
+ {
++   if (stbi__g_failure_reason == NULL)
++      stbi__g_failure_reason = "unknwon error, refer error message before assignment";
+    return stbi__g_failure_reason;
+ }
+ 
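Review bot: the fallback in stbi_failure_reason stores the placeholder into the global stbi__g_failure_reason instead of just returning it, so the accessor now has a side effect and the global is no longer NULL after the first call. Returning the literal directly when the global is NULL keeps the getter read-only. The string also needs correcting: "unknwon" should be "unknown", and "refer error message before assignment" does not tell the user where to look.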
diff -Nru libsixel-1.8.2/debian/patches/0003-add-limitation-to-width-and-height.patch libsixel-1.8.2/debian/patches/0003-add-limitation-to-width-and-height.patch
--- libsixel-1.8.2/debian/patches/0003-add-limitation-to-width-and-height.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0003-add-limitation-to-width-and-height.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,39 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Thu, 1 Aug 2019 14:59:58 +0900
+Subject: add limitation to width and height
+
+---
+ include/sixel.h.in | 3 +++
+ src/decoder.c      | 5 +++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/include/sixel.h.in b/include/sixel.h.in
+index 7ffe90f..4365c67 100644
+--- a/include/sixel.h.in
++++ b/include/sixel.h.in
+@@ -366,6 +366,9 @@ typedef int SIXELSTATUS;
+ #define SIXEL_OPTFLAG_VERSION           ('V')  /* -V, --version: show version and license info */
+ #define SIXEL_OPTFLAG_HELP              ('H')  /* -H, --help: show this help */
+ 
++#define SIXEL_WIDTH_LIMIT               1000000
++#define SIXEL_HEIGHT_LIMIT              1000000
++
+ #if SIXEL_USE_DEPRECATED_SYMBOLS
+ /* output character size */
+ enum characterSize {
+diff --git a/src/decoder.c b/src/decoder.c
+index 63ab4af..c763e4d 100644
+--- a/src/decoder.c
++++ b/src/decoder.c
+@@ -315,6 +315,11 @@ sixel_decoder_decode(
+         goto end;
+     }
+ 
++    if (sx > SIXEL_WIDTH_LIMIT || sy > SIXEL_HEIGHT_LIMIT) {
++        status = SIXEL_BAD_INPUT;
++        goto end;
++    }
++
+     status = sixel_helper_write_image_file(indexed_pixels, sx, sy, palette,
+                                            SIXEL_PIXELFORMAT_PAL8,
+                                            decoder->output,
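Review bot: the dimension check in sixel_decoder_decode sits immediately before sixel_helper_write_image_file, where indexed_pixels already exists, so it prevents the write but does not bound whatever was allocated to produce sx and sy. Enforcing the limits where the dimensions are parsed would reject oversized input before memory is committed. SIXEL_WIDTH_LIMIT and SIXEL_HEIGHT_LIMIT of 1000000 each still permit a product of 10^12, far beyond a 32-bit int, so a check on the product, computed in a wide type, is needed in addition to the per-axis limits. The error path also sets no additional message.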
diff -Nru libsixel-1.8.2/debian/patches/0004-position-error-check.patch libsixel-1.8.2/debian/patches/0004-position-error-check.patch
--- libsixel-1.8.2/debian/patches/0004-position-error-check.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0004-position-error-check.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,23 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Thu, 25 Jul 2019 16:19:59 +0900
+Subject: position error check
+
+---
+ src/fromsixel.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 7d8390a..1d86858 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -572,6 +572,10 @@ sixel_decode_raw_impl(
+                         image->ncolors = context->color_index;
+                     }
+ 
++                    if (context->pos_x < 0 || context->pos_y < 0) {
++                        status = SIXEL_BAD_INPUT;
++                        goto end;
++                    }
+                     bits = *p - '?';
+ 
+                     if (bits == 0) {
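Review bot: the new test in sixel_decode_raw_impl covers only context->pos_x < 0 and context->pos_y < 0, and it runs where the sixel character is consumed rather than where the position is changed. Nothing in this hunk bounds the position from above, so please confirm the upper bound is enforced elsewhere or add it here. The hunk does not show how the values become negative; rejecting them at the point of update would be the more robust fix. The error path sets status = SIXEL_BAD_INPUT without a sixel_helper_set_additional_message call, unlike patch 0001, which makes the rejection hard to diagnose.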
diff -Nru libsixel-1.8.2/debian/patches/0005-size-check.patch libsixel-1.8.2/debian/patches/0005-size-check.patch
--- libsixel-1.8.2/debian/patches/0005-size-check.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0005-size-check.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,21 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Mon, 8 Jul 2019 12:20:58 +0900
+Subject: size check
+
+---
+ src/fromsixel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 1d86858..8cc8ce0 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -290,7 +290,7 @@ image_buffer_resize(
+ 
+     size = (size_t)(width * height);
+     alt_buffer = (unsigned char *)sixel_allocator_malloc(allocator, size);
+-    if (alt_buffer == NULL) {
++    if (alt_buffer == NULL || size == 0) {
+         /* free source image */
+         sixel_allocator_free(allocator, image->data);
+         image->data = NULL;
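Review bot: in image_buffer_resize the size == 0 test is evaluated after sixel_allocator_malloc has already been called, and the product is formed as width * height before the cast to size_t, so an overflow in the multiplication is not caught by this change. Cast each operand first, (size_t)width * (size_t)height, and reject a zero or overflowed size before allocating. With patch 0001 applied the allocator already returns NULL for n == 0, which makes the added clause redundant in this series; if it is kept for allocators that return a non-NULL pointer for zero bytes, check that alt_buffer is freed on this path.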
diff -Nru libsixel-1.8.2/debian/patches/0006-prevent-to-access-heap-overflow.patch libsixel-1.8.2/debian/patches/0006-prevent-to-access-heap-overflow.patch
--- libsixel-1.8.2/debian/patches/0006-prevent-to-access-heap-overflow.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0006-prevent-to-access-heap-overflow.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,24 @@
+From: Takatsugu Nokubi <takatsugu.nokubi@robotfund.co.jp>
+Date: Wed, 24 Jul 2019 15:12:49 +0900
+Subject: prevent to access heap overflow
+
+---
+ src/fromsixel.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index 8cc8ce0..f451c80 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -888,7 +888,10 @@ sixel_decode_raw(
+     }
+ 
+     *ncolors = image.ncolors + 1;
+-    *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(*ncolors * 3));
++    int alloc_size = *ncolors;
++    if (alloc_size < 256) // memory access range should be 0 <= 255 (in write_png_to_file)
++        alloc_size = 256;
++    *palette = (unsigned char *)sixel_allocator_malloc(allocator, (size_t)(alloc_size * 3));
+     if (palette == NULL) {
+         sixel_allocator_free(allocator, image.data);
+         sixel_helper_set_additional_message(
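Review bot: the unchanged context line if (palette == NULL) tests the out-parameter, which was already dereferenced on the line above, instead of *palette, so a failed allocation is never detected here; it should read if (*palette == NULL). On the change itself, padding the allocation to 256 entries works around the read range in write_png_to_file named in the comment rather than fixing the reader, and the entries beyond *ncolors are not initialised in this hunk. alloc_size * 3 is still an int multiplication before the cast, and the // comment differs from the /* */ style visible elsewhere in this file.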
diff -Nru libsixel-1.8.2/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch libsixel-1.8.2/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch
--- libsixel-1.8.2/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0007-check-error-for-jpeg_read_scanlines.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,26 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:33:15 +0900
+Subject: check error for jpeg_read_scanlines
+
+---
+ src/loader.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/loader.c b/src/loader.c
+index cb1e61f..823571d 100644
+--- a/src/loader.c
++++ b/src/loader.c
+@@ -195,7 +195,12 @@ load_jpeg(unsigned char **result,
+ 
+     while (cinfo.output_scanline < cinfo.output_height) {
+         jpeg_read_scanlines(&cinfo, buffer, 1);
+-        memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
++        if (cinfo.err->num_warnings > 0) {
++            sixel_helper_set_additional_message(
++                "jpeg_read_scanlines: error/warining occuered.");
++            status = SIXEL_BAD_INPUT;
++            goto end;
++        }        memcpy(*result + (cinfo.output_scanline - 1) * row_stride, buffer[0], row_stride);
+     }
+ 
+     status = SIXEL_OK;
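Review bot: the added check in load_jpeg treats any cinfo.err->num_warnings > 0 as fatal while the return value of jpeg_read_scanlines is still ignored, so an image libjpeg could recover from is now rejected, and a call that reads no line without raising a warning still reaches memcpy with cinfo.output_scanline - 1. Consider checking that the call returned 1 and deciding explicitly whether warnings should abort. The closing brace of the new block and the memcpy share one line, which should be split, and the message "error/warining occuered" should read "error/warning occurred".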
diff -Nru libsixel-1.8.2/debian/patches/0008-check-number-of-repeat_count.patch libsixel-1.8.2/debian/patches/0008-check-number-of-repeat_count.patch
--- libsixel-1.8.2/debian/patches/0008-check-number-of-repeat_count.patch	1970-01-01 09:00:00.000000000 +0900
+++ libsixel-1.8.2/debian/patches/0008-check-number-of-repeat_count.patch	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,24 @@
+From: NOKUBI Takatsugu <knok@daionet.gr.jp>
+Date: Fri, 30 Aug 2019 11:37:02 +0900
+Subject: check number of repeat_count
+
+---
+ src/fromsixel.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fromsixel.c b/src/fromsixel.c
+index f451c80..bc7dfbe 100644
+--- a/src/fromsixel.c
++++ b/src/fromsixel.c
+@@ -733,6 +733,11 @@ sixel_decode_raw_impl(
+                 if (context->repeat_count == 0) {
+                     context->repeat_count = 1;
+                 }
++                if (context->repeat_count > 0x7fff) { /* check too huge number
++*/
++                    status = SIXEL_BAD_INPUT;
++                    goto end;
++                }
+                 context->state = PS_DECSIXEL;
+                 context->param = 0;
+                 context->nparams = 0;
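Review bot: the bound on context->repeat_count is the bare constant 0x7fff, which has no stated relation to SIXEL_WIDTH_LIMIT (1000000) introduced in patch 0003, so a repeat count can be rejected while the resulting width would still be within the width limit. Define a named macro next to the other limits in sixel.h.in and document why this value was chosen. The comment is split across two lines with the closing */ at column 0 and should be joined, and the error path sets no additional message. If repeat_count is signed, a negative value passes both the == 0 test and this comparison.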
diff -Nru libsixel-1.8.2/debian/patches/series libsixel-1.8.2/debian/patches/series
--- libsixel-1.8.2/debian/patches/series	2018-07-11 16:35:05.000000000 +0900
+++ libsixel-1.8.2/debian/patches/series	2019-09-09 12:42:52.000000000 +0900
@@ -0,0 +1,8 @@
+0001-Add-malloc-size-check.patch
+0002-assign-default-error-message.patch
+0003-add-limitation-to-width-and-height.patch
+0004-position-error-check.patch
+0005-size-check.patch
+0006-prevent-to-access-heap-overflow.patch
+0007-check-error-for-jpeg_read_scanlines.patch
+0008-check-number-of-repeat_count.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.2

Hi,

The fixes referenced by these bugs were included in today's 10.2 stable
point release.

Regards,

Adam

--- End Message ---
