Bug#929855: unblock: libheif/1.3.2-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package libheif to address CVE-2019-11471, aka #928210 in Debian/buster.
unblock libheif/1.3.2-2
debdiff follows:
diff --git a/debian/changelog b/debian/changelog
index 9452979..23246df 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+libheif (1.3.2-2) unstable; urgency=medium
+
+ * Team Upload
+
+ [ Dylan Aïssi ]
+ * Add patch to fix CVE-2019-11471, Closes: #928210
+
+ -- Reinhard Tartler <siretart@tauware.de> Sat, 01 Jun 2019 17:56:05 -0400
+
libheif (1.3.2-1) unstable; urgency=medium
* Imported Upstream version 1.3.2
diff --git a/debian/patches/CVE-2019-11471.patch b/debian/patches/CVE-2019-11471.patch
new file mode 100644
index 0000000..767bb45
--- /dev/null
+++ b/debian/patches/CVE-2019-11471.patch
@@ -0,0 +1,60 @@
+Author: Joachim Bauch <bauch at struktur.de>
+Description: Fix CVE-2019-11471
+ Detect and handle recursive image references.
+ Detect non-existing referenced alpha images.
+ Detect non-existing referenced depth images.
+Origin: upstream, https://github.com/strukturag/libheif/commit/e89fbbe0705a4b8e755f148fd4c4c84007295d16
+ https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
+ https://github.com/strukturag/libheif/commit/5a9b7f7564e158c6339f6d78a77de23720b15afd
+Bug: https://github.com/strukturag/libheif/issues/123
+ https://github.com/strukturag/libheif/issues/125
+Bug-Debian: https://bugs.debian.org/928210
+
+--- a/libheif/heif_context.cc
++++ b/libheif/heif_context.cc
+@@ -520,6 +520,11 @@
+ "Thumbnail references another thumbnail");
+ }
+
++ if (image.get() == master_iter->second.get()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Recursive thumbnail image detected");
++ }
+ master_iter->second->add_thumbnail(image);
+
+ remove_top_level_image(image);
+@@ -566,6 +571,16 @@
+ image->set_is_alpha_channel_of(refs[0]);
+
+ auto master_iter = m_all_images.find(refs[0]);
++ if (master_iter == m_all_images.end()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Non-existing alpha image referenced");
++ }
++ if (image.get() == master_iter->second.get()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Recursive alpha image detected");
++ }
+ master_iter->second->set_alpha_channel(image);
+ }
+
+@@ -576,6 +591,16 @@
+ image->set_is_depth_channel_of(refs[0]);
+
+ auto master_iter = m_all_images.find(refs[0]);
++ if (master_iter == m_all_images.end()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Non-existing depth image referenced");
++ }
++ if (image.get() == master_iter->second.get()) {
++ return Error(heif_error_Invalid_input,
++ heif_suberror_Nonexisting_item_referenced,
++ "Recursive depth image detected");
++ }
+ master_iter->second->set_depth_channel(image);
+
+ auto subtypes = auxC_property->get_subtypes();
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..acd8abf
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2019-11471.patch
-- System Information:
Debian Release: 10.0
APT prefers testing
APT policy: (500, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Reply to: