Control: tags -1 confirmed moreinfo

On 2021-06-03 23:36:47 +0200, Håvard Flaget Aasen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: haavard_aasen@yahoo.no
>
> Please unblock package htmldoc
>
> This release adds patches to fix 8 CVEs and closes: #989437.
>
> There are two things which are not needed in this release,
> though the changes are not related to the code. I added the file
> 'debian/gbp.conf' since I changed the repository layout. I also fixed a
> minor error in the previous changelog entry, adding a missing '#' in a
> 'close bug' statement.
>
> [ Reason ]
> CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
> CVE-2021-23206, CVE-2021-26252, CVE-2021-26259 and CVE-2021-26948
>
> [ Impact ]
>
> [ Tests ]
> I have manually tested CVE-2021-23158, CVE-2021-23165, CVE-2021-23180,
> CVE-2021-23206 and CVE-2021-26252.
> The issues in GitHub provided files that failed before the fix was
> applied and succeeded with this release.
>
> [ Risks ]
> I consider this to be of minor risk. Code is coming from upstream, which
> also has released a new version with the changes.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> unblock htmldoc/1.9.11-4

ACK, please remove the moreinfo tag once the new version is available in unstable.

Cheers

>
> Regards,
> Håvard

> diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
> --- htmldoc-1.9.11/debian/changelog 2021-05-10 16:10:41.000000000 +0200
> +++ htmldoc-1.9.11/debian/changelog 2021-06-03 21:29:16.000000000 +0200
> @@ -1,7 +1,16 @@ > +htmldoc (1.9.11-4) unstable; urgency=medium > + > + * Add patches to fix many CVE's. Closes: #989437 > + Fix: CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191, > + CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948. > + * Switch to DEP-14 layout > + > + -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Thu, 03 Jun 2021 21:29:16 +0200 > + > htmldoc (1.9.11-3) unstable; urgency=medium > > * Add patch to mitigate buffer-overflow caused by integer-overflow in > - image_load_gif() Closes: 984765 and fixes CVE-2021-20308 > + image_load_gif() Closes: #984765 and fixes CVE-2021-20308 > > -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Mon, 10 May 2021 16:10:41 +0200 > > diff -Nru htmldoc-1.9.11/debian/gbp.conf htmldoc-1.9.11/debian/gbp.conf > --- htmldoc-1.9.11/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/gbp.conf 2021-05-23 08:32:55.000000000 +0200 > @@ -0,0 +1,3 @@ > +[DEFAULT] > +debian-branch = debian/latest > +upstream-branch = upstream/latest > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,128 @@ > +From: Michael R Sweet <michael.r.sweet@gmail.com> > +Date: Thu, 1 Apr 2021 09:37:58 -0400 > +Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252 > + > +Fix JPEG error handling (Issue #415) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc > +Bug: https://github.com/michaelrsweet/htmldoc/issues/412 > +Bug: https://github.com/michaelrsweet/htmldoc/issues/414 > +Bug: https://github.com/michaelrsweet/htmldoc/issues/415 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/file.c | 9 ++++++++- > + htmldoc/image.cxx | 38 +++++++++++++++++++++++++++++++------- > + htmldoc/ps-pdf.cxx | 5 +++++ > + 3 files changed, 44 insertions(+), 8 deletions(-) > + > +diff --git a/htmldoc/file.c b/htmldoc/file.c > +index 20229c1..9f017de 100644 > +--- a/htmldoc/file.c > ++++ b/htmldoc/file.c > +@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename) /* I - Filename */ > + > + > + for (i = web_files, wc = web_cache; i > 0; i --, wc ++) > ++ { > + if (!strcmp(wc->name, filename)) > +- return (wc->url); > ++ { > ++ if (!strncmp(wc->url, "data:", 5)) > ++ return ("data URL"); > ++ else > ++ return (wc->url); > ++ } > ++ } > + > + return (filename); > + } > +diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx > +index 8f53050..74abfac 100644 > +--- a/htmldoc/image.cxx > ++++ b/htmldoc/image.cxx > +@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img, /* I - Image pointer */ > + } > + > + > ++typedef struct hd_jpeg_err_s // JPEG error manager extension > ++{ > ++ struct jpeg_error_mgr jerr; // JPEG error manager information > ++ jmp_buf retbuf; // setjmp() return buffer > ++ char message[JMSG_LENGTH_MAX]; > ++ // Last error message > ++} hd_jpeg_err_t; > ++ > ++ > + /* > + * 'image_load_jpeg()' - Load a JPEG image file. 
> + */ > +@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img, /* I - Image pointer */ > + int load_data)/* I - 1 = load image data, 0 = just info */ > + { > + struct jpeg_decompress_struct cinfo; /* Decompressor info */ > +- struct jpeg_error_mgr jerr; /* Error handler info */ > +- JSAMPROW row; /* Sample row pointer */ > ++ hd_jpeg_err_t jerr; // JPEG error handler > ++JSAMPROW row; /* Sample row pointer */ > + > + > +- jpeg_std_error(&jerr); > +- jerr.error_exit = jpeg_error_handler; > ++ jpeg_std_error(&jerr.jerr); > ++ jerr.jerr.error_exit = jpeg_error_handler; > + > +- cinfo.err = &jerr; > ++ if (setjmp(jerr.retbuf)) > ++ { > ++ progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message, file_rlookup(img->filename)); > ++ jpeg_destroy_decompress(&cinfo); > ++ return (-1); > ++ } > ++ > ++ cinfo.err = (struct jpeg_error_mgr *)&jerr; > + jpeg_create_decompress(&cinfo); > + jpeg_stdio_src(&cinfo, fp); > + jpeg_read_header(&cinfo, (boolean)1); > +@@ -1797,9 +1813,17 @@ image_unload(image_t *img) // I - Image > + */ > + > + static void > +-jpeg_error_handler(j_common_ptr) > ++jpeg_error_handler(j_common_ptr p) // Common JPEG data > + { > +- return; > ++ hd_jpeg_err_t *jerr = (hd_jpeg_err_t *)p->err; > ++ // JPEG error handler > ++ > ++ > ++ // Save the error message in the string buffer... > ++ (jerr->jerr.format_message)(p, jerr->message); > ++ > ++ // Return to the point we called setjmp()... 
> ++ longjmp(jerr->retbuf, 1); > + } > + > + > +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx > +index af1a55e..499f487 100644 > +--- a/htmldoc/ps-pdf.cxx > ++++ b/htmldoc/ps-pdf.cxx > +@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page) /* I - Page number */ > + > + > + DEBUG_printf(("pspdf_prepare_page(%d)\n", page)); > ++ if (page < 0 || page >= num_pages) > ++ return; > + > + /* > + * Make a page number; use roman numerals for the table of contents > +@@ -12258,6 +12260,9 @@ write_trailer(FILE *out, /* I - Output file */ > + > + for (j = 1; j <= TocDocCount; j ++) > + { > ++ if (chapter_starts[j] < 0) > ++ continue; > ++ > + page = pages + chapter_starts[j]; > + start = chapter_starts[j] - chapter_starts[1] + 1; > + type = 'D'; > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,26 @@ > +From: Michael R Sweet <michael.r.sweet@gmail.com> > +Date: Thu, 1 Apr 2021 09:47:56 -0400 > +Subject: CVE-2021-23165 > + > +Fix a number-up crash bug (Issue #413) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6e8a95561988500b5b5ae4861b3b0cbf4fba517f > +Bug: https://github.com/michaelrsweet/htmldoc/issues/413 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/ps-pdf.cxx | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx > +index 8804df4..7fbc345 100644 > +--- a/htmldoc/ps-pdf.cxx > ++++ b/htmldoc/ps-pdf.cxx > +@@ -1318,7 +1318,7 @@ pspdf_prepare_outpages() > + chapter_outstarts[c] = num_outpages; > + > + for (i = chapter_starts[c], j = 0, nup = -1, page = pages + i; > +- i <= chapter_ends[c]; > ++ i <= chapter_ends[c] && num_outpages < num_pages; > + i ++, page ++) > + { > + if (nup != page->nup) > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,35 @@ > +From: Michael R Sweet <msweet@msweet.org> > +Date: Tue, 26 Jan 2021 08:02:32 -0500 > +Subject: CVE-2021-23180 > + > +Fix a crash bug with malformed URIs (Issue #418) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a > +Bug: https://github.com/michaelrsweet/htmldoc/issues/418 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/file.c | 4 +++- > + 1 file changed, 3 insertions(+), 1 deletion(-) > + > +diff --git a/htmldoc/file.c b/htmldoc/file.c > +index 9f017de..eee89af 100644 > +--- a/htmldoc/file.c > ++++ b/htmldoc/file.c > +@@ -304,6 +304,7 @@ const char * /* O - File extension */ > + file_extension(const char *s) /* I - Filename or URL */ > + { > + const char *extension; /* Pointer to directory separator */ > ++ char *bufptr; /* Pointer into buffer */ > + static char buf[1024]; /* Buffer for files with targets */ > + > + > +@@ -334,7 +335,8 @@ file_extension(const char *s) /* I - Filename or URL */ > + > + strlcpy(buf, extension, sizeof(buf)); > + > +- *(char *)strchr(buf, '#') = '\0'; > ++ if ((bufptr = strchr(buf, '#')) != NULL) > ++ *bufptr = '\0'; > + > + return (buf); > + } > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,61 @@ > +From: Michael R Sweet <michael.r.sweet@gmail.com> > +Date: Thu, 1 Apr 2021 08:21:57 -0400 > +Subject: CVE-2021-23206 > + > +Fix crash bugs with bogus table attributes (Issue #416) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8 > +Bug: https://github.com/michaelrsweet/htmldoc/issues/416 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/ps-pdf.cxx | 16 +++++++++++++--- > + 1 file changed, 13 insertions(+), 3 deletions(-) > + > +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx > +index 499f487..bb8a5b9 100644 > +--- a/htmldoc/ps-pdf.cxx > ++++ b/htmldoc/ps-pdf.cxx > +@@ -5735,7 +5735,7 @@ render_table_row(hdtable_t &table, > + if ((var = htmlGetVariable(cells[row][col], (uchar *)"ROWSPAN")) != NULL) > + table.row_spans[col] = atoi((char *)var); > + > +- if (table.row_spans[col] == 1) > ++ if (table.row_spans[col] <= 1) > + table.row_spans[col] = 0; > + > + if (table.row_spans[col] > (table.num_rows - row)) > +@@ -6555,7 +6555,12 @@ parse_table(tree_t *t, // I - Tree to parse > + { > + // Handle colspan and rowspan stuff... 
> + if ((var = htmlGetVariable(tempcol, (uchar *)"COLSPAN")) != NULL) > +- colspan = atoi((char *)var); > ++ { > ++ if ((colspan = atoi((char *)var)) < 1) > ++ colspan = 1; > ++ else if (colspan > (MAX_COLUMNS - col)) > ++ colspan = MAX_COLUMNS - col; > ++ } > + else > + colspan = 1; > + > +@@ -6563,7 +6568,7 @@ parse_table(tree_t *t, // I - Tree to parse > + { > + table.row_spans[col] = atoi((char *)var); > + > +- if (table.row_spans[col] == 1) > ++ if (table.row_spans[col] <= 1) > + table.row_spans[col] = 0; > + > + for (tcol = 1; tcol < colspan; tcol ++) > +@@ -6585,6 +6590,11 @@ parse_table(tree_t *t, // I - Tree to parse > + { > + col_width -= 2.0 * table.cellpadding; > + } > ++ > ++ if (col_width <= 0.0f) > ++ col_width = 0.0f; > ++ else if (col_width > PageWidth) > ++ col_width = PageWidth; > + } > + else > + col_width = 0.0f; > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,71 @@ > +From: Michael R Sweet <michael.r.sweet@gmail.com> > +Date: Thu, 1 Apr 2021 08:14:29 -0400 > +Subject: CVE-2021-26259 > + > +Fix a crash bug with bogus table attributes (Issue #417) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5 > +Bug: https://github.com/michaelrsweet/htmldoc/issues/417 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++---- > + 1 file changed, 19 insertions(+), 4 deletions(-) > + > +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx > +index bb8a5b9..8804df4 100644 > +--- a/htmldoc/ps-pdf.cxx > ++++ b/htmldoc/ps-pdf.cxx > +@@ -6379,6 +6379,9 @@ parse_table(tree_t *t, // I - Tree to parse > + table_width = (float)(atof((char *)var) * (right - left) / 100.0f); > + else > + table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth); > ++ > ++ if (table_width < 0.0f || table_width > PagePrintWidth) > ++ table_width = right - left; > + } > + else > + table_width = right - left; > +@@ -6396,19 +6399,31 @@ parse_table(tree_t *t, // I - Tree to parse > + DEBUG_printf(("table_width = %.1f\n", table_width)); > + > + if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL) > +- table.cellpadding = atoi((char *)var); > ++ { > ++ if ((table.cellpadding = atoi((char *)var)) < 0.0f) > ++ table.cellpadding = 0.0f; > ++ else if (table.cellpadding > 20.0f) > ++ table.cellpadding = 20.0f; > ++ } > + else > + table.cellpadding = 1.0f; > + > + if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL) > +- cellspacing = atoi((char *)var); > ++ { > ++ if ((cellspacing = atoi((char *)var)) < 0.0f) > ++ cellspacing = 0.0f; > ++ else if (cellspacing > 20.0f) > ++ cellspacing = 20.0f; > ++ } > + else > + cellspacing = 0.0f; > + > + if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL) > + { > +- if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0') > ++ if ((table.border = 
(float)atof((char *)var)) <= 0.0 && var[0] != '0') > + table.border = 1.0f; > ++ else if (table.border > 20.0f) > ++ table.border = 20.0f; > + > + table.cellpadding += table.border; > + } > +@@ -6438,7 +6453,7 @@ parse_table(tree_t *t, // I - Tree to parse > + > + table.border_size = table.border - 1.0f; > + > +- cellspacing *= PagePrintWidth / _htmlBrowserWidth; > ++ cellspacing *= PagePrintWidth / _htmlBrowserWidth; > + table.cellpadding *= PagePrintWidth / _htmlBrowserWidth; > + table.border *= PagePrintWidth / _htmlBrowserWidth; > + table.border_size *= PagePrintWidth / _htmlBrowserWidth; > diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch > --- htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 1970-01-01 01:00:00.000000000 +0100 > +++ htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 2021-06-03 21:29:16.000000000 +0200 
> @@ -0,0 +1,65 @@ > +From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no> > +Date: Thu, 3 Jun 2021 21:15:52 +0200 > +Subject: CVE-2021-26948 > + > +Fix crash bug with data: URIs (Issue #410) > + > +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2 > +Bug: https://github.com/michaelrsweet/htmldoc/issues/410 > +Bug-Debian: https://bugs.debian.org/989437 > +--- > + htmldoc/file.c | 10 +++++++++- > + 1 file changed, 9 insertions(+), 1 deletion(-) > + > +diff --git a/htmldoc/file.c b/htmldoc/file.c > +index eee89af..9a5f3e2 100644 > +--- a/htmldoc/file.c > ++++ b/htmldoc/file.c > +@@ -624,11 +624,13 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */ > + */ > + > + for (i = 0; i < (int)web_files; i ++) > ++ { > + if (strcmp(s, web_cache[i].name) == 0) > + { > + DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s)); > + return (s); > + } > ++ } > + > + DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files)); > + > +@@ -637,11 +639,14 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */ > + */ > + > + if (strchr(s, '%') == NULL) > ++ { > + strlcpy(basename, s, sizeof(basename)); > ++ } > + else > + { > + for (sptr = s, temp = basename; > + *sptr && temp < (basename + sizeof(basename) - 1);) > ++ { > + if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2])) > + { > + /* > +@@ -664,6 +669,7 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */ > + } > + else > + *temp++ = *sptr++; > ++ } > + > + *temp = '\0'; > + } > +@@ -918,7 +924,9 @@ file_localize(const char *filename, /* I - Filename */ > + const char * /* O - Method string ("http", "ftp", etc.) 
*/ > + file_method(const char *s) /* I - Filename or URL */ > + { > +- if (strncmp(s, "http:", 5) == 0) > ++ if (strncmp(s, "data:", 5) == 0) > ++ return ("data"); > ++ else if (strncmp(s, "http:", 5) == 0) > + return ("http"); > + else if (strncmp(s, "https:", 6) == 0) > + return ("https"); > diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series > --- htmldoc-1.9.11/debian/patches/series 2021-05-10 16:10:41.000000000 +0200 > +++ htmldoc-1.9.11/debian/patches/series 2021-06-03 21:29:16.000000000 +0200 > @@ -6,3 +6,9 @@ > disable_libz.patch > remove-os-check.patch > Fix-crash-bug-with-bad-GIFs-Issue-423.patch > +CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch > +CVE-2021-23165.patch > +CVE-2021-23180.patch > +CVE-2021-23206.patch > +CVE-2021-26259.patch > +CVE-2021-26948.patch -- Sebastian Ramacher
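Review bot: In the image_load_jpeg() hunk of CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch, the setjmp() recovery block calls jpeg_destroy_decompress() and returns -1, but anything the function allocates after the setjmp() (for example pixel storage when load_data is set) is not released on that path; either confirm that callers discard a partially initialised img on -1 or move that cleanup into the recovery block. The `cinfo.err = (struct jpeg_error_mgr *)&jerr;` cast is only valid because `jerr` is the first member of hd_jpeg_err_t; a one-line comment on the struct saying the member order is load-bearing would stop a later reorder from silently breaking the cast. The ordering in the hunk is otherwise sound: error_exit is installed before setjmp(), and cinfo.err is assigned only after it, so no libjpeg call can reach the handler before the jump target exists.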
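Review bot: The file_rlookup() hunk returns the literal "data URL" instead of the cached URL for data: scheme entries, which keeps arbitrarily long base64 payloads out of progress_error() messages; that is the right direction, and the same truncation would be worth applying to other over-long URLs so a single hostile img src cannot flood the log. Callers must treat the return value as read-only, which they already had to for wc->url, so no caller change is implied.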
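Review bot: In the ps-pdf.cxx hunks of the same patch, pspdf_prepare_page() now returns silently when `page < 0 || page >= num_pages`; a DEBUG_printf() or progress_error() at that point would make a document that lost pages diagnosable instead of quietly incomplete. The write_trailer() hunk guards only `chapter_starts[j] < 0` before computing `pages + chapter_starts[j]`; if chapter_starts[] can also exceed num_pages, the symmetric upper-bound check belongs in the same `if`.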
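Review bot: In CVE-2021-23165.patch the added `&& num_outpages < num_pages` loop condition stops pspdf_prepare_outpages() from running past the page array, but it treats the symptom: when chapter_ends[c] points beyond the last page the output is silently truncated. Logging when the loop exits on the new bound rather than on `i <= chapter_ends[c]` would surface the malformed input instead of hiding it.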
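Review bot: The CVE-2021-23180.patch hunk correctly replaces the unchecked `*(char *)strchr(buf, '#') = '\0'` with a NULL-tested `bufptr`; since `buf` is a 1024-byte static filled by strlcpy(), file_extension() remains non-reentrant and returns a pointer into shared storage, which is pre-existing but deserves a comment next to the declaration so callers do not cache the result across calls.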
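Review bot: In the parse_table() COLSPAN hunk of CVE-2021-23206.patch, the clamp `colspan = MAX_COLUMNS - col` yields 0 when `col == MAX_COLUMNS`; unless `col < MAX_COLUMNS` is guaranteed before this point, clamp to at least 1 so that any later advance by colspan still makes progress. The `== 1` to `<= 1` change on ROWSPAN in both hunks correctly folds zero and negative values into "no span", and the col_width clamp to [0, PageWidth] closes the negative-padding case; both look complete.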
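Review bot: In CVE-2021-26259.patch the CELLPADDING and CELLSPACING hunks still parse with atoi(), whose result is undefined for values outside the int range, so the new clamps to [0, 20] run only after that undefined step; strtol() with an explicit range check (or clamping the long before the float conversion) would close the gap, and the same applies to the atoi()/atof() calls in the TABLE WIDTH hunk. Comparing an atoi() result against `0.0f` mixes int and float; going through an int temporary would make the intent plainer. The `cellspacing *= PagePrintWidth / _htmlBrowserWidth;` change is whitespace-only and can be dropped to keep the diff minimal.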
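Review bot: In CVE-2021-26948.patch the only behavioural change is file_method() recognising the data: scheme; the file_find() hunks add braces without altering control flow, so the description "Fix crash bug with data: URIs" would be clearer if it named the code path that crashed. The From: header names the Debian maintainer while Origin: points at an upstream commit; if this is a rewritten backport, `Origin: backport, <url>` is the DEP-3 form that says so.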
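Review bot: The index lines imply a different application order than debian/patches/series: CVE-2021-23165.patch carries `index 8804df4..7fbc345`, and its base blob 8804df4 is the output of CVE-2021-26259.patch (`index bb8a5b9..8804df4`), yet series applies CVE-2021-23165.patch second. patch and quilt ignore index lines, and the hunk's context in pspdf_prepare_outpages() (around line 1318) is untouched by the intervening patches, so the series applies cleanly; regenerating the patches in series order would remove the inconsistency for the next person to read them.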