Control: tags -1 confirmed moreinfo
On 2021-06-03 23:36:47 +0200, Håvard Flaget Aasen wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: haavard_aasen@yahoo.no
>
> Please unblock package htmldoc
>
> This release adds patches to fix 8 CVE's and closes: #989437.
>
> There are two things which is not needed in this release.
> Though the changes is not related to the code. I added the file
> 'debian/gbp.conf' since I changed the repository layout. I also fixed a
> minor error in the previous changelog entry, added a missing '#' in a
> 'close bug' statement.
>
> [ Reason ]
> CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
> CVE-2021-23206, CVE-2021-26252, CVE-2021-26259 and CVE-2021-26948
>
> [ Impact ]
>
> [ Tests ]
> I have manually tested CVE-2021-23158, CVE-2021-23165, CVE-2021-23180,
> CVE-2021-23206 and CVE-2021-26252
> The issues in GitHub provided files that failed, before the fix was
> applied, and succeeded with this release.
>
> [ Risks ]
> I consider this to be of minor risk. Code is coming from upstream, which
> also has released a new version with the changes.
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
>
> unblock htmldoc/1.9.11-4
ACK, please remove moreinfo tag once the new version is available in
unstable.
Cheers
>
> Regards,
> Håvard
> diff -Nru htmldoc-1.9.11/debian/changelog htmldoc-1.9.11/debian/changelog
> --- htmldoc-1.9.11/debian/changelog 2021-05-10 16:10:41.000000000 +0200
> +++ htmldoc-1.9.11/debian/changelog 2021-06-03 21:29:16.000000000 +0200
> @@ -1,7 +1,16 @@
> +htmldoc (1.9.11-4) unstable; urgency=medium
> +
> + * Add patches to fix many CVE's. Closes: #989437
> + Fix: CVE-2021-23158, CVE-2021-23165, CVE-2021-23180, CVE-2021-23191,
> + CVE-2021-23206, CVE-2021-26252, CVE-2021-26259, CVE-2021-26948.
> + * Switch to DEP-14 layout
> +
> + -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Thu, 03 Jun 2021 21:29:16 +0200
> +
> htmldoc (1.9.11-3) unstable; urgency=medium
>
> * Add patch to mitigate buffer-overflow caused by integer-overflow in
> - image_load_gif() Closes: 984765 and fixes CVE-2021-20308
> + image_load_gif() Closes: #984765 and fixes CVE-2021-20308
>
> -- Håvard Flaget Aasen <haavard_aasen@yahoo.no> Mon, 10 May 2021 16:10:41 +0200
>
> diff -Nru htmldoc-1.9.11/debian/gbp.conf htmldoc-1.9.11/debian/gbp.conf
> --- htmldoc-1.9.11/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/gbp.conf 2021-05-23 08:32:55.000000000 +0200
> @@ -0,0 +1,3 @@
> +[DEFAULT]
> +debian-branch = debian/latest
> +upstream-branch = upstream/latest
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,128 @@
> +From: Michael R Sweet <michael.r.sweet@gmail.com>
> +Date: Thu, 1 Apr 2021 09:37:58 -0400
> +Subject: CVE-2021-23158, CVE-2021-23191, CVE-2021-26252
> +
> +Fix JPEG error handling (Issue #415)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/369b2ea1fd0d0537ba707f20a2f047b6afd2fbdc
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/412
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/414
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/415
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/file.c | 9 ++++++++-
> + htmldoc/image.cxx | 38 +++++++++++++++++++++++++++++++-------
> + htmldoc/ps-pdf.cxx | 5 +++++
> + 3 files changed, 44 insertions(+), 8 deletions(-)
> +
> +diff --git a/htmldoc/file.c b/htmldoc/file.c
> +index 20229c1..9f017de 100644
> +--- a/htmldoc/file.c
> ++++ b/htmldoc/file.c
> +@@ -1000,8 +1000,15 @@ file_rlookup(const char *filename) /* I - Filename */
> +
> +
> + for (i = web_files, wc = web_cache; i > 0; i --, wc ++)
> ++ {
> + if (!strcmp(wc->name, filename))
> +- return (wc->url);
> ++ {
> ++ if (!strncmp(wc->url, "data:", 5))
> ++ return ("data URL");
> ++ else
> ++ return (wc->url);
> ++ }
> ++ }
> +
> + return (filename);
> + }
> +diff --git a/htmldoc/image.cxx b/htmldoc/image.cxx
> +index 8f53050..74abfac 100644
> +--- a/htmldoc/image.cxx
> ++++ b/htmldoc/image.cxx
> +@@ -1336,6 +1336,15 @@ image_load_gif(image_t *img, /* I - Image pointer */
> + }
> +
> +
> ++typedef struct hd_jpeg_err_s // JPEG error manager extension
> ++{
> ++ struct jpeg_error_mgr jerr; // JPEG error manager information
> ++ jmp_buf retbuf; // setjmp() return buffer
> ++ char message[JMSG_LENGTH_MAX];
> ++ // Last error message
> ++} hd_jpeg_err_t;
> ++
> ++
> + /*
> + * 'image_load_jpeg()' - Load a JPEG image file.
> + */
> +@@ -1347,14 +1356,21 @@ image_load_jpeg(image_t *img, /* I - Image pointer */
> + int load_data)/* I - 1 = load image data, 0 = just info */
> + {
> + struct jpeg_decompress_struct cinfo; /* Decompressor info */
> +- struct jpeg_error_mgr jerr; /* Error handler info */
> +- JSAMPROW row; /* Sample row pointer */
> ++ hd_jpeg_err_t jerr; // JPEG error handler
> ++JSAMPROW row; /* Sample row pointer */
> +
> +
> +- jpeg_std_error(&jerr);
> +- jerr.error_exit = jpeg_error_handler;
> ++ jpeg_std_error(&jerr.jerr);
> ++ jerr.jerr.error_exit = jpeg_error_handler;
> +
> +- cinfo.err = &jerr;
> ++ if (setjmp(jerr.retbuf))
> ++ {
> ++ progress_error(HD_ERROR_BAD_FORMAT, "%s (%s)", jerr.message, file_rlookup(img->filename));
> ++ jpeg_destroy_decompress(&cinfo);
> ++ return (-1);
> ++ }
> ++
> ++ cinfo.err = (struct jpeg_error_mgr *)&jerr;
> + jpeg_create_decompress(&cinfo);
> + jpeg_stdio_src(&cinfo, fp);
> + jpeg_read_header(&cinfo, (boolean)1);
> +@@ -1797,9 +1813,17 @@ image_unload(image_t *img) // I - Image
> + */
> +
> + static void
> +-jpeg_error_handler(j_common_ptr)
> ++jpeg_error_handler(j_common_ptr p) // Common JPEG data
> + {
> +- return;
> ++ hd_jpeg_err_t *jerr = (hd_jpeg_err_t *)p->err;
> ++ // JPEG error handler
> ++
> ++
> ++ // Save the error message in the string buffer...
> ++ (jerr->jerr.format_message)(p, jerr->message);
> ++
> ++ // Return to the point we called setjmp()...
> ++ longjmp(jerr->retbuf, 1);
> + }
> +
> +
> +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
> +index af1a55e..499f487 100644
> +--- a/htmldoc/ps-pdf.cxx
> ++++ b/htmldoc/ps-pdf.cxx
> +@@ -1404,6 +1404,8 @@ pspdf_prepare_page(int page) /* I - Page number */
> +
> +
> + DEBUG_printf(("pspdf_prepare_page(%d)\n", page));
> ++ if (page < 0 || page >= num_pages)
> ++ return;
> +
> + /*
> + * Make a page number; use roman numerals for the table of contents
> +@@ -12258,6 +12260,9 @@ write_trailer(FILE *out, /* I - Output file */
> +
> + for (j = 1; j <= TocDocCount; j ++)
> + {
> ++ if (chapter_starts[j] < 0)
> ++ continue;
> ++
> + page = pages + chapter_starts[j];
> + start = chapter_starts[j] - chapter_starts[1] + 1;
> + type = 'D';
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-23165.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,26 @@
> +From: Michael R Sweet <michael.r.sweet@gmail.com>
> +Date: Thu, 1 Apr 2021 09:47:56 -0400
> +Subject: CVE-2021-23165
> +
> +Fix a number-up crash bug (Issue #413)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/6e8a95561988500b5b5ae4861b3b0cbf4fba517f
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/413
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/ps-pdf.cxx | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
> +index 8804df4..7fbc345 100644
> +--- a/htmldoc/ps-pdf.cxx
> ++++ b/htmldoc/ps-pdf.cxx
> +@@ -1318,7 +1318,7 @@ pspdf_prepare_outpages()
> + chapter_outstarts[c] = num_outpages;
> +
> + for (i = chapter_starts[c], j = 0, nup = -1, page = pages + i;
> +- i <= chapter_ends[c];
> ++ i <= chapter_ends[c] && num_outpages < num_pages;
> + i ++, page ++)
> + {
> + if (nup != page->nup)
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-23180.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,35 @@
> +From: Michael R Sweet <msweet@msweet.org>
> +Date: Tue, 26 Jan 2021 08:02:32 -0500
> +Subject: CVE-2021-23180
> +
> +Fix a crash bug with malformed URIs (Issue #418)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/19c582fb32eac74b57e155cffbb529377a9e751a
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/418
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/file.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/htmldoc/file.c b/htmldoc/file.c
> +index 9f017de..eee89af 100644
> +--- a/htmldoc/file.c
> ++++ b/htmldoc/file.c
> +@@ -304,6 +304,7 @@ const char * /* O - File extension */
> + file_extension(const char *s) /* I - Filename or URL */
> + {
> + const char *extension; /* Pointer to directory separator */
> ++ char *bufptr; /* Pointer into buffer */
> + static char buf[1024]; /* Buffer for files with targets */
> +
> +
> +@@ -334,7 +335,8 @@ file_extension(const char *s) /* I - Filename or URL */
> +
> + strlcpy(buf, extension, sizeof(buf));
> +
> +- *(char *)strchr(buf, '#') = '\0';
> ++ if ((bufptr = strchr(buf, '#')) != NULL)
> ++ *bufptr = '\0';
> +
> + return (buf);
> + }
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-23206.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,61 @@
> +From: Michael R Sweet <michael.r.sweet@gmail.com>
> +Date: Thu, 1 Apr 2021 08:21:57 -0400
> +Subject: CVE-2021-23206
> +
> +Fix crash bugs with bogus table attributes (Issue #416)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/ba61a3ece382389ae4482c7027af8b32e8ab4cc8
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/416
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/ps-pdf.cxx | 16 +++++++++++++---
> + 1 file changed, 13 insertions(+), 3 deletions(-)
> +
> +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
> +index 499f487..bb8a5b9 100644
> +--- a/htmldoc/ps-pdf.cxx
> ++++ b/htmldoc/ps-pdf.cxx
> +@@ -5735,7 +5735,7 @@ render_table_row(hdtable_t &table,
> + if ((var = htmlGetVariable(cells[row][col], (uchar *)"ROWSPAN")) != NULL)
> + table.row_spans[col] = atoi((char *)var);
> +
> +- if (table.row_spans[col] == 1)
> ++ if (table.row_spans[col] <= 1)
> + table.row_spans[col] = 0;
> +
> + if (table.row_spans[col] > (table.num_rows - row))
> +@@ -6555,7 +6555,12 @@ parse_table(tree_t *t, // I - Tree to parse
> + {
> + // Handle colspan and rowspan stuff...
> + if ((var = htmlGetVariable(tempcol, (uchar *)"COLSPAN")) != NULL)
> +- colspan = atoi((char *)var);
> ++ {
> ++ if ((colspan = atoi((char *)var)) < 1)
> ++ colspan = 1;
> ++ else if (colspan > (MAX_COLUMNS - col))
> ++ colspan = MAX_COLUMNS - col;
> ++ }
> + else
> + colspan = 1;
> +
> +@@ -6563,7 +6568,7 @@ parse_table(tree_t *t, // I - Tree to parse
> + {
> + table.row_spans[col] = atoi((char *)var);
> +
> +- if (table.row_spans[col] == 1)
> ++ if (table.row_spans[col] <= 1)
> + table.row_spans[col] = 0;
> +
> + for (tcol = 1; tcol < colspan; tcol ++)
> +@@ -6585,6 +6590,11 @@ parse_table(tree_t *t, // I - Tree to parse
> + {
> + col_width -= 2.0 * table.cellpadding;
> + }
> ++
> ++ if (col_width <= 0.0f)
> ++ col_width = 0.0f;
> ++ else if (col_width > PageWidth)
> ++ col_width = PageWidth;
> + }
> + else
> + col_width = 0.0f;
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-26259.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,71 @@
> +From: Michael R Sweet <michael.r.sweet@gmail.com>
> +Date: Thu, 1 Apr 2021 08:14:29 -0400
> +Subject: CVE-2021-26259
> +
> +Fix a crash bug with bogus table attributes (Issue #417)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/0ddab26a542c74770317b622e985c52430092ba5
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/417
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/ps-pdf.cxx | 23 +++++++++++++++++++----
> + 1 file changed, 19 insertions(+), 4 deletions(-)
> +
> +diff --git a/htmldoc/ps-pdf.cxx b/htmldoc/ps-pdf.cxx
> +index bb8a5b9..8804df4 100644
> +--- a/htmldoc/ps-pdf.cxx
> ++++ b/htmldoc/ps-pdf.cxx
> +@@ -6379,6 +6379,9 @@ parse_table(tree_t *t, // I - Tree to parse
> + table_width = (float)(atof((char *)var) * (right - left) / 100.0f);
> + else
> + table_width = (float)(atoi((char *)var) * PagePrintWidth / _htmlBrowserWidth);
> ++
> ++ if (table_width < 0.0f || table_width > PagePrintWidth)
> ++ table_width = right - left;
> + }
> + else
> + table_width = right - left;
> +@@ -6396,19 +6399,31 @@ parse_table(tree_t *t, // I - Tree to parse
> + DEBUG_printf(("table_width = %.1f\n", table_width));
> +
> + if ((var = htmlGetVariable(t, (uchar *)"CELLPADDING")) != NULL)
> +- table.cellpadding = atoi((char *)var);
> ++ {
> ++ if ((table.cellpadding = atoi((char *)var)) < 0.0f)
> ++ table.cellpadding = 0.0f;
> ++ else if (table.cellpadding > 20.0f)
> ++ table.cellpadding = 20.0f;
> ++ }
> + else
> + table.cellpadding = 1.0f;
> +
> + if ((var = htmlGetVariable(t, (uchar *)"CELLSPACING")) != NULL)
> +- cellspacing = atoi((char *)var);
> ++ {
> ++ if ((cellspacing = atoi((char *)var)) < 0.0f)
> ++ cellspacing = 0.0f;
> ++ else if (cellspacing > 20.0f)
> ++ cellspacing = 20.0f;
> ++ }
> + else
> + cellspacing = 0.0f;
> +
> + if ((var = htmlGetVariable(t, (uchar *)"BORDER")) != NULL)
> + {
> +- if ((table.border = (float)atof((char *)var)) == 0.0 && var[0] != '0')
> ++ if ((table.border = (float)atof((char *)var)) <= 0.0 && var[0] != '0')
> + table.border = 1.0f;
> ++ else if (table.border > 20.0f)
> ++ table.border = 20.0f;
> +
> + table.cellpadding += table.border;
> + }
> +@@ -6438,7 +6453,7 @@ parse_table(tree_t *t, // I - Tree to parse
> +
> + table.border_size = table.border - 1.0f;
> +
> +- cellspacing *= PagePrintWidth / _htmlBrowserWidth;
> ++ cellspacing *= PagePrintWidth / _htmlBrowserWidth;
> + table.cellpadding *= PagePrintWidth / _htmlBrowserWidth;
> + table.border *= PagePrintWidth / _htmlBrowserWidth;
> + table.border_size *= PagePrintWidth / _htmlBrowserWidth;
> diff -Nru htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch
> --- htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 1970-01-01 01:00:00.000000000 +0100
> +++ htmldoc-1.9.11/debian/patches/CVE-2021-26948.patch 2021-06-03 21:29:16.000000000 +0200
> @@ -0,0 +1,65 @@
> +From: =?utf-8?q?H=C3=A5vard_Flaget_Aasen?= <haavard_aasen@yahoo.no>
> +Date: Thu, 3 Jun 2021 21:15:52 +0200
> +Subject: CVE-2021-26948
> +
> +Fix crash bug with data: URIs (Issue #410)
> +
> +Origin: upstream, https://github.com/michaelrsweet/htmldoc/commit/008861d8339c6ec777e487770b70b95b1ed0c1d2
> +Bug: https://github.com/michaelrsweet/htmldoc/issues/410
> +Bug-Debian: https://bugs.debian.org/989437
> +---
> + htmldoc/file.c | 10 +++++++++-
> + 1 file changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/htmldoc/file.c b/htmldoc/file.c
> +index eee89af..9a5f3e2 100644
> +--- a/htmldoc/file.c
> ++++ b/htmldoc/file.c
> +@@ -624,11 +624,13 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
> + */
> +
> + for (i = 0; i < (int)web_files; i ++)
> ++ {
> + if (strcmp(s, web_cache[i].name) == 0)
> + {
> + DEBUG_printf(("file_find: Returning cache file \"%s\"!\n", s));
> + return (s);
> + }
> ++ }
> +
> + DEBUG_printf(("file_find: \"%s\" not in web cache of %d files...\n", s, (int)web_files));
> +
> +@@ -637,11 +639,14 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
> + */
> +
> + if (strchr(s, '%') == NULL)
> ++ {
> + strlcpy(basename, s, sizeof(basename));
> ++ }
> + else
> + {
> + for (sptr = s, temp = basename;
> + *sptr && temp < (basename + sizeof(basename) - 1);)
> ++ {
> + if (*sptr == '%' && isxdigit(sptr[1]) && isxdigit(sptr[2]))
> + {
> + /*
> +@@ -664,6 +669,7 @@ file_find(const char *path, /* I - Path "dir;dir;dir" */
> + }
> + else
> + *temp++ = *sptr++;
> ++ }
> +
> + *temp = '\0';
> + }
> +@@ -918,7 +924,9 @@ file_localize(const char *filename, /* I - Filename */
> + const char * /* O - Method string ("http", "ftp", etc.) */
> + file_method(const char *s) /* I - Filename or URL */
> + {
> +- if (strncmp(s, "http:", 5) == 0)
> ++ if (strncmp(s, "data:", 5) == 0)
> ++ return ("data");
> ++ else if (strncmp(s, "http:", 5) == 0)
> + return ("http");
> + else if (strncmp(s, "https:", 6) == 0)
> + return ("https");
> diff -Nru htmldoc-1.9.11/debian/patches/series htmldoc-1.9.11/debian/patches/series
> --- htmldoc-1.9.11/debian/patches/series 2021-05-10 16:10:41.000000000 +0200
> +++ htmldoc-1.9.11/debian/patches/series 2021-06-03 21:29:16.000000000 +0200
> @@ -6,3 +6,9 @@
> disable_libz.patch
> remove-os-check.patch
> Fix-crash-bug-with-bad-GIFs-Issue-423.patch
> +CVE-2021-23158-CVE-2021-23191-CVE-2021-26252.patch
> +CVE-2021-23165.patch
> +CVE-2021-23180.patch
> +CVE-2021-23206.patch
> +CVE-2021-26259.patch
> +CVE-2021-26948.patch
--
Sebastian Ramacher
Attachment:
signature.asc
Description: PGP signature